Exploiting Errors in Windows Error Reporting presented at BlueHatIL 2020

by Gal De Leon,

URL : https://youtu.be/Y1YJCKfvJEM

Summary : One of the most common types of vulnerabilities fixed in the last year or so in Microsoft Windows was insecure files access. These types of vulnerabilities represent a range of issues, where a privileged component such as a system service access files with no correct use of impersonation. Using different types of file system links, these bugs can be abused to escalate privileges.I discovered many vulnerabilities of this type in Windows Error Reporting (WER) suite. WER is a flexible event-based feedback infrastructure designed to gather information about hardware and software problems that Windows can detect, report the information to Microsoft, and provide users with any available solution. However, the way WER is designed is prone to insecure files access issues. The vulnerabilities I discovered are assigned CVE-2019-1374, CVE-2019-1319, CVE-2019-1342, CVE-2019-1037, CVE-2019-0863.In this talk I will give an overview of how WER works. Next, I’ll discuss these types of bugs and the common methods to exploit them. Lastly, I’ll go into the details of some of the vulnerabilities I discovered.​