Windows 0day vulnerability threatens Web3 asset security: experts explain the attack principles
Microsoft Windows has a serious 0day vulnerability that may endanger Web3 security
Microsoft recently released a security patch fixing a Windows privilege escalation vulnerability that was being exploited by hackers. The vulnerability exists mainly in earlier Windows versions and cannot be triggered on Windows 11.
Win32k privilege escalation vulnerabilities of this type have a long history, and it is worth noting how attackers keep exploiting them even as security measures continue to improve. We analyzed this vulnerability in depth in a Windows Server 2016 environment.
A 0day vulnerability is a system vulnerability that has not yet been publicly disclosed or patched; it can be exploited silently by hackers and has great destructive potential. Through this system-level Windows 0day, hackers may gain complete control of the system.
Once hackers control the system, the consequences include, but are not limited to, leakage of personal information, system crashes and data loss, financial losses, and the installation of malware. For individual users, cryptocurrency private keys may be stolen and digital assets transferred away; on a larger scale, the vulnerability could even affect the entire Web3 ecosystem that runs on Web2 infrastructure.
Analyzing the patch code, we found that the problem was caused by an object's reference count being processed one time too many. Judging from earlier source code comments, the previous code locked only the window object and not the menu object inside it, which made it possible for the menu object to be referenced incorrectly.
To trigger the vulnerability we constructed a special multi-layer nested menu structure. By carefully designing the menu properties and reference relationships, we were able to free specific menu objects at the moment certain functions return to the user layer, so that subsequent code references an invalid object.
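To make the root cause above concrete (the kernel pins the window but not the menu it owns, and the menu is released when control returns to the user layer), here is an added toy model in C. It is not win32k code and not the authors' code; `Obj`, `Window`, `user_callback` and the two `use_menu_*` functions are invented names, and "freeing" is modelled as a flag so the dangling access stays observable rather than being undefined behaviour. The vulnerable pattern is shown beside the fixed one, which also holds a reference on the menu across the callback.

```c
/* Toy refcounted object (constructed model, not a win32k structure). */
typedef struct Obj { int refs; int freed; } Obj;   /* freed: "free" as a flag */
static void lock_obj(Obj *o)   { o->refs++; }
static void unlock_obj(Obj *o) { if (--o->refs == 0) o->freed = 1; }

/* A window that owns exactly one reference on its menu. */
typedef struct Window { Obj self; Obj *menu; } Window;

/* Simulated return to the user layer: user code swaps the window's menu,
 * dropping the window's reference on the old menu (the last one unless pinned). */
static void user_callback(Window *w, Obj *replacement) {
    Obj *old = w->menu;
    w->menu = replacement;
    lock_obj(replacement);
    unlock_obj(old);
}

/* Vulnerable pattern: only the window is locked across the callback, so the
 * menu pointer captured beforehand can be dangling afterwards. Returns 1 on UAF. */
static int use_menu_vulnerable(Window *w, Obj *replacement) {
    Obj *menu = w->menu;
    lock_obj(&w->self);
    user_callback(w, replacement);
    int dangling = menu->freed;     /* on real memory this is the UAF read */
    unlock_obj(&w->self);
    return dangling;
}

/* Fixed pattern: also pin the menu until the kernel is done with it, so the
 * user-layer swap can drop only one of the two references. */
static int use_menu_fixed(Window *w, Obj *replacement) {
    Obj *menu = w->menu;
    lock_obj(&w->self);
    lock_obj(menu);
    user_callback(w, replacement);
    int dangling = menu->freed;     /* stays 0: the menu is still alive here */
    unlock_obj(menu);               /* last reference dropped only now */
    unlock_obj(&w->self);
    return dangling;
}

/* Builds a window holding one reference on menu1 and runs one pattern. */
static int scenario(int fixed) {
    Obj menu1 = {1, 0}, menu2 = {0, 0};
    Window w = { {1, 0}, &menu1 };
    return fixed ? use_menu_fixed(&w, &menu2) : use_menu_vulnerable(&w, &menu2);
}
```

Calling `scenario(0)` and `scenario(1)` shows the difference: the vulnerable path reports a use after free, the fixed path does not, because the extra lock means the user-layer swap cannot drop the last reference while the kernel still holds the pointer.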
The key to exploiting this vulnerability is controlling the cbWndExtra parameter so that it takes a particularly large value. We ultimately achieved this by manipulating the memory layout to control the memory data of adjacent objects.
To build a stable exploit, we designed a special memory layout consisting of multiple contiguous window objects and window class objects. By freeing and reoccupying specific objects, we gain control over the key parameters.
For read and write primitives, we use GetMenuBarInfo() for arbitrary reads and SetClassLongPtr() for arbitrary writes. Apart from the write that replaces the TOKEN, all other writes are performed using offsets from the class object of the first window object.
Although Microsoft is working to refactor the win32k-related code in Rust, vulnerabilities of this kind still pose a serious threat to existing Windows systems. The exploitation process is relatively simple and relies mainly on leaking the desktop heap handle address.
We speculate that this vulnerability may have been discovered thanks to improved code coverage detection techniques. Going forward, detection of such vulnerabilities should not focus only on the critical points of the functions that trigger them, but should also emphasize detecting abnormal memory layouts and abnormal data read/write operations.