Endwall 11/05/2016 (Sat) 06:15:32 No. 655 del
DeepDotWeb
Windows 0-day Exploited in the Wild
http://deepdot35wvmeyd5.onion/2016/11/04/windows-0-day-exploited-wild/
Posted by: Filip Jelic November 4, 2016

Google’s Threat Analysis Group found a zero-day vulnerability – CVE-2016-7855 – notified Adobe and Microsoft on October 21st and released it after a short period. This is yet another zero-day regarding Flash software on Windows. Adobe patched it on October 26th, while Microsoft said the Windows patch will be ready on November 8th. The vulnerability was publicly disclosed on October 31st, which means there is still a window of one week in which Windows users are vulnerable. Google stated that it was already being exploited in the wild, which is why they published it. Affected systems are Windows Vista and newer. All users are advised to update their Flash and browser software, and Windows as soon as the patch arrives. According to this document by Google, Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability. Also, Microsoft published that users of Microsoft are safe on Windows 10 and the Microsoft Edge browser.

What you need to know to understand this vulnerability

When you watch a video in your browser, it is viewed in a sandbox environment. It enables security restrictions for iframe elements that contain untrusted content. These restrictions enhance security by preventing untrusted content from performing actions that can lead to potentially malicious behavior. Sandboxes usually restrict calls to system functions that are not needed by non-malicious files.

A system call is the programmatic way in which a program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system. System calls can be roughly grouped into five major categories:

1. Process Control – create, execute, terminate, get/set attributes.
2. File Management – create, delete, open, close, read, write, get/set attributes.
3. Device Management – request, detach device, get/set attributes.
4. Information Maintenance – get/set time, date, control system data.
5. Communication – create/cancel connection, send and receive messages, etc.

On Windows, system calls are broadly split into two main types, implemented by two separate subsystems in the kernel. First, there are the NT calls, which are implemented by ntoskrnl.exe; then there are the win32k calls, which are implemented by Win32k.sys. Win32k calls tend to be associated with the graphics subsystem (which runs in the kernel on Windows, for performance and historical reasons), while ntoskrnl calls are more for the Windows NT API, e.g. file access, network, POSIX. On Windows, there is no fine-grained system call filtering, but each system call is responsible for verifying the access token of the caller that allows the call to be made.

The Vulnerability

The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.

The previous paragraphs are all the internet news say, so I decided to take a deeper look...
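The article's defensive point is that a process which has the Win32k lockdown mitigation enabled cannot reach win32k.sys at all, so a win32k bug like this one cannot be used to escape its sandbox. The following PowerShell is an added example (not from the DeepDotWeb article, Google's document, or Chrome's own code) for an administrator who wants to verify that state on a Windows 10 box. It assumes Windows 10 1709 or later, where the ProcessMitigations module and its Get-ProcessMitigation / Set-ProcessMitigation cmdlets ship, an elevated shell for the Set- call, and uses the image names chrome.exe and sandboxed-worker.exe only as illustrations.

```powershell
# Added example, not code from the article or from Chrome. Assumes Windows 10
# 1709+ (ProcessMitigations module present). Image names below are illustrative.

function Test-Windows10OrLater {
    # The article notes that Windows 10 with the Win32k lockdown mitigation is
    # not exposed to this sandbox escape; earlier versions must wait for the patch.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    [version]$os.Version -ge [version]'10.0'
}

function Get-Win32kLockdownState {
    # Reports, per running instance of an image, whether the
    # ProcessSystemCallDisablePolicy (Win32k lockdown) mitigation is in effect.
    # A browser's main process legitimately needs win32k (it draws windows);
    # only its renderer/sandboxed children are expected to show ON here.
    param([Parameter(Mandatory)][string]$ImageName)   # e.g. 'chrome.exe' (illustrative)

    $base  = [System.IO.Path]::GetFileNameWithoutExtension($ImageName)
    $procs = Get-Process -Name $base -ErrorAction SilentlyContinue
    if (-not $procs) {
        Write-Warning "No running process named $ImageName"
        return
    }

    foreach ($p in $procs) {
        # Protected or higher-integrity processes may deny the query; skip them.
        $m = Get-ProcessMitigation -Id $p.Id -ErrorAction SilentlyContinue
        if (-not $m) { continue }
        [pscustomobject]@{
            Pid                      = $p.Id
            Image                    = $ImageName
            DisableWin32kSystemCalls = $m.SystemCall.DisableWin32kSystemCalls
        }
    }
}

function Enable-Win32kLockdownPolicy {
    # Persists a per-image policy so every new instance of the image starts with
    # win32k system calls blocked. Appropriate only for helper processes that do
    # no GDI/USER work themselves; a process that needs win32k will fail to start.
    param([Parameter(Mandatory)][string]$ImageName)

    Set-ProcessMitigation -Name $ImageName -Enable DisableWin32kSystemCalls
    # Echo the stored policy so the change can be confirmed.
    (Get-ProcessMitigation -Name $ImageName).SystemCall
}

# Usage (run in an elevated PowerShell):
if (-not (Test-Windows10OrLater)) {
    Write-Warning 'Pre-Windows 10 system: Win32k lockdown is not available; apply the Windows patch.'
}
Get-Win32kLockdownState -ImageName 'chrome.exe' | Format-Table -AutoSize
# Enable-Win32kLockdownPolicy -ImageName 'sandboxed-worker.exe'   # hypothetical helper image
```

The per-PID query matters because Chrome applies the mitigation at runtime to its renderer processes rather than to the whole image, so a policy lookup by name (Get-ProcessMitigation -Name) would report nothing for a browser that is in fact locked down. Expect the browser process itself to show OFF and the renderers ON; a renderer reporting OFF on Windows 10 is the condition worth investigating while the Windows patch is still pending.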