Google’s Threat Analysis Group found a zero-day vulnerability, CVE-2016-7855, notified Adobe and Microsoft on October 21st and published it after a short period. This is yet another zero-day in Flash software on Windows.

Adobe patched it on October 26th, while Microsoft said the Windows patch will be ready on November 8th.

The vulnerability was publicly disclosed on October 31st, which means there is still a window of one week in which Windows users are vulnerable. Google stated that it was already being exploited in the wild, which is why they published it.

Affected systems are Windows Vista and newer. All users are advised to update their Flash and browser software now, and Windows as soon as the patch arrives.

According to this document by Google, Chrome’s sandbox blocks win32k.sys system calls using the Win32k lockdown mitigation on Windows 10, which prevents exploitation of this sandbox escape vulnerability. Microsoft also stated that users of Windows 10 with the Microsoft Edge browser are safe.
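The Win32k lockdown that protects Chrome's sandbox on Windows 10 can also be applied to other executables through the process mitigation policy. The following PowerShell script is an added example, not from Google's document or this post; it assumes a Windows 10 build that ships the ProcessMitigations module (1709 or later), an elevated shell, a placeholder executable name `mediaviewer.exe`, and that the policy object exposes the flag under a `SystemCalls` property.

```powershell
# Added example: opt a non-GUI executable into the Win32k lockdown that
# Chrome's sandbox already uses, so win32k.sys system calls from it are blocked.
# Assumes: Windows 10 1709+ (ProcessMitigations module), run as Administrator,
# and that 'mediaviewer.exe' is a placeholder for a process that needs no GUI.
$target = 'mediaviewer.exe'   # placeholder name, not a real product

function Enable-Win32kLockdown {
    param([Parameter(Mandatory)][string]$ExeName)

    # Persist the mitigation for every future instance of the executable.
    # Only do this for processes that never draw windows: once the lockdown
    # is on, every win32k.sys call (CreateWindow, GetDC, SetWindowLongPtr...)
    # is refused by the kernel, so a GUI program would stop working.
    Set-ProcessMitigation -Name $ExeName -Enable DisableWin32kSystemCalls

    # Read the stored policy back and return only the system-call section.
    # Assumption: the returned object exposes it as the 'SystemCalls' property.
    (Get-ProcessMitigation -Name $ExeName).SystemCalls
}

function Test-Win32kLockdown {
    param([Parameter(Mandatory)][string]$ExeName)
    # Assumption: the flag reads 'ON' once the policy has been stored.
    $state = (Get-ProcessMitigation -Name $ExeName).SystemCalls.DisableWin32kSystemCalls
    return ("$state" -eq 'ON')
}

Enable-Win32kLockdown -ExeName $target | Format-List
if (Test-Win32kLockdown -ExeName $target) {
    Write-Host "win32k.sys system calls are now blocked for $target"
} else {
    Write-Warning "lockdown not reported as ON for $target; inspect the output above"
}
```

The same flag can be inspected for an already running process with `Get-ProcessMitigation -Id <pid>`, which is how you would confirm that a browser's sandboxed renderer actually runs under the lockdown.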

What you need to know to understand this vulnerability

When you watch a video in your browser, it is played inside a sandbox environment. The sandbox enables security restrictions for iframe elements that contain untrusted content. These restrictions enhance security by preventing untrusted content from performing actions that could lead to malicious behavior. Sandboxes usually restrict calls to system functions that legitimate content does not need.

A system call is the programmatic way in which a program requests a service from the kernel of the operating system it is executed on. This may include hardware-related services (for example, accessing a hard disk drive), creation and execution of new processes, and communication with integral kernel services such as process scheduling. System calls provide an essential interface between a process and the operating system.

System calls can be roughly grouped into five major categories:

  1. Process control – create, execute, terminate, get/set attributes.
  2. File management – create, delete, open, close, read, write, get/set attributes.
  3. Device management – request, detach device, get/set attributes.
  4. Information maintenance – get/set time, date, control system data.
  5. Communication – create/cancel connection, send and receive messages, etc.

On Windows, system calls are broadly split into two main types, implemented by two separate subsystems in the kernel. First, there are the NT calls, which are implemented by ntoskrnl.exe, then there are the win32k calls, which are implemented by Win32k.sys. Win32k calls tend to be associated with the graphics subsystem (which runs in the kernel on Windows, for performance and historical reasons), while ntoskrnl calls are more for the Windows NT API e.g. file access, network, POSIX.

On Windows, there is no fine-grained system call filtering; instead, each system call is itself responsible for verifying that the caller's access token allows the call to be made.

The Vulnerability

The Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.

The previous paragraph is all the internet news say, so I decided to take a deeper look.

In C++, this is the user-mode function that ends up in the system call used to escape the sandbox:

LONG_PTR WINAPI SetWindowLongPtr(
_In_ HWND hWnd,
_In_ int nIndex,
_In_ LONG_PTR dwNewLong
);

Function call example looks like this:
#include <windows.h>
// hWnd is the handle of the current window
// set GWL_STYLE to WS_CHILD
SetWindowLongPtr( hWnd , GWL_STYLE , WS_CHILD );
// pick any ID different from the current one
// (LONG_PTR, not a pointer: GetWindowLongPtr returns the value itself)
LONG_PTR id = GetWindowLongPtr( hWnd , GWLP_ID ) + 1;
// call win32k.sys via SetWindowLongPtr()
SetWindowLongPtr( hWnd , GWLP_ID , id );
// payload

That sets a new identifier for the child (current) window, and that identifier is not restricted by the sandbox. Once a malicious Flash Player file is out of the sandbox, it can execute arbitrary code on the victim’s computer.

Russian Hackers are actively exploiting this Windows kernel bug

Strontium (aka Fancy Bear) is an activity group that usually targets government agencies, diplomatic and military organizations, as well as public research institutes. Recently they leaked US athletes’ doping records.

They have once again been identified by Microsoft as using a Windows 0-day; this time they used the previously described exploit in ActionScript. Following successful elevation of privilege, a backdoor is downloaded, written to the file system and executed inside the browser process.

There have been enough vulnerabilities in Flash for the internet community to get rid of Flash Player in favor of the newer, more secure HTML5 standard for multimedia web content. Web publishers have already largely begun migrating from Flash to HTML5, even though HTML5 is not flawless itself.

How to be safe?

Don’t use Windows. If you still use Windows, Adobe’s and Chrome’s security measures are effective, but the vulnerability will be exploited in all other environments until the Windows team fixes it. Until then, use patched Adobe Flash and Chrome, or don’t run media files on sketchy websites.