Unpatched vulnerability in Windows 8.1 gets published

An unpatched vulnerability in Windows 8.1 has been disclosed on Google Security Research. The issue was subject to a 90-day automatic disclosure policy, meaning the existence of the vulnerability is published after 90 days without a broadly available patch for the issue. The issue allows for privilege elevation in ahcache.sys/NtApphelpCacheControl.

From the report:

This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways.

So far this issue has only been found on Windows 8.1, and it is unknown if previous versions of Windows are vulnerable. While no patch is broadly available, at least one user reports that they are unable to replicate the bug in recent builds of Windows 10.

Source: Google Security Research

Joseph Keller