Microsoft Windows system suffers from serious security vulnerabilities

Last month, Microsoft's security patch included a Windows privilege escalation vulnerability that is being exploited by hackers. This vulnerability mainly affects earlier versions of Windows, while Windows 11 appears to be unaffected. Despite Microsoft's ongoing efforts to strengthen system security measures, attackers may still exploit such vulnerabilities for attacks. This article will analyze the specific details of this vulnerability and potential attack methods.

The analysis process was conducted in a Windows Server 2016 environment.

Vulnerability Background

This is a zero-day vulnerability, which is a system flaw that has not yet been disclosed or patched. Zero-day vulnerabilities tend to be extremely destructive because attackers can exploit them without being detected. Through this Windows system-level vulnerability, hackers can gain complete control of the system.

Compromised systems controlled by hackers can lead to a variety of serious consequences, including but not limited to: theft of personal information, system crashes and data loss, financial losses, and the implantation of malware. For individual users, cryptocurrency private keys may be stolen, putting digital assets at risk of being transferred. From a broader perspective, this vulnerability could even affect the entire Web3 ecosystem based on Web2 infrastructure.

Vulnerability Analysis

After analyzing the patch, it was found that the problem was due to a reference count of an object being handled one extra time. Further research into the early source code comments revealed that the previous code only locked the window object, but did not lock the menu object within the window object, which could lead to incorrect referencing of the menu object.

Exploiting Vulnerabilities

We constructed a special multi-layer menu structure to trigger vulnerabilities. These menus have specific ID types and reference relationships to pass through various checks of the system. The key is to remove the reference relationships between specific menus when a certain function returns to the user layer, thereby releasing a critical menu object. In this way, when the system attempts to reference that menu object again, an error will occur.

Implementation of Exploit

Exploitation mainly consists of two steps: first, controlling the value of a key parameter, and then using this control to establish stable read/write primitives. We achieved arbitrary read/write access to the system through a carefully designed memory layout, utilizing the specific structure of window objects and window class objects.

Conclusion

1. Microsoft is attempting to refactor win32k related code using Rust, and future systems may no longer have such vulnerabilities.

2. The exploitation process of this type of vulnerability is relatively simple, mainly relying on the disclosure of the desktop heap handle address.

3. The discovery of this vulnerability may be attributed to more advanced code coverage detection techniques.

4. For vulnerability detection, in addition to focusing on the functions that trigger vulnerabilities, attention should also be paid to abnormal memory layouts and data read/write behaviors.

Overall, although the security of the Windows system is continuously improving, such vulnerabilities in outdated systems still pose a serious security risk. Timely updates of system patches and raising security awareness remain key measures to protect system security.