0patch Blog

Friday, September 30, 2022

Micropatches for Windows Kerberos Elevation of Privilege (CVE-2022-35756)

by Mitja Kolsek, the 0patch Team

August 2022 Windows Updates brought a fix for a local privilege escalation in Windows Kerberos, discovered by Nick Landers (@monoxgas) of NetSPI. Nick and James Forshaw (@tiraniddo) presented this vulnerability at the BlackHat USA 2022 conference and subsequently published proof-of-concept scripts. This made it possible for us to create a patch for affected "security-adopted" Windows systems that no longer receive official fixes from Microsoft.

The vulnerability allows an attacker to bypass an integrity check for a security buffer of a PAC structure sent inside attacker's AP-REQ request. The flawed integrity check improperly inspects the security buffer type by comparing it to constant SECBUFFER_TOKEN while ignoring that its value can also include two bit flags in the upper byte. Nick's and James' proof-of-concept adds one such flag to the value, bypassing the integrity check, and can therefore arbitrarily modify the PAC structure - for instance, to claim the requestor is not the actual low-privileged user but a local administrator. According to Microsoft's advisory, "a domain user could use this vulnerability to elevate privileges to a domain admin."

Microsoft assigned this issue CVE-2022-35756 and fixed it by removing the execution branch that led to the bypass. Our micropatch is logically equivalent to Microsoft's:

MODULE_PATH "..\AffectedModules\kerberos.dll_6.1.7601.24545_Win7_32-bit_NoESU\kerberos.dll"
PATCH_ID 1053
PATCH_FORMAT_VER 2
VULN_ID 7492
PLATFORM win32

patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0xe856
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 0

    code_start

        push eax                ;save the original rax value
        mov eax, [ebp-0x14]       ;get the flag location pointer +0x8 for the previous push
        bt dword[eax+0x28], 0x19 ;test the 0x19-th bit
        pop eax                   ;restore original rax value
        jb SKIP                   ;if bit is set, keep the old rcx value
        mov eax, 1                ;if bit is not set, mov 1 into rcx
   SKIP:
; the value of rax here will be stored to rcx and serve as an argument
; in a call to KerbCreateTokenFromTicketEx

   code_end
patchlet_end

The micropatch was written for the following Versions of Windows with all available Windows Updates installed:

Windows 10 v2004
Windows 10 v1909
Windows 10 v1903
Windows 10 v1809
Windows 10 v1803
Windows 7 without ESU, with year 1 of ESU and with year 2 of ESU
Windows Server 2008 R2 without ESU, with year 1 of ESU and with year 2 of ESU

This micropatch has already been distributed to all online 0patch Agents with a PRO or Enterprise license. To obtain the micropatch and have it applied on your computers along with our other micropatches, create an account in 0patch Central, install 0patch Agent and register it to your account with a PRO or Enterprise subscription. Note that no computer restart is needed for installing the agent or applying/un-applying any 0patch micropatch.

To learn more about 0patch, please visit our Help Center. For a trial or demo please contact sales@0patch.com.

We'd like to thank Nick Landers (@monoxgas) and James Forshaw (@tiraniddo) for publishing their analysis with a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.

Wednesday, September 14, 2022

Micropatch For Memory Corruption in Microsoft Outlook (CVE-2022-35742)

by Mitja Kolsek, the 0patch Team

August 2022 Windows Updates brought a fix for a memory corruption vulnerability in Microsoft Outlook, discovered by security researcher insu of 78ResearchLab. The vulnerability exploits a flaw in Outlook's processing of multiple Content-Type headers in a multipart/signed email, whereby a malicious email can lead to free'ing an unallocated memory address and crashing Outlook as such email is downloaded (even before one can view it). Once such email is in user's Inbox, Outlook crashes whenever the user clicks on it or it gets displayed in the Preview pane.

While Microsoft categorized this flaw as "denial of service", it seems possible it could be exploited for arbitrary code execution.

