Windows Zero-Day is being actively exploited
A vulnerability in the Windows operating system that was recently patched is being actively exploited. It opens the door for full system takeover. The Windows kernel bug was patched just last week. Vasily Berdnikov and Boris Larin of Kaspersky Lab discovered the bug on St. Patrick’s Day. The flaw, CVE-2019-0859 (https://nvd.nist.gov/vuln/detail/CVE-2019-0859), is a bug in the Windows kernel that allows local privilege escalation. It is being used in advanced persistent threat attacks that target 64-bit versions of Windows.
The hackers are using the bug to establish persistent backdoors on machines, gaining access to run arbitrary code in kernel mode. A hacker could then install programs; view, change or delete data; or create new accounts with full user rights. Fortunately, there is a patch, which Microsoft pushed out in the most recent Patch Tuesday last week, so users should update their systems as soon as possible.
In the win32k.sys kernel driver, the Function ID field defines the class of a window, such as ScrollBar, Menu, and others. The bug allows a hacker to manipulate the process of creating a window by tampering with the value that gets set in the Function ID field. During execution, CreateWindowEx sends the WM_NCCREATE message to the window when it is first created. By using the SetWindowsHookEx function, it is possible to set a custom callback that handles the WM_NCCREATE message right before the window procedure is called.
During that WM_NCCREATE callback, the Function ID is still set to 0, which allows a hacker to set extra data for the window. The researchers were able to change the address of the window procedure, which is executed immediately after the hook. Changing the window procedure to the menu window procedure leads to the execution of xxxMenuWindowProc, and that function initializes the Function ID to FNID_MENU because the current message is WM_NCCREATE. The most important part is that the ability to manipulate the extra data before the Function ID is set to FNID_MENU can force the xxxMenuWindowProc function to stop initialization of the menu and return FALSE. Because of this, sending the WM_NCCREATE message is treated as a failed operation, so the MENU-class window is never actually initialized, which allows the hacker to gain control over the address of a freed memory block.
A hacker who is already logged into the system can run malicious code to exploit the vulnerability. In the observed attacks, the malicious code uses the legitimate PowerShell framework with a Base64-encoded command, which fetches a second-stage PowerShell script from a Pastebin site. That in turn executes a third and final stage, also a PowerShell script, which unpacks lightweight shellcode. The main goal of the shellcode is to set up a trivial HTTP reverse shell, which gives the hacker full control over the system. The use of PowerShell, which is built into Windows, together with simple encoding techniques helps obfuscate the malicious activity and keep anti-virus detections at bay.
This is the fifth consecutive exploited zero-day vulnerability discovered in Windows recently. The others are CVE-2018-8453, CVE-2018-8589, CVE-2018-8611 and CVE-2019-0797. The latter was seen being exploited by at least two hacking groups, including a recently discovered APT group calling itself SandCat, and the FruityArmor group.