AttackerKB AKB:2F0F7D23-7B28-4849-B0FC-3B12AB190D21
History: Apr 09, 2019 - 12:00 a.m.

Win32k Elevation of Privilege Vulnerability

2019-04-09 00:00:00
attackerkb.com

EPSS: 0.001 (Low), percentile 20.4%

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka ‘Win32k Elevation of Privilege Vulnerability’. This CVE ID is unique from CVE-2019-0797.

Recent assessments:

tekwizz123 at February 21, 2020 7:34pm UTC reported:

Wrote up a technical analysis of this bug for Exodus Intelligence at <https://blog.exodusintel.com/2019/05/17/windows-within-windows/>. The bug itself is relatively easy to trigger if you understand how Window messages work, but is a bit tricky to understand if you're not familiar with this. Exploit reliability is high unless exploiting from the Chrome sandbox; in these scenarios it is still possible to exploit the target on older versions of Windows (Windows 7 and prior); however, we did find that there was some interesting behavior going on with the Chrome sandbox escape shellcode, as while it would disassociate the current process with the Chrome sandbox job (and henceforth the job's limitations), it would occasionally trigger APC_INDEX_MISMATCH errors under certain conditions, particularly if the target user was an administrator.

TLDR: This exploit does take a bit of knowledge of Win32k.sys and Windows internals to exploit, but provided an attacker has this knowledge, or has access to the public exploit, they can easily escalate their privileges to a SYSTEM user from any privilege level.

Assessed Attacker Value ratings: 5, 5, 2