CVE-2019-1132
Attacker Value: High (4 users assessed)
Exploitability: Moderate (4 users assessed)
Description
Privilege Escalation on Windows 7, Server 2008, and Server 2008 R2 targeting win32k.sys
Ratings
- Attacker Value: High
- Exploitability: Medium
Technical Analysis
This vulnerability takes advantage of a null pointer dereference within the Windows win32k.sys driver. win32k.sys is notorious for including GDI objects and other objects that can be abused and utilized for various types of exploitation. This vulnerability takes advantage of pop-up menu objects, and exploitation of this vulnerability can grant the user SYSTEM access, AKA escalation of privilege. This vulnerability displays a menu using the TrackPopupMenu function, and code that is hooked to EVENT_SYSTEM_MENUPOPUPSTART gets executed.
This vulnerability also flips the bServerSideWindowProc bit within the tagWND data structure; it also utilizes the tagWND structure to leak kernel memory addresses.
This vulnerability seems to be mitigated on the newer versions of Windows: with Windows 8.1 and the introduction of various mitigations, null pointer dereference vulnerabilities stopped existing. And in some newer, and even some earlier, Windows 10 security updates, there have been mitigations to prevent kernel address leakage from the tagWND structure.
Ratings
- Attacker Value: Medium
- Exploitability: Low
Technical Analysis
This is a priv esc being used in the wild. It targets older versions of Windows, with part of the path to execution stopped in recent Workstation OS internal changes. If you are running the affected OS, you should patch and think about upgrading the OS to something released in the last decade.
Technical Analysis
Reported as exploited in the wild as part of Google's 2020 0-day vulnerability spreadsheet, which they made available at https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=1869060786. The original tweet announcing this spreadsheet with the 2020 findings can be found at https://twitter.com/maddiestone/status/1329837665378725888
Technical Analysis
This is another priv esc in the win32k.sys system. It leverages Windows pop-up windows to craft a race condition to overwrite an allocated section of memory, then hands that memory location to a function that executes it in kernel mode.
It is being actively used in the wild.
The mitigations are pretty strong. Microsoft released a patch, and internal security controls on Windows 8 and above prevent writing to the allocated memory, so while the exploit might be present on later systems, it is not usable. In the write-up by the discoverer, (s)he claims that the fix in Windows 8 was backported to Windows 7 x64 systems, but lists SP1 as vulnerable. I assume this means the fix was in a patch release.
General Information
Exploited in the Wild