Monday, October 18, 2010

Technical Analysis of the Windows Win32K.sys Keyboard Layout Stuxnet Exploit

This time we will share very interesting technical details on how Stuxnet authors have achieved reliable code execution while exploiting one of the two Windows privilege escalation 0-Day vulnerabilities. This one was patched last week with the MS10-073 update, and a remaining Task Scheduler vulnerability is still unpatched.

While we deeply analyzed Stuxnet and its behaviors, we will not explain its architecture or features as two detailed documents have already been published by our friends from Symantec and ESET.

We will focus here on the Windows Win32K.sys keyboard layout vulnerability (CVE-2010-2743) and how it was exploited by Stuxnet using custom Portable Executable (PE) parsing tricks to achieve a reliable code execution.


The Stuxnet developers did a fair amount of work to ensure the exploit worked on all service pack versions of Windows 2000 and Windows XP

ESET has updated their "Stuxnet under the Microscope” whitepaper to include information about the recently-patched win32k.sys vulnerability (MS10-073, or CVE-2010-2743), and just a little about the Task Scheduler issue that hasn't been patched yet.

Dave Aitel, CTO of Immunity, wrote and informed me the still unpatched Task Scheduler 0day was released in the last version of CANVAS, along with improved version of the Win32K.sys keyboard exploit. He stated the "ESET paper does not really go into the details of making it reliable on cross-language versions, which STUXNET did do."

No comments:

Post a Comment