2025-01-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
Today I will talk to you about how to carry out a detailed analysis of CVE-2019-1132. Many people may not know much about it, so to help you learn more, Xiaobian has summarized the following for you. I hope you gain something from this article.
CVE-2019-1132 Detailed Analysis
I. Background
ESET researchers discovered samples used by the Buhtrap group in APT attacks targeting Eastern Europe that exploited a Windows 0-day vulnerability. Microsoft has released a patch for this vulnerability, which is tracked as CVE-2019-1132. Because the vulnerability had been used in APT attacks for a long time, the incident had a great impact. The main purpose of this article is to provide a detailed analysis of CVE-2019-1132, using the PoC from SHIVAM TRIVEDI.
The vulnerability was identified by security researchers as an elevation of privilege vulnerability that exploits a null pointer dereference in win32k.sys. The PoC provided by SHIVAM TRIVEDI works on Windows 7 32-bit (Win7 32-bit Build 7601).
Vulnerability Description:
Vulnerability Number: CVE-2019-1132
Vulnerability Description: When the Win32k component improperly handles objects in memory, an elevation of privilege vulnerability exists in Windows, known as the "Win32k Elevation of Privilege Vulnerability".
Affected versions:
Windows 7 for 32-bit Systems Service Pack 1
Windows 7 for x64-based Systems Service Pack 1
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for Itanium-Based Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1
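The affected-version list above is the first thing a defender needs to turn into an inventory check. The following PowerShell script is an added example (it is not part of the original article and not from the PoC author): it maps the listed products to the kernel version strings they report, flags whether the local host is in the affected set, and then looks for the corresponding update. The KB identifier is a placeholder; the real update number for each OS must be taken from the Microsoft advisory for CVE-2019-1132, which this page does not state.

```powershell
# Added example (not part of the original article): flag hosts that fall into the
# affected version set for CVE-2019-1132 and check whether a patch is installed.
# $PatchKB is a placeholder, not a real identifier; take the real KB for each OS
# from the Microsoft advisory for CVE-2019-1132.
$PatchKB = 'KB0000000'

$os = Get-CimInstance -ClassName Win32_OperatingSystem
$isServer = $os.ProductType -ne 1   # 1 = workstation, 2 = domain controller, 3 = server

# Assumption: Windows 7 SP1 and Server 2008 R2 SP1 report 6.1.7601;
# Server 2008 SP2 reports 6.0.6002 or 6.0.6003 (after later servicing stack updates).
$affected = $false
$name = ''
switch -Regex ($os.Version) {
    '^6\.1\.7601$' {
        $affected = $true
        $name = if ($isServer) { 'Windows Server 2008 R2 SP1' } else { 'Windows 7 SP1' }
    }
    '^6\.0\.600[23]$' {
        # 6.0.600x on a workstation is Vista, which is not in the article's list
        if ($isServer) { $affected = $true; $name = 'Windows Server 2008 SP2' }
    }
}

if (-not $affected) {
    Write-Output "Not in the affected version set: $($os.Caption) $($os.Version) ($($os.OSArchitecture))"
    return
}

$hotfix = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
if ($hotfix) {
    Write-Output "$name ($($os.OSArchitecture)) - $PatchKB installed on $($hotfix.InstalledOn)"
} else {
    Write-Output "$name ($($os.OSArchitecture)) - $PatchKB NOT found; host remains exposed to CVE-2019-1132"
}
```

Run it under an account that can query WMI/CIM on the host; for fleet use, wrap the body in `Invoke-Command` against a list of computers and collect the output lines. Because Server 2008 SP2 and Windows Vista SP2 share the 6.0.600x version string, the script uses `ProductType` to keep Vista out of the match, mirroring the article's list, which names only the server edition.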
II. Behavior Flow
III. Detailed Analysis
1. Basis of the exploit
To accomplish this, you first need to create a multi-level menu and two windows (we call them the Main window and the Hunt window).
These three parts are the basis for the whole exploit. The two key steps of the exploit are the modification of the tagPopupMenu and tagWND data structures (tagPopupMenu and tagWND are the kernel data structures representing menus and windows respectively). Let's take a look at the important code.
First, you need to create a three-level menu; the first menu we call the Root menu, and the other two menus are set as submenus of the Root menu.
Then create two windows, the Main window and the Hunt window.
After the windows are created, you need to set a message hook and an event hook for the process.
For the message hook, the important thing is to destroy the first menu by sending the MN_CANCELMENUS message to it when the menu window is created.
For the event hook, send specific menu messages to the window to ensure that specific kernel functions are triggered.
2. Process of the exploit
Next, let's look at how the vulnerability arises and how it is triggered.
Here we need to talk about the kernel menu data structure tagWnd: its ppopupmenuRoot member points to its submenu data structure, and when that submenu is destroyed the pointer is set to null, that is, 0.
The process of triggering the vulnerability begins with the use of TrackPopupMenu.
Once the above basics are ready, the menu is created when TrackPopupMenu is called to display the menu on the Main window, so the menu window's message hook function executes. When the message hook function detects the WM_NCCREATE message and the other conditions are met, an MN_CANCELMENUS message is sent to the ROOT menu to destroy it. At this point the ppopupmenuRoot entry of the ROOT menu data structure becomes 0, while the other submenus continue to be created.
With ppopupmenuRoot = 0, the ROOT menu now references a submenu at address 0. Next, memory is allocated at address 0 and a fake menu is constructed there.
The important structure associated with this fake menu is tagWND, the kernel window data structure. Let's take a look at the tagWND data structure. It contains a very important flag, bServerSideWindowProc: if this flag is set to 1, the window's callback function is executed in kernel mode.
This exploit uses the Hunt window as the final target. To do this, it first obtains the address of the window's data structure.
We can see that the function named xxHMValidateHandle fetches the THRDESKHEAD data structure, which contains the address of the window data structure. The prototype of this function should come from the kernel function win32k!ValidateMenu.
Then, a specific address within the Hunt window's data structure is assigned to this carefully constructed fake menu.
TrackPopupMenuEx is called again to make use of the ROOT menu and the fake menu. This time, the Hunt window's bServerSideWindowProc is set to 1.
Finally, the message 0x1234 is sent to the Hunt window, and the Hunt window's default callback function executes in kernel space.
In the default callback function of the Hunt window, the TOKEN of the SYSTEM process is copied to the current process, achieving the privilege escalation.
(The screenshot above shows the successful privilege escalation.)
IV. Protective measures
1. Do not open suspicious files easily, such as emails, suspicious links, suspicious documents, etc.
2. Install system patches in time and use the latest version of software.
3. Install antivirus software and update the virus database in time.
4. Use the "Iron Dome Advanced Persistent Threat Warning System" (referred to as "Iron Dome") to detect potential attacks, and respond to and block them in time to avoid business interruption or economic loss.
After reading the above, do you have a better understanding of how to conduct a detailed analysis of CVE-2019-1132? If you still want to learn more, please follow the industry information channel. Thank you for your support.
© 2024 shulou.com SLNews company. All rights reserved.