CVE-2015-0057: The 1-Bit that will Bring Windows Down
enSilo’s research team has identified an exploitable privilege escalation vulnerability which enables a threat actor to run code of their liking on the Windows kernel. (enSilo really, really knows endpoint security!)
The vulnerability was patched today as part of Microsoft’s Patch Tuesday. The vulnerability, CVE-2015-0057, is rated as IMPORTANT. This is certainly not a vulnerability to ignore.
A threat actor exploiting this vulnerability can perform a complete take-over of a Windows machine.
With this exploit in hand, a threat actor can bypass any Windows security measure - defeating Microsoft’s own Enhanced Mitigation Experience Toolkit (EMET), Supervisor Mode Execution Protection (SMEP, one of Microsoft’s latest significant protections) and other mitigation measures such as sandboxing, kernel segregation and memory randomization.
This vulnerability is exploitable and affects ALL Microsoft Windows’ versions.
This vulnerability affects last month’s Windows 10 Technical Preview release and dates back 10 years as it already existed in Windows XP.
The vulnerability appears in the kernel’s GUI library, the win32k.sys module.
Specifically, the buggy code appears in a kernel function, called xxxEnableWndSBArrows, which handles changes to the user’s scrollbar.
The vulnerability is a Use-After-Free code flaw where the program uses freed memory.
The Exploitability Factor
The fact that a vulnerability is found does not necessarily mean it can be used. In other words, a vulnerability must be exploitable to actually be significant.
The reason is that Operating System makers (in this case, Microsoft) place many security mechanisms to protect the kernel. These measures are not just gatekeepers or hurdles to running code on the kernel. These measures double act as shields so that even when buggy code does appear in the kernel (i.e. a vulnerability) it would be nearly impossible to reach it (i.e. build an actual exploit).
Once an exploit is found, the question then becomes how significant is the exploit. Meaning, what can a threat actor do with this vulnerability.
As mentioned earlier, we were able to build a proof-of-concept which shows how a restricted application can run arbitrary code on the Windows’ kernel.
Interestingly, we found that to exploit this vulnerability all that is required is to simply modify one bit. To paraphrase Tolkien, this is certainly One Bit to Rule Them All.
As can be imagined, these privilege escalation exploitable vulnerabilities are very rare — and highly attractive on the underground cyber-crime markets. We roughly estimate that this vulnerability, similarly to others of its kind, fetch 6-figures.
How Does a Threat Actor Use this Exploit?
An advanced threat actor would need to develop a program containing the exploit code and run it on the victim’s machine.
Running code on the victim’s machine is typically carried out through a crime kit. These crime kits are usually unknowingly downloaded by the user when surfing to a site hosting the kit (a.k.a. “drive-by-download”) or when clicking on a disguised file in an enticing phishing email. Once the kit is installed, the program containing the exploit code is then automatically run.
In this video, we demonstrate how the program running exploit code receives the system privileges of a 64-bit Windows 10 Technical Preview.
We left out the prelude of a crime kit being downloaded and installed. While this video shows visible signs of code execution, the crime kit will silently run the exploit code.
It should go without saying that we urge you all to apply Microsoft’s most recent patch.
Yet, we’re also practical. We too are wary of the righteous “patch, patch, patch” mantra. This mantra has become an infeasible task in today’s enterprises. We are inundated by systems that need to be maintained and secured. We have numerous operating systems, servers, endpoints, databases, thousands of applications (speaking of which, 15 critical Adobe vulnerabilities were released just last week. That’s just a single application and a single monthly patch…) The list goes on.
Unfortunately, there are always going to be vulnerabilities, bypasses and work-arounds. With threat actors continuing to sneak their way into enterprise networks, there are bound to be a continuous stream of exploits traded in underground forums and actively incorporated in advanced targeted attack campaigns.
We’d like to suggest a new approach. Let’s come to terms with the fact that no matter how much we try to protect our systems, they are eventually going to be compromised. With that in mind, we should place our focus and energies into protecting our data given that we already have a compromised system.
For those technical folks interested in delving into the bit and bytes, our research team has published a detailed blog post which discusses the vulnerability breakdown and exploit.
We’d like to note that although that entry is technical, we do not reveal any code, or a fully-working exploit to prevent readers from being able to easily reproduce it.