At the time of the public disclosure, Google did not reveal technical information about the Windows zero-day.
The CVE-2019-0808 vulnerability affects the Windows Win32k component and could be exploited by an authenticated attacker to elevate privileges and execute arbitrary code in kernel mode. An attacker can chain the flaw with a web browser vulnerability to escape sandboxes.
The vulnerability only affects Windows 7 and Windows Server 2008, because Windows 10 implements mitigations that prevent its exploitation.
Now the researchers at Qihoo 360 have shed light on the flaw and on the way to exploit it; they described the root cause with the following statement:
“After receiving the menu window object returned by the window procedure function, the xxxMNFindWindowFromPoint function does not effectively check the validity of its member tagPOPUPMENU, causing the subsequent MNGetpItemFromIndex function to trigger the NULL pointer dereference.”
The experts explained how to trigger the flaw and provided details on how Microsoft has fixed the problem.
The researchers also developed a PoC exploit that they have only partially disclosed. However, the analysis published by the researchers includes step-by-step instructions covering the main phases of the exploitation process.
Experts believe that the availability of this information could allow other threat actors to exploit the CVE-2019-0808 flaw in more attacks.
“Through the constructed POC, it is found that the vulnerability is triggered when the NtUserMNDragOver function is called under certain circumstances, causing a NULL pointer dereference in win32k!MNGetpItemFromIndex,” conclude the experts. “The vulnerability uses the Windows kernel driver module win32k.sys to perform local privilege escalation. Afterwards, it can break through the restrictions of user privilege. In the meanwhile, it can also help attackers to escape the sandbox to completely control the victim’s computer.”
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and is a Certified Ethical Hacker (EC-Council, London). The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
Author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".