0patch has security-adopted Office 2010 in November 2020 when its support was officially terminated, but Microsoft kept providing security updates for it until April 2021. After that date, we analyzed every published vulnerability affecting still-supported versions of Office to see if Office 2010 was affected, and until now, have not confirmed any. This is the first case where we could reproduce a publicly detailed, potentially critical issue in an Office 2010 component.

Thankfully, the researcher published an analysis and a POC for this vulnerability. This made it possible for us to create a patch for Outlook 2010 that no longer receives official fixes from Microsoft.

Microsoft assigned this issue CVE-2022-35742 and fixed it by properly preserving the flag (bit) that denotes whether a Content-Type buffer needs to be free'd or not. Our micropatch is logically equivalent to Microsoft's:

MODULE_PATH "..\AffectedModules\OUTLMIME.DLL_14.0.7268.5000_Office-2010_64bit_202104\outlmime.dll"
PATCH_ID 1025
PATCH_FORMAT_VER 2
VULN_ID 7481
PLATFORM win64

patchlet_start
   PATCHLET_ID 1
   PATCHLET_TYPE 2
   PATCHLET_OFFSET 0x27d72
   N_ORIGINALBYTES 5
   JUMPOVERBYTES 0
   PIT outlmime!0x27db9,outlmime!0x27d7d,outlmime!0x272ac

   code_start

        mov r15, 0            ; default r15 for setz command
        call PIT_0x272ac        ; rewrite original code for patch placement
        mov ebp, eax            ; rewrite original code for patch placement
        test eax, eax           ; rewrite original code for patch placement
        js PIT_0x27db9        ; rewrite original code for patch placement

        mov eax, [rdi+100h]     ; get flag from memory
        and al, 2               ; check flag state
        cmp al, 2               ; check flag state
        setz r15b               ; set r15 accordingly to flag
        jmp PIT_0x27d7d         ; jump to block where memory is copied

   code_end
patchlet_end

patchlet_start
   PATCHLET_ID 2
   PATCHLET_TYPE 2
   PATCHLET_OFFSET 0x27db3
   N_ORIGINALBYTES 5
   JUMPOVERBYTES 6
   PIT outlmime!0x27db9

   code_start

        mov [rdi+12Ch], eax     ; rewrite original code for patch placement
        mov rax, [rbx+0F8h]     ; read value from memory
        test byte[rax+10h], 4   ; check if read memory+10h contains 4
        jnz PIT_0x27db9         ; if memory+10h contains 4 then check flags
                                ; else jump to function return block

        test r15d, r15d         ; check if flag is set
        jz AND_BLOCK            ; if set jump to AND_BLOCK

        or dword[rdi+100h], 2   ; if flag not set then set it
        jmp PIT_0x27db9         ; jump to function return block

   AND_BLOCK:
        and dword[rdi+100h], 0FFFFFFFDh    ; reset flag
                                ; continue normal execution
   code_end
patchlet_end

This video demonstrates the effect of our micropatch. With 0patch disabled, downloading the malicious email in Outlook 2010 crashes Outlook, and restarting Outlook leads to the same result, effectively disabling user's email; with 0patch enabled, the malicious email gets downloaded and while it can't be displayed due to malformed content, it sits there doing no harm.

The micropatch was written for 32-bit and 64-bit versions of Outlook 2010, fully updated with its latest free updates from April 2021.

To learn more about 0patch, please visit our Help Center.

We'd like to thank insu of 78ResearchLab for publishing their analysis and providing a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.

Thursday, September 8, 2022

Micropatches for Windows IKE Extension Remote Code Execution (CVE-2022-21849)

by Mitja Kolsek, the 0patch Team

January 2022 Windows Updates brought a fix for a remote code execution vulnerability in Windows IKE Extension discovered by Polar Bear. Ten days ago (as of this writing), researchers from 78ResearchLab published an analysis and a POC for this vulnerability. This made it possible for us to create a patch for affected "security-adopted" Windows systems that no longer receive official fixes from Microsoft.

