Moderate
CVE-2020-1143: Win32k Use-After-Free
Add Reference
Description
URL
Type
Moderate
(1 user assessed)
Very Low
(1 user assessed)Unknown
Unknown
Unknown
CVE-2020-1143: Win32k Use-After-Free
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Description
An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Add Assessment
Ratings
-
Attacker ValueMedium
-
ExploitabilityVery Low
Technical Analysis
A vulnerability exists within the Win32k subsystem (provided by the win32k.sys, win32kbase.sys, and win32kfull.sys drivers) on Windows 10 that can be leveraged to trigger a Use-After-Free condition where by freed memory is used by win32kbase!GreUnlockRegion.
From my testing of the public PoC, I found this bug unreliable to trigger. Even with Driver Verifier enabled and standard settings (including SpecialPool) enabled, no exception and Blue Screen occurred. From reading through the PoC it looks like there is some kind of edge condition (possibly a race) that requires the PoC to re-execute itself (via CreateProcessA) to attempt to trigger the vulnerability.
Do to the unreliable nature of the PoC and the difficulty of replacing the freed memory within the heap, I believe this vulnerability would be difficult to exploit reliably. Successful execution however would take place within the Windows Kernel, effectively offering a complete compromise of the affected system.
General Information
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
What do we mean by "exploited in the wild"?
By selecting this, you are verifying to the AttackerKB community that either you, or a reputable source (example: a security vendor or researcher), has observed an active attempt by attackers, or IOCs related, to exploit this vulnerability outside of a research environment.
A vulnerability should also be considered "exploited in the wild" if there is a publicly available PoC or exploit (example: in an exploitation framework like Metasploit).
