Analysis of Windows System 0day Vulnerability: From Win32k Privilege Escalation to Web3 Security Risks


Analysis and Exploitation of Microsoft Windows System 0day Vulnerabilities

Recently, a security patch released by Microsoft fixed a win32k elevation of privilege vulnerability that is actively being exploited. This vulnerability primarily affects earlier versions of Windows systems, and it seems that it cannot be triggered on Windows 11. This article will analyze how attackers may continue to exploit such vulnerabilities in the current security environment. The following analysis is based on the Windows Server 2016 environment.

Numen Exclusive: Microsoft 0day Vulnerability Can Disrupt Web3 Landscape at System and Physical Levels

Vulnerability Background

A 0day vulnerability refers to a security flaw that is not publicly disclosed and remains unpatched, similar to the T+0 trading concept in financial markets. Such vulnerabilities, if exploited maliciously, can cause serious harm. The recently discovered 0day vulnerability in the Windows system allows attackers to gain complete control over the system, enabling them to carry out attacks such as information theft, system destruction, and malware implantation. From a Web3 perspective, this could lead to stolen private keys, transferred digital assets, and even endanger the entire Web3 ecosystem built on Web2 infrastructure.


Patch Analysis

Analysis of the patch code reveals that it mainly fixes an object reference-counting issue. Combined with comments in early win32k source code, it can be seen that the original code locked only the window object and did not lock the menu object belonging to the window, so the menu could be released while still referenced, leaving an invalid reference to the menu object.


Proof of Concept (PoC)

Analysis shows that the MenuItemState in the xxxEnableMenuItem function may return the main menu or a submenu. We constructed a special four-layer menu structure with the following features:

  1. The ID of the bottom-level menu D must be of the system menu type.
  2. The top-level menu A must also be a system menu, but the item with the same ID as menu D needs to be removed.
  3. Remove the reference to Menu C in Menu B.
  4. The existence of Menu B seems to facilitate the release of Menu C.

When the vulnerability is triggered, the link between menu C and menu B is removed while xxxRedrawTitle has returned control to the user layer, which releases menu C. The subsequent call into xxxEnableMenuItem then operates on an invalid reference to the menu C object.
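To make the defect class behind the patch analysis and the PoC description concrete, the following toy model (added here; it is not Numen's code and not win32k's real structures or functions, and every name in it is hypothetical) shows a kernel-style function that holds a reference on a window but not on the window's menu while it calls back into user mode, beside the patched form that locks both. Release is modelled by setting a flag instead of calling free(), so a use of a released object is observable rather than undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model of the reference-counting defect described in the text.
 * kobj, window, the callback and both enable_item_* functions are constructed
 * for this illustration and are not win32k's real types or routines.
 */
typedef struct kobj {
    int refcount;
    int released;   /* set instead of calling free(), so use of a released object is observable */
} kobj;

typedef struct window {
    kobj hdr;
    kobj *menu;     /* the window owns one reference to its menu */
} window;

static void kobj_init(kobj *o) { o->refcount = 1; o->released = 0; }
static void kobj_lock(kobj *o) { o->refcount++; }
static void kobj_unlock(kobj *o) {
    if (--o->refcount == 0)
        o->released = 1;    /* a real kernel would free the memory here */
}

/* A callback into user mode, modelled as a plain function pointer. */
typedef void (*user_callback)(window *w);

/* User code detaches the menu from its window while the kernel function is
 * still running, dropping the one reference the kernel did not protect. */
static void detach_menu_callback(window *w) {
    kobj *m = w->menu;
    if (m) {
        w->menu = NULL;
        kobj_unlock(m);
    }
}

/* Vulnerable pattern: only the window is locked across the user callback.
 * Returns 1 if the function goes on to touch a released menu object. */
static int enable_item_vulnerable(window *w, kobj *menu, user_callback cb) {
    kobj_lock(&w->hdr);
    cb(w);                                  /* control returns to user mode here */
    int used_released = menu->released;     /* the "use" after the callback */
    kobj_unlock(&w->hdr);
    return used_released;
}

/* Patched pattern: the menu is locked for the duration of the call too, so the
 * callback can at most drop the window's reference, never the last one. */
static int enable_item_fixed(window *w, kobj *menu, user_callback cb) {
    kobj_lock(&w->hdr);
    kobj_lock(menu);
    cb(w);
    int used_released = menu->released;
    kobj_unlock(menu);                      /* menu is released here, after its last use */
    kobj_unlock(&w->hdr);
    return used_released;
}

/* Builds a window with one menu, runs one variant, and reports whether a
 * released object was used (1) or not (0). */
int run_scenario(int patched) {
    window w;
    kobj menu;
    kobj_init(&w.hdr);
    kobj_init(&menu);
    w.menu = &menu;
    return patched ? enable_item_fixed(&w, &menu, detach_menu_callback)
                   : enable_item_vulnerable(&w, &menu, detach_menu_callback);
}

int main(void) {
    printf("vulnerable pattern touched a released menu: %d\n", run_scenario(0));
    printf("patched pattern touched a released menu:    %d\n", run_scenario(1));
    return 0;
}
```

The point the model makes is the one the patch makes: any object a kernel routine will touch after a call that can re-enter user mode needs its own reference held across that call, because ownership relationships (here, window to menu) can be changed by user code in the meantime.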


Exploit (Exp) Implementation

Overall Idea

Two possible exploitation directions were considered:

  1. Execute shellcode: this follows earlier vulnerabilities such as CVE-2017-0263, but may face many obstacles on newer versions of Windows.

  2. Modify the token using read/write primitives: public exploits from recent years can still be referenced here; the main problem to solve is how to gain initial control over the cbwndextra value.

We adopted the second approach, splitting the exploit into two steps: controlling the cbwndextra value, and establishing stable read/write primitives.


First Data Write

The name object of the window class (WNDClass) is used to occupy and release the memory of the menu object. In the xxxRedrawWindow function, a writable data location is found, and the memory of the previous object is controlled so that it satisfies the flag check in that function.


Stable Memory Layout

The memory layout consists of three consecutive 0x250-byte HWND objects; the middle one is released and its memory is reoccupied with an HWNDClass object. The HWND objects on either side are used to pass the functions' checks and to implement the read/write primitives. The exact arrangement of the objects is located through the leaked kernel handle addresses.


Implementing Read/Write Primitives

Arbitrary read uses the GetMenuBarInfo function, and arbitrary write uses the SetClassLongPtr function. Except for the TOKEN write, all write operations go through the class object of the first window object.


Conclusion

  1. Microsoft is refactoring the win32k code in Rust, which may completely resolve this class of vulnerability in the future.

  2. Such vulnerabilities rely mainly on the leakage of desktop heap handle addresses, which still poses a security risk on outdated systems.

  3. The discovery of this vulnerability may have benefited from improved code coverage detection.

  4. Monitoring for abnormal memory layouts and anomalous reads and writes of window data helps to detect similar vulnerabilities.

Comments

TestnetNomad · 9h ago
What are you bragging about Rust?

StealthDeployer · 9h ago
I switched to Linux a long time ago, it was a wise choice.

CryptoMotivator · 9h ago
Here we go again, Microsoft really has a tradition of these bugs.

LiquidatedDreams · 10h ago
Using Microsoft all the time is just a trap.

MondayYoloFridayCry · 10h ago
I am the worst retail investor in Web3

Comment on the article:

Can rust really save win? I'm laughing.

CrashHotline · 10h ago
The garbage WinXP has problems again.