Windows EoP Bug Detailed by Google Project Zero (Security News, August 2021)
The gist of the matter is that the default rules of the Windows Filtering Platform (WFP), a set of APIs and system services that provide a platform for building network-filtering applications, permit executable files to connect to TCP sockets in AppContainers, which can enable malicious actors to pull off EoP. Essentially, some of the rules defined in WFP can be matched by a malicious actor to connect to an AppContainer and inject malicious code.
As Forshaw explained in his report, connecting to an external network resource from an AppContainer is enforced through default rules in the WFP: "For example, connecting to the internet via IPv4 will process rules in the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer," he wrote.
"Eventually an AC process will match the 'Block Outbound Default Rule' rule if nothing else has, which will block any connection attempt."
Although the flaw affects any system with these default rules, he specifically mentioned testing on Windows 10 version 2004 in his report.
As far as a fix goes, Forshaw suggested that perhaps the default rules "shouldn't match AC processes or they should be ordered after the AC block rule."
"I'm not sure if there's a general way of fixing the issue, but as an AC process can't enumerate the current rules then an AC process would never know if non-default rules have been added that they could abuse."
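The report's point is that evaluation order within the FWPM_LAYER_ALE_AUTH_CONNECT_V4 layer decides which rule an AppContainer process matches before it ever reaches the "Block Outbound Default Rule". The following PowerShell script is an added auditing example, not code from the Project Zero report or from the article: it dumps the current WFP filter set with `netsh wfp show filters`, keeps the filters in that layer, and lists the permit filters that carry no AppContainer package-ID condition yet sort ahead of the AC block rule, which is exactly the ordering Forshaw says should not happen. The XML element names it reads (`wfpdiag/filters/item`, `layerKey`, `displayData/name`, `effectiveWeight/uint64`, `filterCondition/item/fieldKey`, `action/type`) are assumptions about the layout of the netsh dump and should be checked against a dump from your own system; the file path is constructed for the example.

```powershell
# Added example: audit filter ordering in the ALE_AUTH_CONNECT_V4 layer.
# Not from the Project Zero report or the Threatpost article. Run elevated.
# Assumption: XML layout of `netsh wfp show filters` as named in the lead-in.

$Layer     = 'FWPM_LAYER_ALE_AUTH_CONNECT_V4'
$BlockRule = 'Block Outbound Default Rule'              # rule name quoted in the report
$Dump      = Join-Path $env:TEMP 'wfp-filters.xml'      # constructed output path

# netsh writes the live filter set to an XML file; nothing is modified.
netsh wfp show filters file="$Dump" | Out-Null
[xml]$Wfp = Get-Content -Path $Dump -Raw

# Keep only the filters registered in the layer the report talks about.
$Filters = @($Wfp.wfpdiag.filters.item | Where-Object { $_.layerKey -eq $Layer })

$Rows = foreach ($f in $Filters) {
    # Condition field keys tell us whether the filter is scoped to AppContainer
    # packages (FWPM_CONDITION_ALE_PACKAGE_ID) or matches every process.
    $conds = @($f.filterCondition.item | ForEach-Object { $_.fieldKey })
    [pscustomobject]@{
        Name            = $f.displayData.name
        Action          = $f.action.type
        SubLayer        = $f.subLayerKey
        EffectiveWeight = [uint64]$f.effectiveWeight.uint64
        PackageScoped   = ($conds -contains 'FWPM_CONDITION_ALE_PACKAGE_ID')
        Conditions      = ($conds -join ', ')
    }
}

# Within a sublayer, WFP evaluates higher effective weight first.
$Sorted = $Rows | Sort-Object EffectiveWeight -Descending

$Block = $Sorted | Where-Object { $_.Name -eq $BlockRule } | Select-Object -First 1
if (-not $Block) {
    Write-Warning "No filter named '$BlockRule' found in $Layer; review the dump manually."
    $Sorted | Format-Table Name, Action, SubLayer, EffectiveWeight, PackageScoped -AutoSize
    return
}

# Permit filters that (a) are not tied to a package ID and (b) sort ahead of the
# AC block rule are the ones an AppContainer process could match first.
$Suspect = $Sorted | Where-Object {
    $_.Action -eq 'FWP_ACTION_PERMIT' -and
    -not $_.PackageScoped -and
    $_.SubLayer -eq $Block.SubLayer -and
    $_.EffectiveWeight -gt $Block.EffectiveWeight
}

"AC block rule '$BlockRule': weight $($Block.EffectiveWeight), sublayer $($Block.SubLayer)"
"Permit filters evaluated before it that do not require a package ID:"
$Suspect | Format-Table Name, EffectiveWeight, Conditions -AutoSize
```

The sublayer comparison matters: WFP orders filters by sublayer weight first and only then by filter weight, so a permit filter in a different sublayer is not directly comparable to the block rule by weight alone, and the script deliberately restricts the comparison to the block rule's own sublayer. The list it produces is a review queue rather than a verdict; a filter that permits loopback traffic for every process may be intentional, but each entry is one an administrator should be able to explain, and it is the set the report's suggested fix (package-scoping those rules or ordering them after the AC block rule) would empty.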
Source: https://threatpost.com/windows-eop-bug-detailed-by-google-project-zero/168823/