• Linkedin
  • Reddit

Summary

What is Buhtrap group? It is actually a group famous for its targeting of financial institutions and businesses in Russia. Buhtrap group uses a zero-day exploit in June 2019 to conduct cyber-espionage. Many people become victim of zero-day CVE-2019-1132; even Windows responded this and offered patch for it.

Zero‑day 2019: CVE-2019-1132

The Buhtrap group uses the new Zero‑day 2019 to take advantage of a local privilege escalation exploit (CVE-2019-1132) in Windows so as to attack computers. A NULL pointer dereference in the win32k.sys component was used by the exploit.

Zero‑day 2019

Report will be sent to Microsoft Security Response Center as long as the exploit was discovered and analyzed. Microsoft Windows responded to this security bug in time and released a patch for fixing it.

Windows Patches Zero-day Vulnerability, But Windows Still Vulnerable.

What Is Zero Day Exploit

In fact, the zero-day exploit refers to the exploit that uses the vulnerability which is publicly disclosed or undisclosed before the vendor acknowledgment or patch release. It is a cyber-attack and there is no available fixes when it’s exploited.

Generally, the cybercriminals will take advantage of these exploits, which will enhance the risk of vulnerable systems getting attacked.

In fact, the zero-day exploit refers to the exploit that uses the vulnerability which is publicly disclosed or undisclosed before the vendor acknowledgment or patch release. It is a cyber attack and there is no available fixes when it’s exploited.

Generally, the cybercriminals will take advantage of these exploits, which will enhance the risk of vulnerable systems getting attacked.

Which Versions of Windows Will Be Affected

The following Windows versions may be affected by zero‑day CVE‑2019‑1132:

  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for Itanium-Based Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for Itanium-Based Systems Service Pack 1

If any data get lost due to the zero-day exploit, how to recover?

How the Exploit Works

Buhtrap Never Used a Zero-day before

The obscure hacker group Buhtrap was found to be responsible for the recent Windows OS zero-day vulnerability. The result of ESET research shows that the notorious crime group has been conducting espionage campaigns mainly in Eastern Europe and Central Asia for the past five years. This was the first time that Buhtrap group uses a zero-day exploit as part of a campaign.

Buhtrap activities

Exploitation Process

Like other similar Microsoft Windows win32k.sys vulnerabilities discovered in recent years, the zero‑day exploit also takes advantage of the popup menu objects. It creates two windows for the exploitation: one for the first stage and the other for the second stage.

What will it do in the first window?

It often does two things: create popup menu objects and add menu items through CreatePopupMenu and AppendMenu functions. Apart from this, the exploit will set up WH_CALLWNDPROC and EVENT_SYSTEM_MENUPOPUPSTART hooks.

What happens next?

A menu will be listed by exploit via the TrackPopupMenu function. Now, the code hooked to EVENT_SYSTEM_MENUPOPUPSTART will be executed. This code will then send a sequence of MN_SELECTITEM, MN_SELECTFIRSTVALIDITEM and MN_OPENHIERARCHY messages to the menu, trying to open as the first available item.

What triggers the vulnerability?

If the initial menu has already been created while the sub-menu is only about to be created, the exploit have to seize the moment. Otherwise, the exploit won’t be able to get the code that copes with the WM_NCCREATE message in the WH_CALLWNDPROC hook. The MN_CANCELMENUS (0x1E6) message will be sent to the first menu whenever the exploit code finds your system is in this state. This will cancel the initial menu, but the sub-menu will still be kept.

The fact is the tagPOPUPMENU‑>ppopupmenuRoot equals 0 if you check the sub-menu object in kernel mode. What does this mean? Generally, it means your system is in a state where the attackers are allowed to use that element in the kernel structure to be a NULL pointer dereference. Then, a new page at address 0x0 will be allocated; the kernel will regard it as a tagPOPUPMENU object.

tagPOPUPMENU object

What will it do in the second window?

The main exploit will locate the tagWND structure of the second window and lip the bServerSideWindowProc bit in it. This will finally execute a WndProc procedure in kernel mode. The kernel memory address of the tagWND structure of the second window will be leaked by attackers if they call the non-exported HMValidateHandle function in the user32.dll library.

What will the exploit do next?

Indeed, it will create a fake tagPOPUPMENU object at the NULL page. Then, a MN_BUTTONDOWN message will be sent to a MN_BUTTONDOWN message by the exploit. After that, the win32k!xxxMNOpenHierarchy function will be executed by the kernel. Therefore, a crafted object at the NULL page will be passed to win32k!HMAssignmentLock.

Where is the bServerSideWindowProc bit?

It is set inside the win32k!HMDestroyUnlockedObject function. Where is this function? It is a few calls deeper inside win32k!HMAssignmentLock.

Now, the zero-day 2019 exploit can send a specific message to the second window. That’s how the WndProc in kernel mode be executed. In the end, the token of the current process will be replaced by the system token.

  • Linkedin
  • Reddit