Microsoft has recently released a patch for a vulnerability in the Windows operating system that was unknown to most people until last week. The flaw lets an attacker open the door to full control of the affected system.
Discovered by Vasily Berdnikov and Boris Larin of Kaspersky Lab on St. Patrick’s Day this year, the flaw (CVE-2019-0859) is a use-after-free issue in the Windows kernel that allows local privilege escalation (LPE). It’s being used in advanced persistent threat (APT) campaigns targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10).
The exploit we found in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10) and exploited the vulnerability using the well-known HMValidateHandle technique to bypass ASLR.
After successful exploitation, the exploit ran PowerShell with a Base64-encoded command whose main purpose was to download a second-stage script from https://pastebin.com. That second-stage PowerShell script then executes the third and final stage, which is also a PowerShell script.
The third-stage script is very simple and does the following:
- Unpacks shellcode
- Allocates executable memory
- Copies shellcode to allocated memory
- Calls CreateThread to execute shellcode
The shellcode's main goal is to set up a trivial HTTP reverse shell, which gives the attacker full control over the victim's system.
Thankfully, an update for this vulnerability is available from the Microsoft website.
Details provided by SecureList.