According to the latest Kaspersky Lab Report, a Windows Zero-Day vulnerability is serving as a backdoor for hackers to take control of users’ PCs.
The latest exploit utilizes a use-after-free attack and has a technical name CVE-2019-0895. The exploit is found in win32k.sys and grants hackers Local Privilege meaning they’re able to access resources usually outside of users’ capabilities.
How Windows Zero-Day Vulnerability Works?
A normal program functions in the following way:
- allocating the memory
- loading the program in memory
- then assigning the memory a pointer
When the task is finished, the connection between pointer and memory separates and the program inside memory is deleted.
The anomaly occurs when the pointer becomes a dangling pointer, which keeps pointing to one particular memory even when the task is finished. Hackers exploit these dangling pointers to plant custom programs by replacing the existing program in the said memory with malicious code.
This process constitutes a use-after-free attack and the concerned exploit works as follows:
- When a window is created it sends WM_NCCREATE as a message
- Hackers use SetWindowsHookEx function to send WM_NCCREATE before a window is created
- winsys32k.sys has exploitable function ID corresponding to several parts of a window
- During the custom call back, the function ID is set to 0 allowing hackers to assign more data to the window
- This executes xxxMenuWindowProc which sets Function ID to FNID_MENU
- The extra data inside can be altered to force xxxMenuWindowProc to stop this initialization and return to FALSE.
- This creates a free memory block that can be exploited.
Who Are Affected?
The use-after-free attack is a type of buffer overflow attack and operating systems have security in place to deal with such discrepancies. Windows utilizes the process of Address Space Layout Randomization (ASLR) for the same.
However, the exploit was targeting 64 bits of Windows 7, 8 and older versions of 10 using HMValidateHandle technique and bypassing ASLR.
The Windows Zero-day vulnerability, in a nutshell, allows the hackers to run code in the kernel, thus giving them elevated access
Since the time of being reported by Kaspersky Labs, Microsoft has taken action against this vulnerability and pushed an update.