The vulnerability allows a remote attacker to cause memory (heap) corruption on the target computer by sending a malformed ISAKMP packet using the IKE protocol, whereby the VendorID payload is longer than the expected 10h characters. The vulnerable code namely prepares a 10-character buffer on the stack for storing this value, and in case a longer value is provided, the memcpy (memory copy) operation results in memory locations beyond the end of buffer being overwritten with attacker-chosen content. In the absence of a negative proof, such vulnerabilities are assumed to be exploitable for arbitrary code execution (although the POC at hand only results in crashing the process.)

Microsoft assigned this issue CVE-2022-21849 and fixed it by adding a check for the length of the VendorID value: if the length isn't exactly 10h (if the size of the entire payload including the 10h-byte prologue isn't exactly 20h), it ignores this value. Our micropatch with just two CPU instructions is logically equivalent to Microsoft's:

MODULE_PATH "..\AffectedModules\ikeext.dll_10.0.17134.254_Win10-1803_64-bit_u202105\ikeext.dll"
PATCH_ID 1018
PATCH_FORMAT_VER 2
VULN_ID 7502
PLATFORM win64

patchlet_start
   PATCHLET_ID 1
   PATCHLET_TYPE 2
   PATCHLET_OFFSET 0x2d93f
   N_ORIGINALBYTES 5
   JUMPOVERBYTES 0
   PIT IKEEXT.DLL!0x1fb64

   code_start

        cmp r13d, 20h     ; is the size of the VendorID payload equal to 20h?
        jne PIT_0x1fb64   ; if not, ignore the value

   code_end
patchlet_end

The micropatch was written for the following Versions of Windows with all available Windows Updates installed:

Windows 10 v2004
Windows 10 v1903
Windows 10 v1803

Note that Windows 7 and Server 2008 R2 are not affected by this issue, and Windows 10 v1909 was still receiving official updates in January 2022.

To learn more about 0patch, please visit our Help Center.

We'd like to thank Polar Bear for finding this issue, and 78ResearchLab researchers for publishing their analysis and providing a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.

Wednesday, August 31, 2022

Micropatches for Local Privilege Escalation in LSASS (CVE-2022-30166)

by Mitja Kolsek, the 0patch Team

Update 9/1/2022: Micropatches for Local Privilege Escalation in LSASS (CVE-2022-30166) that were issued yesterday were reported to cause authentication problems with SharePoint and Remote Desktop Gateway Service. After successfully reproducing the issue these patches have just just revoked, and will be automatically disabled on all systems within 60 minutes. No action is needed on 0patch users' and administrator' end while we're working on issuing corrected patches.

Update 9/20/2022: After reproducing functional problems caused by our original micropatches we have now issued new ones. We'd like to thank all customers who promptly reported problems and helped us reproduce them. No action is needed on 0patch users' and administrator' end to have the new patches applied.

June 2022 Windows Updates brought a fix for a local privilege escalation in Local Security Authority Subsystem Service (LSASS), discovered by James Forshaw of Google Project Zero. James published details and a POC on July 14.

The vulnerability allows a local non-admin attacker to use a certain type of impersonation (specifically, impersonating a token at identification level) to get the service running as Local System to enumerate the ticket cache not only for the requesting user but also for the Local System account. With this information, the attacker could elevate their privileges on the local system.

Microsoft assigned this issue CVE-2022-30166 and fixed it by creating an "anonymous" impersonation when the original attempt at impersonation fails; as a result, a malicious request ends up returning only requesting user's ticket cache.

