
PoC exploit for Windows 0-day downgrade attack released

A proof-of-concept (PoC) exploit has been published for two critical zero-day vulnerabilities in Microsoft Windows that enable a novel “downgrade attack.” The vulnerabilities, tracked as CVE-2024-38202 and CVE-2024-21302, were originally disclosed by SafeBreach researcher Alon Leviev at Black Hat USA 2024 and DEF CON 32 earlier this month.

The vulnerabilities allow an attacker to manipulate the Windows Update process to secretly downgrade a fully patched Windows system to an older, vulnerable state, effectively turning previously fixed vulnerabilities back into exploitable zero-day vulnerabilities.

“This allowed me to make a fully patched Windows machine vulnerable to thousands of past vulnerabilities, turn fixed vulnerabilities into zero-day vulnerabilities, and render the term 'fully patched' meaningless on every Windows machine in the world,” Safebreach's Alon Leviev explained in his original investigation.

Leviev has now published the PoC exploit called “Windows Downdate” on GitHub. The tool automates the exploitation of the two zero-days to take control of the Windows Update process and create “completely undetectable, invisible, permanent and irreversible downgrades” for critical operating system components.

Windows Downdate can bypass integrity checks, Trusted Installer enforcement, and other security checks to downgrade core Windows DLLs, drivers, and even the NT kernel itself. It can also downgrade Credential Guard and Hyper-V components to re-expose patched privilege escalation vulnerabilities.

The implications are severe – an attacker could use these techniques to silently revert a fully updated Windows deployment to a vulnerable state, allowing thousands of previously patched vulnerabilities to be exploited again. Scanning and recovery tools cannot detect malicious downgrades.

Windows Downdate abuses unprotected elements of the Windows Update architecture to secretly downgrade a fully patched system to an older, vulnerable state while disabling critical security features in a way that is very difficult to detect and undo.

“I managed to make a fully patched Windows machine vulnerable to thousands of past vulnerabilities, turn fixed vulnerabilities into zero-day vulnerabilities, and make the term 'fully patched' meaningless on every Windows machine in the world,” said Alon Leviev.

Microsoft acknowledged the zero-day vulnerabilities in two alerts on August 7 and stated that patches were being worked on. However, a month later, the fixes were still not available, prompting Leviev to release the PoC to raise awareness and enable faster patching.

“Microsoft is developing a security update that revokes outdated, unpatched VBS system files to address this vulnerability, but it is not yet available,” the company said in its alert on CVE-2024-21302.

In the meantime, Microsoft has provided some mitigations, such as implementing an Access Control List (ACL) or Discretionary Access Control List (DACL) to restrict access to the PoqexecCmdline registry key that enables the attack.
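One way to check whether that interim mitigation is in place is to audit who holds write rights on the registry key that carries the PoqexecCmdline value. The script below is an added example for this article, not code from Microsoft or SafeBreach; it assumes the value lives under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager and treats SYSTEM, Administrators and TrustedInstaller as the expected writers.

```powershell
# Added example (not from the article, Microsoft or SafeBreach).
# Assumption: PoqexecCmdline is a value under this key.
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller')

# Rights that let a principal change values or create subkeys.
$writeMask = [System.Security.AccessControl.RegistryRights]::SetValue -bor
             [System.Security.AccessControl.RegistryRights]::CreateSubKey -bor
             [System.Security.AccessControl.RegistryRights]::WriteKey

function Get-WritableRegistryAces {
    param([string]$Path, [string[]]$TrustedIdentities)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to future subkeys, not to this key itself.
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if (($ace.RegistryRights -band $writeMask) -eq 0) { continue }
        if ($TrustedIdentities -contains $ace.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

# Record the current value so a later change stands out in the audit log.
$current = Get-ItemProperty -Path $keyPath -Name PoqexecCmdline -ErrorAction SilentlyContinue
if ($current) { Write-Output "PoqexecCmdline = $($current.PoqexecCmdline)" }
else          { Write-Output 'PoqexecCmdline is not currently set' }

$findings = @(Get-WritableRegistryAces -Path $keyPath -TrustedIdentities $trusted)
if ($findings.Count -eq 0) {
    Write-Output "OK: only trusted principals can write $keyPath"
} else {
    Write-Output "Review: non-trusted principals with write access to $keyPath"
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell session; reading the key's DACL does not require SeSecurityPrivilege, but tightening it afterwards does require administrative rights.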

However, security experts warn that these measures are incomplete and can be easily bypassed by determined attackers. The only complete solution is to install official security updates from Microsoft as soon as they are available.

The incident highlights the danger of zero-day vulnerabilities in core operating system components and designs, which can be exploited to compromise systems and repeatedly re-expose patched vulnerabilities. It also underscores the need for more proactive research into these complex attack surfaces.

“Design features of an operating system should always be reviewed and considered a relevant attack surface, regardless of how old the feature is,” said Alon Leviev. “We believe that other operating systems can be equally vulnerable to similar attack vectors and that all operating system vendors need to be vigilant about the threats they pose.”