VerSprite Security Research Validates Windows Vulnerability in win32k.sys


Investigating Microsoft Windows Vulnerability CVE-2019-1169

Grant Willcox ● March 15, 2020


Security Research on Windows Vulnerabilities

VerSprite Security Researchers are often learning new technologies and products in order to perform security testing for clients. Part of this work involves researching past vulnerabilities to understand how various products, such as Windows, can be attacked.

As part of these efforts, VerSprite recently investigated CVE-2019-1169, a NULL pointer dereference vulnerability in win32k.sys that Microsoft fixed in the August 2019 patch update. This led to the creation of a working exploit that can successfully leak data from arbitrary kernel addresses on affected Windows 7 machines.

This report will walk through how VerSprite created this exploit, starting with setting up a testing environment, then analyzing the patches with Diaphora, and finally creating the exploit using C++ code. By the end of this report, readers should have a solid understanding of CVE-2019-1169.

Access part one of the report here: Investigating Microsoft Windows Vulnerability CVE-2019-1169 [Part 1].

Access part two of the report here: Investigating Microsoft Windows Vulnerability CVE-2019-1169 [Part 2].

Validating the Vulnerability in win32k.sys

This report covers the testing environment VerSprite set up to validate this vulnerability in win32k.sys, the analysis of the vulnerability itself using Diaphora and patch diffing, and the steps that were required to create a working exploit that allows attackers to read arbitrary kernel memory from a user mode process.

Table of Contents

Advisory Analysis

  • Analyzing the Public Advisories
  • NULL Pointer Dereference – Causes and Effect

Target Setup

  • Environment Setup – Snapshots and Folders
  • Symbol Path Setup
  • Setting up VirtualBox for Kernel Debugging

Patch Diffing and Initial Analysis

  • Diaphora Analysis
  • xxxMNDragOver() Patch Analysis

Exploitation of CVE-2019-1169

  • Step-by-Step Review of the Exploit
  • Window Classes, Window Messages, and Window Procedures
  • Starting Up – Importing GDI32.dll and Window Class Setup
  • Initializing the Popup Menus
  • Explanation of Windows Hooks and Associated Code
  • Showing the Main Window and Popup Windows
  • Explanation of Windows System Calls (aka syscalls)
  • Understanding NtUserMNDragOver()
  • xxxMNDragOver() Code Analysis
  • xxxMNMouseMove() Code Analysis
  • WindowHookProc() – Time to Trigger the Vulnerability
  • Allocating the NULL Page and Leaking the EPROCESS Address
  • xxxMNMouseOver() – Alternative Exploitation Discussion
  • Exploiting the Vulnerable Code in xxxMNDragOver()
