Hacker kicks one bit XP to 10 Windows scroll goal
Screwy GUI carried dead code for 15 YEARS
Windows operating systems from XP to version 10 can be popped with a single bit, researcher Udi Yavo says.
The hacker, formerly chief of the electronic warfare unit for Israeli defence contractor Rafael, detailed how the local privilege escalation vulnerability (CVE-2015-0057) fixed in this week's Patch Tuesday update could grant attackers total control of machines.
"A threat actor that gains access to a Windows machine can exploit this vulnerability to bypass all Windows security measures, defeating mitigation measures such as sandboxing, kernel segregation and memory randomisation," Yavo said.
"Interestingly, the exploit requires modifying only a single bit of the Windows operating system."
The vulnerability existed in the graphical user interface component of the the Win32k.sys module within the Windows Kernel which manages vertical and horizontal scrollbars among other things. It lay in the xxxEnableWndSBArrows function which could alter the state of scrollbars through a call, according to the enSilo co-founder.
Yavo offered a deep technical analysis of Win32k.sys in an advisory in which he said versions up to Windows 10 technical preview were affected.
The attack is useful for remote hackers with a low-privilege beachhead on a victim's machine.
For this reason Yavo did not publish code that could allow attackers to pull off the hack, but it was reasonable to expect the Microsoft patch was being reverse engineered to forge an exploit.
The attack, like previous hacks, bypassed kernel protection mechanisms including kernel address space layout randomisation and data execution prevention, and null dereference protection.
"After some work we managed to create a reliable exploit for all versions of Windows – dating back as of Windows XP to Windows 10 preview [and] have shown that even a minor bug can be used to gain complete control over any Windows operating system," Vayo said.
He also found ancient dead code in calls within the horizontal scrollbar component of the xxxEnableWndSBArrows function to the xxxWindowEvent function. This code he said had existed "for about 15-years doing absolutely nothing".
The vulnerability was part of a pack of killer bugs Redmond crushed Tuesday. That pain pack included a fix for a flaw in the fundamental design of Windows unfixable on Server 2003. That error allowed attackers to hijack a domain-configured Windows system connected to a malicious network in a hack that impacted IT pros more than home users.
It also included a seemingly bizarre vulnerability in which remote code execution was possible through malicious websites that contained embedded TrueType fonts, an attack that would be very valuable on the black market. ®