Attacker Value: Moderate (1 user assessed)
Exploitability: Very High (1 user assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Local

CVE-2019-1436

Disclosure Date: November 12, 2019

Description

An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka ‘Win32k Information Disclosure Vulnerability’. This CVE ID is unique from CVE-2019-1440.


4
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very High
Technical Analysis

This is a vulnerability within NtGdiEnsureDpiDepDefaultGuiFontForPlateau() on Windows 10 which I wrote up an analysis of at https://versprite.com/blog/security-research/silently-patched-information-leak/. Originally I thought this was a silently patched bug, but Matt Miller corrected me on this (see https://twitter.com/epakskape/status/1215698153346744321). The bug occurs due to the fact that GreEnsureDpiDepDefaultGuiFontForPlateau() naturally leaks the value of the win32kbase!gahDpiDepDefaultGuiFonts pointer under certain conditions, which can allow attackers to potentially bypass KASLR under certain conditions.

To the best of my knowledge, this was fixed by Microsoft patching NtGdiEnsureDpiDepDefaultGuiFontForPlateau() so that it always returns 0 by adding an extra instruction which does:

xor eax, eax

This is shown in the screenshots in the article. As NtGdiEnsureDpiDepDefaultGuiFontForPlateau() was only added within Windows 10 v1709 (see j00ru's system call list at https://j00ru.vexillium.org/syscalls/win32k/64/ and search for NtGdiEnsureDpiDepDefaultGuiFontForPlateau()), this bug is unique to Windows 10 hosts despite the fact that this CVE actually covers several related bugs (see Matt Miller's comment on this at https://twitter.com/epakskape/status/1217189528806412288).

CVSS V3 Severity and Metrics
Base Score: 5.5 Medium
Impact Score: 3.6
Exploitability Score: 1.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): None
Availability (A): None

General Information

Vendors

  • microsoft

Products

  • windows 10 -
  • windows 10 1607
  • windows 10 1709
  • windows 10 1803
  • windows 10 1809
  • windows 10 1903
  • windows server 2016 -
  • windows server 2016 1803
  • windows server 2016 1903
  • windows server 2019 -
