Analyzing the Recent Windows Zero-Day Escalation of Privilege Exploit

Recently we caught a malicious sample that exploits a PDF vulnerability–CVE-2013-3346, we believe–and executes after a use-after-free condition occurs. During our analysis we noticed that this PDF sample also exploits a zero-day local Windows vulnerability–CVE-2013-5065–to escalate privilege. This zero-day occurs in NDProxy.sys under Windows XP and 2003. The exploitation of this flaw is similar to CVE-2010-2743, known as the Win32k keyboard layout vulnerability. Let’s take a closer look.

After the PDF exploit succeeds and its shellcode executes, the shellcode fills the first page of memory, starting at address 0, with hundreds of NOP instructions followed by the kernel shellcode. Next it obtains a handle to \\.\NDProxy via the API CreateFileA, and then uses this handle in a call to the API DeviceIoControl with the IOCTL code 0x8fff23c8. Execution flow then enters the NDProxy!PxIoDispatch function in Ring 0. (PxIoDispatch is the function that handles input-output control requests coming from user mode.)

[Figure: 20131206 PDF exploit 1]

While coming to the branch that handles IOCTL code 0x8fff23c8, PxIoDispatch processes the input buffer supplied by the attacker:

[Figure: 20131206 PDF exploit 2]

The esi register points to the input buffer coming from user mode, and the content of input buffer is set like this:

[Figure: 20131206 PDF exploit 3]

After this calculation the eax value is (0x7030125-0x7030101)*3*4=0x1b0, which is later used as a byte offset into a function table:

[Figure: 20131206 PDF exploit 4]

Now for the vulnerability: let’s see how long the function table that resides at off_18008 actually is. The beginning of the table:

[Figure: 20131206 PDF exploit 5]

The end of the table:

[Figure: 20131206 PDF exploit 6]

The end offset, 0x181b0, minus the beginning offset, 0x18008, gives us 0x1a8. In our case the index is 0x1b0, which is already past the end of the table and instead references the second dword of the next table, whose value is 0x38. The call instruction therefore transfers execution flow to address 0x38, and from that point everything is under the attacker’s control.

In the kernel shellcode, the exploit replaces the current process’ token with the SYSTEM process’ token, which escalates its privilege to SYSTEM, and then returns to the caller. The user-mode shellcode that follows now runs at that privileged level. The exploit then drops a temp file with a random name such as xxx.tmp, a Trojan, in the temporary directory and launches it by calling the API WinExec.

Thanks to my colleagues Vinay Karecha, Bing Sun, and Lijun Cheng for their support and help with this analysis.