Our micropatch with 18 CPU instructions is logically equivalent to Microsoft's:

MODULE_PATH "..\AffectedModules\lsasrv.dll_10.0.19041.1415_Win10-2004_64-bit_u202112\lsasrv.dll"
PATCH_ID 1017
PATCH_FORMAT_VER 2
VULN_ID 7441
PLATFORM win64

patchlet_start
    PATCHLET_ID 1
    PATCHLET_TYPE 2
    PATCHLET_OFFSET 0x2e302
    N_ORIGINALBYTES 5
    JUMPOVERBYTES 5
    PIT lsasrv!0x145f0,ntdll!NtClose

    code_start

        mov byte[rdi+0x11], 1     ;original overwritten code
        mov [rdi+0x14], eax       ;original overwritten code

        cmp eax, 1                ;check current tokens impersonation level. 1 == ANONYMOUS
        jne END                   ;if it is ANONYMOUS nothing needs to be done and we
                                  ;skip the patch

        mov rcx, [rbx+0x0c0]    ;move current token handle to rcx so we can close it
        sub rsp, 0x20             ;create shadowspace with additional 0x8 bytes to
                                  ;align the stack
        call PIT_NtClose        ;close the token handle
        add rsp, 0x20             ;delete the created shadowspace
        mov qword[rbx+0x0c0], 0x0 ;overwrite the old handle with 0x0

        mov rcx, rdi            ;move SECPKG_CLIENT_INFO_EX to rcx
        lea rdx, [rbx+0x0c0]    ;move new handle pointer to rdx for output
        mov qword[rcx], 0x3e6     ;move LsapAnonymousLogonId to rcx pointer
        push 0x000003e6           ;push LsapAnonymousLogonId to stack so we can use the
                                  ;pointer
        lea rcx, [rsp]            ;move the pointer to LsapAnonymousLogonId into rcx

        sub rsp, 0x28             ;create shadowsapce
        call PIT_0x145f0        ;call LsapOpenTokenByLogonId to get a new anonymous
                                  ;token
        add rsp, 0x30             ;clear shadowspace and account for the push
        mov rax, 1                ;move 1 to eax as some versions of this dll need it
                                  ;and we don't need the return value
   END:

   code_end
patchlet_end

This video demonstrates the effect of our micropatch. With 0patch disabled, the POC obtains and displays the token cache of both the current user and Local System; with 0patch enabled, only user's token cache is accessible to the local non-admin user.

The micropatch was written for the following Versions of Windows with all available Windows Updates installed:

Windows 10 v2004
Windows 10 v1909
Windows 10 v1903
Windows 10 v1809
Windows 10 v1803
Windows 7 (no ESU, ESU year 1, ESU year 2)
Windows Server 2008 R2 (no ESU, ESU year 1, ESU year 2)

To learn more about 0patch, please visit our Help Center.

We'd like to thank James Forshaw for publishing their analysis and providing a proof-of-concept that allowed us to reproduce the vulnerability and create a micropatch. We also encourage security researchers to privately share their analyses with us for micropatching.

Wednesday, August 10, 2022

Micropatches For "KrbRelay" Local Privilege Escalation Vulnerability (Wontfix/0day)

by Mitja Kolsek, the 0patch Team

Update 10/21/2022: Microsoft silently fixed this issue with October 2022 Updates. No CVE ID was assigned.

"KrbRelay" is a tool for forced authentication issue in Windows that can be used by a low-privileged domain user to take over a Windows computer, potentially becoming a local or domain admin within minutes. The tool, based on James Forshaw's research, was developed by security researcher cube0x0, and was later wrapped by Mor Davidovich into another tool called "KrbRelayUp" that further automated attack steps for escalating privileges.

KrbRelay provides various options to launch different versions of attack; some of these options were already known under the name RemotePotato0, for which we already had patches before. What was new for us with KrbRelay was its capability to launch a local service (running in session 0) via RPC and exploit it for leaking Local System credentials through forced authentication. In order to be exploitable, a service must allow authentication over the network, and just two such services were identified on affected Windows versions:

ActiveX Installer Service, identified by CLSID 90f18417-f0f1-484e-9d3c-59dceee5dbd8; and
RemoteAppLifetimeManager.exe, identified by CLSID 0bae55fc-479f-45c2-972e-e951be72c0c1.

