Win32k Elevation of Privilege : CVE-2018-8120

A null pointer dereference vulnerability in Win32k.sys has been disclosed to Microsoft. CVE-2018-8120 has been assigned to track this vulnerability. To exploit it, the attacker needs to be able to execute a crafted application on the target machine. Upon successful exploitation the attacker can achieve arbitrary code execution with system-level privileges. The vulnerability affects Windows 7 and Windows Server 2008 Service Pack 2. This CVE has been exploited in the wild in the form of a malicious PDF file which exploits CVE-2018-4990 in Adobe Reader to escape the application sandbox and execute an embedded binary that targets CVE-2018-8120.

Vulnerability
As mentioned earlier, the vulnerability is due to a null pointer dereference in Win32k.sys, more specifically in the kernel function SetImeInfoEx(). A null pointer dereference means that the code handling the object tries to access the null page. In most cases this results in a BSOD, which amounts to a DoS attack. In the wild, however, the faulty dereference is used to gain a write primitive and elevation of privilege.

Background
NtUserSetImeInfoEx() takes user-defined IME information (tagIMEINFOEX) and sets it on the keyboard layout object of the window station (tagWINDOWSTATION) associated with the current process. NtUserSetImeInfoEx() calls SetImeInfoEx() to copy the user-defined IME information object into the current process's window station (tagWINDOWSTATION.spklList, a tagKL, and its piiex member).

We can create a new window station object by calling CreateWindowStation(); the function returns a handle to the new window station. In the new object tagWINDOWSTATION.spklList is set to null by default.

Under normal circumstances tagWINDOWSTATION.spklList points to a valid address. But if a new window station object is created, spklList is initialized to null by default. In this case SetImeInfoEx() tries to dereference the null pointer spklList. As the null page is not mapped into the calling process, this causes an access violation and a crash (BSOD). If the null page is mapped into the process memory, the dereference can be used to gain an arbitrary write in kernel space. Windows 8 and above do not allow mapping of the null page into a process address space.
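
The guard that is missing in the path described above, as an added example that is not code from the original post or from Microsoft: a simplified user-mode C model of the list walk that refuses a window station whose spklList is null. The struct layouts, the circular keyboard-layout list, and the names WINSTA_MODEL, KL_MODEL, IMEINFOEX_MODEL and set_ime_info_checked are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified user-mode model. Field sets and layouts are assumptions,
   not the real win32k structures. */
typedef struct { unsigned long hkl; int fLoadFlag; char data[16]; } IMEINFOEX_MODEL;
typedef struct KL_MODEL {
    struct KL_MODEL *pklNext;   /* assumed circular list of keyboard layouts */
    unsigned long    hkl;
    IMEINFOEX_MODEL *piiex;     /* destination of the copy */
} KL_MODEL;
typedef struct { KL_MODEL *spklList; } WINSTA_MODEL;

/* Returns 1 if the IME info was copied, 0 if the request was refused. */
int set_ime_info_checked(WINSTA_MODEL *winsta, const IMEINFOEX_MODEL *src)
{
    KL_MODEL *head, *pkl;

    if (winsta == NULL || src == NULL)
        return 0;

    head = winsta->spklList;
    /* The guard the vulnerable path lacked: a freshly created window
       station has no keyboard layout list, so refuse here instead of
       reading head->hkl through a null pointer. */
    if (head == NULL)
        return 0;

    pkl = head;
    while (pkl->hkl != src->hkl) {
        pkl = pkl->pklNext;
        if (pkl == NULL || pkl == head)   /* end of list or full circle */
            return 0;
    }
    if (pkl->piiex == NULL)               /* validate the destination too */
        return 0;
    memcpy(pkl->piiex, src, sizeof(*src));
    return 1;
}

int main(void)
{
    WINSTA_MODEL fresh = { NULL };        /* constructed: new window station */
    IMEINFOEX_MODEL ime = { 0 };          /* constructed: zeroed input */
    printf("fresh station -> %d\n", set_ime_info_checked(&fresh, &ime));
    return 0;
}
```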

Exploitation
As mentioned in the earlier section, in a newly created window station object tagWINDOWSTATION.spklList is set to null. We use this behavior to trigger the vulnerable code.

  • Create a new window station object using CreateWindowStation().
  • Set this object as the window station for the current process using SetProcessWindowStation().
  • Create a dummy tagIMEINFOEX object and zero out its members.
  • Initiate a call to NtUserSetImeInfoEx() and pass tagIMEINFOEX as the argument.

NtUserSetImeInfoEx() will retrieve the current window station object and pass it to SetImeInfoEx() as one of the arguments. The function will try to dereference the null pointer and crash the system due to an access violation.

win32k!SetImeInfoEx+17
96d20aab 395014 cmp dword ptr [eax+14h],edx

READ_ADDRESS: 00000014
BUGCHECK_STR: ACCESS_VIOLATION
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

eax=00000000 ebx=96d20a07 ecx=00000000 edx=00000000 esi=898f3ab0 edi=898f3c0c
eip=96d20aab esp=898f3a8c ebp=898f3a90 iopl=0 nv up ei ng nz na po nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010282

Mitigation
Please apply the latest patches provided by Microsoft to address this issue. Qualys customers can scan their network with QID:91447 to detect vulnerable targets. The QID checks the version of %windir%\System32\Win32k.sys.

Please continue to follow Qualys Threat Protection for information on this vulnerability.

References
CVE-2018-8120
CVE-2018-8120 | Win32k Elevation of Privilege Vulnerability
A tale of two zero-days
