New bypass disclosed in Microsoft PatchGuard (KPP)

November 22, 2019 TH Author

A security researcher published proof-of-concept code last month for an exploit that can bypass the Microsoft Kernel Patch Protection (KPP) security feature, more commonly known as PatchGuard.

Named ByePg, this is the second Patchguard bypass discovered and publicly disclosed in the past six months, after InfinityHook, which was disclosed in July this year.

What is Microsoft PatchGuard

Microsoft PatchGuard is a security feature that was introduced in 2005 in Windows XP. It is only available for 64-bit versions of Microsoft Windows, and its role is to prevent apps from patching the kernel.

Patching the kernel is a technical term that refers to modifying the operating system’s most important component (which relays commands from apps to the underlying hardware) with unauthorized code.

Before PatchGuard’s release, many applications took liberties with modifying Windows’ kernel so they could do their job easier or could access sensitive functions. Antivirus software, shady drivers, game cheats, and malware, would often used kernel patching for their own very different purposes.

Rootkit developers were among the biggest fans of kernel patching, using the technique as a way to embed their malware at the OS level, giving it unfettered access to all of the user’s computer.

Initially, PatchGuard wasn’t the resounding success that Microsoft had hoped, and several bypasses were discovered in the late 2010s, all of which Microsoft eventually patched.

PatchGuard didn’t kill rootkits on its own, but rootkits did eventually die out, especially after the launch of Windows 10, which featured additional security features, alongside PatchGuard.

PatchGuard bypasses

However, even if PatchGuard took a backseat in Windows’ ever-increasing layers of security features, security researchers have continued to prod at its internal mechanism, looking for new ways to bypass the protections it provides.

After Windows 10’s release in 2015, the most notable of all PatchGuard bypass was GhostHook, discovered by CyberArk researchers in 2017. GhostHook abused the Intel Processor Trace (PT) feature to bypass PatchGuard and patch the kernel.

A second bypass was discovered and disclosed over the summer, in July. Found by Nick Peterson, anti-cheat expert at Riot Games, this bypass was named InfinityHook, and abused the NtTraceEvent API to patch the kernel.

Describing the bypass at the time, Peterson said “InfinityHook stands to be one of the best tools in the rootkit arsenal over the last decade.”

Last month, a third PatchGuard bypass was disclosed; this time by Turkish software developer Can Bölük. Named ByePg, this exploit hijacks the HalPrivateDispatchTable to allow a rogue app to patch the kernel.

Just like Peterson, when describing ByePg, Bölük used said that the “weaponization potential of [ByePg] is only limited by your creativity.”

ByePG is considered even more dangerous, as it can bypass both PatchGuard and Hypervisor-Protected Code Integrity (HVCI), a feature that allows Microsoft to blacklist bad drivers on users’ devices.

All three — CyberArk, Peterson, and Bölük — went public with their respective PatchGuard bypasses after Microsoft refused the fix the issues.

Controversy

Microsoft’s response in all three cases was the same. All three exploits needed admin rights to run, meaning they couldn’t be classified as security issues.

The OS maker argued that once an attacker has access to a local system with admin rights, they can carry out any operation they want. Technically, they’re right, but also wrong. While this explanation might be true for any other attack vector, it is not valid for PatchGuard, a system meant to safeguard the kernel even from high-privileged processes — like a driver or antivirus apps. This was PatchGuard’s sole purpose, researchers argued.

They also said that it’s trivial nowadays for an attacker to elevate privileges and then run something like InfinityHook or the new ByePg to establish a permanent foothold in the kernel itself, and open the door for the return of rootkits on Windows 10, a place where they haven’t really managed to infect on the same numbers as they did with older Windows versions like XP, Vista, and 7.

When this reporter reached out to Microsoft in 2017, the OS maker said they were not ignoring the issue, but they were just not prioritizing it as a security flaw.

At Microsoft, security flaws get fixed right away and patches are delivered via the monthly Patch Tuesday process. Bugs, on the other hand, are patched on a biannual cycle.

For its credit, Microsoft did patch GhostHook somewhere in late 2017, but nobody knew it happened for weeks. A patch for InfinityHook was also shipped in Windows Insider builds in September, and is most likely included with Windows 10 v1909, released earlier this month.

ByePG remains unpatched, and Bölük, just like the other security researchers before him, is now feeling that his research work is being spurned.

The researcher told ZDNet in a private conversation that he understood Microsoft’s bug bounty program’s rules, and that he would not be eligible for a monetary payout. However, he feels that Microsoft is downplaying the severity of these exploits and delaying patches unnecessarily, opening the door for possible attacks.

Rules will not be changing

From our interactions with Microsoft’s public relations staff, we knew we wouldn’t get a straight answer to our questions, so we reached out to a Microsoft employee who works part of the company’s bug program and provided anonymity for his statements.

The employee described the PatchGuard bypass issue as a technical loophole in the company’s program rules, but one that’s not going to get an exception from Microsoft’s staff.

While the rule that “administrator-to-kernel is not a security boundary” clearly states that exploits run with administrative privileges don’t count for the company’s bug rewards program, he also understands that this is an big issue with PatchGuard, especially.

However, our source wanted to be very clear that that these issues don’t get ignored, and bypassing PatchGuard or any of the company’s other security features does raise an eyebrow at Microsoft.

The three PatchGuard bypasses might not have gotten a “security bug” classification, but they were eventually fixed, only at a slower pace, and by another team.

The Microsoft employee tells us that this classification as a bug rather than a security flaw is what usually irks about 99% of researchers who report these things.

He says most security researchers understand that Microsoft’s bug bounty program has rules and they won’t be eligible for cash rewards, but most are annoyed that their work — which in many cases took months — won’t any get public recognition from Microsoft, at all.

Furthermore, the bugs they find will also not receive a CVE number — an identification code for a valid vulnerability, which many researchers collect and flaunt as trophies.

This is why, he said, many researchers go public with details about their work, complete with proof-of-concept code, that can be very easily weaponized. Our source tells us he doesn’t blame researchers for doing so, nor do his colleagues, as this is sometimes the only way to show their reverse engineering and bug-hunting talents in the absence of a nod from Microsoft.