Win32k Elevation of Privilege Vulnerability
Attacker Value: Very High (3 users assessed)
Exploitability: Low (3 users assessed)
Description
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka ‘Win32k Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2019-0797.
Ratings
- Attacker Value: Very High
- Exploitability: Low
Technical Analysis
Wrote up a technical analysis of this bug for Exodus Intelligence at https://blog.exodusintel.com/2019/05/17/windows-within-windows/. The bug itself is relatively easy to trigger if you understand how Window messages work, but is a bit tricky to understand if you're not familiar with this. Exploit reliability is high unless exploiting from the Chrome sandbox; in these scenarios it is still possible to exploit the target on older versions of Windows (Windows 7 and prior), however we did find that there was some interesting behavior going on with the Chrome sandbox escape shellcode, as while it would disassociate the current process with the Chrome sandbox job (and henceforth the job’s limitations), it would occasionally trigger APC_INDEX_MISMATCH errors under certain conditions, particularly if the target user was an administrator.
TLDR: This exploit does take a bit of knowledge of Win32k.sys and Windows internals to exploit, but provided an attacker has this knowledge, or has access to the public exploit, they can easily escalate their privileges to a SYSTEM user from any privilege level.
Technical Analysis
Just an update to my previous assessment (@tekwizz123), but this was in fact exploited in the wild as noted at https://blogs.360.cn/post/RootCause_CVE-2019-0808_EN.html and https://securityaffairs.co/wordpress/82428/hacking/cve-2019-0808-win-flaw.html.
Ratings
- Attacker Value: Very High
- Exploitability: Low
Technical Analysis
This bug is interesting because it was being used in the wild to install software without user permissions: https://krebsonsecurity.com/tag/cve-2019-0797/. It had intrinsic value to attackers already. Whether you are really at risk depends on whether you like to run malicious binaries. Do you?
General Information
Exploited in the Wild
Additional Info
Technical Analysis
Oh, I should also mention the code is available at https://github.com/exodusintel/CVE-2019-0808, although the public version is purely just for both the Chrome sandbox escape and the Win32k exploit combined. It's possible to take the DLL code and remove the Chrome sandbox escape parts to just have a plain DLL without the sandbox escape bits that will grant privilege escalation under normal conditions.