Analysis and Exploitation of Microsoft Windows System 0day Vulnerabilities

Recently, a Windows kernel privilege escalation vulnerability exploited by hackers in the wild was fixed in a Microsoft security patch. This vulnerability primarily exists in earlier versions of Windows systems, rather than Windows 11. This article will analyze how attackers continue to exploit this vulnerability in the context of continuously improving current security measures.

Vulnerability Background

This is a Windows system-level 0day vulnerability that allows attackers to gain complete control over Windows. The consequences of being compromised include personal information leakage, system crashes, data loss, financial losses, and malware implantation. For Web3 users, private keys may be stolen, and digital assets face the risk of being transferred. On a larger scale, this vulnerability may affect the Web3 ecosystem that operates on Web2 infrastructure.

Patch Analysis

Analyzing the patch code reveals that this seems to be an issue with the object reference count being handled too many times. Early source code comments indicate that the previous code only locked the window object and did not lock the menu object within the window object, which may lead to the menu object being incorrectly referenced.

Vulnerability Reproduction

We constructed a special four-layer menu structure to trigger vulnerabilities. These menus need to meet certain specific conditions to pass the detection of related functions. Ultimately, when returning to the user layer, the target menu object is released by removing the reference relationships between the menus, rendering subsequent references to that object invalid.

Exploit

The main idea of exploiting this vulnerability is to modify the token address through read and write primitives. The entire exploitation process can be divided into two key steps: first, how to control the value of cbwndextra using the UAF vulnerability, and second, how to establish stable read and write primitives based on the controlled value of cbwndextra.

We successfully achieved the first data write by carefully designing the memory layout and leveraging the relationship between the window object and the HWNDClass object. Subsequently, we constructed the required memory structure by continuously allocating three HWND objects and releasing the middle one.

In terms of reading and writing primitives, we use GetMenuBarInfo() for arbitrary reading and SetClassLongPtr() for arbitrary writing. Except for the TOKEN replacement operation, other writes are completed by utilizing the class object of the first window object through offsets.

Summary

1. Microsoft is attempting to refactor the win32k related code using Rust, and such vulnerabilities may be eliminated in the new system in the future.

2. The exploitation process of this vulnerability is relatively simple, with the main difficulty being how to control the first write.

3. The discovery of vulnerabilities may rely on more comprehensive code coverage detection.

4. For vulnerability detection, in addition to focusing on key function points, targeted detection of abnormal memory layouts and data read/write operations should also be conducted.