Attacker Value
Moderate
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
0

CVE-2019-1436

Disclosure Date: November 12, 2019
CVE-2019-1436 CVSS v3 Base Score: 5.5
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka ‘Win32k Information Disclosure Vulnerability’. This CVE ID is unique from CVE-2019-1440.

Add Assessment

4
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Common in enterpriseEasy to weaponizeVulnerable in default configuration
Technical Analysis

This is a vulnerability within NtGdiEnsureDpiDepDefaultGuiFontForPlateau() on Windows 10 which I wrote up an analysis of at https://versprite.com/blog/security-research/silently-patched-information-leak/. Originally I thought this was a silently patched bug, but Matt Miller corrected me on this (see https://twitter.com/epakskape/status/1215698153346744321) The bug occurs due to the fact that GreEnsureDpiDepDefaultGuiFontForPlateau() naturally leaks the value of the win32kbase!gahDpiDepDefaultGuiFonts pointer under certain conditions. which can allow attackers to potentially bypass KASLR under certain conditions.

To the best of my knowledge, this was fixed by Microsoft patching NtGdiEnsureDpiDepDefaultGuiFontForPlateau() so that it always returns 0 by adding an extra instruction which does:

xor eax, eax

This is shown in the screenshots in the article. As NtGdiEnsureDpiDepDefaultGuiFontForPlateau() was only added within Windows 10 v1709 (see j00ru’s system call list at https://j00ru.vexillium.org/syscalls/win32k/64/ and search for NtGdiEnsureDpiDepDefaultGuiFontForPlateau() ) , this bug is unique to Windows 10 hosts despite the fact that this CVE actually covers several related bugs (see Matt Millers comment on this at https://twitter.com/epakskape/status/1217189528806412288).

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
5.5 Medium
Impact Score:
3.6
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
None
Availability (A):
None

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1709 for 32-bit Systems
Windows 10 Version 1709 for x64-based Systems
Windows 10 Version 1803 for 32-bit Systems
Windows 10 Version 1803 for x64-based Systems
Windows 10 Version 1803 for ARM64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1709 for ARM64-based Systems
Windows Server 2016
Windows Server 2016 (Core installation)
Windows Server version 1803 (Core Installation)
Windows Server 2019
Windows Server 2019 (Core installation)
Windows 10 Version 1903 for 32-bit Systems
Windows 10 Version 1903 for x64-based Systems
Windows 10 Version 1903 for ARM64-based Systems
Windows Server, version 1903 (Server Core installation)
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • microsoft

Products

  • windows 10 -,
  • windows 10 1607,
  • windows 10 1709,
  • windows 10 1803,
  • windows 10 1809,
  • windows 10 1903,
  • windows server 2016 -,
  • windows server 2016 1803,
  • windows server 2016 1903,
  • windows server 2019 -

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis