Скачать или смотреть A New CVE-2015-0057 Exploit Technology

by Yu Wang

February 10, 2015, Patch Tuesday - Microsoft corporation pushed many system-level patches including CVE-2015-0057/MS15-010. On the same day, Udi Yavo - the CTO of the enSilo company released a technology blog[1]. As the discoverer of the vulnerability, Udi described the CVE-2015-0057 exploit in detail and demonstrated the process of exploiting the vulnerability on the 64-bit Windows 10 Technical Preview operating system. Four months later, on the 17th of June, a new variant of the Dyre banking trojan was caught by FireEye[2]. This variant of Dyre will attempt to exploit CVE-2013-3660 and CVE-2015-0057 to obtain system privileges and this is the first time CVE-2015-0057 was found to be exploited in the wild. On July 8th, NCC Group published their technical blog[3]. In that blog, they described their exploit method in detail, which can work reliably on all 32/64-bit Windows - from Windows XP to Windows 8.1.

It is worth noting that, in this year, we have repeatedly captured APT class zero-day attacks[4] [5] - all of which target the Windows kernel Win32K subsystem's User Mode Callback mechanism. This leads us to re-visit this old-school kernel attack surface. This topic will focus on CVE-2015-0057 and the User Mode Callback mechanism. We will examine the User Mode Callback mechanism from two aspects: exploit methodology and vulnerability detection. Additionally, from an attacker's perspective, this talk will also reveal some new exploit techniques.

[1] http://breakingmalware.com/vulnerabil...
[2] https://www.fireeye.com/blog/threat-r...
[3] https://www.nccgroup.trust/globalasse...
[4] https://www.fireeye.com/blog/threat-r...
[5] https://www.fireeye.com/blog/threat-r...