An elevation of privilege vulnerability has been disclosed in the Windows OS. The issue affects Windows 7, Server 2008 (R2) both core and non-core versions. CVE-2018-8589 has been assigned to track this vulnerability. Microsoft has addressed this issue in November 2018 patch release. However a patched target may still crash (BSOD) if the exploit is triggered. For exploiting CVE-2018-8589, an attacker needs to be able to execute a custom crafted application on the target machine. Upon successful exploitation an attacker would arbitrary code executing and gain privileges. The zero day was being exploited in the wild by malware that targets x86 version of Windows 7. As per the advisory x64 versions are also affected.
Vulnerability
The vulnerability is present in win32k.sys. A race condition is used to corrupt the stack and populated with attacker defined values. WindowProc or WndProc is callback function that is defined to handle messages received by a window based application. We use two window threads. Both threads point to the same call back function. The call back function is invoked via WM_NCCALCSIZE message. Under the right conditions it will result in recursive call and corrupt LParam.
LParam is one of the arguments for WindowProc. The interpretation of LParam is dependent on the type of message received. In case of WM_NCCALCSIZE, it is treated as a pointer to a tagNCCALCSIZE_PARAMS structure. This structure will point to attacker defined addresses (shellcode) in user land. The structure is validated by NtUserfnINOUTNCCALCSIZE in the kernel space and win32k!SfnINOUTNCCALCSIZE makes a user land call. This code is executed with kernel privileges.
Mitigation
We request organizations to apply the latest patches from Microsoft to address CVE-2018-8589. Qualys customers can scan using QID:91481 to detect vulnerable machines.
Please continue to follow Qualys Threat Protect for more information on vulnerabilities.
References
CVE-2018-8589
A new exploit for zero-day vulnerability CVE-2018-8589
CVE-2018-8589 | Windows Win32k Elevation of Privilege Vulnerability
tagNCCALCSIZE_PARAMS
Writing the Window Procedure