Analyzing the Recent Windows Zero-Day Escalation of Privilege Exploit

By on

Recently we caught a malicious sample that exploits a PDF vulnerability–CVE-2013-3346, we believe–and executes after a use-after-free condition occurs. During our analysis we noticed that this PDF sample also exploits a zero-day local Windows vulnerability–CVE-2013-5065–to escalate privilege. This zero-day occurs in NDProxy.sys under Windows XP and 2003. The exploitation of this flaw is similar to CVE-2010-2743, known as the Win32k keyboard layout vulnerability. Let’s take a closer look.

After the PDF exploit succeeds and shellcode executes, it fills the first page in memory, starting from address 0, with hundreds of NOP instructions and then fills with kernel shellcode. Next it gets a handle to \\.\NDProxy via the API CreateFileA, and then uses this handle by calling the API DeviceIoControl with the IOCTL code 0x8fff23c8. Next the execution flaw goes into the NDProxy!PxIoDispatch function in Ring 0. (PxIoDispatch is the function that handles input-output control coming from user mode.)   20131206 PDF exploit 1

While coming to the branch that handles IOCTL code 0x8fff23c8, PxIoDispatch processes the input buffer supplied by the attacker:

20131206 PDF exploit 2

The esi register points to the input buffer coming from user mode, and the content of input buffer is set like this:

20131206 PDF exploit 3

After calculating, the eax value is (0x7030125-0x7030101)*3*4=0x1b0, which will be used as an index to a function table later:

20131206 PDF exploit 4

Now for the vulnerability: Let’s see how long the function table is that resides at off_18008. The beginning of the table:

20131206 PDF exploit 5

The end of the table:

20131206 PDF exploit 6

The end offset, 0x181b0, minus the beginning offset, 0x18008, gives us 0x1a8. In our case the index is 0x1b0, which is already out of the table, and references the second dword at the next table, with the value 0x38. So the execution flaw now goes to address 0x38 thanks to the call instruction, and everything is under the attacker’s control.

In the kernel shellcode, the exploit replaces the current process’ token with the SYSTEM process’ token, which should escalate its privilege as SYSTEM, and return to the caller. Now the following user mode shellcode will run at privileged level. The exploit then drops a temp file with a random name such as xxx.tmp, a Trojan, in the temporary directory, and launches it by calling the API WinExec.

Thanks to my colleagues Vinay Karecha, Bing Sun, and Lijun Cheng for their support and help with this analysis.

Leave a Comment

Similar articles

Messaging apps are a common form of digital communication these days, with Facebook’s WhatsApp being one of the most popular options out there. The communication platform boasts over 1.5 billion users – who now need to immediately update the app due to a new security threat. In fact, WhatsApp just announced a recently discovered security ...
Read Blog
Over the years, our lives have become more and more digital. Think about it: 20 years ago, no one was using banking apps and social media had just barely begun coming to fruition. Now, many of us are reliant on mobile banking to pay our bills and we check our favorite social media platforms multiple ...
Read Blog