Currently an offer for a Windows zero-day exploit is circulating in a Russian underground forum. The exploit allegedly uses a local privilege escalation (LPE) vulnerability to attack fully patched Windows machines, from Windows 2000 up to Windows 10 and all Windows Server versions.
Currently the claim cannot be verified, because outsiders have no way to confirm such “underground offers”.
The facts known so far …
A user with the nickname BuggiCorp offers a zero-day exploit for all Windows versions from Windows 2000 up to Windows 10 and all Windows Server versions for 95,000 US $ in the Russian underground forum exploit[dot]in. The offer was posted on May 11, 2016 (just after Microsoft’s May 2016 patch day) and was updated on May 23, 2016. The forum moderator has already translated the Russian text of the offer into English (thanks to trustwave.com, who published more details).
“Dear friends, I offer you a rare product.
Exploit for local privilege escalation (LPE) for a 0day vulnerability in win32k.sys. The vulnerability exists in the incorrect handling of window objects, which have certain properties, and [the vulnerability] exists in all OS [versions], starting from Windows 2000. [The] exploit is implemented for all OS architectures (x86 and x64), starting from Windows XP, including Windows Server versions, and up to current variants of Windows 10. The vulnerability is of “write-what-where” type, and as such allows one to write a certain value to any address [in memory], which is sufficient for a full exploit. The exploit successfully escapes from ILL/appcontainer (LOW), bypassing (more precisely: doesn’t get affected at all [by]) all existing protection mechanisms such as ASLR, DEP, SMEP, etc. [The exploit] relies solely on the KERNEL32 and USER32 libraries [DLLs]. The [source code] project of the exploit and a demo example are written in C and assembly with MSVC 2005. The output is a “lib”-file which can later be linked to any other code, and [additional output from the source code project] is a demo EXE file which launches CMD EXE and escalates the privileges to SYSTEM account. The resulting EXE file size is between 7KB to 12KB depending on OS architecture. The exploit was tested on all versions of Windows, starting from XP, and on at least 20 different variants of Windows OS, including Windows Server versions.
The exploit is offered in two variants:
- Simple escalation of privileges to SYSTEM account for any given process.
- Escalation of privileges for any given process and the ability to execute code in Ring0. When exploiting the vulnerability, you can pass a pointer to a piece of code you want to execute in Ring0 (kernel mode). The method in use [to execute in kernel mode] basically modifies the PTE record of the [memory] page, specifically the ownership flag, changing it from “User” to “Kernel”. Next, we will allocate memory from a non-paged pool, copy the pointed “user code” to the newly allocated memory, then pass the execution to it [the “user code”] and eventually restore the PTE record [to its original values]. This method doesn’t rely on unstable tricks like ROP and doesn’t conflict with SMEP and other protection mechanisms.
The buyer will receive:
- Source code project based on MSVC2005, with all the source code of the exploit and a demo for the exploit.
- Free of charge updates to address any Windows version that the exploit might not work on (Might be the case with Windows 10 as there is a large number of different builds).
- A detailed write up of the vulnerability details (including the specific vulnerable code in win2k).
- Complementary consultation on integrating the exploit according to your needs (within reason).
- On request – convert the source code project to a different MSVC version.
Willing to accept offers starting from 95k [USD]
Do not offer revenue sharing as payment. Respect your and my time.
Escrow – the forum admin.
Very bad news for Windows users
The offer indicates that the exploit bypasses all Windows security features and offers a method to grant any process SYSTEM privileges. So Adobe Flash Player, Microsoft’s Silverlight, Adobe Reader and many more applications are at risk of being used as entry points for attacks. Also users with access rights to SQL Server or apps running on Windows Server could use the exploit to gain SYSTEM rights.
And there is more bad news: the second exploit variant enables an attacker to execute any code in Ring0, which means kernel mode. This allows an attacker to install a rootkit. Really bad news for victims of ransomware or Trojan horses.
The hope that the offer is nothing more than a bad joke is slim. As security blogger Brian Krebs wrote here, “cybercrime forums run on reputation-based systems”. And the user with the nickname BuggiCorp names the forum administrator as escrow. BuggiCorp has also published two YouTube videos (video1, video2) showing the exploit in action.
The first video demonstrates the exploit on a fully patched Windows 10, enabling cmd to gain SYSTEM privileges. A second video shows how the Enhanced Mitigation Experience Toolkit (EMET) protection is defeated.
What can we do?
Currently no further details about the vulnerability are known. So all users and administrators can do is to make sure that their systems are fully patched, and to instruct users not to trust e-mail attachments or web links. But overall this is a weak defense, so let’s hope the exploit never makes it into the wild. Maybe Microsoft will be able to buy the zero-day exploit and issue a patch to close the vulnerability.