Moderate
CVE-2020-1143: Win32k Use-After-Free
Description
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Ratings
Attacker Value: Medium
Exploitability: Very Low
Technical Analysis
A vulnerability exists within the Win32k subsystem (provided by the win32k.sys, win32kbase.sys, and win32kfull.sys drivers) on Windows 10 that can be leveraged to trigger a Use-After-Free condition whereby freed memory is used by win32kbase!GreUnlockRegion.
From my testing of the public PoC, I found this bug unreliable to trigger. Even with Driver Verifier enabled and standard settings (including SpecialPool) enabled, no exception and Blue Screen occurred. From reading through the PoC it looks like there is some kind of edge condition (possibly a race) that requires the PoC to re-execute itself (via CreateProcessA) to attempt to trigger the vulnerability.
Due to the unreliable nature of the PoC and the difficulty of replacing the freed memory within the heap, I believe this vulnerability would be difficult to exploit reliably. Successful execution, however, would take place within the Windows Kernel, effectively offering a complete compromise of the affected system.