CVE-2019-1132
published 2019-07-15

Priority: P1 · 81 · high
CVSS 3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability (remediation due 2022-04-05)
Exploited in the wild
EPSS: 9.79% (94.9th percentile)
An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.

Affected

18 ranges (version range and fixed-in columns were not carried over from the source)

Vendor    | Product                                                    | Version range | Fixed in
microsoft | windows                                                    |               |
microsoft | windows                                                    |               |
microsoft | windows_server                                             |               |
microsoft | windows_server                                             |               |
microsoft | windows_server                                             |               |
microsoft | windows_server                                             |               |
microsoft | windows_server                                             |               |
microsoft | windows_server                                             |               |
microsoft | windows_server                                             |               |
microsoft | windows_server                                             |               |
microsoft | windows_server_2008                                        |               |
msrc      | windows_7_for_32-bit_systems_service_pack_1                |               |
msrc      | windows_7_for_x64-based_systems_service_pack_1             |               |
msrc      | windows_server_2008_for_32-bit_systems_service_pack_2      |               |
msrc      | windows_server_2008_for_itanium-based_systems_service_pack_2 |             |
msrc      | windows_server_2008_for_x64-based_systems_service_pack_2   |               |
msrc      | windows_server_2008_r2_for_itanium-based_systems_service_pack_1 |          |
msrc      | windows_server_2008_r2_for_x64-based_systems_service_pack_1 |              |

Detection & IOCs (extracted from sources)

url:   https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/47176.zip
other: MN_SELECTITEM=0x1E5
other: MN_OPENHIERARCHY=0x01E3
other: MN_CANCELMENUS=0x1E6
other: WM_EX_TRIGGER=0x6789
other: MN_BUTTONDOWN=0x1ed
other: MN_SELECTFIRSTVALIDITEM=0x1E7
  • The public exploit targets Windows 7 build 7601 (x86) through a Win32k NULL-page dereference. Monitor NtAllocateVirtualMemory calls from user-mode processes that request the NULL page (a BaseAddress below one page, such as 0x1, which the kernel rounds down to 0x0; RegionSize 0x1000) on 32-bit Windows 7 / Server 2008 systems. No legitimate application needs page 0 mapped, so the rule has essentially no benign matches.
  • The exploit sends the undocumented window messages 0x6789 (WM_EX_TRIGGER) and 0x1234 as part of the escalation chain; alert on SendMessage calls carrying these values. Both sit in the WM_USER range that custom controls are allowed to use, so scope the rule to low-privilege processes and pair it with the other indicators rather than alerting on a single message.
  • The exploit sends MN_CANCELMENUS (0x1E6) to a popup-menu window (window class #32768) to trigger the NULL pointer dereference in win32k's handling of tagPOPUPMENU; monitor for SendMessage to menu windows with this message value inside a TrackPopupMenuEx sequence.
  • The exploit resolves the unexported handle-validation routine HMValidateHandle (xxHMValidateHandle) by scanning the code of USER32.DLL's IsMenu export at runtime for the call into it. Loading USER32.DLL is too common to alert on by itself; the usable signal is GetProcAddress('IsMenu') from a low-privilege process, which ordinary software almost never calls explicitly.
  • Successful exploitation spawns a new elevated cmd.exe console (CREATE_NEW_CONSOLE); monitor for cmd.exe running with a privileged token whose parent is a low-privilege process on Windows 7 / Server 2008.
  • CVE-2019-1132 was being exploited in the wild when the patch shipped and is listed in CISA KEV; prioritize detection on Windows 7 and Server 2008 endpoints.
  • The public exploit is built for 32-bit (x86) Windows 7 build 7601 and Server 2008. Its NULL-page allocation technique (NtAllocateVirtualMemory with a BaseAddress of about 0x1) relies on user mode being allowed to map page 0, which later Windows versions block by default, so the exploit does not port as written. Note that the affected list above also includes the x64 editions of Windows 7 and Server 2008 R2, so the underlying bug is not x86-only; only this exploit is.
  • The other actively exploited zero-day patched on the same Patch Tuesday (CVE-2019-0880) affects Windows 8.1, Server 2012 and later, which is distinct from CVE-2019-1132, limited to Windows 7 / Server 2008.
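The detection bullets above, implemented as Python detection logic. This is an example added here; it is not code from the page, from the exploit, or from any vendor's rule set. It runs the four checks (NULL-page mapping, exploit-specific window messages, the IsMenu lookup used to find HMValidateHandle, and a privileged cmd.exe with a low-privilege parent) over constructed sample telemetry in a hypothetical EDR/ETW JSON-lines schema, then correlates hits per process so that one WM_USER-range message or one SYSTEM shell does not fire alone. Assumptions: the field names (type, api, base_address, msg, window_class, user, ppid), that the elevated shell runs as NT AUTHORITY\SYSTEM, and that popup-menu windows carry the class name #32768.

```python
import json

# Window-message values from the public exploit (the IOC list above).
MN_OPENHIERARCHY = 0x01E3
MN_SELECTITEM = 0x01E5
MN_CANCELMENUS = 0x01E6
MN_SELECTFIRSTVALIDITEM = 0x01E7
MN_BUTTONDOWN = 0x01ED
WM_EX_TRIGGER = 0x6789
WM_EX_SECOND = 0x1234              # the second custom message named above

NONSTANDARD_MESSAGES = {WM_EX_TRIGGER, WM_EX_SECOND}
POPUP_MENU_CLASS = "#32768"        # window class of a win32k popup menu
PAGE_SIZE = 0x1000                 # a BaseAddress below this rounds down to page 0
SYSTEM_USER = r"NT AUTHORITY\SYSTEM"   # assumption: the stolen token is SYSTEM's

# Constructed sample telemetry in a hypothetical EDR/ETW JSON-lines schema:
# pid 1200 (a low-privilege user) walks the whole chain; the other lines are
# benign noise that no single rule may flag.
SAMPLE_EVENTS = r"""
{"seq":1,"type":"process_create","pid":500,"ppid":4,"image":"C:\\Windows\\System32\\services.exe","user":"NT AUTHORITY\\SYSTEM"}
{"seq":2,"type":"process_create","pid":800,"ppid":600,"image":"C:\\Windows\\explorer.exe","user":"WIN7\\alice"}
{"seq":3,"type":"process_create","pid":1200,"ppid":800,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","user":"WIN7\\alice"}
{"seq":4,"type":"api_call","pid":1200,"api":"GetProcAddress","module":"USER32.DLL","symbol":"IsMenu"}
{"seq":5,"type":"api_call","pid":800,"api":"NtAllocateVirtualMemory","base_address":4194304,"region_size":65536}
{"seq":6,"type":"api_call","pid":1200,"api":"NtAllocateVirtualMemory","base_address":1,"region_size":4096}
{"seq":7,"type":"api_call","pid":1200,"api":"SendMessage","window_class":"#32768","msg":486}
{"seq":8,"type":"api_call","pid":800,"api":"SendMessage","window_class":"Notepad","msg":15}
{"seq":9,"type":"api_call","pid":1200,"api":"SendMessage","window_class":"TargetWnd","msg":26505}
{"seq":10,"type":"process_create","pid":1300,"ppid":1200,"image":"C:\\Windows\\System32\\cmd.exe","user":"NT AUTHORITY\\SYSTEM"}
{"seq":11,"type":"process_create","pid":1400,"ppid":500,"image":"C:\\Windows\\System32\\cmd.exe","user":"NT AUTHORITY\\SYSTEM"}
"""


def load_events(text):
    """Parse newline-delimited JSON and order it by sequence number."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["seq"])


def _api_calls(events, api):
    return [e for e in events if e["type"] == "api_call" and e["api"] == api]


def null_page_mappings(events):
    """Rule 1: a user-mode process asks NtAllocateVirtualMemory for the NULL page
    (a BaseAddress below one page, e.g. 0x1, is rounded down to 0x0)."""
    return [e for e in _api_calls(events, "NtAllocateVirtualMemory")
            if e["base_address"] < PAGE_SIZE]


def suspicious_window_messages(events):
    """Rule 2: the exploit's custom messages (0x6789, 0x1234) sent to any window,
    or MN_CANCELMENUS (0x1E6) sent straight to a popup-menu window."""
    return [e for e in _api_calls(events, "SendMessage")
            if e["msg"] in NONSTANDARD_MESSAGES
            or (e["msg"] == MN_CANCELMENUS and e["window_class"] == POPUP_MENU_CLASS)]


def hmvalidatehandle_lookups(events):
    """Rule 3: GetProcAddress("IsMenu") on USER32.DLL, the first step of locating
    the unexported HMValidateHandle. Loading user32.dll itself is far too common."""
    return [e for e in _api_calls(events, "GetProcAddress")
            if e["module"].upper() == "USER32.DLL" and e["symbol"] == "IsMenu"]


def elevated_cmd_from_lowpriv_parent(events):
    """Rule 4: cmd.exe running as SYSTEM whose parent ran as an ordinary user.
    A SYSTEM shell whose parent is also SYSTEM (services.exe) is left alone."""
    owner, hits = {}, []
    for e in events:
        if e["type"] != "process_create":
            continue
        owner[e["pid"]] = e["user"]
        if e["image"].lower().endswith("\\cmd.exe") and e["user"] == SYSTEM_USER:
            parent_user = owner.get(e["ppid"])
            if parent_user is not None and parent_user != SYSTEM_USER:
                hits.append(e)
    return hits


def correlate(events):
    """Attribute every hit to the low-privilege process that caused it and report
    only processes showing at least two distinct indicators."""
    indicators = {}

    def tag(pid, name):
        indicators.setdefault(pid, set()).add(name)

    for e in null_page_mappings(events):
        tag(e["pid"], "null_page")
    for e in suspicious_window_messages(events):
        tag(e["pid"], "window_message")
    for e in hmvalidatehandle_lookups(events):
        tag(e["pid"], "ismenu_lookup")
    for e in elevated_cmd_from_lowpriv_parent(events):
        tag(e["ppid"], "elevated_cmd")      # blame the parent, not the shell
    return {pid: sorted(tags) for pid, tags in indicators.items() if len(tags) >= 2}


if __name__ == "__main__":
    print(json.dumps(correlate(load_events(SAMPLE_EVENTS)), indent=2))
```

Run against the sample, only pid 1200 is reported, carrying all four indicators; explorer.exe's ordinary allocation and WM_PAINT, and the SYSTEM cmd.exe started by services.exe, produce no hits. Rule 1 is the strongest single signal because nothing legitimate maps page 0; rules 2 and 3 exist mainly to raise confidence once it or rule 4 has fired.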

CVSS provenance

nvd (v3.1):  7.8 HIGH  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd (v2.0):  7.2 HIGH  AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck:   7.8 HIGH
cisa:        7.8 HIGH
vendor_msrc: 7.8 HIGH