Experts from Qihoo 360 disclosed technical details of the actively exploited Windows zero-day flaw CVE-2019-0808 recently patched by Microsoft.


The vulnerability was reported to Microsoft by researchers from Google’s Threat Analysis Group that observed it had been exploited alongside CVE-2019-5786, a Chrome vulnerability patched early March.

Microsoft addressed the flaw with the release of the Patch Tuesday security updates for March 2019.

At the time of the public disclosure, Google did not reveal technical information about the Windows zero-day.

The CVE-2019-0808 vulnerability affects the Windows Win32k component and could be exploited by an authenticated attacker to elevate privileges and execute arbitrary code in kernel mode. An attacker can chain the flaw with a web browser vulnerability to escape the browser sandbox.

The vulnerability only affects Windows 7 and Windows Server 2008 because Windows 10 implements mitigations that prevent its exploitation.

The researchers at Qihoo 360 have now shed light on the flaw and the way to exploit it; they described the root cause with the following statement:

“After receiving the menu window object returned by the window procedure function, the xxxMNFindWindowFromPoint function does not effectively check the validity of its member tagPOPUPMENU, causing the subsequent MNGetpItemFromIndex function to trigger the NULL pointer dereference.”
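The bug class described in that statement, an object handed back by a callback whose pointer member is dereferenced without being validated, is easier to see in a small model than in win32k itself. The following C program is an added illustration written for this article, not win32k code or Qihoo 360's PoC: the structure names (`menu_window_t`, `popup_menu_t`), the callback type `window_proc_t`, the lookup functions and the sample objects are all hypothetical stand-ins for the window object, its tagPOPUPMENU member and the MNGetpItemFromIndex lookup. It places the unchecked pattern beside the hardened form, which is the fix a code reviewer would ask for.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of a popup menu: a count and an array of item ids. */
typedef struct {
    uint32_t  item_count;
    uint32_t *items;
} popup_menu_t;

/* Hypothetical model of a menu window. The popup member stands in for the
 * tagPOPUPMENU member named in the root-cause statement; it can
 * legitimately be NULL for a window that owns no menu. */
typedef struct {
    uint32_t      window_id;
    popup_menu_t *popup;
} menu_window_t;

/* Sentinel returned by the hardened lookup when the request is rejected. */
#define ITEM_INVALID 0xFFFFFFFFu

/* A caller-supplied window procedure returns the window object to use;
 * the caller of the lookup cannot assume anything about what it returns. */
typedef menu_window_t *(*window_proc_t)(void *ctx);

/* Pattern of the defect: the object returned by the callback is trusted and
 * its popup member is dereferenced with no validation. If popup is NULL
 * this reads through a NULL pointer, a kernel NULL-pointer dereference when
 * the same pattern occurs in a driver. Never call this on a window that has
 * no menu; that missing check is exactly the point. */
uint32_t find_item_unchecked(window_proc_t proc, void *ctx, uint32_t index)
{
    menu_window_t *win = proc(ctx);
    return win->popup->items[index];
}

/* Hardened form: validate every pointer the callback result leads to before
 * using it, and bound the index against the menu's item count. */
uint32_t find_item_checked(window_proc_t proc, void *ctx, uint32_t index)
{
    menu_window_t *win = proc(ctx);
    if (win == NULL || win->popup == NULL || win->popup->items == NULL)
        return ITEM_INVALID;
    if (index >= win->popup->item_count)
        return ITEM_INVALID;
    return win->popup->items[index];
}

/* Constructed sample objects for the demonstration. */
static uint32_t      sample_items[3]      = { 100, 101, 102 };
static popup_menu_t  sample_popup         = { 3, sample_items };
static menu_window_t window_with_menu     = { 1, &sample_popup };
static menu_window_t window_without_menu  = { 2, NULL };

/* Sample window procedures: one returns a window with a menu, one without. */
static menu_window_t *proc_with_menu(void *ctx)    { (void)ctx; return &window_with_menu; }
static menu_window_t *proc_without_menu(void *ctx) { (void)ctx; return &window_without_menu; }

/* Self-check: returns 1 when the hardened lookup serves the valid request
 * and rejects the out-of-range index, the menu-less window and a NULL
 * window, 0 otherwise. */
int run_demo(void)
{
    int ok = 1;
    ok &= (find_item_checked(proc_with_menu, NULL, 1) == 101);
    ok &= (find_item_checked(proc_with_menu, NULL, 3) == ITEM_INVALID);
    ok &= (find_item_checked(proc_without_menu, NULL, 0) == ITEM_INVALID);
    return ok;
}

int main(void)
{
    int ok = run_demo();
    printf("hardened lookup rejects every invalid case: %s\n", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The unchecked function is only safe to call with `proc_with_menu`; the hardened one can be called with either procedure, which is the property a kernel component must have when the object it receives comes from a callback it does not control.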

The experts explained how to trigger the flaw and provided details on how Microsoft has fixed the problem.

The researchers also developed a PoC exploit that they have only partially disclosed. Still, the analysis they published includes step-by-step instructions on the main phases of the exploitation process.

Experts believe that the availability of this information could allow other threat actors to exploit the CVE-2019-0808 flaw in more attacks.

“Through the constructed POC, it is found that the vulnerability is triggered when the NtUserMNDragOver function is called under certain circumstances, causing NULL pointer dereference in win32k!MNGetpItemFromIndex,” conclude the experts. “The vulnerability uses the Windows kernel driver module win32k.sys to perform local privilege escalation. Afterwards, it can break through the restrictions of user privilege. In the meantime, it can also help attackers to escape the sandbox to completely control the victim’s computer.”

Pierluigi Paganini

(SecurityAffairs – CVE-2019-0808, hacking)
