SAN FRANCISCO – CrowdStrike displayed a flare for the dramatic at RSA Conference Wednesday during the company’s “Oscars” event, where it unveiled a new Meltdown exploit.
The cybersecurity vendor unveiled the exploit, dubbed “MeltiKatz,” during the company’s 2018 Hacking Exposed Oscars. The contest recognizes the most formidable flaws and impressive exploits CrowdStrike saw over the last year. This year’s nominees included techniques, such as a credential theft campaign that uses Microsoft’s Server Message Block protocol and a whitelisting bypass that abuses the InstallUtil command line tool.
But this year, Crowdstrike threw a curve ball.
“And the winner is…actually none of them,” said CrowdStrike CEO George Kurtz, naming Meltdown as the winner. Kurtz then unveiled MeltiKatz, saying “Certainly, it wouldn’t be an RSA [Conference] without developing our own tools around this.”
CrowdStrike CTO Dimitri Alperovitch outlined the Meltdown exploit, which uses the MimiKatz tool, and reassured the audience it was developed by the vendor, not threat actors in the wild. “This is something we’re not yet seeing in real-world attacks, but we had one of our ninjas, Alex Ionescu, create something really cool,” he said.
The Meltdown vulnerability essentially enables unauthorized users to read privileged kernel memory in an Intel system. Alperovitch explained that operating system vendors introduced mitigations for Meltdown that tried to reduce or prevent data from leaking out systems; those mitigations involved unmapping kernel memory from user-mode processes so intruders can’t access it.
But Alperovitch explained you can’t fully unmap kernel memory, so while the mitigations address a lot of the problems, it doesn’t fully fix Meltdown. And, he said, the situation gets more complicated on Windows systems.
“Windows actually does not fully believe that the user-mode to kernel memory border is a security border that needs to be enforced,” he said, adding that someone using a privileged user mode can still do a lot of things on a Windows system even if it’s patched.
Alperovitch said Microsoft rightly decided the cost of fully mitigating against Meltdown, which would have unmapped all kernel memory from user mode, would have been too high in terms of performance impact. However, that means that Microsoft’s mitigation for Meltdown is disabled for processes run by administrators with high integrity tokens. “Even on a fully patched machine, you can still use Meltdown as an administrative app to do really cool things,” he said.
Because of the way Windows is designed, a threat actor who gains administrative rights could access parts of the registry that contain Windows NT LAN Manager password hashes, encrypted cached passwords for Active Directory and other sensitive data.
Ionescu initially Tweeted about MeltiKatz in January shortly after Meltdown and Spectre were disclosed. Despite the Meltdown exploit approach being publicly available, Alperovitch said CrowdStrike has seen no indication threat actors have used this type of attack.
CrowdStrike did not release the technical specifications for MeltiKatz, but Alperovitch said the demo showed “the power of Meltdown” against even systems that have been patched. While CrowdStrike’s Oscars event may have been a bit over the top, the MeltiKatz demo was a chilling reminder of how far-reaching the vulnerability is.