Rapid7 Vulnerability & Exploit Database

Win32k NtGdiResetDC Use After Free Local Privilege Elevation

Disclosed: 10/12/2021
Created: 11/10/2021

Description

A use-after-free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists because this function calls `hdcOpenDCW()`, which performs a user-mode callback. During this callback, an attacker can call `NtGdiResetDC()` again with the same handle as before, which results in the PDC object referenced by that handle being freed. The attacker can then replace the memory referenced by the handle with their own object before passing execution back to the original `NtGdiResetDC()` call, which will now use the attacker's object without appropriate validation. This allows the attacker to manipulate kernel state and, together with additional exploitation techniques, gain code execution as `NT AUTHORITY\SYSTEM`. This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763); earlier versions of Windows 10 will likely also work.

Author(s)

  • IronHusky
  • Costin Raiu
  • Boris Larin
  • Red Raindrop Team of Qi'anxin Threat Intelligence Center
  • KaLendsi
  • ly4k
  • Grant Willcox

Platform

Windows

Architectures

x64

Development

Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/windows/local/cve_2021_40449
msf exploit(cve_2021_40449) > show targets
    ...targets...
msf exploit(cve_2021_40449) > set TARGET < target-id >
msf exploit(cve_2021_40449) > show options
    ...show and set options...
msf exploit(cve_2021_40449) > exploit
