VerSprite security researchers are often learning new technologies and products in order to perform security testing for clients. Part of this work involves researching past vulnerabilities to understand how various products, such as Windows, can be attacked.
As part of these efforts, VerSprite recently investigated CVE-2019-1169, a NULL pointer dereference vulnerability in win32k.sys that Microsoft fixed in the August 2019 patch update. This led to the creation of a working exploit that can successfully leak data from arbitrary kernel addresses on affected Windows 7 machines.
This report will walk through how VerSprite created this exploit, starting with setting up a testing environment, then moving on to analyzing the patch with Diaphora, and finally building the exploit in C++. By the end of this report, readers should have a solid understanding of CVE-2019-1169.
Access part one of the report here: Investigating Microsoft Windows Vulnerability CVE-2019-1169 [Part 1].
Access part two of the report here: Investigating Microsoft Windows Vulnerability CVE-2019-1169 [Part 2].
This report covers the testing environment VerSprite set up to validate this vulnerability in win32k.sys, the analysis of the vulnerability itself using Diaphora and patch diffing, and the steps that were required to create a working exploit that allows an attacker to read arbitrary kernel memory from a user-mode process.