Microsoft does not fix forced authentication issues unless an attack can be mounted anonymously. Our customers unfortunately can't all disable relevant services or implement mitigations without breaking production, so it is on us to provide them with such patches.

For the purpose of identifying vulnerabilities we decided to name the vulnerability exposing the above services "KrbRelay", as other attack vectors provided by the tool were already blocked by our existing patches for RemotePotato0. We decided to inject our patch logic at the point where a local unprivileged attacker launches the exploitable service, because such patch would be fairly simple - and we like it simple: it's harder to make mistakes.

Our patch, source code shown below, resides in rpcss.dll and checks whether someone is trying to launch one of the above services via RPC; in such case, if the requestor's token is elevated, we allow it, otherwise not. This is the same approach as we used with patching RemotePotato0.

MODULE_PATH "..\Affected_Modules\rpcss.dll_10.0.17763.3113_Srv2019_64-bit_u202207\rpcss.dll"
PATCH_ID 992
PATCH_FORMAT_VER 2
VULN_ID 7416
PLATFORM win64

patchlet_start
   PATCHLET_ID 1
   PATCHLET_TYPE 2
   PATCHLET_OFFSET 0x6674
   N_ORIGINALBYTES 5
   JUMPOVERBYTES 0
   PIT Advapi32.dll!GetTokenInformation,ntdll!_strnicmp,rpcss.dll!0x68ccd
   ; memory representation:    17 84 f1 90 f1 f0 4e 48 9d 3c 59 dc ee e5 db d8
   ; clsid:                    90f18417-f0f1-484e-9d3c-59dceee5dbd8

    code_start
        call VAR
        dd 0x90f18417                 ; CIeAxiInstallerService Class
        dw 0xf0f1, 0x484e
        db 0x9d, 0x3c, 0x59, 0xdc, 0xee, 0xe5, 0xdb, 0xd8
   VAR:
        pop rcx                       ; rcx => clsid in memory respresentation
        mov rdx, [rbx]                ; ClientToken hadle
        mov r8, 16                    ; length to compare
        call PIT__strnicmp            ; Compares the specified number of characters
                                      ; of two strings without regard to case
        cmp rax, 0                    ; rax == 0 string are equal
        jne CONTINUE                ; if rax != 0 continue normal code flow

        mov rdx, [rbx+8]
        mov rdx, [rdx]
        mov rcx, [rdx+40h]            ; current session token, TokenHandle
        mov rdx, 14h                ; TokenInformationClass, TokenElevation
        sub rsp, 30h                ; home space + vars
        lea r8, [rsp+30h]             ; TokenInformation
        mov qword[rsp+30h], 0         ; memset
        mov r9, 4                     ; TokenInformationLength
        lea rax, [rsp+28h]            ; ReturnLength address
        mov [rsp+20h], rax            ; pointer to address
        call PIT_GetTokenInformation ; The GetTokenInformation function retrieves a
                                      ; specified type of information about an access token
        add rsp, 30h                ; restore stack pointer
        cmp byte[rsp], 0            ; token elevated?
        je PIT_0x68ccd                ; if elevated(1) continue normal code flow

   CONTINUE:

   code_end
patchlet_end

Micropatch Availability

While this vulnerability has no official vendor patch and could be considered a "0day", Microsoft seems determined not to fix relaying issues such as this one; therefore, this micropatch is not provided in the FREE plan but requires a PRO or Enterprise license.

The micropatch was written for the following Versions of Windows with all available Windows Updates installed:

Windows 10 v21H2
Windows 10 v21H1
Windows 10 v20H2
Windows 10 v2004
Windows 10 v1909
Windows 10 v1903
Windows 10 v1809
Windows 10 v1803
Windows 7 (no ESU, ESU year 1, ESU year 2)
Windows Server 2008 R2 (no ESU, ESU year 1, ESU year 2)
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

If you're new to 0patch, create a free account in 0patch Central, then install and register 0patch Agent from 0patch.com, and email sales@0patch.com for a trial. Everything else will happen automatically. No computer reboot will be needed.

