Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255

The Windows kernel privilege escalation vulnerability CVE-2016-7255 has received a lot of media attention. On November’s Patch Tuesday, Microsoft released a fix for this vulnerability as part of bulletin MS16-135. CVE-2016-7255 was used to perform a targeted attack and a sample was found in the wild, according to Microsoft. Google and Microsoft have already confirmed the Russian hacker group APT28 used a Flash vulnerability (CVE-2016-7855) along with this kernel privilege escalation flaw to perform a targeted attack. Google has also discussed this vulnerability.

The vulnerability research team at McAfee Labs has spent a significant amount of time analyzing this vulnerability. In this post we will briefly discuss some of our findings.

We started our analysis with the patch of MS16-135, and very soon we noticed that MS16-135 updated win32k.sys on the target system. Our investigation continued with the comparison (via binary diffing) of the two win32k.sys files (before and after installing the patch). Our test system ran Windows 7 Version 6.1.7601.23584.

Looking at the binary diffing results, we noticed the following functions were modified.


Figure 1: The changed function xxxNextWindow in win32k.sys.

After some preliminary investigation we concluded the patch for CVE-2016-7255 was applied solely in the function xxxNextWindow in win32k.sys.

The following screenshot shows a very high-level overview of the changes made to xxxNextWindow(x,x):


Figure 2: High-level diffing results in the function xxxNextWindow.

We can see some new logic has been added (highlighted in red) to the middle of the patched function. Zooming into the first newly inserted basic block, we can see that the newly introduced code tests the byte at eax+0x23.


Figure 3: The first inserted basic block in xxxNextWindow.

We see similar logic in the next newly inserted basic block.


Figure 4: The second inserted basic block in xxxNextWindow.

Google has stated the vulnerability “can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD.”

In fact, NtSetWindowLongPtr only helps trigger this vulnerability, while the root cause lies in xxxNextWindow. More specifically, the inappropriate parameters set by NtSetWindowLongPtr can trigger an “arbitrary address write” scenario in xxxNextWindow.

Now let’s take a look at the decompiled version of the unpatched xxxNextWindow(x,x…).


Figure 5: The decompiled version of the unpatched xxxNextWindow.

After the patch is applied, xxxNextWindow (x,x…) looks like this:


Figure 6: The decompiled version of the patched xxxNextWindow.

The code after the patch has enhanced the parameter verification with the conditional branch statement “(*(_BYTE *)(v8 + 0x23) & 0xC0) != 0x40.”

In this new statement, variable v8 (in eax) is the return value of a previous GetNextQueueWindow call. (See following figure.)


Figure 7: Variable v8 comes from a call to GetNextQueueWindow: “v8 = _GetNextQueueWindow(v7, v31, 1);”

A quick look at the implementation of _GetNextQueueWindow(x,x,x,…) reveals that the function actually returns a pointer to the tagWND structure.

The following screen shows the tagWND structure in windbg:


Figure 8: The structure of tagWND.

Analyzing this code, we know the field at offset 0x78 in the tagWND structure is relevant to the vulnerability. The following lines of decompiled code from the unpatched function show how that field is used:


Figure 9: Problematic code in the unpatched xxxNextWindow.

Now the problem becomes simple: If we can control the value at v8+0x78, we will be able to write to an arbitrary address in kernel land, and this could potentially allow the elevation of privilege. Luckily, a user-mode API (NtSetWindowLongPtr) is available to set an arbitrary value in that position.

The following screenshot shows that the value (0x41414141) we passed to NtSetWindowLongPtr is reflected in the tagWND structure, making it easy to gain an arbitrary memory write through this vulnerability.


Figure 10: An arbitrary value is set in the tagWnd structure.

To trigger the vulnerability, the WS_CHILD style must be assigned to the newly created window, and the GWLP_ID attribute must be set with the help of the API NtSetWindowLongPtr(). The last hurdle is to trigger xxxNextWindow. After some research, we found we can trigger it by pressing the Alt+Tab key combination or by simulating the key presses with the keybd_event API.

Now that we understand the root cause of this vulnerability from the high level, let’s try reproducing the vulnerability. We will create a simple window and populate some values in its tagWND structure.

HWND hwnd = CreateWindowEx(0, L"TestWnd", 0, WS_OVERLAPPEDWINDOW | WS_VISIBLE | WS_CHILD, 5, 5, 1, 1, hWndParent, 0 /* hMenu: for a child window this slot is the child ID */, h /* HINSTANCE */, 0);

SetWindowLongPtr(hwnd, GWLP_ID, /* 0xfffffff4 = GWLP_ID */ 0x41414141);


Figure 11: Debugging the vulnerable function xxxNextWindow.

The preceding screenshot shows the live debugging output. Here the ebx register holds the pointer to the tagWND structure, and a write violation will occur very soon. As you can see in the following figure, the destination of the offending instruction is the address we previously passed in via the NtSetWindowLongPtr API, plus 0x14, which perfectly illustrates an arbitrary address write.


Figure 12: Scenario for an arbitrary address write attack.

Let’s return to Microsoft’s patch, which starts by checking the value at offset 0x23 of the tagWND structure. In the patched code, we can see the newly introduced statement

(*(_BYTE *)(v8 + 0x23) & 0xC0) != 0x40

In the patched version of the function, ebx points to the tagWND structure, and the byte at ebx + 0x23 is 0x54:

0x54 & 0xC0 = 0x40 (1), and 0x40 != 0x40 is false (2).

So the new condition evaluates to false. Therefore, the program skips the following lines, which attempt to modify memory, and the write access violation (the crash) is avoided:

*(_DWORD *)(*(_DWORD *)(v30 + 0x78) + 0x14) &= 0xFFFFFFFB;

*(_DWORD *)(*(_DWORD *)(v8 + 0x78) + 0x14) |= 4u;
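To make the patch check concrete, the following is an added mock in C (not code from the post, McAfee or Microsoft). It models only the two tagWND fields the analysis cites, the style byte at +0x23 and the menu-pointer/ID slot at +0x78, in a constructed layout, and shows why the inserted test skips the write for a WS_CHILD window whose ID was set to 0x41414141 while still running for a top-level window with a real menu.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed mock of the two tagWND fields the analysis relies on; not the
 * real win32k layout. Only the style DWORD at +0x20 (top byte at +0x23) and
 * the slot at +0x78 are modelled. For a top-level window that slot holds a
 * menu pointer; for a WS_CHILD window the same slot holds the child ID, which
 * is what SetWindowLongPtr(hwnd, GWLP_ID, ...) writes. */
typedef struct {
    uint8_t  pad[0x14];
    uint32_t flags;          /* +0x14: the DWORD the kernel code ORs with 4 */
} mock_menu;

typedef struct {
    uint8_t   head[0x20];
    uint32_t  style;         /* +0x20, so the byte at +0x23 is style >> 24 */
    uint8_t   pad[0x78 - 0x24];
    uintptr_t spmenu_or_id;  /* +0x78: menu pointer, or the GWLP_ID value */
} mock_wnd;

/* The byte MS16-135 inspects: *(_BYTE *)(wnd + 0x23). */
static uint8_t style_byte_23(const mock_wnd *w) {
    return (uint8_t)(w->style >> 24);
}

/* Negation of the inserted test "(*(_BYTE *)(v8 + 0x23) & 0xC0) != 0x40":
 * 1 when bits 0xC0 equal 0x40, i.e. WS_CHILD (0x40000000) is set and WS_POPUP
 * (0x80000000) is not, so +0x78 holds an ID and must not be dereferenced. */
static int is_child_id_slot(const mock_wnd *w) {
    return (style_byte_23(w) & 0xC0) == 0x40;
}

/* Address the unpatched code touches: *(wnd + 0x78) + 0x14. For the child
 * window whose ID was set to 0x41414141 this is 0x41414155 (Figure 12). */
static uintptr_t unpatched_write_target(const mock_wnd *w) {
    return w->spmenu_or_id + 0x14;
}

/* Mock of the patched xxxNextWindow core: the flag flip runs only when neither
 * window is a child (the post shows the check on v8; applying it to both
 * windows is an assumption). Returns 1 if the menu flags were changed. */
static int patched_next_window(mock_wnd *prev, mock_wnd *next) {
    if (is_child_id_slot(prev) || is_child_id_slot(next))
        return 0;                                  /* patch: skip the write */
    ((mock_menu *)prev->spmenu_or_id)->flags &= 0xFFFFFFFBu;
    ((mock_menu *)next->spmenu_or_id)->flags |= 4u;
    return 1;
}

/* Build a mock window from the +0x23 byte (0x54 for the post's WS_CHILD window). */
static mock_wnd make_wnd(uint8_t byte23, uintptr_t slot) {
    mock_wnd w = {0};
    w.style = (uint32_t)byte23 << 24;
    w.spmenu_or_id = slot;
    return w;
}

int main(void) {
    mock_menu menu = {0};
    mock_wnd top = make_wnd(0x10, (uintptr_t)&menu), child = make_wnd(0x54, 0x41414141u);
    printf("child target 0x%lx, patched wrote: %d\n",     /* 0x41414155, 0 */
           (unsigned long)unpatched_write_target(&child), patched_next_window(&top, &child));
    return 0;
}
```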

How can this vulnerability be exploited to achieve a privilege escalation? Rather than writing an arbitrary value to an arbitrary address, this vulnerability changes only one bit: the value at the address is logically OR-ed with 0x04 (or with 0x04 shifted into another byte of the DWORD), as shown below:

Value = Value | 0x04;

Value = Value | 0x0400;

Value = Value | 0x040000;

Value = Value | 0x04000000;

In this case, if the attacker can find a certain array of objects in kernel land and enlarge a size or index field of that object array (such as tagWND->cbWndExtra) with this logical OR primitive to cause an out-of-bounds access, the attacker will be able to gain arbitrary address read/write ability from user mode (by using some user-mode APIs). We currently know of exploitation techniques of this kind, such as GetBitmapBits/SetBitmapBits (first discovered by KeenTeam) or SetWindowText/GetWindowText.


Today, privilege escalation using a kernel mode vulnerability is still the primary vector to break application sandboxes (Internet Explorer’s EPM or Edge’s AppContainer). This path has been well demonstrated by most successful in-the-wild exploits targeting Internet Explorer/Edge/Adobe Reader and Flash that we have seen. Against current versions of Windows, with multilayer defenses, escaping the sandbox with a kernel escalation of privilege is still the attacker’s first choice. KeUserModeCallback used to be a very popular type of Windows kernel mode vulnerability that can lead to kernel mode code execution, as we saw in CVE-2014-4113 and CVE-2015-0057. Microsoft’s work on addressing kernel vulnerabilities and adding more mitigation security features has led to a decline in this type of attack. In response, attackers have begun to look into kernel font and GDI vulnerabilities. Windows 10 has already restricted win32k calls in Edge, which significantly reduces the attack surface. And Microsoft has also fixed the kernel memory information disclosure issue that leverages the GDI-shared handle table. No doubt, kernel exploitation will become more and more difficult. However, we foresee that attackers will still use win32k as the main attack surface to exploit the kernel to achieve code execution or elevation of privilege. The battle will continue around this hot spot for both attackers and defenders.

I thank my colleagues Bing Sun and Debasish Mandal for their help with this post.

The post Digging Into a Windows Kernel Privilege Escalation Vulnerability: CVE-2016-7255 appeared first on McAfee Blogs.

Next Targets for Cybercriminals: the Long Term (Part 2)


In the previous post in this series, I outlined how cybercriminals will use the holiday season to victimize unwary consumers and target businesses. They will also dive deeper into leveraging devices connected to the Internet of Things (IoT). The long-term outlook expands their reach to more bold and potentially more lucrative pastures.


Rise of blockchain

During the next year, blockchains are poised to take on the world of finance, commerce, health care, and potentially government services—in which transactions must have a permanent record and can be seen by the masses. Originally started as the backbone for the emergence of cryptocurrencies like Bitcoin, blockchains can be used for so much more. Imagine purchasing items and having a permanent record of your investments. Land titles in parts of the world where governments come and go with frequency will persist even after a regime change, as they are part of an unalterable distributed public record. Stock trading by individuals could happen at lightning speed, not requiring an account at one of the big trading houses to process your order and take a fee. Your entire personal medical profile and records may be encrypted, but available to any doctor at a moment’s notice if you need them to be. Blockchains will likely be important in India, where government bank and spending accounts for each citizen could be protected from fraud and quickly process transactions.

The benefits are huge, motivating organizations to adopt the technology, which is already being explored in several sectors such as finance, commerce, digital contracts, and health care. Once embraced, blockchains will control and protect a mind-boggling amount of resources and power, guaranteeing they will be targeted by thieves, fraudsters, organized criminals, hacktivists, and even nation-states. This is where the technology will face its true test. Like encryption before it, the math is solid, but we’ll see the vulnerabilities in implementations. Adopters will feel growing pains, as not all blockchains will be equal when it comes to cybersecurity. The attackers will hunt the weakest in the herd for easy and profitable meals.


Social media rules our attention

The attention market has changed so much over the past few generations. Newspapers and magazines gave way to radio, then television, the Internet, and now social media platforms. There is massive value in capturing people’s attention. It shapes our perceptions of justice, tempts us with purchases, cajoles us into trust, fuels the fame of celebrities, and is the lens we see the world through. It is powerful on so many levels, which is why it will be targeted by all manner of digital threats.

Cyber threats recognize that social media is now seen as a tool to shift public sentiment. Expect terrorists, hacktivists, and nation-states to explore various exploits to support their objectives. The first battles will be around the ability to promote content, appear atop search results, shutter opposing views, and hack accounts of influential people. I also expect more campaigns to embarrass individuals and expose their private online activities. This will be done for profit and control, as well as for amusement.


Ransomware will continue to bring in tremendous amounts of money for cybercriminals. The number of ransomware engines will likely decrease, but the overall impact will go up. Like any software, every generation gets better and adds more features, which drives consolidation to the very best vendors. This trend will also play out with ransomware. Very soon, just a handful of engines will dominate the field. The result will be a greater overall impact as the best tools expand to target businesses, which are more lucrative when it comes to extortion. Unfortunately, ransomware and extortion are a long-term problem.

Stressful holidays and New Year

Criminals, like the rest of us, enjoy having extra money to spend during the holidays. Expect more malicious activity during this end-of-year season, especially for those who are careless in their trust, as well as a sharp rise in fraudulent e-commerce, credit/debit card fraud, and identity thefts. Ransomware will expand from a mostly consumer scourge to also impact businesses for a much greater payoff. Social media will be both a target of attackers as well as an emotional sounding board on which we can express our discontent. Long-term attacks of a more strategic nature will test early blockchain implementations and explore ways to monetize pathetically weak IoT devices. Banks, ATMs, global financial transactions, and cryptocurrency will continue to be targeted for the foreseeable future, with ever bigger and bolder schemes.


Interested in more? Follow me on Twitter (@Matt_Rosenquist) and LinkedIn to hear insights and what is going on in cybersecurity.

The post Next Targets for Cybercriminals: the Long Term (Part 2) appeared first on McAfee Blogs.

Next Targets for Cybercriminals: the Short Term (Part 1)



Knowing what cybercriminals are targeting today is easy. Their attacks are loud, impactful, and have the elegance of a herd of bulls crashing through a china shop. The tougher challenge is figuring out where they will take aim tomorrow. Knowing where cyber threats will arise gives us the necessary insights to remain one step ahead of their mayhem.

In the short term

The current focus is on lucrative e-commerce: online shopping, email ransomware, phishing for credentials, and infection by holiday-lurking malware. It is also a time for dark markets to thrive, selling unmentionables to those looking for illegal items for the holiday celebrations.

We must all expect malware-ridden holiday sale emails and websites. Look for the fake shipping invoice or an urgent message from some merchant. All bogus. Shady e-commerce sites, advertising insane deals as bait, aim to harvest credit card accounts, emails, and maybe convince you to install some “helpful” software. Phishing increases this time of year: Look for a new wave of ransomware to hold family pictures, personal files, and entire systems for extortion. Identity theft will add to the rise of new credit card applications for unauthorized shopping. In the next couple of months, all of these financially motivated threats will increase, so now is a time to be on your guard.


Businesses beware

Businesses must worry about the increased amount of e-commerce fraud, ransomware that extorts money to unlock important files, and the ever-present risk of data breaches. Health care, retail, and financial sectors will be targeted the most, but all businesses are in jeopardy. Social media will be targeted as a springboard to reach more potential victims and influence them to download or visit sites containing malware. Some large companies that rely heavily on web traffic will suffer distributed denial of service (DDoS) extortion attempts. “Pay or be unavailable to your customers” is the threat. As always, cash is king and credit is queen. More ATM attacks are in our future. Europe will be the hotbed, given its machine density and proximity to current thieving bands who are becoming more proficient at these attacks. The United States will suffer from more credit card and debit card fraud, some in stores, but more shifting toward online sites as the chip-on-card initiative forces thieves to adapt.

Exploiting IoT devices

Hacking home devices connected to the Internet of Things (IoT) is easy for botnet herders looking to amass an army to conduct DDoS attacks. But there is little money in merely attacking. Some will adjust to provide “protection” extortion schemes. Others will move into using those simple devices to create social media accounts that can “follow” or “like” en masse for a fee. Early signs are already present, as buying followers/likes is a lucrative business in the ego markets of social media.

Looking down the road a bit, we will actually see fewer random attacks against IoT devices. Two factors will be at play. First, IoT device manufacturers and consumers will shift to close today’s basic weakness: the use of default passwords. The second change will occur when professional hackers, likely organized criminals and nation-states, take over the market with more professional hacking capabilities. They tend to not play nice with others. Upon compromising an IoT device, they will immediately close the vulnerability so they are not displaced by another hacker. This ensures they will keep control of their victims.

We will see more creative ways for attackers to monetize this resource by coupling with ransomware, DDoS attacks, data leakage, creation of mass accounts to facilitate fraud, and perhaps even creating specialty routing networks to obfuscate traffic. The result will be more devices exploited, but in a more organized manner, until such time as the IoT industry becomes much more secure overall.

In a subsequent post, I will look into the long-term targets of cybercriminals. There are many opportunities that could reap big payouts. They are a greedy lot and I expect them to make bold moves.



The post Next Targets for Cybercriminals: the Short Term (Part 1) appeared first on McAfee Blogs.

Floki Bot a Sensation With International Cybercriminals


Floki Bot, a new financial malware family, is popular with English-, Portuguese-, and Russian-speaking underground criminal markets, winning over cybercriminals with new features and functionality. It is currently in use by a number of cybercrime groups around the world and is sold on the dark market for about US$1,000, according to Flashpoint and Cisco Talos.

Improvements abound

Floki Bot is a great example of the evolutionary release-reuse tactics of hackers. Based upon the venerable Zeus Trojan, which was released many years ago, this new bot variant sports many technologies to bypass detection and eradication by security tools. It has an updated engine to avoid deep packet inspection, a cybersecurity method used to detect malicious software, and the extensibility to use the Tor (The Onion Router) network for masking network traffic sources. Floki Bot uses a number of obfuscation techniques to hide its sensitive code. The bot also sports advanced methods to capture data from one of its primary targets, point-of-sale devices. Overall, the malware keeps many Zeus tricks while adding upgrades to stay current with the latest security controls and tactics.

Alternate engineering

Based upon communication traffic analysis, it appears that several parties, possibly speaking different languages, might have contributed to the creation of this malware. Hackers often collaborate, and the result here is a capable new piece of malware. This cooperation is becoming more common, with various experts working together to develop the next generation of malware.

In some cases, the sharing is not intentional. There are several examples of nation-states that conducted cyberattacks, only for other parties to intercept their well-developed code, reverse engineer it, and reuse the parts they found interesting in their own projects. This is the way of next-generation malware authors. They do not need to know everything themselves; they can leverage a community for assistance and reuse the best parts of other code for maximum effect.


Protections must adapt

If Floki Bot is any indication of the evolution of malware, we should expect faster cycles of release for more virulent code and methods. Teamwork will increase as groups work together to monetize efforts and fleece victims in more efficient and creative ways. The cybersecurity industry is fighting not only the malicious technology, but also the people who are innovating and collaborating to undermine our security and privacy.



The post Floki Bot a Sensation With International Cybercriminals appeared first on McAfee Blogs.