ASA-2018-00047 – Windows: Race condition in win32k!xxxMoveWindow due to improper locking of messages sent synchronously between threads


Allele Security Alert

ASA-2018-00047

Identifier(s)

ASA-2018-00047, CVE-2018-8589

Title

Race condition in win32k!xxxMoveWindow due to improper locking of messages sent synchronously between threads

Vendor(s)

Microsoft

Product(s)

Windows 7

Windows Server 2008

Affected version(s)

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for Itanium-Based Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Fixed version(s)

All products with November 2018 Patch Tuesday applied or the following updates:

Windows 7 for 32-bit Systems Service Pack 1 KB4467106

Windows 7 for x64-based Systems Service Pack 1 KB4467106

Windows Server 2008 for 32-bit Systems Service Pack 2 KB4467700

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) KB4467700

Windows Server 2008 for Itanium-Based Systems Service Pack 2 KB4467700

Windows Server 2008 for x64-based Systems Service Pack 2 KB4467700

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) KB4467700

Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1 KB4467106

Windows Server 2008 R2 for x64-based Systems Service Pack 1 KB4467106

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) KB4467106
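
As an added example (not part of this alert or of Microsoft's guidance), the following PowerShell check maps the host's Windows version to the update listed above and looks for it in the installed-hotfix list. It assumes an elevated PowerShell session on a Windows 7 / Server 2008 host; the KB mapping is taken from the list above, and the function name Test-Cve20188589Patch is our own.

```powershell
# Added example: verify the November 2018 update for CVE-2018-8589 is present.
# Assumption: run in an elevated PowerShell session on the host being checked.
# Get-WmiObject is used rather than Get-CimInstance so this also works on the
# PowerShell 2.0 that ships with Windows 7 SP1 and Server 2008 SP2.
$RequiredKb = @{
    '6.1' = 'KB4467106'   # Windows 7 SP1 and Windows Server 2008 R2 SP1
    '6.0' = 'KB4467700'   # Windows Server 2008 SP2 (Vista shares 6.0 but is not listed here)
}

function Test-Cve20188589Patch {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    # Win32_OperatingSystem.Version looks like "6.1.7601"; keep major.minor only.
    $key = ($os.Version -split '\.')[0..1] -join '.'

    # ProductType 1 = workstation; on 6.0 that is Vista, which this alert does not list.
    $inScope = $RequiredKb.ContainsKey($key) -and -not ($key -eq '6.0' -and $os.ProductType -eq 1)
    if (-not $inScope) {
        return New-Object PSObject -Property @{
            Caption = $os.Caption; Version = $os.Version
            RequiredKb = $null; Installed = $null
            Note = 'OS not in the affected list for this alert'
        }
    }

    $kb  = $RequiredKb[$key]
    $hit = Get-HotFix | Where-Object { $_.HotFixID -eq $kb }

    # Caveat: monthly rollups are cumulative, so a later rollup can be installed
    # without this KB ID appearing in Get-HotFix output. Treat Installed=False
    # as "needs confirmation against update history", not as "vulnerable".
    New-Object PSObject -Property @{
        Caption     = $os.Caption
        Version     = $os.Version
        RequiredKb  = $kb
        Installed   = [bool]$hit
        InstalledOn = if ($hit) { $hit.InstalledOn } else { $null }
        Note        = if ($hit) { 'Update present' } else { 'KB not listed; check for a later rollup' }
    }
}

Test-Cve20188589Patch | Format-List
```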

Proof of concept

Unknown

Description

An elevation of privilege vulnerability exists when Windows improperly handles calls to Win32k.sys.

Technical details

An attacker who successfully exploited this vulnerability could run arbitrary code in the security context of the local system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take control over an affected system.

The vulnerability is a race condition in win32k!xxxMoveWindow caused by improper locking of messages sent synchronously between threads. It can be triggered by creating two threads, each with a window class and an associated window, and moving the window of the opposite thread from inside the callback of a WM_NCCALCSIZE message in a window procedure shared by both threads. Terminating the opposite thread at the maximum level of recursion inside the WM_NCCALCSIZE callback causes an asynchronous copy-in of the attacker-controlled lParam structure. A possible exploit might populate lParam with pointers to shellcode; once the structure has been copied into the kernel inside win32k!SfnINOUTNCCALCSIZE, the kernel jumps to user-level code.

Credits

Igor Soumenkov (2igosha) (Kaspersky Lab)
Boris Larin (Oct0xor) (Kaspersky Lab)

Reference(s)

CVE-2018-8589 | Windows Win32k Elevation of Privilege Vulnerability
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8589

CVE-2018-8589: Another day, another OS vulnerability
https://www.kaspersky.com/blog/cve-2018-8589-vulnerability-detected/24597/amp/

A new exploit for zero-day vulnerability CVE-2018-8589
https://securelist.com/a-new-exploit-for-zero-day-vulnerability-cve-2018-8589/88845/

CVE-2018-8589
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8589

CVE-2018-8589
https://nvd.nist.gov/vuln/detail/CVE-2018-8589

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 1, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.