To learn more about 0patch, please visit our Help Center.

We'd like to thank James Forshaw and cube0x0 for sharing details about this vulnerability and sharing a tool, which allowed us to create a micropatch and protect our users. We also encourage security researchers to privately share their analyses with us for micropatching.

Wednesday, July 27, 2022

Changes in 0patch Pricing For New Subscriptions Coming in August

[Update 8/1/2024: Today, 24 months after the pricing update described in this article, we are discontinuing our pre-2022 legacy prices for renewed subscriptions. All new subscriptions as well as renewals will from now on be on current prices only. This overrides information about existing subscriptions in this article.]

Over the years, 0patch has evolved from a simple proof-of-concept into a production-grade security service protecting computers around the World. We've been adding features and improving reliability, we have developed tools and processes to speed up vulnerability analysis and patch development, and we still have many ideas and plans to implement.

What was initially met with various skeptical remarks has now become a standard for protecting Windows computers in our customers' organizations who use 0patch both for keeping their legacy systems secure from old and new exploits, and for blocking 0day attacks while others are still waiting for original vendor fixes. We're happy to see our customers expanding their 0patch deployments and spreading the word to their peers.

To reflect the increased value and support further innovation and growth of our team, we're announcing our first price increase since our launch in 2019. This change, having been advertised on our pricing page for months, will go into effect on August 1, 2022, and will only apply to new subscriptions that get created on or after August 1, 2022; any existing subscriptions (including trials) will remain on the old pricing for 24 months as long as they're renewed on time.

0patch PRO: Price of a PRO license will be increased for 2 EUR/year to 24,95 EUR/year (increase of 0,20 EUR/month).

0patch Enterprise: Price of an Enterprise license will be increased for 12 EUR/year to 34,95 EUR/year (increase of 1,20 EUR/month). We have until now offered Enterprise features for no extra charge but it's time to detach Enterprise pricing from PRO pricing to reflect the added value of Enterprise features.

Our mission has always been to help our users neutralize critical vulnerabilities in a low-effort, low-risk and affordable way before attackers start exploiting them. We remain committed to this mission and attentive to users' feedback when prioritizing new features that will make their work easier and their environments more secure.

Friday, July 1, 2022

Micropatching the "DFSCoerce" Forced Authentication Issue (No CVE)

by Mitja Kolsek, the 0patch Team

"DFSCoerce" is another forced authentication issue in Windows that can be used by a low-privileged domain user to take over a Windows server, potentially becoming a domain admin within minutes. The issue was discovered by security researcher Filip Dragovic, who also published a POC.

Filip's tweet indicated this issue can be used even if you have disabled or filtered services that other currently known forced authentication issues such as PrinterBug/SpoolSample, PetitPotam, ShadowCoerce and RemotePotato0 are exploiting: "Spooler service disabled, RPC filters installed to prevent PetitPotam and File Server VSS Agent Service not installed but you still want to relay DC authentication to ADCS? Don't worry MS-DFSNM have your back ;)"

A quick reminder: Microsoft does not fix forced authentication issues unless an attack can be mounted anonymously. Our customers unfortunately can't all disable relevant services or implement mitigations without breaking production, so it is on us to provide them with such patches.

The Vulnerability

The vulnerability lies in the Distributed File System (DFS) service. Any authenticated user can make a remote procedure call to this service and execute functions NetrDfsAddStdRoot or NetrDfsremoveStdRoot, providing them with host name or IP address of attacker's computer. These functions both properly perform a permissions check using a call to AccessImpersonateCheckRpcClient, which returns error code 5 ("access denied") for users who aren't allowed to do any changes to DFS. If access is denied, they block the adding or removing of a stand-alone namespace - but they both still perform a credentials-leaking request to the specified host name or IP address.

Such leaked credentials - belonging to server's computer account - can be relayed to some other service in the network such as LDAP or Certificate Service to perform privileged operations leading to further unauthorized access. Unsurprisingly, attackers and red teams like such things.

