Source: myhack58 (MYHACK58:62201788778)
Author: 佚名 (anonymous)
Published: Aug 22, 2017 - 12:00 a.m.

How to detect and defend against elevation-of-privilege attacks based on CVE-2017-0005 - Vulnerability Warning - Black Bar Safety Net


CVSS3: 7 High (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: LOCAL; Attack Complexity: HIGH; Privileges Required: LOW; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 6.9 Medium (AV:L/AC:M/Au:N/C:C/I:C/A:C)
Access Vector: LOCAL; Access Complexity: MEDIUM; Authentication: NONE; Confidentiality Impact: COMPLETE; Integrity Impact: COMPLETE; Availability Impact: COMPLETE

EPSS: 0.001 Low; Percentile: 44.4%

1. Introduction
On March 14, 2017, Microsoft published security bulletin MS17-013, which fixes CVE-2017-0005. CVE-2017-0005 is a vulnerability in the Windows Win32k component that an attacker can use to elevate privileges. Based on a credible report from a partner, we discovered a zero-day exploit for this vulnerability. The exploit targets older versions of Windows, and an attacker can use it to raise the privileges of a process on the target system.
In this article we analyse the technical details of the exploit, assess how well the Windows 10 Anniversary Update (released in August 2016) defends against it, and also assess the effect of mitigations such as SMEP (Supervisor Mode Execution Prevention) and VBS (virtualization-based security). In addition, we show the enhancements to Windows Defender ATP (Windows Defender Advanced Threat Protection) that arrive with the Windows Creators Update: Windows Defender ATP can detect the elevation-of-privilege (EoP) behaviour used by this attacker, and so can also detect privilege-escalation attacks related to this vulnerability.
2. Elevation-of-privilege attack details
After auditing the exploit code, we found that the EoP exploit targets hosts running Windows 7 and Windows 8. The attacker carefully built the tool so that it avoids running on newer platforms.
The stages the exploit passes through during execution, and the function of each stage, are shown in Figure 1.
![Figure 1](/Article/UploadPic/2017-8/2017822193129780.png?www.myhack58.com)
2.1 Stages 1 & 2: the decryptor and the API resolver
To protect the main functional code, the attacker encrypted the initial-stage PE file with AES-256. To load the next-stage code, the program needs a password passed as a parameter to its main entry function. The code calls the CryptHashData API with the supplied password as the key to decrypt the next-stage payload.
Stage 2 acts as an intermediate stage whose role is to resolve API functions. The way this stage resolves APIs is similar to the way shellcode or other position-independent code does it.
Part of the GetProcAddress resolution code is shown below. This code appears intended to obfuscate the subsequent payload and hinder security analysis.
![](/Article/UploadPic/2017-8/2017822193129986.png?www.myhack58.com)
2.3 Stage 3: avoiding newer platforms
In Stage 3 the exploit performs a number of environment checks, in particular of the operating system platform and the specific version information. The attacker thereby ensures that the exploit code runs only on systems that have the vulnerability, specifically Windows 7 and Windows 8, which have fewer of the relevant protection features enabled.
![](/Article/UploadPic/2017-8/2017822193129675.png?www.myhack58.com)
From the code we found that the tool was developed for specific versions of Windows, namely:
- major version number 5; and
- major version number 6 with minor version number 0, 1 or 2.
These correspond to the Windows operating systems between Windows 2000 and Windows 8, and exclude Windows 8.1 and Windows 10. In addition, a careful look at the architecture check in the code showed that the exploit targets 64-bit [operating systems](http://www.myhack58.com/Article/48/Article_048_1.htm).
The next-stage payload is loaded using reflective DLL loading.
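As an added example (not code from the article or from the exploit), the following classifies a host inventory against the Stage 3 gate described above: major version 5, or major 6 with minor 0, 1 or 2, on a 64-bit system. The version-to-product mapping is the well-known NT version numbering; the inventory is constructed.

```python
# Added example: triage hosts against the exploit's OS gate (major 5, or major 6
# with minor 0/1/2, 64-bit only). The inventory below is constructed.
from dataclasses import dataclass

# Well-known NT version numbers -> product names (not from the article).
VERSION_NAMES = {
    (5, 0): "Windows 2000", (5, 1): "Windows XP", (5, 2): "Windows Server 2003",
    (6, 0): "Windows Vista", (6, 1): "Windows 7", (6, 2): "Windows 8",
    (6, 3): "Windows 8.1", (10, 0): "Windows 10",
}

@dataclass
class Host:
    name: str
    version: str   # e.g. "6.1.7601" as reported by the OS
    arch: str      # "x64" or "x86"

def parse_version(version: str) -> tuple:
    """Return (major, minor) from a dotted version string."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)

def exploit_targets(major: int, minor: int, arch: str) -> bool:
    """Mirror the exploit's gate: 64-bit NT 5.x or NT 6.0 through 6.2."""
    in_window = major == 5 or (major == 6 and minor in (0, 1, 2))
    return in_window and arch == "x64"

def triage(hosts):
    """Return {host name: verdict} explaining each host's exposure."""
    result = {}
    for h in hosts:
        major, minor = parse_version(h.version)
        product = VERSION_NAMES.get((major, minor), f"NT {major}.{minor}")
        if exploit_targets(major, minor, h.arch):
            result[h.name] = f"IN SCOPE: {product} {h.arch}, apply MS17-013"
        elif h.arch != "x64":
            result[h.name] = f"out of scope (exploit is 64-bit only): {product} {h.arch}"
        else:
            result[h.name] = f"out of scope (platform not targeted): {product}"
    return result

# Constructed inventory for illustration.
SAMPLE_HOSTS = [
    Host("fs01", "6.1.7601", "x64"),
    Host("kiosk02", "6.2.9200", "x86"),
    Host("ws-dev", "10.0.14393", "x64"),
    Host("legacy-db", "5.2.3790", "x64"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_HOSTS).items():
        print(f"{name}: {verdict}")
```

Hosts reported as out of scope by the exploit's own gate still need MS17-013; the gate only tells you where this particular tool would run.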
2.4 Stage 4: the exploit
Once the environment checks pass, the attack code begins the actual exploitation of CVE-2017-0005, a Windows kernel vulnerability, eventually causing memory corruption that the code uses to elevate privileges.
By corrupting the PALETTE.pfnGetNearestFromPalentry function pointer, the program gains code execution in kernel memory. Microsoft security researchers have been closely tracking this exploitation technique, which achieves kernel code execution through a specially crafted PALETTE object. We previously observed this technique in a sample from the Duqu security incident and presented it at Virus Bulletin 2015.
In the following code snippet, the PALETTE function pointer can be seen in its corrupted state:
![](/Article/UploadPic/2017-8/2017822193129412.png?www.myhack58.com)
The exploit code calls the native API NtGdiEngBitBlt to trigger the win32k!XLATEOBJ_iXlate function, which in turn uses the corrupted handler. As a result, control flow is passed to a section of shellcode allocated earlier. By comparison, the Duqu 2.0 exploit code used the GetNearestPaletteIndex function in Gdi32.dll to pass execution to the corrupted callback handler. Although the two exploits are similar in places, this difference lets us determine that the two exploit codes are not related; the exploitation technique is well documented in public references, which explains the similarity between them.
The exploit code uses dynamically generated syscall stubs to call native Windows APIs, as shown below.
![](/Article/UploadPic/2017-8/2017822193130535.png?www.myhack58.com)
The call stack during shellcode execution is as follows:
![](/Article/UploadPic/2017-8/2017822193130629.png?www.myhack58.com)
Once the shellcode runs, the exploit uses the common token-swapping technique to elevate the current process to SYSTEM privileges. This technique is frequently seen in similar EoP exploits.
![](/Article/UploadPic/2017-8/2017822193130672.png?www.myhack58.com)
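The token-swapping step above leaves a telemetry signature a defender can look for: a process whose primary token was a normal user at creation but is later observed as SYSTEM. The following is an added illustrative heuristic, not the article's or Windows Defender ATP's logic; the process-creation events and token snapshots are constructed.

```python
# Added example: flag processes whose primary token changed from a non-SYSTEM
# user to SYSTEM after creation (the token-swap signature). Telemetry is constructed.
from dataclasses import dataclass

SYSTEM_SID = "S-1-5-18"  # well-known SID of LocalSystem

@dataclass(frozen=True)
class ProcessCreate:
    pid: int
    image: str
    token_sid: str      # user SID of the primary token at creation
    parent_image: str

@dataclass(frozen=True)
class TokenSnapshot:
    pid: int
    token_sid: str      # user SID of the primary token when sampled later

def detect_token_swaps(creates, snapshots):
    """Return (pid, image, original_sid) for every process that was created
    under a non-SYSTEM token but is later seen running as SYSTEM."""
    created = {c.pid: c for c in creates}
    flagged = []
    for s in snapshots:
        c = created.get(s.pid)
        if c is None:
            continue  # no creation record to compare against; skip
        if c.token_sid != SYSTEM_SID and s.token_sid == SYSTEM_SID:
            flagged.append((s.pid, c.image, c.token_sid))
    return flagged

# Constructed telemetry: pid 4120 starts as a user but later shows up as SYSTEM,
# while the service host (812) was SYSTEM from the start and notepad never changes.
CREATES = [
    ProcessCreate(4120, "updater.exe", "S-1-5-21-1000-1", "explorer.exe"),
    ProcessCreate(812, "svchost.exe", SYSTEM_SID, "services.exe"),
    ProcessCreate(5002, "notepad.exe", "S-1-5-21-1000-1", "explorer.exe"),
]
SNAPSHOTS = [
    TokenSnapshot(4120, SYSTEM_SID),
    TokenSnapshot(812, SYSTEM_SID),
    TokenSnapshot(5002, "S-1-5-21-1000-1"),
]

if __name__ == "__main__":
    for pid, image, sid in detect_token_swaps(CREATES, SNAPSHOTS):
        print(f"pid {pid} ({image}) created as {sid} but now runs as SYSTEM")
```

A process's primary token is fixed at creation, so a later change of its user SID has no legitimate explanation and is a high-confidence indicator regardless of which kernel bug produced it.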

