Exploiting MS15-061 Use-After-Free Windows Kernel Vulnerability
In June 2015, Microsoft released the MS15-61 advisory, to address a number of vulnerabilities. Today we’ve released a detailed analysis of one of these vulnerabilities, in the win32k.sys driver, and documented the necessary details for exploiting this class of vulnerability on Microsoft Windows 7 Service Pack 1.
This is a use-after-free vulnerability in the win32k.sys driver. The issue arises due to the lack of window kernel class locking for the user-mode callback, and can be triggered by the xxxSetClassLong function in the win32k.sys driver. The exploitation of this issue results in elevation of privilege to ‘NT AUTHORITYSYSTEM’.
The vulnerability affects Windows versions from XP to Windows 7 Service Pack 1 and thus is a forever bug on certain platforms (denoted by *):
- Windows 7
- Windows Vista
- Windows XP*
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003
To give an idea of the overall effort spent exploiting this vulnerability was in the three to four week region including exploratory research and refinements.
We hope you enjoy