A few months ago, technology giant Microsoft issued a fix for a flaw in the Windows operating system that allowed hackers to raise their permissions to kernel level on an affected machine; however, the patch turned out to be incomplete.
The issue, which was exploited by advanced hackers as a zero-day in May, can still be exploited by a different technique, as security researchers have shown with publicly available proof-of-concept code.
Maddie Stone, Google Project Zero security researcher, found that Microsoft’s patch in June did not fix the original flaw (CVE-2020-0986) and it can still be leveraged with some changes.
Stone says that a hacker can still trigger CVE-2020-0986 to raise their permissions to kernel level by sending an offset instead of a pointer.
On Twitter, she says that the original bug was an arbitrary pointer dereference that let a hacker control the “src” and “dest” pointers passed to a memcpy call.
Microsoft’s patch was inadequate because it merely changed the pointers to offsets, so the function’s parameters could still be controlled.
Stone goes on to say that what the PoC does is activate the vulnerability twice: “first to leak the heap address where the message is stored and what the offset is added to generate the pointers and then to do the write-what-where.”
She adds that hackers have exploited the bug before, are familiar with it and could leverage it again when the fix is incomplete.
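As an added illustration (not code from the article, Project Zero or Microsoft), the constructed toy handler below shows why the pointer-to-offset change described above is not a fix on its own: an offset that is added to a base address still has to be bounds-checked against the buffer it indexes. The message layout, field names and buffer size are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64

/* Constructed toy message (hypothetical, not the real Windows message):
   the sender supplies two offsets into a fixed-size buffer and a copy
   length, mirroring the post-patch "offset instead of pointer" shape. */
struct msg {
    uint32_t src_off;
    uint32_t dst_off;
    uint32_t len;
};

/* The check the offset-only patch lacks: an offset is safe only if the
   whole [off, off + len) window lies inside the buffer. Written as a
   subtraction so a huge len cannot wrap the sum back into range. */
static int window_in_buffer(uint32_t off, uint32_t len, size_t size)
{
    if (off > size)
        return 0;
    return len <= size - off;
}

/* Hardened handler: both windows are validated before any copy, so
   base + offset can never reach outside buf. Returns 1 if the copy was
   performed and 0 if the message was rejected. */
static int handle_message(uint8_t *buf, size_t size, const struct msg *m)
{
    if (!window_in_buffer(m->src_off, m->len, size) ||
        !window_in_buffer(m->dst_off, m->len, size))
        return 0;
    memmove(buf + m->dst_off, buf + m->src_off, m->len); /* windows may overlap */
    return 1;
}

/* Demo: one benign message and one whose destination window runs past the
   end of the buffer, which an unchecked base + dst_off would have accepted. */
int main(void)
{
    uint8_t buf[BUF_SIZE] = "hello";
    struct msg ok  = { 0, 8, 6 };
    struct msg bad = { 0, BUF_SIZE - 2, 6 };
    printf("benign: %s\n", handle_message(buf, sizeof buf, &ok) ? "copied" : "rejected");
    printf("out of range: %s\n", handle_message(buf, sizeof buf, &bad) ? "copied" : "rejected");
    printf("buf+8 = %s\n", (char *)buf + 8);
    return 0;
}
```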