Zero Day Remote Code Execution Affects Older Windows OS
Older versions of Windows can allow an adversary to execute code remotely if a user either visits a specially crafted website or opens a rigged document.
Microsoft has released technical details on a zero-day vulnerability that is being actively exploited. It affects the Windows Win32k component in the Windows GDI (Graphics Device Interface). If exploited, it allows an attacker to launch an elevation of privilege attack.
The GDI library vulnerability was patched in March with MS17-013. At the time, however, Microsoft did not disclose that the vulnerability was being actively exploited. The bug discloses data from memory and was revealed by a Google engineer. Microsoft originally patched the vulnerability (CVE-2017-0038) in June 2016, classifying it as important, but in February Google's Project Zero security researchers discovered that the fix was incomplete.
Microsoft revealed that the zero-day Elevation of Privilege (EoP) exploit targets computers running Windows 7 and Windows 8. The exploit package runs in four stages, each with a corresponding function:
- Stage 1: decrypts the PE file containing the main exploit code using the AES-256 algorithm; a hard-coded password is used as the key to decrypt the loader for the next stage
- Stage 2: an API resolution routine that, as Microsoft notes, resembles how shellcode or position-independent code works
- Stage 3: determines the identity of the operating system platform and its version number
- Stage 4: the actual exploit routine; the attacker code begins exploiting the Windows kernel vulnerability CVE-2017-0005, resulting in arbitrary memory corruption and privileged code execution
Mitigations include Supervisor Mode Execution Prevention (SMEP), supported by newer Intel CPUs, and virtualization-based security (VBS).
A strategic mitigation like SMEP can instantly render hundreds of EoP exploits ineffective, including old-school exploitation methods that call user-mode shellcode directly from the kernel, such as the zero-day exploit for CVE-2017-0005.
In some instances, Microsoft acknowledges, sophisticated attackers have been able to work around SMEP protections.
These bypass mechanisms include the use of kernel ROP gadgets or direct page table entry (PTE) modifications through read-write (RW) primitives.
To address these bypass mechanisms, Microsoft said it made improvements to kernel-mode ASLR for 64-bit Windows, introduced with the Windows 10 Anniversary Update. Randomized kernel addresses make SMEP stronger by mitigating the bypass vector that relies on direct PTE corruption.
While patches continue to provide single-point fixes for specific vulnerabilities, this attacker behaviour highlights how built-in exploit mitigations like SMEP, the ASLR improvements, and virtualization-based security provide resilience.
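As an added example (not code from the article or from Microsoft), the following read-only PowerShell check gives an administrator the three facts the discussion above turns on: whether the host runs one of the OS versions the article names as targeted (Windows 7 reports version 6.1, Windows 8 reports 6.2), whether the MS17-013 update is installed, and whether virtualization-based security is running. It assumes the `Win32_DeviceGuard` WMI class in the `root\Microsoft\Windows\DeviceGuard` namespace, which exists only on Windows 10 / Server 2016 and later; the KB identifier for MS17-013 is a placeholder you must fill in from the bulletin for your SKU.

```powershell
# Added example, not part of the original article. Read-only exposure check
# for the CVE-2017-0005 / MS17-013 discussion. Written for PowerShell 2.0+
# so it also runs on the Windows 7 / 8 hosts the article names.
$ErrorActionPreference = 'Stop'

# PLACEHOLDER: look up the KB number for your SKU in the MS17-013 bulletin.
$Ms17013Kb = 'KB0000000'

$os    = Get-WmiObject -Class Win32_OperatingSystem
$parts = $os.Version.Split('.')
$major = [int]$parts[0]
$minor = [int]$parts[1]

$report = @{
    Caption      = $os.Caption
    Version      = $os.Version
    Architecture = $os.OSArchitecture
}

# Windows 7 = 6.1, Windows 8 = 6.2 (Windows 8.1 = 6.3, not named by the article).
$report.TargetedByDescribedExploit = ($major -eq 6) -and (@(1, 2) -contains $minor)

# Get-HotFix lists installed updates by KB id; a miss means the fix is absent
# (or the placeholder above was never replaced).
$hotfix = Get-HotFix | Where-Object { $_.HotFixID -eq $Ms17013Kb }
$report.Ms17013Installed = ($hotfix -ne $null)

# VBS state is exposed through the DeviceGuard namespace. On Windows 7 / 8 the
# namespace does not exist, which itself tells you VBS is unavailable there.
try {
    $dg = Get-WmiObject -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                        -Class Win32_DeviceGuard -ErrorAction Stop
    # VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    switch ($dg.VirtualizationBasedSecurityStatus) {
        0       { $report.VbsStatus = 'Disabled' }
        1       { $report.VbsStatus = 'EnabledNotRunning' }
        2       { $report.VbsStatus = 'Running' }
        default { $report.VbsStatus = 'Unknown' }
    }
    # SecurityServicesRunning: 1 = Credential Guard, 2 = HVCI (hypervisor-enforced code integrity)
    $report.HvciRunning = (@($dg.SecurityServicesRunning) -contains 2)
} catch {
    $report.VbsStatus   = 'NotAvailableOnThisOS'
    $report.HvciRunning = $false
}

# SMEP is a CPU feature the kernel uses automatically; Windows has no cmdlet for it.
# Sysinternals Coreinfo (coreinfo -f) prints the SMEP flag if you need to confirm it.

New-Object PSObject -Property $report | Format-List
```

A host that reports `TargetedByDescribedExploit = True`, `Ms17013Installed = False` and `VbsStatus = NotAvailableOnThisOS` has none of the defences the article discusses and should be prioritised for patching; on Windows 10 the same script shows whether the VBS layer the article credits with resilience is actually running rather than merely configured.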