Full Report
Starting from the beginning with no experience whatsoever in kernel land, let alone exploiting it, I was always intrigued and fascinated by reverse engineering and exploit development. The idea was simple: find a 1-day patch with an exploitable bug but with no proof-of-concept exploit currently available, in order to start my reverse engineering and exploit dev journey with. Now, the bug discussed here was not my initial choice: I failed at that one. It is actually my second choice, and it took almost 4 months to fully understand the exploit and everything related to it.
Analysis Summary
# Vulnerability: MS16-098 RGNOBJ Integer Overflow via GDI Abuse
## CVE Details
- CVE ID: **Not explicitly listed in text, but associated with MS16-098**
- CVSS Score: **Not explicitly provided in text** (Severity is implied to be high due to kernel memory corruption leading to SYSTEM token access)
- CWE: **CWE-190: Integer Overflow or Wraparound** (Inferred from "Integer Overflow")
## Affected Systems
- Products: Microsoft Windows (Kernel components, specifically `win32k.sys`)
- Versions: Windows 8.1 x64 (the analysis covers the patch shipped in MS16-098; the vulnerable version is any build of `win32k.sys` prior to that update).
- Configurations: Default configuration. The trigger is reached through ordinary GDI calls from user mode, and the exploitation technique relies on abusing GDI objects (Bitmaps) in the attacker's own session.
## Vulnerability Description
The vulnerability is in `win32k!bFill`, in the kernel-mode GDI driver (`win32k.sys`). The function derives the size of a pool buffer from a caller-controlled element count, and the multiplication is done in 32-bit arithmetic with no overflow check before the result is passed to `PALLOCMEM2`. A large enough count makes the product wrap to a small value, so a small pool chunk is allocated while the function goes on to write the full, unwrapped number of elements into it, overflowing into whatever sits next in the kernel pool. The patch adds an overflow-checked multiply (`UlongMult3`) ahead of the allocation and fails the call when the product does not fit in a `ULONG`. The exploit chain grooms the pool (pool feng shui) so that the chunk following the undersized buffer is a Bitmap GDI object; the overflow corrupts that bitmap's header, turning user-mode bitmap calls on it into an arbitrary kernel read/write primitive, which is then used for token stealing.
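The arithmetic at the heart of the bug, as an added illustration that is not code from the write-up or from the sensepost repository. The per-element record size (`EDGE_RECORD_SIZE`) and the fixed header overhead are illustrative assumptions, not values taken from `win32k!bFill`; the checked helpers model the contract of an overflow-checked multiply such as the `UlongMult3` call the patch introduced, they are not the real routine. The point it shows is that a count of roughly 0x5555556 elements wraps a 32-bit size to a few bytes while the writer still expects to store over 4 GiB.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed for illustration: size of one edge record and a fixed header.
 * The real sizes used by win32k!bFill are not stated on this page. */
#define EDGE_RECORD_SIZE 0x30u
#define HEADER_SIZE      0x10u

/* Pre-patch behaviour: 32-bit multiply and add silently wrap around. */
uint32_t alloc_size_vulnerable(uint32_t count) {
    return count * EDGE_RECORD_SIZE + HEADER_SIZE;
}

/* Overflow-checked multiply: false if a*b does not fit in a ULONG. */
bool ulong_mult_checked(uint32_t a, uint32_t b, uint32_t *out) {
    uint64_t wide = (uint64_t)a * (uint64_t)b;
    if (wide > UINT32_MAX) return false;
    *out = (uint32_t)wide;
    return true;
}

/* Overflow-checked add: false if a+b does not fit in a ULONG. */
bool ulong_add_checked(uint32_t a, uint32_t b, uint32_t *out) {
    if (a > UINT32_MAX - b) return false;
    *out = a + b;
    return true;
}

/* Post-patch shape: fail the allocation instead of wrapping.
 * Returns the size, or -1 when either step would overflow. */
int64_t alloc_size_checked(uint32_t count) {
    uint32_t body, total;
    if (!ulong_mult_checked(count, EDGE_RECORD_SIZE, &body)) return -1;
    if (!ulong_add_checked(body, HEADER_SIZE, &total)) return -1;
    return (int64_t)total;
}

/* How far past the (wrapped) allocation a writer that trusts `count`
 * would run: the number of bytes landing in the adjacent pool chunk. */
uint64_t bytes_written_past_alloc(uint32_t count) {
    uint64_t needed = (uint64_t)count * EDGE_RECORD_SIZE + HEADER_SIZE;
    uint32_t granted = alloc_size_vulnerable(count);
    return needed > granted ? needed - granted : 0;
}

int main(void) {
    uint32_t counts[] = { 4u, 0x5555555u, 0x5555556u };
    for (int i = 0; i < 3; i++) {
        uint32_t c = counts[i];
        printf("count=0x%08x vulnerable=0x%08x checked=%lld overflow=0x%llx bytes\n",
               c, alloc_size_vulnerable(c),
               (long long)alloc_size_checked(c),
               (unsigned long long)bytes_written_past_alloc(c));
    }
    return 0;
}
```

Two edge cases are worth noticing: 0x5555556 elements wraps the multiply (0x100000020 becomes 0x20), while 0x5555555 elements survives the multiply (0xFFFFFFF0) and only overflows on the header add, giving an allocation size of zero. A check on the multiply alone would miss the second case, which is why both steps are checked.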
## Exploitation
- Status: **PoC available** (the write-up walks through the full chain, from triggering the overflow to token stealing, and links its companion GitHub repository below.)
- Complexity: **High** (a reliable trigger needs kernel debugging to confirm the pool layout, pool feng shui to place a Bitmap object directly after the undersized chunk, and a working ring-0 read/write primitive built from that corrupted object; the write-up's author reports roughly four months of study to get there.)
- Attack Vector: **Local** (the bug is reached through GDI calls from an ordinary user-mode process, so the attacker needs the ability to run code on the host; the result is local privilege escalation to SYSTEM.)
## Impact
- Confidentiality: **High** (Achieving SYSTEM privileges allows reading memory of any process, including lsass and kernel memory.)
- Integrity: **High** (The attacker gains kernel-level control, allowing arbitrary modification of system state and data.)
- Availability: **High** (a pool overflow that lands on the wrong object, or a failed groom, bugchecks the machine.)
## Remediation
### Patches
- **MS16-098**: This security update fixed the integer overflow in `win32k!bFill`. (The specific file version mentioned as patched is `win32k.sys` version 6.3.9600.18405, updated from 6.3.9600.17393).
### Workarounds
- None are given in the source beyond applying MS16-098. The trigger is an ordinary GDI call sequence available to any user-mode process, so there is no practical configuration change that removes it.
## Detection
- **Indicators of compromise**: None specific to this bug are given in the source. The trigger is a normal GDI call sequence, so the observable artifacts are the outcome rather than the trigger: an unprivileged process whose primary token becomes SYSTEM's with no documented elevation path, or an unexplained pool-corruption bugcheck on an unpatched host.
- **Detection methods and tools**: Confirm the installed `win32k.sys` is at or above the patched build listed under Remediation. After a crash, WinDbg's `!pool` and `!poolfind` can locate the corrupted pool headers and the GDI objects that were adjacent to them. Endpoint monitoring that flags a process running with a SYSTEM token whose parent and command line do not explain the elevation covers the post-exploitation stage.
## References
- Vendor Advisory: [Microsoft Security Bulletin MS16-098](https://technet.microsoft.com/library/security/MS16-098)
- Exploit Code/PoC: [sensepost/ms16-098 on GitHub](https://github.com/sensepost/ms16-098)
- Related Research: Core Security analysis of GDI (Bitmap) object abuse for kernel read/write primitives (links provided in the source).