Black Hat USA 2024: researcher strips all Windows security using updates to downgrade


A fully patched and secure system is just an illusion. SafeBreach Labs researcher Alon Leviev has bypassed the deepest layer of Windows security without a screwdriver and made a fully patched Windows machine vulnerable to hordes of past vulnerabilities.

The potential consequences can be absolutely devastating. Potential attackers using this method could compromise systems completely, access all the data and secrets, move laterally in the network, and maintain persistence while being undetectable.

The Virtualization-Based Security (VBS) system is touted as a secure memory enclave protecting the most important secrets and Windows resources, isolated from the rest of the OS and unprotected code.

However, even with UEFI locks enforced (settings that can only be changed during boot), VBS and every other Windows component fell to Leviev’s downgrade attack.

“I was able to show how it was possible to make a fully patched Windows machine susceptible to thousands of past vulnerabilities, turning fixed vulnerabilities into zero-days and making the term ‘fully patched’ meaningless on any Windows machine in the world,” Leviev said in a paper.

Attackers would still need to gain an initial foothold with administrative privileges first, but once they're in, it’s over.

So how did he do it?

TLDR answer: the researcher found a flaw in the Windows Update process that allowed the Downgrade Attack to be executed. Critical Windows OS components can be altered by undetectable, persistent, and irreversible downgrades, leaving the system completely compromised.

Now, let's dig deeper.

A downgrade attack, also known as a version-rollback attack, aims to revert the fully up-to-date system to an older version.

BlackLotus, a bootkit (a type of malware that infects and modifies the boot process), was previously observed in the wild with similar capabilities, shocking the cybersecurity community. It was able to run and maintain persistence on fully patched and up-to-date Windows 11 systems with Secure Boot enabled. The vulnerability it exploited was patched, but the underlying problem appears to be more significant.

Leviev found several vulnerabilities and used them to develop Windows Downdate – a tool to take over the Windows Update process.

Windows Update operates on system files that administrators and other users of the computer cannot modify. Those files are writable only by the Trusted Installer, a built-in service account with higher permissions that manages system files.

When Windows installs an update, the process spans multiple reboots. The researcher found that during the process an action list is saved to disk, specifying which files to update, the source and destination of each file, and other information.


While the action list itself is not accessible to the user, the Windows registry has a key that holds the path of the executable that parses the list and the path of the list itself. This registry key was not Trusted Installer enforced and could be used to control all the update actions, such as creating, deleting, moving, and hard-linking files, modifying registry keys and values, “and much more.”

The researcher created a custom downgrading action list and pointed the registry key at it. The system assumes that the action list has already been verified, because it is normally created only after verification. Windows then applied the “update,” following the instructions to downgrade.

No malicious activity was detected since the “update” was performed legitimately. The system also appeared fully up-to-date.

The researcher was then able to “patch” other system files to stop Windows from installing newly available updates and to stop it from detecting the resulting corruption.

All of this only marked the first part of the attack – privilege elevation from Administrator to kernel.

The next target was VBS (Virtualization-Based Security), which had even higher privileges. This isolated environment runs critical security processes, stores sensitive data, and isn’t directly accessible to the kernel or other computer users.

VBS is initialized first, right after the computer’s firmware boots. To disable this protection, a malicious actor would normally need physical access to the UEFI firmware settings, still commonly referred to as the BIOS.

“I wondered what would happen if I tried to replace the Secure Kernel or the hypervisor powering VBS with invalid files that, for example, are not digitally signed and are attacker-controlled. I assumed the machine would boot into the recovery environment since invalid files are a sign of compromise. Instead, I was extremely surprised to find that the OS loader booted normally, abandoning VBS if it failed to validate one of VBS’s files,” the researcher said.

The Downgrade process effectively allowed him to disable VBS, bypassing the UEFI lock.

That means an attacker could extract credentials even under the most restrictive settings. The researcher demonstrated that he was able to disable Credential Guard and Windows Defender.

The researcher then continued downgrading various components to escalate privileges and access all isolated Windows environments created by the VBS. Previously disclosed vulnerabilities were then used to compromise all of the so-called Virtual Trust Levels (VTLs).

The hypervisor, a specialized micro-kernel that manages other virtualized systems on the computer, is the most privileged entity in VBS and the entire Windows system.

The researcher downgraded it to a version from two years ago and escalated privileges to the so-called Ring -1, compromising the entire stack. Leviev was surprised to find no downgrade detection at all, not even in the Secure Kernel.


“I found no downgrade mitigation in any component of the virtualization stack – the entire stack was vulnerable to downgrades.”
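Because the article’s central finding is that nothing in the virtualization stack noticed a version regression and that the OS loader silently booted without VBS, the practical question for a defender is how to notice either condition yourself. The following PowerShell script is an added example, not code from the article or from SafeBreach: it records a baseline of the binaries the article names (hypervisor, Secure Kernel, OS loader) plus the NT kernel, flags any binary whose version went backwards on a later run, and checks that VBS actually reports itself as running via the real Win32_DeviceGuard WMI class. The baseline file location and its JSON layout are this script’s own assumptions.

```powershell
# Added example (not from the article or SafeBreach): detect a silent VBS
# fallback and a version regression of the virtualization-stack binaries.
# Assumed: the baseline path and JSON layout below. Real: the binary names
# and the Win32_DeviceGuard class with its status codes.

$BaselinePath = Join-Path $env:ProgramData 'vbs-stack-baseline.json'   # assumed location

# hvix64 is the Intel hypervisor and hvax64 the AMD one, so only one normally exists.
$StackBinaries = @('hvix64.exe', 'hvax64.exe', 'securekernel.exe', 'winload.efi', 'ntoskrnl.exe')

function Get-VbsState {
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
    [pscustomobject]@{
        # VirtualizationBasedSecurityStatus: 0 = not enabled, 1 = enabled, 2 = running
        VbsStatus          = [int]$dg.VirtualizationBasedSecurityStatus
        # SecurityServices*: 1 = Credential Guard, 2 = HVCI (memory integrity)
        ServicesRunning    = @($dg.SecurityServicesRunning)
        ServicesConfigured = @($dg.SecurityServicesConfigured)
    }
}

function Get-StackVersions {
    $versions = @{}
    foreach ($name in $StackBinaries) {
        $path = Join-Path $env:SystemRoot "System32\$name"
        if (Test-Path $path) {
            $v = (Get-Item $path).VersionInfo
            # Use the numeric parts; the FileVersion string also carries build-lab text
            $versions[$name] = '{0}.{1}.{2}.{3}' -f $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart
        }
    }
    return $versions
}

function Compare-StackVersions {
    param([hashtable]$Current, [hashtable]$Baseline)
    $findings = @()
    foreach ($name in $Baseline.Keys) {
        if (-not $Current.ContainsKey($name)) {
            $findings += "${name}: present in baseline but missing now"
            continue
        }
        # [version] comparison is numeric per component, unlike string comparison
        if ([version]$Current[$name] -lt [version]$Baseline[$name]) {
            $findings += "${name}: DOWNGRADED $($Baseline[$name]) -> $($Current[$name])"
        }
    }
    return $findings
}

$state   = Get-VbsState
$current = Get-StackVersions

# A loader that abandoned VBS because a component failed validation looks exactly like this.
if ($state.VbsStatus -ne 2) {
    Write-Warning "VBS is not running (status $($state.VbsStatus))"
}
if (($state.ServicesConfigured -contains 1) -and ($state.ServicesRunning -notcontains 1)) {
    Write-Warning 'Credential Guard is configured but not running'
}

if (-not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline recorded at $BaselinePath"
} else {
    $baseline = @{}
    (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $baseline[$_.Name] = [string]$_.Value }
    $findings = @(Compare-StackVersions -Current $current -Baseline $baseline)
    if ($findings.Count -eq 0) { Write-Output 'No version regression against baseline' }
    else { $findings | ForEach-Object { Write-Warning $_ } }
}
```

Run it elevated on a schedule, and keep a copy of the baseline off the host: an attacker who already holds administrator rights, which the article states is the precondition, could rewrite a local baseline just as easily as the binaries. Re-record the baseline only after an update applied through a channel you trust, since legitimate updates move the versions forward. This is a detective control for the two symptoms the research describes, not a substitute for a vendor-side downgrade check in the loader and Secure Kernel.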

Following responsible disclosure practices, SafeBreach notified Microsoft of the research and its findings in February 2024.

The author believes that other operating systems may be equally susceptible to similar attacks, and more research and focus is needed on the design of the virtualization stack.

The research “Windows Downdate: Downgrade Attacks Using Windows Updates” was introduced at the Black Hat USA 2024 conference.