  • Attacker Value: Moderate (1 user assessed)
  • Exploitability: Moderate (1 user assessed)
  • User Interaction: None
  • Privileges Required: Low
  • Attack Vector: Local

CVE-2019-1169

Disclosure Date: August 14, 2019

Description

An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka ‘Win32k Elevation of Privilege Vulnerability’.

Technical Analysis

Wrote up a full analysis of this bug in two parts at https://versprite.com/blog/security-research/cve-2019-1169-vulnerability-windows/. I believe that in reality CVE-2019-1169 actually covers several vulnerabilities, as if one looks at ZDI’s advisory at https://www.zerodayinitiative.com/advisories/ZDI-19-709/ they can see that one of the bugs covered by CVE-2019-1169 is actually an information leak.

My blog post covers this information leak, which is exploitable by attackers who have some knowledge of how Windows messages work and how windows hooks and event hooks operate. Exploiting the vulnerability is only possible on Windows 7 x86 and prior, as it is a NULL pointer dereference vulnerability; however, successful exploitation results in the ability to read a DWORD worth of information at two arbitrary addresses in kernel memory per exploitation attempt.

I have also written up exploit code which will trigger this info leak vulnerability, which is available at https://github.com/VerSprite/research/tree/master/exploits/Ndays/CVE-2019-1169

CVSS V3 Severity and Metrics
  • Base Score: 7.8 High
  • Impact Score: 5.9
  • Exploitability Score: 1.8
  • Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Attack Vector (AV): Local
  • Attack Complexity (AC): Low
  • Privileges Required (PR): Low
  • User Interaction (UI): None
  • Scope (S): Unchanged
  • Confidentiality (C): High
  • Integrity (I): High
  • Availability (A): High

General Information

Vendors

  • microsoft

Products

  • windows 7
  • windows server 2008
  • windows server 2008 r2