Our Micropatch

Since a proper access check was already in place, just not reacted to entirely properly, we decided to use its result and correct the logic in both vulnerable functions.

The image below shows our patch (green code blocks) injected in function NetrDfsremoveStdRoot. As you can see, a call to AccessImpersonateCheckRpcClient is made in the original code, which returns 5 ("access denied") when the caller has insufficient permissions. This information is then stored as one bit into register r8b, and copied to local variable arg_18 (sounds like an argument, but compilers use so-called "home space" for local variables when it suits them). Our patch code takes the return value of AccessImpersonateCheckRpcClient and compares it to 5; if equal, we sabotage attacker's attempts by placing a zero at the beginning of their ServerName string pointed to by rcx, effectively turning it into an empty string. This approach allows us to minimize the amount of code and complexity of the patch, which is always our goal. Function DfsDeleteStandaloneRoot, which causes the forced authentication to attacker's host, is then called from the original code (moved to a blue trampoline code block) but it gets an empty string for the host name - and returns an error. A blocked attack therefore behaves as if a request was made by an unprivileged user with an illegal ServerName. We decided not to log this as an attempted exploit to avoid possible false positives in case a regular user without malicious intent might somehow trigger this code via Windows user interface.

Source code of the micropatch shows two identical patchlets, one for function NetrDfsAddStdRoot and one for NetrDfsremoveStdRoot:

MODULE_PATH "..\Affected_Modules\dfssvc.exe_10.0.17763.2028_Srv2019_64-bit_u202206\dfssvc.exe"
PATCH_ID 952
PATCH_FORMAT_VER 2
VULN_ID 7442
PLATFORM win64

patchlet_start
   PATCHLET_ID 1                ; NetrDfsAddStdRoot
   PATCHLET_TYPE 2
   PATCHLET_OFFSET 0x183e
   N_ORIGINALBYTES 5
   JUMPOVERBYTES 0
   code_start
        neg eax                ; get original return value from AccessImpersonateCheckRpcClient
        cmp eax, 5               ; check if access denied(5) was returned
        jne CONTINUE_1          ; return value is not 5, continue with
                                 ; normal code execution
        mov word[rcx], 0         ; else set ServerHost to NULL. Result: DFSNM
                                 ; SessionError: code: 0x57 - ERROR_INVALID_PARAMETER
                                 ; continue with original code
   CONTINUE_1:

   code_end
patchlet_end

patchlet_start
   PATCHLET_ID 2                ; NetrDfsremoveStdRoot
   PATCHLET_TYPE 2
   PATCHLET_OFFSET 0x1c96
   N_ORIGINALBYTES 5
   JUMPOVERBYTES 0
   code_start
        neg eax                  ; get original return value from AccessImpersonateCheckRpcClient
        cmp eax, 5               ; check if access denied(5) was returned
        jne CONTINUE_2           ; return value is not 5, continue with
                                 ; normal code execution
        mov word[rcx], 0         ; else set ServerHost to NULL. Result: DFSNM
                                 ; SessionError: code: 0x57 -
ERROR_INVALID_PARAMETER
                                 ; continue with original code
    CONTINUE_2:

   code_end
patchlet_end

Micropatch Availability

While this vulnerability has no official patch and could be considered a "0day", Microsoft seems determined not to fix relaying issues such as this one; therefore, this micropatch is not provided in the FREE plan but requires a PRO or Enterprise license.

The micropatch was written for the following Versions of Windows with all available Windows Updates installed:

Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
Windows Server 2022

Note that only servers are affected as the DSS Service does not exist on workstations.

This micropatch has already been distributed to, and applied on, all online 0patch Agents in PRO or Enterprise accounts (unless Enterprise group settings prevent that).

To learn more about 0patch, please visit our Help Center.

We'd like to thank Filip Dragovic for sharing details about this vulnerability, which allowed us to create a micropatch and protect our users. We also encourage security researchers to privately share their analyses with us for micropatching.