$hell on Earth: From Browser to System Compromise
The new function looks like this (decompiler output; only method IDs 0, 2 and 300 reach sub_441246, since v3 = method_id - 2):

    result = a1;
    method_id = a1->method_id;
    if ( !method_id || (v3 = method_id - 2) == 0 || v3 == 298 )
    {
        if ( a1->argc > 0 )
            result = (_AS2_ARGS *)sub_441246(a1->this, (int *)a1->argv);
    }
    return result;
CVE-2016-0196 – Microsoft Windows xxxEndDeferWindowPosEx Window Use-After-Free Vulnerability
With code execution within the browser obtained through the type confusion vulnerability, it was time to escalate privileges. Again, a kernel vulnerability was used for this. The vulnerability is a use-after-free of a WND object in the win32k subsystem. This type of use-after-free is incredibly common because of user-mode callbacks: kernel code that does not increase an object's reference count before calling back into user mode often ends up holding a stale pointer, because the callback can destroy the object before control returns to the kernel.

The issue lies in the way PostIAMShellHookMessageEx handles WND objects. The safe way to interact with a WND object is to store the HWND, which is just a HANDLE to a WND, and call ValidateHwnd whenever a pointer to the actual window object is needed. PostIAMShellHookMessageEx instead uses the HWND to grab the pointer directly from the kernel object table. As a result, it skips the checks that ValidateHwnd performs, such as verifying that the object is still valid. A user-mode callback can therefore be hijacked to destroy the window from within the callback, and the stale pointer is used afterwards, leading to a use-after-free vulnerability.
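To make the pattern concrete, the following is an added example, not code from the paper or from Windows: a small C model in which the handle table, ValidateHwnd, the reference counting and the callbacks are all assumed, simplified stand-ins. It runs the same user-mode callback against an unchecked path that mirrors what the text describes for PostIAMShellHookMessageEx, and against a hardened path that validates the handle, holds a reference across the callback and re-checks the object afterwards.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the pattern in the text (assumed names, not the real win32k
 * structures): a handle table, a callback that may destroy the window, two kernel paths. */
#define MAX_WND     4
#define WND_MAGIC   0x444E57u   /* live object */
#define FREED_MAGIC 0xDEADu     /* poison standing in for freed pool memory */
enum { USE_FREED = -1, ERR_BAD_HWND = -2, ERR_DESTROYED = -3 };

typedef uint32_t hwnd_t;        /* handle: 1-based index into the table */
typedef struct wnd {
    uint32_t magic;
    hwnd_t   hwnd;
    int      lock_count;        /* references held by kernel code paths */
    bool     destroy_pending;   /* destroy requested while locked */
    int      style;             /* a field the kernel reads after the callback */
} wnd_t;
typedef void (*user_callback_t)(hwnd_t);
static wnd_t  g_pool[MAX_WND];  /* backing storage (stands in for the pool heap) */
static wnd_t *g_table[MAX_WND]; /* handle table: NULL once the object is freed */

/* Reset the table and create one window in slot 0 (handle 1). */
static hwnd_t create_window(int style)
{
    memset(g_pool, 0, sizeof g_pool); memset(g_table, 0, sizeof g_table);
    g_pool[0].magic = WND_MAGIC; g_pool[0].hwnd = 1; g_pool[0].style = style;
    g_table[0] = &g_pool[0]; return 1;
}

/* "Free": clear the table slot and poison the memory so a later touch is
 * detectable here instead of being undefined behaviour. */
static void wnd_free(wnd_t *w) { g_table[w->hwnd - 1] = NULL; w->magic = FREED_MAGIC; }

/* Model of ValidateHwnd: range-check, require a populated slot, reject a dying window. */
static wnd_t *validate_hwnd(hwnd_t h)
{
    if (h == 0 || h > MAX_WND) return NULL;
    wnd_t *w = g_table[h - 1];
    return (w == NULL || w->destroy_pending) ? NULL : w;
}
/* Model of the unchecked lookup: object address from the handle, no checks at all. */
static wnd_t *raw_lookup(hwnd_t h) { return &g_pool[h - 1]; }
/* Reference counting: destruction is deferred until the last lock drops. */
static void lock_wnd(wnd_t *w)   { w->lock_count++; }
static void unlock_wnd(wnd_t *w) { if (--w->lock_count == 0 && w->destroy_pending) wnd_free(w); }

/* What a user-mode DestroyWindow() does to the object. */
static bool destroy_window(hwnd_t h)
{
    wnd_t *w = validate_hwnd(h);
    if (w == NULL) return false;
    w->destroy_pending = true;
    if (w->lock_count == 0) wnd_free(w);
    return true;
}

/* The post-callback use: the style, or USE_FREED if the memory was freed. */
static int use_wnd(const wnd_t *w) { return w->magic == WND_MAGIC ? w->style : USE_FREED; }

/* Vulnerable pattern: raw pointer taken before the callback, no reference held, reused after. */
static int post_hook_unsafe(hwnd_t h, user_callback_t cb)
{
    wnd_t *w = raw_lookup(h);
    cb(h);                      /* user mode may destroy the window here */
    return use_wnd(w);
}

/* Hardened pattern: validate, hold a reference across the callback, re-check state after. */
static int post_hook_safe(hwnd_t h, user_callback_t cb)
{
    wnd_t *w = validate_hwnd(h);
    if (w == NULL) return ERR_BAD_HWND;
    lock_wnd(w);
    cb(h);
    int r = w->destroy_pending ? ERR_DESTROYED : use_wnd(w);
    unlock_wnd(w);              /* frees the window now if destroy was requested */
    return r;
}

static void benign_callback(hwnd_t h)  { (void)h; }
static void hostile_callback(hwnd_t h) { destroy_window(h); } /* hijacked callback */

/* Run one scenario on a fresh window whose style is 7. */
static int scenario(bool safe_path, bool hostile)
{
    hwnd_t h = create_window(7);
    user_callback_t cb = hostile ? hostile_callback : benign_callback;
    return safe_path ? post_hook_safe(h, cb) : post_hook_unsafe(h, cb);
}

int main(void)
{
    printf("unsafe/benign=%d unsafe/hostile=%d safe/benign=%d safe/hostile=%d\n",
           scenario(false, false), scenario(false, true), scenario(true, false), scenario(true, true));
    return 0;
}
```

Freed memory is poisoned instead of being handed back to an allocator so that the stale access reports USE_FREED deterministically; in a real kernel the same access would read pool memory that may already have been reallocated for something else, which is what turns a dangling pointer into an exploitable condition. The hardened path shows the two things the text says are missing: the ValidateHwnd-style check before the pointer is taken, and a reference that keeps the object alive until the kernel is done with it.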