Slide 3

Slide 3 text

- Code graphology definition
- Case study on an LPE: CVE-2021-1732
- Extracting relevant artifacts
- Creating a hunting YARA rule

Slide 4

Slide 4 text

Code graphology is particularly useful in exploit hunting, as exploit writers tend to reuse the same mechanisms across multiple exploits. The approach was first discussed by Check Point researchers @megabeets_ and @EyalItkin at VirusBulletin in 2020.

Slide 5

Slide 5 text

CVE-2021-1732 is a Local Privilege Escalation (LPE) exploit for Windows 10. It was reported by DBAPPSecurity in February 2021 and allegedly used by the Bitter APT. The underlying kernel vulnerability is a Win32k window object type confusion leading to an out-of-bounds (OOB) write.

Slide 7

Slide 7 text

- Leaking technique
- Strings
- Exploit primitives
- OS fingerprinting
- Token swapping

Slide 8

Slide 8 text

- Another unique string in the binary: "T$hH9T$ptf"
- PDB path: "C:\Users\Win10\source\repos\KSP_EPL\x64\Release\ConsoleApplication13.pdb"
- Kaspersky process fingerprinted at startup: "avp.exe"
- Strings used to create the class and the window: "normalClass", "magicClass", "somewnd"

Slide 9

Slide 9 text

The IsWow64Process function is called to check whether the process is running as 64-bit or 32-bit, a common mechanism in exploit development to set up the exploitation correctly. The running build number must be larger than 0x3FE1 and 0x471C (Windows 10 build 16353 and Windows 10 build 18204) for execution to continue.

Slide 10

Slide 10 text

Many exploits use a kernel leak primitive based on the well-known HMValidateHandle technique to obtain a kernel memory address. The online documentation describes this technique as leveraging the IsMenu function and parsing it to locate HMValidateHandle.

Slide 11

Slide 11 text

- ClientAllocWinClassExtraByte
- NtUserConsoleControl
- GetMenuBarInfo

Slide 12

Slide 12 text

In most LPEs, the exploit swaps the token of the current process to elevate privileges. This is exactly what our sample does at the end of the exploitation.

Slide 14

Slide 14 text

187 samples: CVE-2021-1732, CVE-2022-21882

Slide 15

Slide 15 text

First Sample
  Hash:              914b6125f6e39168805fdf57be61cf20dd11acd708d7db7fa37ff75bf1abfc29
  PDB:               C:\Users\Win10\source\repos\KSP_EPL\x64\Release\ConsoleApplication13.pdb
  Compile timestamp: 2020-05-05 05:10:29 UTC
  Version:           64-bit

Second Sample
  Hash:              ee2d53303e2c5a2787dad11e3a0abce5ea0ff9a4219e963e69a4054a11efc628
  PDB:               C:\Users\Win10\source\repos\SOPHOS_EPL\Release\sophos.pdb
  Compile timestamp: 2020-07-10 06:30:28 UTC
  Version:           32-bit
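A hunting YARA rule that combines the artifacts extracted on the previous slides (class and window names, the PDB directory names of both samples, the unique string, the avp.exe fingerprint, and the API names behind the OS check and the leak and exploit primitives), written here as an added example and not the rule from the presentation. The 2MB size cap, matching API names as plain strings rather than imports, and the thresholds in the condition are assumptions.

```yara
rule Hunt_Win32k_LPE_CVE_2021_1732_Artifacts
{
    meta:
        description = "Hunts CVE-2021-1732 / CVE-2022-21882 style Win32k LPE exploits by the artifacts shown in this deck (added example)"
        reference   = "https://www.avira.com/en/blog/anatomy-of-an-exploit-in-windows-win32k-cve-2022-21882"

    strings:
        // Class and window names used to set up the type confusion
        $cls1 = "normalClass" ascii wide
        $cls2 = "magicClass"  ascii wide
        $cls3 = "somewnd"     ascii wide

        // Kaspersky process fingerprinted at startup
        $av = "avp.exe" ascii wide nocase

        // PDB path fragments from the two known samples (directory names only,
        // so a rebuilt binary with a different file name still matches)
        $pdb1 = "\\KSP_EPL\\"    ascii
        $pdb2 = "\\SOPHOS_EPL\\" ascii

        // Odd string unique to the first binary
        $uniq = "T$hH9T$ptf" ascii

        // API names tied to OS fingerprinting, the HMValidateHandle leak
        // (found through IsMenu) and the GetMenuBarInfo primitive; matched as
        // strings so they are found whether imported or resolved at runtime
        $api1 = "IsWow64Process" ascii fullword
        $api2 = "IsMenu"         ascii fullword
        $api3 = "GetMenuBarInfo" ascii fullword

    condition:
        // PE header; the size cap is an assumption for a small console exploit
        uint16(0) == 0x5A4D and filesize < 2MB
        // OS fingerprinting plus at least one leak/primitive API
        and $api1 and 1 of ($api2, $api3)
        // plus at least one artifact specific to this exploit family; the AV
        // fingerprint alone is too common, so it only counts with all APIs
        and (
            2 of ($cls*)
            or any of ($pdb*)
            or $uniq
            or ($av and all of ($api*))
        )
}
```

The PDB fragments and the unique string are the tightest indicators; the class-name and API combination is what carries the rule to rebuilt variants such as the second sample.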

Slide 16

Slide 16 text

To exploit a vulnerability, attackers rely on known techniques. Identifying those techniques and studying the structure of the exploit helps build a relevant hunting or detection rule. In this presentation, we uncovered a previously unknown sample that uses the same string conventions as the original one.

Slide 17

Slide 17 text

- https://research.checkpoint.com/2020/graphology-of-an-exploit-volodya/
- https://vblocalhost.com/uploads/VB2020-04.pdf
- https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/technical-analysis-of-cve-2021-1732/
- https://ti.dbappsecurity.com.cn/blog/articles/2021/02/10/windows-kernel-zero-day-exploit-is-used-by-bitter-apt-in-targeted-attack/
- https://securelist.com/zero-day-vulnerability-in-desktop-window-manager-cve-2021-28310-used-in-the-wild
- https://www.avira.com/en/blog/anatomy-of-an-exploit-in-windows-win32k-cve-2022-21882
