In July 2022, Microsoft patched a PPL bypass flaw, but a new exploit called “BYOVDLL” has been discovered, allowing attackers to bypass LSASS protection.
All about BYOVDLL
In October 2022, Gabriel Landau revealed that the “Bring Your Own Vulnerable DLL” (BYOVDLL) method could still circumvent the patch, allowing PPLdump to run without modifications. This sparked interest in exploring arbitrary code execution in protected processes using various DLLs, even without system reboots, despite Microsoft’s patching efforts.
Windows system protection has two tiers: Protected Process (PP) and Protected Process Light (PPL), with different levels of security based on the signers. LSASS, a PPL, is often targeted for in-memory credential extraction due to its broader attack surface compared to higher-level PPs.
The KeyIso service within LSASS had two significant vulnerabilities:
- An out-of-bound read flaw (CVE-2023-36906).
- A use-after-free vulnerability (CVE-2023-28229).
Exploiting these vulnerabilities involved loading outdated, vulnerable versions of both keyiso.dll and ncryptprov.dll into LSASS.
The exploit involved several steps, including altering registry settings to load a vulnerable keyiso.dll, extracting and signing the DLL, and registering a custom Key Storage Provider to load a vulnerable ncryptprov.dll.
This method bypassed LSASS protection without requiring a system reboot, showing that a patched vulnerability remains exploitable as long as older, still validly signed copies of the affected DLLs can be loaded in place of the fixed ones.
Successfully executing this exploit underscores the ongoing challenges in defending critical processes like LSASS against advanced attack vectors targeting credential theft.
To bypass PPL restrictions that block unsigned DLLs, the exploit replaced the original LoadLibraryW call with OutputDebugStringW, allowing execution confirmation via DebugView instead of relying on Process Monitor to detect filesystem events.
The exploit involved restarting the KeyIso service and registering a custom Key Storage Provider. Upon executing the proof-of-concept code, the debug message “I’m in LSASS!!!” confirmed successful arbitrary code execution within this secure environment.
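Because the technique works by pointing LSASS at outdated but validly signed copies of keyiso.dll and ncryptprov.dll, a defender's check has to look at where those modules are loaded from and which versions they are, not only at whether they are signed. The following PowerShell audit is an added example, not code from the original article or from any of the researchers it cites. It assumes the standard Windows registry locations for the KeyIso service DLL (the ServiceDll value under the KeyIso service's Parameters key) and for user-mode Key Storage Provider registrations (the Image value under each provider's UM subkey); adjust those paths if your build differs.

```powershell
# Added audit example (not part of the original article).
# Assumption: these are the standard registry locations for the KeyIso
# service DLL and for user-mode KSP registrations on current Windows builds.
$ErrorActionPreference = 'Stop'
$system32 = Join-Path $env:SystemRoot 'System32'

function Test-ExpectedModule {
    param([string]$Label, [string]$Path)
    $expanded = [Environment]::ExpandEnvironmentVariables($Path)
    # A bare file name (e.g. "ncryptprov.dll") is resolved from System32.
    if (-not [IO.Path]::IsPathRooted($expanded)) {
        $expanded = Join-Path $system32 $expanded
    }
    $findings = @()
    $ver = $null
    if (-not (Test-Path $expanded)) {
        $findings += 'file missing'
    } else {
        # Any module loaded from outside System32 is the first thing to flag.
        if (-not $expanded.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += 'outside System32'
        }
        # Signature check alone is not enough: an old, vulnerable copy is still
        # validly signed (that is the point of BYOVDLL), so report the version too.
        $sig = Get-AuthenticodeSignature -FilePath $expanded
        if ($sig.Status -ne 'Valid') { $findings += "signature $($sig.Status)" }
        $ver = (Get-Item $expanded).VersionInfo.FileVersion
    }
    [pscustomobject]@{
        Component   = $Label
        Path        = $expanded
        FileVersion = $ver
        Findings    = ($findings -join '; ')
    }
}

$results = @()

# 1. The DLL that the KeyIso service loads into LSASS.
$keyIsoParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\KeyIso\Parameters'
$keyIso = Get-ItemProperty -Path $keyIsoParams -Name ServiceDll
$results += Test-ExpectedModule -Label 'KeyIso ServiceDll' -Path $keyIso.ServiceDll

# 2. Every registered user-mode Key Storage Provider and the image it points at.
$provRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Providers'
foreach ($prov in Get-ChildItem -Path $provRoot) {
    $umKeys = Get-ChildItem -Path (Join-Path $prov.PSPath 'UM') -ErrorAction SilentlyContinue
    foreach ($um in $umKeys) {
        $image = (Get-ItemProperty -Path $um.PSPath -Name Image -ErrorAction SilentlyContinue).Image
        if ($image) {
            $results += Test-ExpectedModule -Label "KSP '$($prov.PSChildName)'" -Path $image
        }
    }
}

# Anything with a non-empty Findings column deserves a closer look; compare the
# FileVersion column against the patched builds for your OS release.
$results | Format-Table -AutoSize
```

Run it from an elevated prompt so the service and provider keys are readable. A clean result only means that the registered paths and signatures look normal; compare the reported file versions against the versions your patch level ships, since a downgraded but validly signed module is exactly what this technique relies on.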
This demonstration showed that loading a vulnerable DLL can effectively circumvent a security patch, paving the way for more advanced attacks within secured processes.