A NEW CVE-2015-0057 EXPLOIT TECHNOLOGY presented at BlackHatAsia 2016

by Yu Wang

Summary: On February 10, 2015 (Patch Tuesday), Microsoft Corporation pushed many system-level patches, including the fix for CVE-2015-0057/MS15-010. On the same day, Udi Yavo, the CTO of enSilo, released a technical blog post[1]. As the discoverer of the vulnerability, Udi described the CVE-2015-0057 exploit in detail and demonstrated the process of exploiting the vulnerability on the 64-bit Windows 10 Technical Preview operating system. Four months later, on June 17th, a new variant of the Dyre banking trojan was caught by FireEye[2]. This Dyre variant attempts to exploit CVE-2013-3660 and CVE-2015-0057 to obtain system privileges, and this was the first time CVE-2015-0057 was found to be exploited in the wild. On July 8th, NCC Group published their technical blog[3], in which they described their exploit method in detail; it works reliably on all 32- and 64-bit Windows versions from Windows XP to Windows 8.1.

It is worth noting that this year we have repeatedly captured APT-class zero-day attacks[4][5], all of which target the User Mode Callback mechanism of the Windows kernel's Win32K subsystem. This leads us to revisit this old-school kernel attack surface. This talk focuses on CVE-2015-0057 and the User Mode Callback mechanism. We examine the User Mode Callback mechanism from two aspects: exploit methodology and vulnerability detection. Additionally, from an attacker's perspective, this talk also reveals some new exploit techniques.

[1] http://breakingmalware.com/vulnerabilities/one-bit-rule-bypassing-windows-10-protections-using-single-bit
[2] https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html
[3] https://www.nccgroup.trust/globalassets/newsroom/uk/blog/documents/2015/07/exploiting-cve-2015.pdf
[4] https://www.fireeye.com/blog/threat-research/2015/04/probable_apt28_useo.html
[5] https://www.fireeye.com/blog/threat-research/2015/09/attack_exploitingmi.html