CVE-2018-8120 - Improper Resource Shutdown or Release vulnerability in Microsoft Windows 7 and Windows Server 2008

CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: local, low complexity, microsoft, CWE-404, nessus, exploit available, metasploit

Summary

An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows Server 2008, Windows 7, Windows Server 2008 R2. This CVE ID is unique from CVE-2018-8124, CVE-2018-8164, CVE-2018-8166.

Vulnerable Configurations

Part | Description | Count
-----|-------------|------
OS   | Microsoft   | 4

Common Weakness Enumeration (CWE)

CWE-404: Improper Resource Shutdown or Release

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Flooding
    An attacker consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow control in the management of interactions. Since each request consumes some of the target's resources, if a sufficiently large number of requests must be processed at the same time then the target's resources can be exhausted. The degree to which the attack is successful depends upon the volume of requests in relation to the amount of the resource the target has access to, and other mitigating circumstances such as the target's ability to shift load or acquire additional resources to deal with the depletion. The more protected the resource and the greater the quantity of it that must be consumed, the more resources the attacker may need to have at their disposal. A typical TCP/IP flooding attack is a Distributed Denial-of-Service attack where many machines simultaneously make a large number of requests to a target. Against a target with strong defenses and a large pool of resources, many tens of thousands of attacking machines may be required. When successful, this attack prevents legitimate users from accessing the service and can cause the target to crash. This attack differs from resource depletion through leaks or allocations in that the latter attacks do not rely on the volume of requests made to the target but instead focus on manipulation of the target's operations. The key factor in a flooding attack is the number of requests the attacker can make in a given period of time. The greater this number, the more likely an attack is to succeed against a given target.
  • Excessive Allocation
    An attacker causes the target to allocate excessive resources to servicing the attacker's request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be attacked, including bandwidth, processing cycles, or other resources. This attack does not attempt to force this allocation through a large number of requests (that would be Resource Depletion through Flooding) but instead uses one or a small number of requests that are carefully formatted to force the target to allocate excessive resources to service them. Often this attack takes advantage of a bug in the target to cause the target to allocate resources vastly beyond what would be needed for a normal request. For example, using an Integer Attack, the attacker could cause a variable that controls allocation for a request to hold an excessively large value. Excessive allocation of resources can render a service degraded or unavailable to legitimate users and can even lead to crashing of the target.
  • Resource Leak Exposure
    An attacker utilizes a resource leak on the target to deplete the quantity of the resource available to service legitimate requests. Resource leaks most often come in the form of memory leaks, where memory is allocated but never released after it has served its purpose. Theoretically, however, any other resource that can be reserved can be targeted if the target fails to release the reservation when the reserved resource block is no longer needed. In this attack, the attacker determines what activity results in leaked resources and then triggers that activity on the target. Since some leaks may be small, this may require a large number of requests by the attacker. However, this attack differs from a flooding attack in that the rate of requests is generally not significant. This is because the resources lost to the leak accumulate until the target is reset, usually by restarting it. Thus, a resource-poor attacker who would be unable to flood the target can still utilize this attack. Resource depletion through leaks differs from resource depletion through allocation in that, in the former, the attacker may not be able to control the size of each leaked allocation, but instead allows the leak to accumulate until it is large enough to affect the target's performance. When depleting resources through allocation, the allocated resource may eventually be released by the target, so the attack relies on making sure that the allocation size itself is prohibitive of normal operations by the target.

Exploit-Db

file: exploits/windows/local/45653.rb
id: EDB-ID:45653
last seen: 2018-11-30
modified: 2018-10-22
platform: windows
port:
published: 2018-10-22
reporter: Exploit-DB
source: https://www.exploit-db.com/download/45653
title: Microsoft Windows - SetImeInfoEx Win32k NULL Pointer Dereference (Metasploit)
type: local

Metasploit

description: This module exploits an elevation of privilege vulnerability that exists in Windows 7 and 2008 R2 when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. This module is tested against Windows 7 x86, Windows 7 x64 and Windows Server 2008 R2 Standard x64.
id: MSF:EXPLOIT/WINDOWS/LOCAL/MS18_8120_WIN32K_PRIVESC
last seen: 2020-06-13
modified: 2018-10-18
published: 2018-10-10
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms18_8120_win32k_privesc.rb
title: Windows SetImeInfoEx Win32k NULL Pointer Dereference

Nessus

  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS18_MAY_4103718.NASL
    description: The remote Windows host is missing security update 4103712 or cumulative update 4103718. It is, therefore, affected by multiple vulnerabilities:
      - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8897)
      - A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8178)
      - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8120, CVE-2018-8124, CVE-2018-8164, CVE-2018-8166)
      - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0954, CVE-2018-1022)
      - A security feature bypass vulnerability exists in .Net Framework which could allow an attacker to bypass Device Guard. An attacker who successfully exploited this vulnerability could circumvent a User Mode Code Integrity (UMCI) policy on the machine. (CVE-2018-1039)
      - An information disclosure vulnerability exists when Chakra improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user's computer or data. (CVE-2018-8145)
      - A remote code execution vulnerability exists in the way that Windows handles objects in memory. An attacker who successfully exploited the vulnerability could execute arbitrary code with elevated permissions on a target system. (CVE-2018-8136)
      - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-8127)
      - An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8167)
      - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0959)
      - An information disclosure vulnerability exists when affected Microsoft browsers improperly handle objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-1025)
      - A remote code execution vulnerability exists in Microsoft COM for Windows when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-0824)
      - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0955, CVE-2018-8114, CVE-2018-8122)
      - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8174)
      - A denial of service vulnerability exists when .NET and .NET Core improperly process XML documents. An attacker who successfully exploited this vulnerability could cause a denial of service against a .NET application. A remote unauthenticated attacker could exploit this vulnerability by issuing specially crafted requests to a .NET (or .NET Core) application. The update addresses the vulnerability by correcting how .NET and .NET Core applications handle XML document processing. (CVE-2018-0765)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109604
    published: 2018-05-08
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109604
    title: KB4103712: Windows 7 and Windows Server 2008 R2 May 2018 Security Update
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(109604);
      script_version("1.10");
      script_cvs_date("Date: 2019/11/08");
    
      script_cve_id(
        "CVE-2018-0765",
        "CVE-2018-0824",
        "CVE-2018-0954",
        "CVE-2018-0955",
        "CVE-2018-0959",
        "CVE-2018-1022",
        "CVE-2018-1025",
        "CVE-2018-1039",
        "CVE-2018-8114",
        "CVE-2018-8120",
        "CVE-2018-8122",
        "CVE-2018-8124",
        "CVE-2018-8127",
        "CVE-2018-8136",
        "CVE-2018-8145",
        "CVE-2018-8164",
        "CVE-2018-8166",
        "CVE-2018-8167",
        "CVE-2018-8174",
        "CVE-2018-8178",
        "CVE-2018-8897"
      );
      script_xref(name:"MSKB", value:"4103718");
      script_xref(name:"MSKB", value:"4103712");
      script_xref(name:"MSFT", value:"MS18-4103718");
      script_xref(name:"MSFT", value:"MS18-4103712");
    
      script_name(english:"KB4103712: Windows 7 and Windows Server 2008 R2 May 2018 Security Update");
      script_summary(english:"Checks for rollup.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security update 4103712
    or cumulative update 4103718. It is, therefore, affected by
    multiple vulnerabilities :
    
      - An elevation of privilege vulnerability exists when the
        Windows kernel fails to properly handle objects in
        memory. An attacker who successfully exploited this
        vulnerability could run arbitrary code in kernel mode.
        An attacker could then install programs; view, change,
        or delete data; or create new accounts with full user
        rights.  (CVE-2018-8897)
    
      - A remote code execution vulnerability exists in the way
        that Microsoft browsers access objects in memory. The
        vulnerability could corrupt memory in a way that could
        allow an attacker to execute arbitrary code in the
        context of the current user. An attacker who
        successfully exploited the vulnerability could gain the
        same user rights as the current user.  (CVE-2018-8178)
    
      - An elevation of privilege vulnerability exists in
        Windows when the Win32k component fails to properly
        handle objects in memory. An attacker who successfully
        exploited this vulnerability could run arbitrary code in
        kernel mode. An attacker could then install programs;
        view, change, or delete data; or create new accounts
        with full user rights.  (CVE-2018-8120, CVE-2018-8124,
        CVE-2018-8164, CVE-2018-8166)
    
      - A remote code execution vulnerability exists in the way
        the scripting engine handles objects in memory in
        Microsoft browsers. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2018-0954, CVE-2018-1022)
    
      - A security feature bypass vulnerability exists in .Net
        Framework which could allow an attacker to bypass Device
        Guard. An attacker who successfully exploited this
        vulnerability could circumvent a User Mode Code
        Integrity (UMCI) policy on the machine.  (CVE-2018-1039)
    
      - An information disclosure vulnerability exists when
        Chakra improperly discloses the contents of its memory,
        which could provide an attacker with information to
        further compromise the users computer or data.
        (CVE-2018-8145)
    
      - A remote code execution vulnerability exists in the way
        that Windows handles objects in memory. An attacker who
        successfully exploited the vulnerability could execute
        arbitrary code with elevated permissions on a target
        system.  (CVE-2018-8136)
    
      - An information disclosure vulnerability exists when the
        Windows kernel improperly handles objects in memory. An
        attacker who successfully exploited this vulnerability
        could obtain information to further compromise the users
        system.  (CVE-2018-8127)
    
      - An elevation of privilege vulnerability exists when the
        Windows Common Log File System (CLFS) driver improperly
        handles objects in memory. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context.  (CVE-2018-8167)
    
      - A remote code execution vulnerability exists when
        Windows Hyper-V on a host server fails to properly
        validate input from an authenticated user on a guest
        operating system.  (CVE-2018-0959)
    
      - An information disclosure vulnerability exists when
        affected Microsoft browsers improperly handle objects in
        memory. An attacker who successfully exploited this
        vulnerability could obtain information to further
        compromise the users system.  (CVE-2018-1025)
    
      - A remote code execution vulnerability exists in
        Microsoft COM for Windows when it fails to
        properly handle serialized objects. An attacker who
        successfully exploited the vulnerability could use a
        specially crafted file or script to perform actions. In
        an email attack scenario, an attacker could exploit the
        vulnerability by sending the specially crafted file to
        the user and convincing the user to open the file.
        (CVE-2018-0824)
    
      - A remote code execution vulnerability exists in the way
        that the scripting engine handles objects in memory in
        Internet Explorer. The vulnerability could corrupt
        memory in such a way that an attacker could execute
        arbitrary code in the context of the current user. An
        attacker who successfully exploited the vulnerability
        could gain the same user rights as the current user.
        (CVE-2018-0955, CVE-2018-8114, CVE-2018-8122)
    
      - A remote code execution vulnerability exists in the way
        that the VBScript engine handles objects in memory. The
        vulnerability could corrupt memory in such a way that an
        attacker could execute arbitrary code in the context of
        the current user. An attacker who successfully exploited
        the vulnerability could gain the same user rights as the
        current user.  (CVE-2018-8174)
    
      - A denial of service vulnerability exists when .NET and
        .NET Core improperly process XML documents. An attacker
        who successfully exploited this vulnerability could
        cause a denial of service against a .NET application. A
        remote unauthenticated attacker could exploit this
        vulnerability by issuing specially crafted requests to a
        .NET (or .NET core) application. The update addresses
        the vulnerability by correcting how .NET and .NET Core
        applications handle XML document processing.
        (CVE-2018-0765)");
      # https://support.microsoft.com/en-us/help/4103718/windows-7-update-kb4103718
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9cd8d3d4");
      # https://support.microsoft.com/en-us/help/4103712/windows-7-update-kb4103712
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0cbb798a");
      script_set_attribute(attribute:"solution", value:
    "Apply Security Only update KB4103712 or Cumulative Update KB4103718.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8136");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/08");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_hotfixes_fcheck.inc");
    include("smb_hotfixes.inc");
    include("smb_func.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = "MS18-05";
    kbs = make_list('4103718', '4103712');
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    if (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);
    
    share = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);
    if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);
    
    if (
      smb_check_rollup(os:"6.1",
                       sp:1,
                       rollup_date:"05_2018",
                       bulletin:bulletin,
                       rollup_kb_list:[4103718, 4103712])
    )
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, hotfix_get_audit_report());
    }
    
  • NASL family: Windows : Microsoft Bulletins
    NASL id: SMB_NT_MS18_MAY_WIN2008.NASL
    description: The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:
      - A remote code execution vulnerability exists in the Credential Security Support Provider protocol (CredSSP). An attacker who successfully exploits this vulnerability could relay user credentials and use them to execute code on the target host. (CVE-2018-0886)
      - An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8897)
      - An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-8167)
      - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-8120, CVE-2018-8124, CVE-2018-8164, CVE-2018-8166)
      - A remote code execution vulnerability exists in "Microsoft COM for Windows" when it fails to properly handle serialized objects. An attacker who successfully exploited the vulnerability could use a specially crafted file or script to perform actions. In an email attack scenario, an attacker could exploit the vulnerability by sending the specially crafted file to the user and convincing the user to open the file. (CVE-2018-0824)
      - A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-8174)
      - A remote code execution vulnerability exists when Windows Hyper-V on a host server fails to properly validate input from an authenticated user on a guest operating system. (CVE-2018-0959)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 109651
    published: 2018-05-09
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/109651
    title: Security Updates for Windows Server 2008 (May 2018)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the Microsoft Security Updates API. The text
    # itself is copyright (C) Microsoft Corporation.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(109651);
      script_version("1.13");
      script_cvs_date("Date: 2019/11/08");
    
      script_cve_id(
        "CVE-2018-0824",
        "CVE-2018-0886",
        "CVE-2018-0959",
        "CVE-2018-8120",
        "CVE-2018-8124",
        "CVE-2018-8164",
        "CVE-2018-8166",
        "CVE-2018-8167",
        "CVE-2018-8174",
        "CVE-2018-8897"
      );
      script_bugtraq_id(
        103998,
        104030,
        104031,
        104033,
        104034,
        104037,
        104063,
        104071
      );
      script_xref(name:"MSKB", value:"4056564");
      script_xref(name:"MSKB", value:"4094079");
      script_xref(name:"MSKB", value:"4101477");
      script_xref(name:"MSKB", value:"4130944");
      script_xref(name:"MSKB", value:"4131188");
      script_xref(name:"MSKB", value:"4134651");
      script_xref(name:"MSFT", value:"MS18-4056564");
      script_xref(name:"MSFT", value:"MS18-4094079");
      script_xref(name:"MSFT", value:"MS18-4101477");
      script_xref(name:"MSFT", value:"MS18-4130944");
      script_xref(name:"MSFT", value:"MS18-4131188");
      script_xref(name:"MSFT", value:"MS18-4134651");
    
      script_name(english:"Security Updates for Windows Server 2008 (May 2018)");
      script_summary(english:"Checks for Microsoft security updates.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote Windows host is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote Windows host is missing security updates. It is,
    therefore, affected by multiple vulnerabilities :
    
      - A remote code execution vulnerability exists in the Credential
        Security Support Provider protocol (CredSSP). An attacker who
        successfully exploits this vulnerability could relay user
        credentials and use them to execute code on the target host.
        (CVE-2018-0886)
    
      - An elevation of privilege vulnerability exists when the
        Windows kernel fails to properly handle objects in
        memory. An attacker who successfully exploited this
        vulnerability could run arbitrary code in kernel mode.
        An attacker could then install programs; view, change,
        or delete data; or create new accounts with full user
        rights.  (CVE-2018-8897)
    
      - An elevation of privilege vulnerability exists when the
        Windows Common Log File System (CLFS) driver improperly
        handles objects in memory. An attacker who successfully
        exploited this vulnerability could run processes in an
        elevated context.  (CVE-2018-8167)
    
      - An elevation of privilege vulnerability exists in
        Windows when the Win32k component fails to properly
        handle objects in memory. An attacker who successfully
        exploited this vulnerability could run arbitrary code in
        kernel mode. An attacker could then install programs;
        view, change, or delete data; or create new accounts
        with full user rights.  (CVE-2018-8120, CVE-2018-8124,
        CVE-2018-8164, CVE-2018-8166)
    
      - A remote code execution vulnerability exists in
        &quot;Microsoft COM for Windows&quot; when it fails to
        properly handle serialized objects. An attacker who
        successfully exploited the vulnerability could use a
        specially crafted file or script to perform actions. In
        an email attack scenario, an attacker could exploit the
        vulnerability by sending the specially crafted file to
        the user and convincing the user to open the file.
        (CVE-2018-0824)
    
      - A remote code execution vulnerability exists in the way
        that the VBScript engine handles objects in memory. The
        vulnerability could corrupt memory in such a way that an
        attacker could execute arbitrary code in the context of
        the current user. An attacker who successfully exploited
        the vulnerability could gain the same user rights as the
        current user.  (CVE-2018-8174)
    
      - A remote code execution vulnerability exists when
        Windows Hyper-V on a host server fails to properly
        validate input from an authenticated user on a guest
        operating system.  (CVE-2018-0959)");
      # https://support.microsoft.com/en-us/help/4056564/security-update-for-vulnerabilities-in-windows-server-2008
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b5f5c446");
      # https://support.microsoft.com/en-us/help/4094079/security-update-for-vulnerabilities-in-windows-server-2008
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?772e96fe");
      # https://support.microsoft.com/en-us/help/4134651/description-of-the-security-update-for-vulnerabilities-in-windows
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5ebb568d");
      # https://support.microsoft.com/en-us/help/4131188/win32k-elevation-of-privilege-vulnerability
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3f9bcdfa");
      # https://support.microsoft.com/en-us/help/4130944/windows-common-log-file-system-driver-vulnerability
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?28ae25e4");
      # https://support.microsoft.com/en-us/help/4101477/microsoft-com-for-windows-remote-code-execution-vulnerability
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?90a897a3");
      script_set_attribute(attribute:"solution", value:
    "Microsoft has released security updates for Windows Server 2008.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-8174");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"exploited_by_malware", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2018/05/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/05/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/05/09");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows : Microsoft Bulletins");
    
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smb_check_rollup.nasl", "smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl", "wmi_enum_server_features.nbin");
      script_require_keys("SMB/MS_Bulletin_Checks/Possible");
      script_require_ports(139, 445, "Host/patch_management_checks");
    
      exit(0);
    }
    
    include("audit.inc");
    include("smb_func.inc");
    include("smb_hotfixes.inc");
    include("smb_hotfixes_fcheck.inc");
    include("misc_func.inc");
    
    get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");
    
    bulletin = 'MS18-05';
    
    kbs = make_list(
      "4056564",
      "4094079",
      "4101477",
      "4130944",
      "4131188",
      "4134651"
    );
    
    if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);
    
    get_kb_item_or_exit("SMB/Registry/Enumerated");
    get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);
    
    # KBs only apply to Windows 2008
    if (hotfix_check_sp_range(vista:'2') <= 0)
      audit(AUDIT_OS_SP_NOT_VULN);
    
    productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
    if ("Vista" >< productname) audit(AUDIT_OS_SP_NOT_VULN);
    
    systemroot = hotfix_get_systemroot();
    if (!systemroot) audit(AUDIT_PATH_NOT_DETERMINED, 'system root');
    
    arch = get_kb_item_or_exit('SMB/ARCH', exit_code:1);
    
    port   = kb_smb_transport();
    login  = kb_smb_login();
    pass   = kb_smb_password();
    domain = kb_smb_domain();
    
    if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
    
    winsxs = ereg_replace(pattern:'^[A-Za-z]:(.*)', replace:"\1\WinSxS", string:systemroot);
    winsxs_share = hotfix_path2share(path:systemroot);
    
    rc = NetUseAdd(login:login, password:pass, domain:domain, share:winsxs_share);
    if (rc != 1)
    {
      NetUseDel();
      audit(AUDIT_SHARE_FAIL, winsxs_share);
    }
    
    the_session = make_array(
      'login',    login,
      'password', pass,
      'domain',   domain,
      'share',    winsxs_share
    );
    
    vuln = 0;
    
    # KB4056564
    files = list_dir(basedir:winsxs, level:0, dir_pat:"security-schannel_31bf3856ad364e35", file_pat:"^schannel\.dll$", max_recurse:1);
    vuln += hotfix_check_winsxs(os:'6.0',
                                sp:2,
                                files:files,
                                versions:make_list('6.0.6002.24383'),
                                max_versions:make_list('6.0.6002.99999'),
                                bulletin:bulletin,
                                kb:"4056564", session:the_session);
    
    
    # KB4094079 (hyper-v ; 64bit only)
    files = list_dir(basedir:winsxs, level:0, dir_pat:"hyper-v-storage_31bf3856ad364e35", file_pat:"^synthstor\.dll$", max_recurse:1);
    if (
      arch == "x64" &&
      (get_kb_item('WMI/server_feature/20') || report_paranoia == 2 ) &&
      hotfix_check_winsxs(os:'6.0',
                                sp:2,
                                files:files,
                                versions:make_list('6.0.6002.24362'),
                                max_versions:make_list('6.0.6002.99999'),
                                bulletin:bulletin,
                                kb:"4094079", session:the_session)
    )
    {
      vuln++;
    }
    
    # KB4101477
    files = list_dir(basedir:winsxs, level:0, dir_pat:"catsrvut-comsvcs_31bf3856ad364e35", file_pat:"^catsrvut\.dll$", max_recurse:1);
    vuln += hotfix_check_winsxs(os:'6.0',
                                sp:2,
                                files:files,
                                versions:make_list('2001.12.6932.24363'),
                                max_versions:make_list('2001.12.6932.99999'),
                                bulletin:bulletin,
                                kb:"4101477", session:the_session);
    
    
    # KB4130944
    files = list_dir(basedir:winsxs, level:0, dir_pat:"commonlog_31bf3856ad364e35", file_pat:"^clfs\.sys$", max_recurse:1);
    vuln += hotfix_check_winsxs(os:'6.0',
                                sp:2,
                                files:files,
                                versions:make_list('6.0.6002.24361'),
                                max_versions:make_list('6.0.6002.99999'),
                                bulletin:bulletin,
                                kb:"4130944", session:the_session);
    
    # KB4131188
    files = list_dir(basedir:winsxs, level:0, dir_pat:"win32k_31bf3856ad364e35", file_pat:"^win32k\.sys$", max_recurse:1);
    vuln += hotfix_check_winsxs(os:'6.0',
                                sp:2,
                                files:files,
                                versions:make_list('6.0.6002.24363'),
                                max_versions:make_list('6.0.6002.99999'),
                                bulletin:bulletin,
                                kb:"4131188", session:the_session);
    
    # KB4134651
    files = list_dir(basedir:winsxs, level:0, dir_pat:"ntdll_31bf3856ad364e35", file_pat:"^ntdll\.dll$", max_recurse:1);
    vuln += hotfix_check_winsxs(os:'6.0',
                                sp:2,
                                files:files,
                                versions:make_list('6.0.6002.24367'),
                                max_versions:make_list('6.0.6002.99999'),
                                bulletin:bulletin,
                                kb:"4134651", session:the_session);
    
    if (vuln > 0)
    {
      replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
      hotfix_security_hole();
      hotfix_check_fversion_end();
      exit(0);
    }
    else
    {
      hotfix_check_fversion_end();
      audit(AUDIT_HOST_NOT, 'affected');
    }
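
The plugin above reports a missing KB when the WinSxS copy of a file is on the Windows Server 2008 SP2 branch but older than the first fixed build, using the `versions` / `max_versions` pair passed to `hotfix_check_winsxs`. The block below is an added example, not Tenable's code: it reimplements that comparison rule in C (my reading of the `versions` = minimum fixed build, `max_versions` = branch ceiling semantics is an assumption) with the six file/version pairs copied from the plugin, so the logic can be exercised offline. The version strings fed to it in `main()` are constructed inputs, not readings from a real host.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One row of the plugin's per-KB table (KB, file, first fixed build, branch ceiling).
   Values copied from the NASL plugin above. */
typedef struct {
    const char *kb;
    const char *file;
    const char *fixed;       /* first build that carries the fix */
    const char *branch_max;  /* anything above this is a different branch */
} kb_check_t;

static const kb_check_t MS18_05_CHECKS[] = {
    {"4056564", "schannel.dll", "6.0.6002.24383",     "6.0.6002.99999"},
    {"4094079", "synthstor.dll", "6.0.6002.24362",    "6.0.6002.99999"},
    {"4101477", "catsrvut.dll", "2001.12.6932.24363", "2001.12.6932.99999"},
    {"4130944", "clfs.sys",     "6.0.6002.24361",     "6.0.6002.99999"},
    {"4131188", "win32k.sys",   "6.0.6002.24363",     "6.0.6002.99999"},
    {"4134651", "ntdll.dll",    "6.0.6002.24367",     "6.0.6002.99999"},
};

/* Parse up to four dotted numeric components; absent components count as 0. */
static int parse_version(const char *s, unsigned long out[4])
{
    int n = 0;
    const char *p = s;
    for (int i = 0; i < 4; i++) out[i] = 0;
    while (n < 4) {
        char *end;
        out[n++] = strtoul(p, &end, 10);
        if (*end != '.') break;
        p = end + 1;
    }
    return n;
}

/* Numeric, component-wise comparison. A plain string compare would get
   "6.0.6002.24383" vs "6.0.6002.9999" wrong. */
int version_cmp(const char *a, const char *b)
{
    unsigned long va[4], vb[4];
    parse_version(a, va);
    parse_version(b, vb);
    for (int i = 0; i < 4; i++) {
        if (va[i] < vb[i]) return -1;
        if (va[i] > vb[i]) return 1;
    }
    return 0;
}

enum { CHECK_NOT_APPLICABLE = -1, CHECK_MISSING = 0, CHECK_PATCHED = 1 };

/* The rule the plugin's versions/max_versions arguments express:
   file above the branch ceiling -> not this branch, say nothing;
   file below the fixed build     -> KB missing;
   otherwise                      -> patched. */
int check_file(const kb_check_t *c, const char *found_version)
{
    if (version_cmp(found_version, c->branch_max) > 0) return CHECK_NOT_APPLICABLE;
    return version_cmp(found_version, c->fixed) < 0 ? CHECK_MISSING : CHECK_PATCHED;
}

/* Find the KB row for a file name and evaluate the observed version. */
int ms18_05_check(const char *file, const char *found_version)
{
    for (size_t i = 0; i < sizeof MS18_05_CHECKS / sizeof MS18_05_CHECKS[0]; i++)
        if (strcmp(MS18_05_CHECKS[i].file, file) == 0)
            return check_file(&MS18_05_CHECKS[i], found_version);
    return CHECK_NOT_APPLICABLE;
}

int main(void)
{
    /* Constructed sample observations, not readings from a real host. */
    const char *samples[][2] = {
        {"win32k.sys", "6.0.6002.24362"},  /* one build below the fix: KB4131188 missing */
        {"win32k.sys", "6.0.6002.24363"},  /* exactly the fixed build */
        {"ntdll.dll",  "6.0.6002.24400"},  /* later cumulative build: patched */
        {"clfs.sys",   "6.0.6003.20000"},  /* different branch: rule does not apply */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int r = ms18_05_check(samples[i][0], samples[i][1]);
        printf("%-12s %-20s -> %s\n", samples[i][0], samples[i][1],
               r == CHECK_MISSING ? "KB missing" : r == CHECK_PATCHED ? "patched" : "not applicable");
    }
    return 0;
}
```

The branch ceiling matters in practice: a file from a later build branch is not "newer than the fix" in any useful sense for this bulletin, and treating it as patched or as missing would both be wrong, which is why the plugin bounds every check with `max_versions`.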
    

Packetstorm

data source: https://packetstormsecurity.com/files/download/149880/ms18_8120_win32k_privesc.rb.txt
id: PACKETSTORM:149880
last seen: 2018-10-20
published: 2018-10-19
reporter: unamer
source: https://packetstormsecurity.com/files/149880/Microsoft-Windows-SetImeInfoEx-Win32k-NULL-Pointer-Dereference.html
title: Microsoft Windows SetImeInfoEx Win32k NULL Pointer Dereference

Seebug

bulletinFamily: exploit
description:

Author: bigric3. Author's blog: http://bigric3.blogspot.jp/2018/05/cve-2018-8120-analysis-and-exploit.html

On May 15 ESET published that in March it had captured a sample chaining a PDF remote code execution (CVE-2018-4990) with a Windows local privilege escalation (CVE-2018-8120). After ESET's post I downloaded the sample from VirusTotal (https://www.virustotal.com/#/file/6cfbebe9c562d9cdfc540ce45d09c8a00d227421349b12847c421ba6f71f4284/detection). Initial reversing broadly confirmed what had been reported: the exploit was still in a development and testing stage and was accidentally uploaded to a public sample-scanning site, where ESET caught it and reported it to Microsoft and Adobe for patching. The test marker strings are as follows:

![](https://images.seebug.org/content/images/2018/05/749f257a-c25c-46b9-823b-f94cc1b785b8.png-w331s)

Locate the key code in the sample and debug it:

![](https://images.seebug.org/content/images/2018/05/4f5a0f4a-53c2-447f-9566-c553b9252ebe.png-w331s)

From this we can tell that the vulnerability lies in the kernel function NtUserSetImeInfoEx, system call number 0x1226, which calls SetImeInfoEx; inside SetImeInfoEx the first parameter is not properly validated, producing a NULL pointer dereference. The relevant trigger logic is as follows:

![](https://images.seebug.org/content/images/2018/05/36ca5838-ff35-43bf-b131-4f9b5a901eab.png-w331s)
![](https://images.seebug.org/content/images/2018/05/bfa34336-21f6-40a2-91ff-3a0f52fafad5.png-w331s)
![](https://images.seebug.org/content/images/2018/05/22f2de30-5879-4ad7-b17c-e4c767bf4e82.png-w331s)

Compared with the currently mainstream GDI privilege-escalation techniques, this sample installs a call gate to achieve kernel privilege escalation.

First, the global descriptor table is obtained with the sgdt instruction:

![](https://images.seebug.org/content/images/2018/05/733d27ba-bb6a-4fa3-98c2-0cdd10a177cf.png-w331s)

Allocate 0x400 bytes of memory and construct the call gate descriptor:

![](https://images.seebug.org/content/images/2018/05/c429317f-a78c-4623-bbb1-7c364ed33706.png-w331s)

The call gate descriptor structure is as follows:

![](https://images.seebug.org/content/images/2018/05/a0f45b85-e09f-453d-98dd-fff4138ddde5.png-w331s)

With the call gate built and the null page mapped, the vulnerability is triggered to install the call gate:

![](https://images.seebug.org/content/images/2018/05/a482a9c8-ea48-4b70-b209-7bd67079a09b.png-w331s)

Register contents at this point:

![](https://images.seebug.org/content/images/2018/05/710b4099-22b5-4330-8ca1-25f6d40e4848.png-w331s)

Source data:

![](https://images.seebug.org/content/images/2018/05/ba7a86be-ab9a-4baf-b93b-da7919487baa.png-w331s)

Destination data:

![](https://images.seebug.org/content/images/2018/05/38656880-5cfa-43c0-8704-34af42e10857.png-w331s)

We can see that the sample's own call gate and Ring0Function have been installed. Once installed (a call gate that ring 3 may call), the ring-3 program calls through the call gate:

![](https://images.seebug.org/content/images/2018/05/546adddf-4ae7-44c4-af42-3cfdd4d697ea.png-w331s)

Find the corresponding GDT entry:

![](https://images.seebug.org/content/images/2018/05/ace41b84-adb8-40da-b677-fdfc91af582d.png-w331s)

Following the GDT entry structure, the call gate descriptor installed by the sample decodes as: code segment selector cs = 0x1a8; low word of the Ring0Function offset = 0x51b4; high word of the Ring0Function offset = 0x80b9; DPL = 3 and the Gate Valid bit = 1. The segment selector cs has the structure shown below; its RPL is 0, the privilege level

![](https://images.seebug.org/content/images/2018/05/1f65a315-dfe0-41c9-838b-df7572646fdb.png-w331s)

Using the structure above, locate the GDT segment descriptor entry:

![](https://images.seebug.org/content/images/2018/05/96be6421-c39f-4678-aee3-188ff428499b.png-w331s)

The segment descriptor structure is as follows:

![](https://images.seebug.org/content/images/2018/05/f2c0a1c5-c9a1-4284-8aac-4f518b01f73d.png-w331s)

Bytes 3, 4, 5 and 8 give a segment base of 0x0; combined with the Ring0Func offset above, this yields the physical address of Ring0Func. Ring0Function is very simple, it just executes ret, but at that point the ring-3 code already has ring-0 privileges, because cs is not restored here:

![](https://images.seebug.org/content/images/2018/05/fa00bd84-43d8-4c78-8296-d981c0e4e9d5.png-w331s)

The whole Far Pointer to Call Gate flow is shown below:

![](https://images.seebug.org/content/images/2018/05/c23217be-2cdb-4a69-9f80-a494a8563dc5.png-w331s)

Break on the call far pointer; at this point cs is 0x1b:

![](https://images.seebug.org/content/images/2018/05/48e7f579-5144-4620-b6a3-59cdf45da2d9.png-w331s)

After single-stepping into it, cs becomes 0x1a8 (the break here is in my two-machine windbg session):

![](https://images.seebug.org/content/images/2018/05/baf4c10e-da96-4d6e-b3f4-e6c5675f6d1a.png-w331s)

In this way the current process token is replaced with the SYSTEM token, completing the privilege escalation; finally cs is restored and the stack balanced before any further ring-3 code runs, otherwise a BSOD is likely.

During the analysis I reconstructed the privilege-escalation code following the sample's approach almost 95%.

##### Source code:

https://github.com/bigric3/cve-2018-8120

##### Thanks:

- https://www.f-secure.com/weblog/archives/kasslin_AVAR2006_KernelMalware_paper.pdf
- http://vexillium.org/dl.php?call_gate_exploitation.pdf

![](https://images.seebug.org/content/images/2018/05/d7bcc1dd-d3e0-43f0-b4c9-eeb46a768d29.gif-w331s)

id: SSV:97307
last seen: 2018-06-26
modified: 2018-05-21
published: 2018-05-21
reporter: My Seebug
source: https://www.seebug.org/vuldb/ssvid-97307
title: Microsoft Windows Kernel 'Win32k.sys' Local Privilege Escalation Vulnerability (CVE-2018-8120)
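
The Seebug write-up above decodes the installed descriptor by hand (selector 0x1a8, offset words 0x51b4 and 0x80b9, DPL 3, present bit set) and explains why a ring-3 `call far` through it lands in ring 0. The C block below is an added example, not bigric3's PoC and not code from the captured sample: it packs and unpacks an x86 32-bit call gate descriptor with exactly those values, decodes the selectors mentioned in the text (0x1b for the caller, 0x1a8 for the target), checks the properties that make the gate usable from user mode, and computes the GDT slot an 8-byte descriptor write has to land on. The GDT base 0x8003f000 used in `main()` is an assumed value for illustration only; the write-up does not state the real one.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example: x86 32-bit call-gate descriptor layout, 8 bytes, little-endian,
   as stored in the GDT. Not bigric3's code.
     bits  0-15  target offset, low word
     bits 16-31  target code-segment selector
     bits 32-36  parameter count (dwords copied across the ring switch)
     bits 40-43  type: 0xC = 32-bit call gate
     bit  44     S = 0 (system descriptor)
     bits 45-46  DPL: highest (least privileged) ring allowed to call through
     bit  47     P (present; "Gate Valid" in the write-up)
     bits 48-63  target offset, high word */

#define GATE_TYPE_CALL32 0xCu

/* Pack the fields into the raw 8-byte descriptor (parameter count 0). */
uint64_t callgate_pack(uint32_t target, uint16_t selector, unsigned dpl, unsigned present)
{
    uint64_t lo = (uint64_t)(target & 0xFFFFu) | ((uint64_t)selector << 16);
    uint64_t access = ((uint64_t)(present & 1u) << 7) | ((uint64_t)(dpl & 3u) << 5) | GATE_TYPE_CALL32;
    uint64_t hi = (access << 8) | ((uint64_t)(target >> 16) << 16);
    return lo | (hi << 32);
}

/* Field extractors for a raw descriptor. */
uint32_t callgate_target(uint64_t raw)   { return (uint32_t)(((raw >> 48) & 0xFFFFu) << 16) | (uint32_t)(raw & 0xFFFFu); }
uint16_t callgate_selector(uint64_t raw) { return (uint16_t)((raw >> 16) & 0xFFFFu); }
unsigned callgate_type(uint64_t raw)     { return (unsigned)((raw >> 40) & 0xFu); }
unsigned callgate_dpl(uint64_t raw)      { return (unsigned)((raw >> 45) & 0x3u); }
unsigned callgate_present(uint64_t raw)  { return (unsigned)((raw >> 47) & 0x1u); }

/* Segment selector: index = bits 3-15, TI = bit 2 (0 = GDT), RPL = bits 0-1. */
unsigned selector_index(uint16_t sel) { return sel >> 3; }
unsigned selector_ti(uint16_t sel)    { return (sel >> 2) & 1u; }
unsigned selector_rpl(uint16_t sel)   { return sel & 3u; }

/* Linear address of the 8-byte GDT slot a selector names. This is where the
   descriptor write delivered through the NULL-page primitive has to land for a
   later `call far` through that selector to use it. */
uint32_t gdt_slot_address(uint32_t gdt_base, uint16_t sel) { return gdt_base + (sel & ~7u); }

/* What makes the gate reachable from user mode: present, DPL 3 (so CPL 3 may
   call through it), 32-bit call-gate type, and a target selector with RPL 0
   so the far call arrives executing with a ring-0 cs. */
int callgate_usable_from_ring3(uint64_t raw)
{
    return callgate_present(raw) == 1
        && callgate_dpl(raw) == 3
        && callgate_type(raw) == GATE_TYPE_CALL32
        && selector_rpl(callgate_selector(raw)) == 0;
}

int main(void)
{
    /* Values from the write-up: selector 0x1a8, offset 0x80b9:51b4, DPL 3, P = 1. */
    uint64_t gate = callgate_pack(0x80b951b4u, 0x1a8, 3, 1);
    uint16_t sel = callgate_selector(gate);
    uint32_t gdt_base = 0x8003f000u;   /* assumed for illustration, not from the analysis */

    printf("descriptor     : %016llx\n", (unsigned long long)gate);
    printf("target         : %08x via selector 0x%x (index %u, TI %u, RPL %u)\n",
           callgate_target(gate), sel, selector_index(sel), selector_ti(sel), selector_rpl(sel));
    printf("DPL %u, P %u     : usable from ring 3 = %d\n",
           callgate_dpl(gate), callgate_present(gate), callgate_usable_from_ring3(gate));
    printf("GDT slot       : %08x\n", gdt_slot_address(gdt_base, sel));
    printf("caller cs 0x1b : index %u, RPL %u\n", selector_index(0x1b), selector_rpl(0x1b));
    return 0;
}
```

The same decoder shows why each of the four conditions is necessary: clear P and the call faults, set DPL to 0 and a CPL-3 caller gets #GP, and a target selector with RPL 3 would never raise the privilege level, which is the whole point of the gate in this sample.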

The Hacker News