This paper details how I ported the CVE-2015-2426 (a.k.a. MS15-078) vulnerability, as originally exploited by Eugene Ching of Qavar Security on the January 2015 version of Windows 8.1 64-bit, to the more recent July 2015 version of Windows 8.1 64-bit, the last version of Windows still vulnerable to this issue before it was patched by Microsoft. By exploiting this vulnerability, an attacker can corrupt memory within the kernel pool in order to elevate his/her privileges.
The original exploit is part of the Hacking Team (HT) data leaked in July 2015. E-mails from January 2015 available on WikiLeaks show that Eugene Ching sold this exploit to HT; at the time of the leak, it was still a zero-day. While this sale was going on, j00ru also found the same bug, in May 2015. The original exploit from HT only worked on an old version of Windows 8.1 64-bit (January 2015). Some very good technical details are available in a Chinese blog post written by MJ0011 and pgboy from the 360 Vulcan Team, which covers the vulnerability in more detail along with the steps needed to recreate the crash.
The vulnerability resides in the ATMFD.DLL kernel driver. “ATMFD” stands for Adobe Type Manager Font Driver. This driver is developed by Adobe and is present on default Windows installations. Although the extension is .DLL, it is actually a kernel driver running in kernel space. This driver is responsible for rendering OpenType font files. As detailed in the OpenType specification, OpenType is a very complex format that includes support for a lot of features, and as such quite a few bugs have been found in parsers of this format.
If you want to read this paper alongside the source code of this exploit, I would recommend that you use the code from the original e-mail’s attachment or use this GitHub repository.
To follow this paper, you need to know what a vtable is and have some basic knowledge of what return-oriented programming (ROP) is. You also need to be aware of the Windows 8 mitigations such as SMEP and Kernel ASLR. Throughout this paper, I will be using the WinDbg debugger. You can refer to this page for a description of the commands being used.
If you are interested in repeating the steps of this paper, this is the environment I have used:
- Windows 8.1 64-bit up-to-date in July 2015, KB3079904 removed (ATMFD.DLL 188.8.131.52, 14/07/2015)
- ntoskrnl.exe: 6.3.9600.17736 (23/03/2015)
- win32k.sys: 6.3.9600.17915 (25/06/2015)
- ATMFD.DLL: 184.108.40.206 (29/10/2014)
Questions, Feedback and Corrections
I appreciate any questions, feedback or corrections, so please do not hesitate to contact me over email at cedric<dot>halbronn<@>ncc<nothing>group<anotherdot>trust or via Twitter @saidelike.
Published date: 01 September 2015
Written by: Cedric Halbronn