An Elevation of Privilege vulnerability in the Windows GDI component was reported to Microsoft by the Lockheed Martin Computer Incident Response Team. The vulnerability is assigned Id – CVE-2017-0005 “Windows GDI Elevation of Privilege Vulnerability”. The bug was addressed in MS17-0013 along with other GDI-targeted EoP vulnerabilities. According to Microsoft, this exploit is used by the ZIRCONIUM group.
A trusted third party disclosed an exploit targeting CVE-2017-0005 to Microsoft. The exploit targets 64-bit Windows 7 and 8 only and is delivered as an executable. It works in stages and requires a password for successful exploitation.
Exploit:
The exploit first decrypts its AES-256-encrypted initial stage using a password. It then locates the address of kernel32!GetProcAddress and performs environment checks to obtain operating system data and the version number. Review of the assembly shows that the exploit targets major release version 5, and major release version 6 with minor version 0, 1, or 2. Following these checks, the exploit calls win32k!XLATEOBJ_iXlatem via the NtGdiEngBitBlt API; that call goes through a corrupted PALETTE.pfnGetNearestFromPalentry function pointer, which passes control to the shellcode. The shellcode performs token swapping to gain SYSTEM-level privileges.
A token is a kernel object associated with a process or thread that describes its privileges and other security details. By obtaining the right token, a process can assume privileges it was never granted and execute higher-level operations.
Mitigation:
- The Windows 10 Anniversary Update contains checks for the validity of PALETTE function pointers. It ensures that only a predefined set of functions can be called.
- SMEP is an Intel CPU feature that Microsoft has used since Windows 8. Using the User/Supervisor (U/S) flag in page table entries, it prevents user-mode executable pages from being run as shellcode in kernel mode; SMEP raises an access violation when this is detected.
- Stronger SMEP with randomized kernel addresses. Device Guard blocks code execution in non-signed memory in kernel pools.
- With the advent of the Creators Update, Windows Defender ATP monitors the CR4.SMEP bit and detects token swapping by monitoring the token field in process structures.
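The two detection ideas in the last bullet, a CR4.SMEP bit check and a token-field comparison across process snapshots, as an added illustration that is not Qualys or Microsoft code. The snapshots, pids and token addresses are constructed; the field names are assumptions.

```python
CR4_SMEP_BIT = 1 << 20  # CR4.SMEP is bit 20 of CR4 on Intel x64

# Constructed sample snapshots (pid -> name, token pointer) in the shape a
# memory-forensics tool would list them; every address here is made up.
BEFORE = {
    4:    {"name": "System",       "token": 0xFFFF9E0001234040},
    520:  {"name": "services.exe", "token": 0xFFFF9E0001555060},
    1804: {"name": "explorer.exe", "token": 0xFFFF9E0001888090},
    2312: {"name": "sample.exe",   "token": 0xFFFF9E0001999070},
}
AFTER = {pid: dict(p) for pid, p in BEFORE.items()}
AFTER[2312]["token"] = BEFORE[4]["token"]  # the swap the shellcode performs


def token_swaps(before, after, system_pid=4):
    """Return pids whose token pointer changed between two snapshots and now
    points at the System process's token object.  A live process's token
    pointer is not rewritten by legitimate means, and distinct processes do
    not normally share one _TOKEN object, so this is a high-confidence signal."""
    system_token = after[system_pid]["token"]
    hits = []
    for pid, proc in after.items():
        if pid == system_pid or pid not in before:
            continue
        changed = proc["token"] != before[pid]["token"]
        if changed and proc["token"] == system_token:
            hits.append(pid)
    return hits


def smep_cleared(cr4):
    """True when CR4.SMEP is off.  With SMEP on, user-mode pages cannot run
    in ring 0, so finding the bit cleared after boot is itself an indicator."""
    return (cr4 & CR4_SMEP_BIT) == 0


if __name__ == "__main__":
    print("token swaps:", token_swaps(BEFORE, AFTER))   # [2312]
    print("SMEP cleared:", smep_cleared(0x0506F8))      # True
```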
Qualys Detection:
We request that our customers scan their network with QID 91331 to detect vulnerable OS versions. Please follow ThreatProtect for more information regarding this vulnerability.
References:
Detecting and mitigating elevation-of-privilege exploit for CVE-2017-0005
Kernel Hacking With HEVD Part 3 – The Shellcode