KASPERSKY LAB has uncovered yet another Windows zero-day that lets attackers take full control of a users' PC.
The flaw, which was discovered by Kaspersky's Vasily Berdnikov and Boris Larin last month and only patched last week, affects the latest 64-bit versions of Windows.
In a blog post, the researchers explained that this is the fifth consecutive local privilege escalation vulnerability in Windows that they have found in recent months.
"CVE-2019-0859 is a Use-After-Free vulnerability that is presented in the CreateWindowEx function. During execution CreateWindowEx sends the message WM_NCCREATE to the window when it's first created," they explained.
"By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before calling the window procedure."
"In win32k.sys all windows are presented by the tagWND structure which has an "fnid" field also known as Function ID. The field is used to define the class of a window; all windows are divided into classes such as ScrollBar, Menu, Desktop and many others."
The security specialists explained that when the Function ID of a window is set to 0, they could "set extra data for the window procedure from inside our hook" and "change the address for the window procedure that was executed immediately after our hook".
"Because our MENU-class window was not actually initialized, it allows us to gain control over the address of the memory block that is freed," they said.
After analysing the exploit, the researchers found that it targeted everything from Windows 7 to older builds of Windows 10, and used the HMValidateHandle technique.
"The exploit executed PowerShell with a Base64 encoded command. The main aim of this command was to download a second-stage script from https//pastebin.com. The second stage PowerShell executes the final third stage, which is also a PowerShell script," continued the researchers."
Describing this script as "very simple", Berdnikov and Boris Larin said it unpacks shellcode, allocate executable memory, copies shellcode to allocated memory and calls CreateThread to execute shellcode.
"The main goal of the shellcode is to make a trivial HTTP reverse shell. This helps the attacker gain full control over the victim's system."
Microsoft has since released a patch for the vulnerability. In a statement, it said: "An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.
"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.
"The update addresses this vulnerability by correcting how Win32k handles objects in memory." µ
They're kind of cute though
No code? No problem!
The wide world of whimsy from the Alphabet Castle