Exploitability Analysis: Smash the Ref Bug Class

In April 2020, security researcher Gil Dabah published a paper on a set of vulnerabilities he had discovered within the Win32k subsystem of the Windows operating system. These vulnerabilities demonstrated instances of a new class of bugs, dubbed “Smash the Ref.” Dabah’s research included 13 test cases and, later, four proof-of-concept (PoC) code samples chronicled in a GitHub repository.

Windows vulnerabilities that use kernel-mode execution for privilege escalation are often of interest to Metasploit’s research team. The Win32k subsystem is included in all versions of Windows, and it offers a reliable attack surface that is not configuration-dependent. More generally, local privilege escalation (LPE) exploits continue to maintain high relevance in the modern attack landscape; Metasploit has noted several times over the past two years that LPEs have featured prominently in community module contributions, and their prevalence has spurred us to expand support for local exploitation APIs and mixins that make LPE exploit development easier across a number of platforms.

Fellow Metasploit researcher Grant Willcox and I examined the test cases delineated in Dabah’s Smash the Ref research with two goals: evaluating the bug class’s overall exploitability, and identifying any candidates that might provide reliable utility for Metasploit Framework users operating from an initial foothold in the context of a standard user account. The rest of this blog post details our experience and findings throughout several cycles of reproduction attempts and crash analysis.