Jump to content

WinShock

From Wikipedia, the free encyclopedia
WinShock
Technical nameMS14-066
TypeExploit (from bug)
Isolation dateMay 2014
Technical details
PlatformWindows Server 2003, Windows Server 2008, Windows Server 2008 R2, , Windows Server 2012, Windows Server 2012 R2, Windows 95, Windows 98, Windows XP, Windows Vista, Windows 7, Windows 8, Windows 8.1
Abused exploitsCertificate Verification Bypass, Buffer Overflow, Remote Code Execution

WinShock is computer exploit that exploits a vulnerability in the Windows secure channel (SChannel) module and allows for remote code execution.[1] The exploit was discovered in May 2014 by IBM, who also helped patch the exploit.[2] The exploit was present and undetected in Windows software for 19 years, affecting every Windows version from Windows 95 to Windows 8.1[3]

Details

[edit]

WinShock exploits a vulnerability in the Windows secure channel (SChannel) security module that allows for remote control of a PC through a vulnerability in SSL, which then allows for remote code execution.[1][4] With the execution of remote code, attackers could compromise the computer completely and gain complete control over it.[5] The vulnerability was given a CVSS 2.0 base score of 10.0, the highest score possible.[6]

The attack exploits a vulnerable function in the SChannel module that handles SSL Certificates.[7] A number of Windows applications such as Microsoft Internet Information Services use the SChannel Security Service Provider to manage these certificates and are vulnerable to the attack.[8]

It was later discovered in November 2014 that the attack could be executed even if the ISS Server was set to ignore SSL Certificates, as the function was still ran regardless. Microsoft Office,[9] and Remote Desktop software in Windows could also be exploited in the same way, even though it did not support SSL encryption at the time.[10]

While the attack is covered by a single CVE, and is considered to be a single vulnerability, it is possible to execute a number of different and unique attacks by exploiting the vulnerability including buffer overflow attacks as well as certificate verification bypasses.[11]

Responsibility

[edit]

The exploit was discovered and disclosed privately to Microsoft in May 2014 by researchers in IBM's X-Force team who also helped to fix the issue.[3] It was later disclosed publicly on 11 November 2014,[1] with a proof-of-concept released not long after.[12]

See also

[edit]

References

[edit]
  1. ^ a b c "MS14-066: Vulnerability in SChannel could allow remote code execution: November 11, 2014 - Microsoft Support". support.microsoft.com. Retrieved 2024-04-28.
  2. ^ "WinShock: A 19-year-old bug". www.eset.com. Retrieved 2024-04-28.
  3. ^ a b "Microsoft patches 19-year-old Windows bug". CNET. Retrieved 2024-06-16.
  4. ^ Mayer, Wilfried; Zauner, Aaron; Schmiedecker, Martin; Huber, Markus (2016-08-31). "No Need for Black Chambers: Testing TLS in the E-mail Ecosystem at Large". 2016 11th International Conference on Availability, Reliability and Security (ARES). pp. 10–20. arXiv:1510.08646. doi:10.1109/ARES.2016.11. ISBN 978-1-5090-0990-9.
  5. ^ "CERT/CC Vulnerability Note VU#505120". www.kb.cert.org. Retrieved 2024-06-16.
  6. ^ "NVD - CVE-2014-6321". nvd.nist.gov. Retrieved 2024-06-16.
  7. ^ Czumak, Mike (2014-11-29). "Exploiting MS14-066 / CVE-2014-6321 (aka "Winshock")". Security Sift. Retrieved 2024-06-16.
  8. ^ "Triggering MS14-066 | BeyondTrust Blog". BeyondTrust. Retrieved 2024-06-16.
  9. ^ "Microsoft fixes '19-year-old' bug with emergency patch". BBC News. 2014-11-12. Retrieved 2024-06-16.
  10. ^ Hutchins, Marcus (2014-11-19). "How MS14-066 (CVE-2014-6321) is More Serious Than First Thought – MalwareTech". malwaretech.com. Retrieved 2024-06-16.
  11. ^ Group, Talos (2014-11-11). "Microsoft Update Tuesday November 2014: Fixes for 3 0-day Vulnerabilities". Cisco Blogs. Retrieved 2024-06-16. {{cite web}}: |last= has generic name (help)
  12. ^ Leyden, John. "WinShock PoC clocked: But DON'T PANIC... It's no Heartbleed". www.theregister.com. Retrieved 2024-06-16.
[edit]