Windows vulnerabilities threaten Web3 security: hackers can control systems to steal private keys
Analysis of Serious Vulnerability in Microsoft Windows System: Potential Major Security Risks for Web3
Last month, a security patch from Microsoft fixed a Windows privilege escalation vulnerability that was being exploited by hackers. This vulnerability mainly exists in earlier versions of Windows and cannot be triggered on Windows 11. Although such vulnerabilities have existed for many years, it is still worth analyzing how attackers continue to exploit them in the context of continually improving security measures.
This analysis was performed on Windows Server 2016. The flaw is a previously undisclosed zero-day vulnerability that lets an attacker take complete control of a Windows system. Once a system is compromised, the consequences can include leakage of personal information, system crashes, data loss, financial losses, and more. For Web3 users in particular, private keys may be stolen and digital assets transferred away. On a larger scale, the vulnerability could affect the entire Web3 ecosystem that runs on Web2 infrastructure.
Analysis of the patch shows that the issue lies in object reference counting. Comments in the early source code indicate that the previous code locked only the window object, not the menu object held by that window, so the menu object could be referenced after it had been released.
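To make the bug class concrete, the following is an added illustration, not code from the article or from Microsoft's win32k sources. It models a window that holds a reference-counted menu with constructed, minimal structures (`Window`, `Menu`, `menu_lock`, `menu_unlock` are all assumed names), and a stand-in for a user-mode callback that detaches the menu. The vulnerable handler locks only the window across the callback and then reads through a stale menu pointer; the hardened handler also takes a reference on the menu for as long as it uses the raw pointer. A `freed` flag replaces returning memory to the pool so the dangling use can be observed instead of crashing.

```c
#include <stdio.h>
#include <stdlib.h>

/* Minimal refcounted object model, constructed for this illustration (not
 * win32k's real structures). A "freed" flag stands in for returning the
 * memory to the pool so a dangling use can be observed rather than crash. */
typedef struct Menu {
    int refs;
    int freed;       /* 1 once the last reference has been dropped */
    int item_count;  /* payload a kernel routine might read later */
} Menu;

typedef struct Window {
    int refs;
    Menu *menu;      /* the window's current menu, or NULL */
} Window;

static Menu *menu_create(int items) {
    Menu *m = calloc(1, sizeof *m);
    m->refs = 1;
    m->item_count = items;
    return m;
}
static void menu_lock(Menu *m) { if (m) m->refs++; }
static void menu_unlock(Menu *m) {
    if (m && --m->refs == 0) {
        m->freed = 1;        /* simulated free: object is now invalid */
        m->item_count = 0;
    }
}
static void window_lock(Window *w)   { w->refs++; }
static void window_unlock(Window *w) { w->refs--; }

/* Stands in for a user-mode callback: the caller's code may do anything with
 * the window, including detaching the menu and dropping the reference the
 * window held on it. */
static void user_callback_detach_menu(Window *w) {
    Menu *m = w->menu;
    w->menu = NULL;
    menu_unlock(m);
}

/* Vulnerable pattern: only the window is locked across the callback, so the
 * raw menu pointer can dangle. Returns -1 if a freed menu was touched,
 * otherwise the item count that was read. */
int handle_menu_vulnerable(Window *w) {
    Menu *m = w->menu;
    if (!m) return 0;
    window_lock(w);
    user_callback_detach_menu(w);
    int result = m->freed ? -1 : m->item_count;  /* use after release */
    window_unlock(w);
    return result;
}

/* Hardened pattern: hold a reference on the menu too for as long as the raw
 * pointer is in use, so the callback cannot release it underneath us. */
int handle_menu_hardened(Window *w) {
    Menu *m = w->menu;
    if (!m) return 0;
    window_lock(w);
    menu_lock(m);
    user_callback_detach_menu(w);
    int result = m->freed ? -1 : m->item_count;  /* still alive: we hold a ref */
    menu_unlock(m);   /* our reference was the last one; freed here, safely */
    window_unlock(w);
    return result;
}

/* Drives one handler on a fresh window whose menu has `items` entries and
 * returns what the handler read (-1 signals a use of a freed object). */
int run_scenario(int hardened, int items) {
    Window w = { .refs = 1, .menu = menu_create(items) };
    Menu *m = w.menu;   /* keep the allocation so it can be released below */
    int r = hardened ? handle_menu_hardened(&w) : handle_menu_vulnerable(&w);
    free(m);
    return r;
}

int main(void) {
    printf("vulnerable handler read: %d\n", run_scenario(0, 3));
    printf("hardened handler read:   %d\n", run_scenario(1, 3));
    return 0;
}
```

The point of the comparison is the lifetime rule the patch restores: any object reached through a raw pointer across a point where user-controlled code can run must carry its own reference for that whole window, not merely the reference held by its parent.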
To reproduce the vulnerability, we constructed a special multi-layer nested menu structure and set specific properties for each menu to pass the system's related checks. The key is to remove the reference relationship between menus when returning to the user layer, successfully releasing the target menu object. This way, when the kernel function references the menu again, it will access an invalid object.
For exploitation, we mainly considered two approaches: executing shellcode, or using read and write primitives to modify the token address. Given the security mechanisms in newer Windows versions, we chose the latter. The whole process can be divided into two steps: first, use the UAF vulnerability to control the cbWndExtra value, and then build stable read and write primitives on top of that.
To achieve a stable memory layout, we designed a structure of three consecutive HWND objects, releasing the middle object and occupying it with an HWNDClass object. The HWND objects at the front and back are used for system checks and as the final read/write medium, respectively. We also accurately determine whether the object arrangement meets expectations by leaking the kernel handle address.
In terms of reading and writing primitives, we use GetMenuBarInfo() for arbitrary reading and SetClassLongPtr() for arbitrary writing. Apart from TOKEN replacement operations, all other writing operations utilize the class object of the first window object.
Overall, although Microsoft is refactoring the relevant kernel code in Rust to improve security, vulnerabilities of this kind still pose a serious threat to existing systems. The exploitation process is relatively simple and relies mainly on the leakage of desktop heap handle addresses. In the future, detecting abnormal memory layouts and unusual window operations may help uncover similar vulnerabilities.