Moderate
CVE-2019-1436
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2019-1436
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka ‘Win32k Information Disclosure Vulnerability’. This CVE ID is unique from CVE-2019-1440.
Add Assessment
Ratings
-
Attacker ValueMedium
-
ExploitabilityVery High
Technical Analysis
This is a vulnerability within NtGdiEnsureDpiDepDefaultGuiFontForPlateau() on Windows 10 which I wrote up an analysis of at https://versprite.com/blog/security-research/silently-patched-information-leak/. Originally I thought this was a silently patched bug, but Matt Miller corrected me on this (see https://twitter.com/epakskape/status/1215698153346744321) The bug occurs due to the fact that GreEnsureDpiDepDefaultGuiFontForPlateau() naturally leaks the value of the win32kbase!gahDpiDepDefaultGuiFonts pointer under certain conditions. which can allow attackers to potentially bypass KASLR under certain conditions.
To the best of my knowledge, this was fixed by Microsoft patching NtGdiEnsureDpiDepDefaultGuiFontForPlateau() so that it always returns 0 by adding an extra instruction which does:
xor eax, eax
This is shown in the screenshots in the article. As NtGdiEnsureDpiDepDefaultGuiFontForPlateau() was only added within Windows 10 v1709 (see j00ru’s system call list at https://j00ru.vexillium.org/syscalls/win32k/64/ and search for NtGdiEnsureDpiDepDefaultGuiFontForPlateau() ) , this bug is unique to Windows 10 hosts despite the fact that this CVE actually covers several related bugs (see Matt Millers comment on this at https://twitter.com/epakskape/status/1217189528806412288).
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- microsoft
Products
- windows 10 -,
- windows 10 1607,
- windows 10 1709,
- windows 10 1803,
- windows 10 1809,
- windows 10 1903,
- windows server 2016 -,
- windows server 2016 1803,
- windows server 2016 1903,
- windows server 2019 -
References
Additional Info
Technical Analysis
Report as Emergent Threat Response
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: