AttackerKB AKB:8B03F841-88E2-43CE-BABB-46C39235EE23

CVE-2019-1436

Published Nov 12, 2019 - 12:00 a.m. (attackerkb.com)

CVSS3: 5.5 Medium

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS2: 2.1 Low

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

An information disclosure vulnerability exists when the win32k component improperly provides kernel information, aka ‘Win32k Information Disclosure Vulnerability’. This CVE ID is unique from CVE-2019-1440.

Recent assessments:

tekwizz123 at February 21, 2020 8:00pm UTC reported:

This is a vulnerability within NtGdiEnsureDpiDepDefaultGuiFontForPlateau() on Windows 10 which I wrote up an analysis of at <https://versprite.com/blog/security-research/silently-patched-information-leak/>. Originally I thought this was a silently patched bug, but Matt Miller corrected me on this (see <https://twitter.com/epakskape/status/1215698153346744321>). The bug occurs due to the fact that GreEnsureDpiDepDefaultGuiFontForPlateau() naturally leaks the value of the win32kbase!gahDpiDepDefaultGuiFonts pointer under certain conditions, which can allow attackers to potentially bypass KASLR under certain conditions.

To the best of my knowledge, this was fixed by Microsoft patching NtGdiEnsureDpiDepDefaultGuiFontForPlateau() so that it always returns 0 by adding an extra instruction which does:

xor eax, eax

This is shown in the screenshots in the article. As NtGdiEnsureDpiDepDefaultGuiFontForPlateau() was only added within Windows 10 v1709 (see j00ru's system call list at <https://j00ru.vexillium.org/syscalls/win32k/64/> and search for NtGdiEnsureDpiDepDefaultGuiFontForPlateau()), this bug is unique to Windows 10 hosts despite the fact that this CVE actually covers several related bugs (see Matt Miller's comment on this at <https://twitter.com/epakskape/status/1217189528806412288>).

Assessed Attacker Value: 3
Assessed Attacker Value: 5
