[German]Cybercriminals use an exploit chain to attack a patched 0-day vulnerability in the chrome browser (Edge) and an unpatched 0-day vulnerability in the Windows kernel. The vulnerability has just been disclosed by Google Project Zero.
Advertising
In this release, Google Project Zero inform about two vulnerabilities in Chromium browser (patched) and in Windows kernel (unpatched), andthat they have evidence that the disclosed vulnerabilities are already being exploited in the wild.
According to the above tweet, in addition to the chrome/freetype 0-day exploit (CVE-2020-15999) discovered by Project Zero last week, there is also the Windows kernel bug (CVE-2020-17087). The Chrome 0-day exploit (CVE-2020-15999) is now patched (see Google Chrome 86.0.4240.111: Critical Security Update and Security update: Edge 86.0.622.51 released).
The Windows kernel bug (CVE-2020-17087)
The Windows kernel bug (CVE-2020-17087) can be used to escape from the sandbox (sandbox escape). The technical details of CVE-2020-17087 are now available. The Windows kernel cryptography driver (cng.sys) provides a \Device\CNG device for user mode programs and supports a variety of IOCTLs with non-trivial input structures. It represents a locally accessible attack surface that can be exploited for privilege escalation (e.g. sandbox escape).
The Project Zero team was able to provoke an integer overflow in such a function, which was successfully tested as proof of concept (PoC) on Windows 10 1903 (64-bit). A crash is easiest to reproduce when special pools are enabled for cng.sys, but even in the default configuration, 64kB of kernel data corruption will almost certainly crash the system shortly after the exploit is executed.
Advertising
Windows 7 through Windows 10 affected
Even though the PoC was tested with Windows 10 1903 (64-bit), the people at Google Project Zero assume that the vulnerability exists at least since Windows 7. This would make all Windows systems up to Windows 10 20H2 including the server counterparts vulnerable. It is expected that the 0-day vulnerability will be fixed with an update on November 10, 2020 (patchday). (via)
