Windows zero-day CVE-2019-1132 exploited in targeted attacks


ESET research discovers a zero-day exploit that takes advantage of a local privilege escalation vulnerability in Windows



In June 2019, ESET researchers identified a zero-day exploit being used in a highly targeted attack in Eastern Europe.


The exploit abuses a local privilege escalation vulnerability in Microsoft Windows, specifically a NULL pointer dereference in the win32k.sys component. Once the exploit was discovered and analyzed, it was reported to the Microsoft Security Response Center, which promptly fixed the vulnerability and released a patch.


The vulnerability affects the following Windows versions:


Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1

This blog post focuses on the technical details of the vulnerability and its exploitation. Another post, tomorrow, will delve into the malware sample and its broader implications.


Exploitation


As with a number of other Microsoft Windows win32k.sys vulnerabilities disclosed in recent years, this exploit uses popup menu objects. For example, the Sednit group’s local privilege escalation exploit that we analyzed in 2017 used menu objects and techniques very similar to the current exploit.


This exploit creates two windows: one for the first stage and another for the second stage of the exploitation. For the first window, it creates popup menu objects and appends menu items using the CreatePopupMenu and AppendMenu functions. In add ..
