Proof of concept WMI virus (zero-day)
69 points
1 year ago
| 8 comments
| github.com
| HN
kachapopopow
1 year ago
[-]
Ah, good to know that there's people still making a complete mockery of windows even now.

Do note that VBS mitigates a majority of 'buffer overflow' exploits and Microsoft has historically shown to brush off these vulnerabilities so that 100k bounty is pretty far fetched.

Any WMI operation does touch the disk (because it's a database), but similar to any kind of other database they're mixed with writes that happen in a normal environment and are not really possible to tell between malicious applications.

WMI requires administrator privileges to write so the privilege escalation is not that interesting except in limited environments (and Microsoft has also shown in the past that they don't care about these), which is fair considering you can't call 'sudo' a security vulnerability.

reply
b8
1 year ago
[-]
Zerodium and similar 0day sweatshops pays a lot for these 0days. Bug bounty programs directly thru the companies have been documented to screw over researchers.
reply
tptacek
1 year ago
[-]
Zero-day brokers pay in tranches for completed reliable exploits; bug bounties pay in lump sums for (generally) POCs. It's not an apples-apples comparison.
reply
b8
1 year ago
[-]
ZDI pays lump sums AFAIU.
reply
tptacek
1 year ago
[-]
ZDI is more like a bug bounty than a grey market broker.
reply
kachapopopow
1 year ago
[-]
Can confirm.
reply
alberto-m
1 year ago
[-]
From a Reddit comment [1]: “the repo contains two novel and different ways to run any process as the SYSTEM user. It also disables every antivirus through a novel process privilege deescalation exploit”

[1] https://old.reddit.com/r/ReverseEngineering/comments/1icgfua...

reply
p_ing
1 year ago
[-]
I don't know how one can argue (in the reddit thread) Administrator -> SYSTEM is a security vulnerability or even a privilege escalation. The Administrator can grant themselves kernel debug rights!
reply
thomquaid
1 year ago
[-]
Sticky keys into SYSTEM console; same as always.
reply
Almondsetat
1 year ago
[-]
Quoting the README: "The WMI is an extension of the Windows Driver Model. It's a CIM interface that provides all kinds of information about the system hardware, and provides for a lot of the core functionality in Windows. For example, when you create a startup registry key for an an application, that's really acting on the WMI at boot."
reply
EvanAnderson
1 year ago
[-]
Persistence inside the WMI database is fun. There was a good talk about this at DerbyCon[0] years ago. I think it has gotten more press since several APT groups were using it but it still isn't a well-known persistence mechanism.

[0] https://www.irongeek.com/i.php?page=videos/derbycon5/break-m...

reply
ComputerGuru
1 year ago
[-]
The real value in this: a new way to more easily disable Windows Defender on Windows 11.
reply
jolfosh
1 year ago
[-]
The fact that so many critical infrastructure systems still depend on Windows is absurd (I say from my Windows machine). Great find! Thank you for sharing.
reply
ptx
1 year ago
[-]
So where is the data actually stored if it "never touches the disk"? Is it some UEFI or BIOS thing?
reply
NetOpWibby
1 year ago
[-]
I wonder why this person didn’t submit this to Microsoft for a billion dollars.
reply
musjleman
1 year ago
[-]
Because this has no actual value for anyone and MS would (did?) ignore him.
reply
NetOpWibby
1 year ago
[-]
Surely MS has bug bounty programs, no? Maybe I'm missing something.
reply
musjleman
1 year ago
[-]
You're missing the fact that there is basically no bug here.

All this does is:

* Store data in a database.

* Kill AV software provided you have admin privileges.

The latter might be remediated by MS down the line, but they don't generally give bounties.

reply
NetOpWibby
1 year ago
[-]
Yeah, the AV thing was what gave me pause. The only thing I miss about Windows is ESET's Nod32. Best AV I've ever used. I know they have a Mac version now but I don't see the point in getting it.
reply
p_ing
1 year ago
[-]
Yes they do for credible threats. Otherwise there is the Windows Feedback Hub ;)
reply