Home > Cyber News > CVE-2019-0859 Zero-Day: How Did the Exploit Work in the Wild?

CVE-2019-0859 Zero-Day: How Did the Exploit Work in the Wild?

CVE-2019-0859 is a zero-day vulnerability which was part of this month‘s Patch Tuesday. The vulnerability was detected by Kaskersky Lab researchers who just released detailed technical resume of the issue.

In March 2019, Kaspersky’s Exploit Prevention (EP) systems detected an attempt to exploit a vulnerability in the Microsoft Windows operating system. Further analysis of this event led to the discovery of a zero-day flaw located in win32k.sys. It was the fifth consecutive exploited Local Privilege Escalation vulnerability in Windows discovered by the same team in the past several months, the researchers said.

Related: [wplinkpreview url=”https://sensorstechforum.com/cve-2019-0803-cve-2019-0859-exploited/”] Microsoft Bugs CVE-2019-0803, CVE-2019-0859 Exploited in the Wild.

CVE-2019-0859 Technical Details

Shortly said, CVE-2019-0859 is a Use-After-Free flaw located in the system function that handles dialog windows and their additional styles. The exploit pattern the researchers came across in the wild targeted 64-bit versions of the operating systems, ranging from Windows 7 to the latest builds of Windows 10. Note that exploitation of the vulnerability allows the malware to download and execute a script written by the attackers. The worst case scenario of this exploit is gaining full control of infected systems.

In detail, upon execution CreateWindowEx sends the message WM_NCCREATE to the window when it’s first created, the researchers explained. By using the SetWindowsHookEx function, it is possible to set a custom callback that can handle the WM_NCCREATE message right before calling the window procedure.

Furthermore, the bug is related to Function ID:

In win32k.sys all windows are presented by the tagWND structure which has an “fnid” field also known as Function ID. The field is used to define the class of a window; all windows are divided into classes such as ScrollBar, Menu, Desktop and many others.

The exploit the researchers discovered in the wild was targeting 64-bit versions of Windows (from Windows 7 to older builds of Windows 10). The flaw was leveraged by using the well-known HMValidateHandle technique utilized to bypass ASLR.

After a successful exploitation, PowerShell was executed with a Base64 encoded command. The sole purpose of the command was to download a second-stage script from https//pastebin.com. The second stage PowerShell executed the final third stage, which was also a PowerShell script.

Users should install the update addressing CVE-2019-0859 to avoid any exploitation.

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum since the project started. A professional with 10+ years of experience in creating engaging content. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles! Follow Milena @Milenyim

More Posts

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

This website uses cookies to improve user experience. By using our website you consent to all cookies in accordance with our Privacy Policy.
I Agree