Win32k.sys Kernel Object Use-After-Free

XLAB ID: XLAB-15-005     

CVE ID: CVE-2015-1720     

Patch Status: Fixed

Vulnerability Details:
The specific flaw exists within the function NtUserTrackPopupMenu. The issue lies in the failure to properly handle reference counting of MENU objects. An attacker can leverage this vulnerability to raise privileges and execute code under the context of SYSTEM.

Disclosure Timeline:

2015/03/18 Provided vulnerability details to Microsoft via
2015/03/19 Microsoft responded that they had opened case 21767 for the issue
2015/04/16 Microsoft responded that they had successfully reproduced the issue, and asked for the source code of the PoC
2015/04/16 Rejected Microsoft’s request out of consideration for intellectual property
2015/04/28 Microsoft responded that they were getting closer to a fix
2015/06/09 Microsoft responded that they had assigned CVE-2015-1720 to the issue

This vulnerability was discovered by: Kai Kang