Exploiting the win32k!xxxEnableWndSBArrows use-after-free (CVE-2015-0057) bug on both 32-bit and 64-bit

tl;dr

Earlier this year I worked on an exploit for an interesting use-after-free vulnerability in win32k.sys (CVE-2015-0057) and was able to develop a reliable exploit on both 32-bit and 64-bit, affecting XP through Windows 8.1 (with a few exceptions). This writeup describes in detail how I approached exploitation on both architectures, which ended up being somewhat different. I also describe how exploitation works on Windows 8.1 with SMEP and in a low integrity environment.

The post is quite long, but I try to provide a lot of detail to demonstrate what is involved in exploiting this bug instead of glazing over details, although I do still glaze over some. Hopefully the level of detail is helpful.

Introduction

On February 10, 2015, Microsoft released MS15-10 to address a number of vulnerabilities. The bug was found by Udi Yavo of enSilo. Udi released a nice analysis of the vulnerability on the breaking malware blog. I recommend reading it to better understand the bug, although I do try to explain most of the details here, as I had to overcome a few hurdles to get it to trigger. This bug was really interesting to exploit, but there are a lot of details omitted from the blog post by Udi, which he acknowledges:

“Responsible disclosure: although this blog entry is technical, we won’t reveal any code, or the complete details, to prevent any tech master from being able to reproduce an exploit.”

As an added bonus to exploiting this bug we get to evolve into our next Pokémon form: tech wizard. I want to give Udi credit for finding the bug, providing the information he did, and exploiting the bug, which he demonstrates on his blog. It was really helpful.

I had never exploited a win32k.sys vulnerability before, and was not familiar with usermode callbacks or many of the APIs I was using, so I would also like acknowledge the amazing resources made available online by a few well-known security researchers: Skywing, Tarjei Mandt, Alex Ionescu, j00ru, etc. All of these people deserve massive kudos for providing so much technical information publicly. One of the papers I used extensively was Tarjei Mandt’s Win32k.sys exploitation paper. I highly recommend reading that if you have no familiarity with win32k.sys.

Since I wrote my exploit, a nice reverse-engineered exploit was made available for CVE-2015-1701, which is useful for seeing an actual code example of how to hook usermode callbacks. Kudos to those who reversed that and made it available.

It’s probably worth noting that most of my analysis below was done on a Windows 7 installation, because it appears to be the only version that has corresponding symbols available for most of the win32k.sys structures. Microsoft pulled the information out again as of 8, for an unknown reason.

Lastly I want to say that the way I approach exploiting this bug is quite complicated. It’s entirely possible that there is a much easier way to do it that I just overlooked. I’d love to hear if someone did it a different way. Either way I hope what’s described is still useful for people researching win32k.sys bugs.

Download the blog post here

Published date:  08 July 2015

Written by:  Aaron Adams