CVE-2019-1169
Description
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
The update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.
Ratings
- Attacker Value: Medium
- Exploitability: Medium
Technical Analysis
Wrote up a full analysis of this bug in two parts at https://versprite.com/blog/security-research/cve-2019-1169-vulnerability-windows/. I believe that in reality CVE-2019-1169 actually covers several vulnerabilities, as if one looks at ZDI’s advisory at https://www.zerodayinitiative.com/advisories/ZDI-19-709/ they can see that one of the bugs covered by CVE-2019-1169 is actually an information leak.
My blog post covers this information leak, which is exploitable by attackers who have some knowledge of how Windows messages work and how Windows hooks and event hooks operate. Exploiting the vulnerability is only possible on Windows 7 x86 and prior, as it is a NULL pointer dereference vulnerability; however, successful exploitation results in the ability to read a DWORD worth of information at two arbitrary addresses in kernel memory per exploitation attempt.
I have also written up exploit code which will trigger this info leak vulnerability, which is available at https://github.com/VerSprite/research/tree/master/exploits/Ndays/CVE-2019-1169
General Information
Vendors
- microsoft
Products
- windows 7
- windows server 2008
- windows server 2008 r2