MS Patch Tuesday: A Look into 4 Vulnerabilities in the Windows Kernel
Today’s Microsoft Patch Tuesday includes a patch for CVE-2015-2363, an IMPORTANT-rated exploitable privilege escalation vulnerability which we have responsibly disclosed to Microsoft. CVE-2015-2363 is a nearly 20 year-old vulnerability, located in most Windows systems since Windows NT 4.0 and up to Windows 8.
It’s interesting to consider today’s released CVE-2015-2363 as complementary to CVE-2015-2360 released last month. While last month’s release included fixes to three vulnerabilities (two uncovered by enSilo’s researchers), we found that the two CVEs together – both last month’s and todays - include four similar privilege escalation vulnerabilities.
A threat actor exploiting any of the four vulnerabilities can cause a system-level compromise of the underlying Windows’ machine. This includes:
- Receiving elevated privileges on the Windows’s machine to that of administrator level
- Bypassing all Windows’ security measures, such as sandboxing, memory randomization and kernel segregation
- Running kernel code on the victim’s machine
All of the four vulnerabilities date back to the old and unsupported Windows NT 4.0, released in 1996. However, each affects various newer supported versions.
Our blog post from last month describes the affected Windows machines for the vulnerabilities in last month’s patch.
The vulnerability released in today’s patch fixes:
- Microsoft Windows XP professional 32 bit (All Service Packs)
- Microsoft Windows Vista
- Microsoft Windows 7
- Windows 8
- Microsoft Windows Server 2003
- Microsoft Windows Server 2008
- Microsoft Windows Server 2008 R2
- Windows Server 2012 and Windows Server 2012 R2
- Windows RT
Each of the four vulnerabilities are of type Use-After-Free (UAF) which references the memory after it was freed. Ultimately, these particular UAF vulnerabilities can each lead to executing arbitrary code in the Windows’ kernel memory.
These vulnerabilities appear in the kernel’s GUI library, the win32k.sys module. Specifically, the issue we found resides within how win32k.sys manages the reference counts for Class objects’.
In a nutshell, Class objects are a template for creating a window (whether an actual graphical window, or some virtual non-displayed window). The Class also counts how many window instances of its own were created. We found that the underlying assumption regarding freeing the Class memory according to its count does not always hold up.
The Exploitability Factor
Each of the four vulnerabilities were found to be exploitable.
This is highly significant since a vulnerability represents a hole in the system – but not necessarily one that can be leveraged by the threat actor. In fact, Microsoft places many security measures such as randomization and kernel segregation so that even when a vulnerability is uncovered, it would be very difficult for a threat actor to actually leverage it.
As mentioned, our researchers were able to demonstrate the exploitation of the vulnerabilities which lead to a restricted application running arbitrary code on the Windows’ kernel.
Given their attractiveness, exploitable vulnerabilities are in high demand in the underground cybercrime market. Yet, finding an exploit is rare and complex in nature. Supply and demand principles run this market as well – we estimate that each of these exploitable vulnerabilities would fetch 6-figures.
Threat actors require access to the victim’s Windows machine in order to run the code which exploits any of the four vulnerabilities.
To gain this type of access, a threat actor will typically contain the exploitable code within a phishing email for the victim to open, or deliver it via a drive-by-download – say, when visiting an attacker-controlled site.
Proof of Concept Video
This video demonstrates a program running the exploit code of today’s released CVE-2015-2363 to receive the system privileges of a 64-bit Windows 7.
We left out the prelude of a crime kit being downloaded and installed. While this video shows visible signs of code execution, the crime kit will silently run the exploit code.
The only way to mitigate these four vulnerabilities is through applying the relevant patches. Unfortunately, as the industry has come to realize, this advice is far from being practical.
Industry estimates place the time to patch a Windows as a few months. Worse yet, unsupported Windows versions have no patch to begin with. Considering that Windows XP has a nearly 12% market share and is unsupported, it’s easy to understand the gravity of the situation.
As advanced attacks have shown, these 0-day or known-yet-unpatched vulnerabilities are precisely the type of vulnerabilities that threat actors are sure to leech on.
With this in mind, it’s pertinent to consider virtual patching against advanced targeted attacks. The idea is to ensure that even were a threat actor able to infiltrate the organization through an exploitable vulnerability, the threat actor wouldn’t be able to gain any value from it. Since the threat actor’s intention is to eventually steal information, the virtual patching assures that the actual theft of data is blocked.
A deep dive into these vulnerabilities appears in a technical blog post by our research team.
While the aforementioned blog post is highly technical, we’d like to take this opportunity to state that we follow all responsible disclosure practices. We do not reveal any code, or a fully-working exploit which will allow readers to easily reproduce the issue.
Get the bits & bytes at BreakingMalware – http://breakingmalware.com/vulnerabilities/class-dismissed-4-use-after-free-vulnerabilities-in-windows/