Description
slides
blackhat.com/us-24/briefings/schedule/#windows-downdate-downgrade-attacks-using-windows-updates-38963

Downgrade attacks force software to revert to an older, vulnerable version of itself. In 2023, the notorious BlackLotus UEFI bootkit emerged, downgrading the Windows boot manager to bypass Secure Boot. Microsoft addressed the threat by mitigating downgrade attacks on the boot manager, protecting Secure Boot against downgrades. However, we wondered whether Secure Boot was the only critical component vulnerable to downgrade attacks.
Aiming to find an undetectable downgrade flow, we investigated the least suspicious entity for executing downgrade attacks, Windows Updates, and identified its Achilles' heel, enabling us to take full control of it. This allowed us to create downgrading updates that bypass all verification steps performed during updates, including integrity verification and Trusted Installer enforcement.
Armed with these capabilities, we managed to downgrade critical OS components, including DLLs, drivers, and even the NT kernel. Afterwards, the OS reported that it was fully updated and was unable to install future updates, while recovery and scanning tools were unable to detect any issues.
We then aimed higher, and found that the entire virtualization stack is at risk too. We successfully downgraded Hyper-V's hypervisor, Secure Kernel, and Credential Guard's Isolated User Mode process to expose past privilege escalation vulnerabilities.
Furthermore, we discovered multiple ways to disable Virtualization-Based Security (VBS), including its features such as Credential Guard and Hypervisor-Protected Code Integrity (HVCI), even when enforced with UEFI locks. To our knowledge, this is the first time VBS's UEFI locks have been bypassed without physical access.
Lastly, we discovered another vulnerability in a Windows Updates restoration scenario, making all of these attack vectors accessible to unprivileged attackers!
In this talk, we'll introduce "Windows Downdate" - a tool that takes over Windows Updates to craft custom downgrades and expose thousands of past vulnerabilities, turning fixed vulnerabilities into 0-days. It makes the term "fully patched" meaningless across any Windows machine worldwide.