Zero-day Vulnerability in Windows 8.1 Disclosed by Google

Last year Google security researcher had disclosed a critical security vulnerability "HeartBleed" that leaves whole internet under threats. Now again Google researcher 'James Forshaw' have disclosed another Privileged Escalation bug in Microsoft Windows 8.1 operating system. This is the Zero-day vulnerability in Windows 8.1.

The bug is figured out critical as successful exploitation allows the hackers to modify the content and can take  full controlled over the exploited system. As Microsoft have retires Windows 7 and make its users  to upgrade to windows 8.1, hence leaves millions of users under threats.

Forshaw, have released a POC of the vulnerability, and mentioned that he had tested for the vulnerability only on the Windows 8.1, previous version of the Windows is may be affected but it is not cleared.
The vulnerability resides in the function AhcVerifyAdminContext, an internal function and not a public API which actually checks whether the user is an administrator.

"This function has a vulnerability where it doesn't correctly check the impersonation token of the caller to determine if the user is an administrator. It reads the caller's impersonation token using PsReferenceImpersonationToken and then does a comparison between the user SID in the token to LocalSystem's SID. It doesn't check the impersonation level of the token so it's possible to get an identify token on your thread from a local system process and bypass this check. For this purpose the PoC abuses the BITS service and COM to get the impersonation token but there are probably other ways" - Forshaw wrote.

The PoC contains two program files and some set of instructions for executing the files which, if successful, finally result in the Windows calculator running as an Administrator. According to the researcher, the vulnerability is not in Windows User Account Control (UAC) itself, but UAC is used in part to demonstrate the bug.

The PoC has been tested on Windows 8.1 update, both 32 bit and 64 bit versions. and he recommended users to run the PoC on 32 bit. To verify perform the following steps:

• Put the AppCompatCache.exe and Testdll.dll on disk
• Ensure that UAC is enabled, the current user is a split-token admin and the UAC setting is the default (no prompt for specific executables).
• Execute AppCompatCache from the command prompt with the command line "AppCompatCache.exe c:\windows\system32\ComputerDefaults.exe testdll.dll".
• If successful then the calculator should appear running as an administrator. If it doesn't work first time (and you get the ComputerDefaults program) re-run the exploit from 3, there seems to be a caching/timing issue sometimes on first run.