Hacking Team Leak Uncovers Another Windows Zero-Day, Fixed In Out-Of-Band Patch

Another zero-day vulnerability has been found by Trend Micro researchers from the Hacking Team trove of data. We reported this vulnerability to Microsoft, and it has been designated as CVE-2015-2426. It has also been patched in an unusual out-of-band patch. It could be used to carry out a Windows local privilege escalation (LPE). By exploiting this vulnerability, attackers could infect the victims’ systems with rootkits or bootkits under unexpected system privilege without any notification. The vulnerability can allow attackers remote control over the affected system.

The leaked documents stated that the memory corruption of atmfd.dll (an Adobe kernel module) would lead to privilege escalation on Windows 8.1 x64. This is a complete exploit which allows even an escape of the Chrome sandbox through a kernel bug; the proof of exploit code runs the Windows calculator calc.exe with system privileges under winlogon.exe.

Microsoft has released an out-of-band patch for this vulnerability, with the bulletin designated as MS15-078. All supported Windows versions (Windows Vista/Server 2008 and later) are affected. The bulletin also makes it clear that the underlying flaw could be used to run arbitrary code as well, not just privilege escalation. In addition, the fixes in this bulletin supersede those in MS15-077, which included Windows Server 2003 (which is not a part of this patch). Therefore, it is likely that the now-unsupported server OS is also at risk.

Figure 1 below shows an overview, based on information found in the document and our own source code analysis.

Figure 1. Attack vector overview

A maliciously constructed OTF font data file embedded with a binary payload could either be injected into or triggered from the target victim process, such as Chrome browser. The essential Out-Of-Boundary (OOB) Write bug exists in the atmfd.dll in kernel mode, which would be triggered by ZwGidAddFondMemReosurceEx to resolve the maliciously constructed OTF font data. Leveraging on this OOB bug, the controlled kernel GUI related object (CHWndTargetProp) could be overwritten including its virtual table in kernel mode.

The ROP chain containing the kernel mode gadget address of both win32k.sys and the kernel is prepared in user mode in advance. To gain the address of win32k.sys, another kernel information leakage bug is used in the POC. These ROP chains could be easily triggered by the faked virtual function from the user mode call. By turning off the Supervisor Mode Execution Protection (SMEP) mechanism from the ROP stage, the escalation of privilege (EOP) shellcode in user mode could be executed in kernel to grant any process with system privilege.

As for OOB write bug, it is triggered when atmfd.dll, handling the inner structure of OTF font resources in the system, calls NtGdiAddFondResrouceW in kernel mode. Below is the call-stack backtrack when the kernel heap buffer first overflows in Windows 7 (x64, build 7601 of my testing environment).

ATMFD+0x3f071:

fffff960`009af071 4c8951e8 mov qword ptr [rcx-18h],r10 ds:84af:d000=????????????????

Figure 2. OOB write callstack

Figure 3. Version of atmfd.dll

This bug is another critical zero-day in the Adobe component (atmfd.dll) leading to LPE, which especially useful for escaping browser sandboxes. The previous one is an integer overflow, which could be triggered by calling one inner function of atmfd.dll, whereas this bug is an OOB write when handling maliciously constructed OTF font data.

While there is a proof-of-concept sample from Hacking Team, there are no known samples in the wild. We will update this entry as soon as more information is available.

Microsoft has just released a security bulletin (MS16-078) for this vulnerability. We advise users to install the patch as soon as possible. Vulnerability protection in Trend Micro Deep Security protects user systems from threats that may leverage this vulnerability with the following DPI rule: