Kaspersky Lab has uncovered a zero-day vulnerability in versions 8 to 10 of the Microsoft Windows operating system that allowed attackers to exploit a flaw in Windows’ graphic subsystem to gain full control over a victim's computer.
Even though exploiting the vulnerability required an attacker to log on to the system first, a successful exploit could let the attacker install programs; view, change or delete data; or create new accounts with full user rights.
According to Kaspersky Lab, the Privilege Escalation vulnerability arose due to a lack of proper synchronisation between undocumented syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection in the win32k driver. When both syscalls were executed simultaneously, the function DiscardAllCompositionFrames could be executed when the NtDCompositionDiscardFrame syscall was already looking for a frame to release or had already found it, resulting in a use-after-free scenario.
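To make the bug class concrete, the following C program is an added illustration constructed for this article; it is not Microsoft's win32k code and not part of Kaspersky Lab's analysis. It models a discard operation split into the two halves the race separates (looking a frame up, then releasing it) and a teardown that releases every frame at once. The losing interleaving is scripted step by step rather than left to a scheduler, and a try-acquire lock stands in for the synchronisation a patch adds; all type and function names (`Connection`, `lookup_frame`, `race_with_lock` and so on) are invented for the model.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define MAX_FRAMES 4

/* A composition frame. `freed` stands in for the allocator so a stale
 * access can be observed instead of being undefined behaviour. */
typedef struct {
    int id;
    bool freed;
} Frame;

/* A connection that owns its frames. The lock is honoured only by the
 * hardened variant below. (Constructed model, not win32k's layout.) */
typedef struct {
    Frame pool[MAX_FRAMES];     /* backing storage */
    Frame *frames[MAX_FRAMES];  /* live references owned by the connection */
    atomic_flag lock;
} Connection;

static void connection_init(Connection *c) {
    for (int i = 0; i < MAX_FRAMES; i++) {
        c->pool[i].id = i;
        c->pool[i].freed = false;
        c->frames[i] = &c->pool[i];
    }
    atomic_flag_clear(&c->lock);
}

/* Teardown: release every frame the connection still owns; returns the count. */
static int release_all_frames(Connection *c) {
    int n = 0;
    for (int i = 0; i < MAX_FRAMES; i++) {
        if (c->frames[i] != NULL) {
            c->frames[i]->freed = true;
            c->frames[i] = NULL;
            n++;
        }
    }
    return n;
}

/* Discard, first half: find the frame to release. */
static Frame *lookup_frame(Connection *c, int id) {
    for (int i = 0; i < MAX_FRAMES; i++)
        if (c->frames[i] != NULL && c->frames[i]->id == id)
            return c->frames[i];
    return NULL;
}

/* Discard, second half: release the frame found earlier. Returns true when
 * the frame was already freed, i.e. this access is the use-after-free. */
static bool release_frame(Connection *c, Frame *f) {
    if (f->freed)
        return true;
    f->freed = true;
    for (int i = 0; i < MAX_FRAMES; i++)
        if (c->frames[i] == f)
            c->frames[i] = NULL;
    return false;
}

/* Unsynchronised variant with the losing interleaving scripted explicitly:
 * teardown runs after the discard picked its frame but before releasing it. */
bool race_without_lock(void) {
    Connection c;
    connection_init(&c);
    Frame *f = lookup_frame(&c, 2);   /* discard has found frame 2 ... */
    release_all_frames(&c);           /* ... teardown frees every frame ... */
    return release_frame(&c, f);      /* ... discard touches the dead frame */
}

typedef struct {
    bool stale;           /* did the discard path touch a freed frame? */
    int teardown_during;  /* teardown attempted mid-discard (-1 = refused) */
    int teardown_after;   /* frames released once the discard finished */
} LockedResult;

/* Hardened teardown: proceeds only if it can take the connection lock.
 * A real fix blocks until the discard finishes; try-acquire keeps this
 * single-threaded demonstration deterministic. */
static int destroy_connection_locked(Connection *c) {
    if (atomic_flag_test_and_set(&c->lock))
        return -1;   /* a discard holds the lock: teardown must wait */
    int n = release_all_frames(c);
    atomic_flag_clear(&c->lock);
    return n;
}

/* Hardened variant: the discard holds the lock across lookup and release,
 * so teardown cannot slip in between the two halves. */
LockedResult race_with_lock(void) {
    LockedResult r;
    Connection c;
    connection_init(&c);
    while (atomic_flag_test_and_set(&c.lock)) { }        /* discard acquires */
    Frame *f = lookup_frame(&c, 2);
    r.teardown_during = destroy_connection_locked(&c);   /* refused: -1 */
    r.stale = release_frame(&c, f);                      /* false: frame is live */
    atomic_flag_clear(&c.lock);                          /* discard releases */
    r.teardown_after = destroy_connection_locked(&c);    /* the 3 remaining frames */
    return r;
}

int main(void) {
    LockedResult r = race_with_lock();
    printf("unsynchronised: use-after-free=%d\n", race_without_lock());
    printf("synchronised: use-after-free=%d, teardown during=%d, after=%d\n",
           r.stale, r.teardown_during, r.teardown_after);
    return 0;
}
```

Compile with `cc -std=c11 race_model.c`. The unsynchronised path reports the stale access; the locked path reports that teardown was refused while the discard was in progress and that it released the three remaining frames afterwards, which is the property the synchronisation restores.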
The firm said that the zero-day vulnerability persisted in Microsoft Windows operating systems ranging from Windows 8 to Windows 10 version 1703 which was released in November 2017. In order to exploit it, an attacker had to use heap spraying palettes and accelerator tables with the use of GdiSharedHandleTable and gSharedInfo to leak their kernel addresses.
Assigning it the vulnerability code CVE-2019-0797, Microsoft said that attackers successfully exploiting it could run arbitrary code in kernel mode and could then install programs, view, change, or delete data, or create new accounts with full user rights.
"To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control of an affected system. The update addresses this vulnerability by correcting how Win32k handles objects in memory," the company said when releasing a patch for the zero-day flaw.
The most worrying fact about this vulnerability is that, according to Kaspersky Lab, it was actively being exploited by threat actors such as FruityArmor and SandCat before it was discovered and subsequently patched. This suggests that hacker groups may be aware of a large number of vulnerabilities in commonly used platforms that researchers and software developers have not yet discovered.
When asked how organisations can prevent attackers from exploiting undiscovered privilege escalation vulnerabilities in Microsoft Windows to infiltrate their IT systems, Dan Pitman, principal security architect at Alert Logic, told SC Magazine UK that traditional endpoint detection systems struggle to detect unknown exploits simply because they are usually based on signatures or hashes of the malware file that is capitalising on the exploit.
"The only way to ensure detection is to deploy modern advanced endpoint detection that uses behavioural analytics and machine learning to detect anomalous behaviour at the user and lower operating system level, ie the Windows Kernel. Ideally, the detection technology will use methods to sandbox and block the attack before it can get any further, especially in the case of privileged escalation like this one," he said.
"By using these methods, the endpoint detection solution would also not suffer from any lapse in organisations’ processes when it comes to updating the database; meaning that even if the file is opened after the user is offline for a period of time before opening the malicious payload, protection would still be in place," he added.
Martin Jartelius, CSO at Outpost24, also said that to elevate privileges, an attacker needs to gain local access via another exploit or via manipulation of a user. Therefore, to prevent an attacker from doing the same, an organisation must perform extensive hardening of the endpoints and decrease the risk of the initial foothold of an attacker.