This Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. This vulnerability gives an attacker the capability to elevate their privileges to NT Authority\System.
- The local, authenticated attacker executes a malicious binary on the vulnerable Windows server.
- The server grants the attacker 'NT AUTHORITY\SYSTEM' privileges.
- The attacker executes commands with elevated privileges.
As this is a local privilege escalation exploit, the attacker must already have at least minimal access to the victim host.
This Windows vulnerability is a local privilege escalation in the Windows kernel that can be used as a security sandbox escape. It can be triggered via the win32k.sys system call NtSetWindowLongPtr() for the index GWLP_ID on a window handle with GWL_STYLE set to WS_CHILD. This vulnerability gives an attacker the capability to set one bit at an arbitrary kernel address, allowing them to elevate their privileges to NT Authority\System.
Alert Logic Coverage
Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.
Detection of this threat is provided via the Alert Logic ActiveWatch™ for Log Manager™ service. Log messages are produced by the vulnerable system when an exploit of this type is leveraged. An incident will be generated in the Alert Logic console if these log messages are observed.
Recommendations for Mitigation
Microsoft implemented new exploit mitigations in the Windows 10 Anniversary update version of the win32k kernel component. These Windows 10 Anniversary update mitigations, which were developed based on proactive internal research, stop all observed in-the-wild instances of this exploit.
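A quick inventory check that follows from this recommendation, added here as an example and not part of Alert Logic's advisory or tooling: the Windows 10 Anniversary Update is version 1607, OS build 14393, so a host reporting that build or later carries the win32k mitigations described above. The function assumes CIM/WinRM access to the listed hosts; the host names in the usage line are placeholders.

```powershell
# Added example (not Alert Logic's code): report whether hosts are at or above
# the Windows 10 Anniversary Update build (14393, version 1607), which introduced
# the win32k exploit mitigations referenced in the advisory.
# Assumes Get-CimInstance can reach the named hosts over WinRM.
function Test-AnniversaryMitigation {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME,
        [int]$MinimumBuild = 14393   # Windows 10 version 1607 (Anniversary Update)
    )
    process {
        foreach ($name in $ComputerName) {
            try {
                $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $name -ErrorAction Stop
                $build = [int]$os.BuildNumber
                [pscustomobject]@{
                    ComputerName         = $name
                    Caption              = $os.Caption
                    BuildNumber          = $build
                    HasWin32kMitigations = ($build -ge $MinimumBuild)
                    Error                = $null
                }
            } catch {
                # Unreachable or unqueryable hosts are reported rather than silently skipped,
                # so they can be followed up instead of being assumed mitigated.
                [pscustomobject]@{
                    ComputerName         = $name
                    Caption              = $null
                    BuildNumber          = $null
                    HasWin32kMitigations = $null
                    Error                = $_.Exception.Message
                }
            }
        }
    }
}

# Usage (placeholder host names): list hosts below the Anniversary Update build
# so they can be prioritised for patching.
'srv01', 'srv02' | Test-AnniversaryMitigation |
    Where-Object { -not $_.HasWin32kMitigations } |
    Format-Table -AutoSize
```

A build at or above 14393 only indicates that the win32k mitigations the advisory refers to are present; it does not by itself confirm that the underlying vulnerability has been patched, so hosts flagged as mitigated should still be checked against the relevant security update.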