Director Yermoshin, who was detained by mistake of the face recognition system, wrote a complaint

«The only match is white clothes and glasses.»

The detective story involving the 36-year-old director and Ph.D. holder Fyodor Yermoshin has had a sequel: the young man, who was mistakenly yet harshly detained by police officers because the face recognition system «saw» a criminal in him, intends to get to the bottom of what happened and has already taken a number of steps …

The day before, the face recognition system had identified Yermoshin as a wanted thief with a 70% probability, after which three unknown men effectively kidnapped him at the entrance of his own house in Odintsovo, near Moscow. As it later turned out, they were police officers from Moscow's Strogino district. The officers subsequently established that the director had nothing to do with the crime and released him, but he had to go to the emergency room. MK contacted Fyodor Yermoshin to find out what the young man has done since this unusual incident.

“After I had the beating documented, I filed a statement with the prosecutor's office. The department said to expect a response with a legal assessment within 30 days.

I also turned to State Duma Deputy Sergei Shargunov, who made a deputy inquiry addressed to the Prosecutor General of the Russian Federation. Therefore, I am waiting for an answer from this side.

In addition, I filed a statement with the Odintsovo police, because I was detained in Odintsovo and taken to Strogino. Yes, they were the Moscow police: as it turned out, they thought that the man they suspected of stealing the set-top boxes had turned up in Odintsovo. Logically, as I understood later, they should have taken me to the Odintsovo Department of Internal Affairs, but nevertheless, for some reason, I was taken to Strogino.

And a very important point: I spoke with officers of the internal security department, who arrived in Odintsovo the day after the incident and asked for a meeting. They were very tactful people who questioned me in detail and wrote down a report from my words. They said that they are conducting their own investigation and that I will be notified of the results. In addition, the Ministry of Internal Affairs is conducting an inspection,” Fyodor Yermoshin told MK.

So far, according to the director, he has not taken any other action and has not yet hired a lawyer. However, he is sure that he will still need legal defense, therefore he is at the stage of making a decision on this issue.

Regarding an apology from the police, who had actually put an innocent person face down on the asphalt, Yermoshin commented as follows: “The only apology that was heard in the police department was: ‘Well, sorry, take your passport from the window!’ I reflected this in all the protocols. In my opinion, it all should have gone differently somehow.

I believe that the most important thing in this situation is that this does not happen to anyone else, that they simply change their attitude towards people! Because what happened to me is lawlessness, when you simply do not understand whether someone is kidnapping you or whether it is law enforcement officers! After all, the conversation was conducted in such a way that it is absolutely unclear what they want from you.”

Now Fyodor Yermoshin asserts from his own experience how imperfect the face recognition system is and how unprofessional the actions of the police officers were: “In the comments people write to me that similar incidents have happened to other people too. It turns out that 70% of me had to stay with the police, and 30% of me could go home. Because I was 70% the same as the criminal in the photo.

They told me so bluntly: listen, well, straight out, the cheekbones are the same, the glasses are the same … But I saw these photos, and there, in my opinion, the only coincidence is white clothes and glasses. In principle, with the naked eye you can see that these are different people, and if you had wanted to, you could have been convinced of this at once. But it turned out to be absolute insanity … In this story, I would say, there are two aspects: the first is that the computer was mistaken, and the second is that you need to have your own brains and behave adequately,” Yermoshin summed up.

According to human rights activist Anatoly Korovin, the actions of the police officers against Fyodor Yermoshin were illegal, since “it is nonsense to twist someone's arms, handcuff them and take them away in an unknown direction.” In a comment to MK, Korovin noted that such cases are not isolated and that the director has real prospects in court: “Yermoshin needs to go to court, and his demands may well be satisfied.

By the way, I have already been contacted by citizens who were mistakenly detained because of the face recognition system. Just the other day, a woman who had come to Moscow from the Moscow region approached me: she was detained at the Komsomolskaya metro station, having been confused with a missing person on the federal wanted list. They held her for more than an hour; however, the police treated her much more gently than Yermoshin, because in their understanding she was not a criminal but a missing person. She does not want to comment on this in the media. That the director's case is not an isolated one is a fact.”

CallbackHell

GetSystemAccessWin

Original text by ly4k

Exploit for CVE-2021-40449 (Win32k — LPE)

Description

CVE-2021-40449 is a use-after-free in Win32k that allows for local privilege escalation.

The vulnerability was found in the wild by Kaspersky.

The discovered exploit was written to support the following Windows products:

  • Microsoft Windows Vista
  • Microsoft Windows 7
  • Microsoft Windows 8
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2
  • Microsoft Windows 10 (build 14393)
  • Microsoft Windows Server 2016 (build 14393)
  • Microsoft Windows 10 (build 17763)
  • Microsoft Windows Server 2019 (build 17763)

However, this exploit is currently only tested on the following versions:

  • Microsoft Windows 10 (build 14393)
  • Microsoft Windows 10 (build 17763)

Technical Writeup

I highly recommend reading Kaspersky’s technical writeup before proceeding.

As mentioned in the technical writeup by Kaspersky, the vulnerability exists in GreResetDCInternal. If an attacker hooks the user-mode callback DrvEnablePDEV, which is called during hdcOpenDCW, it is possible to destroy the original device context by calling ResetDC, which causes a use-after-free in the kernel when the user-mode callback returns.

The following pseudo-code is made partially from the leaked Windows XP source code and by reverse-engineering the latest (pre-patch) GreResetDCInternal from Win32kfull.sys. The irrelevant parts have been removed with [...]. Look for the VULN: comments.

BOOL GreResetDCInternal(
    HDC hdc,
    DEVMODEW *pdmw,
    BOOL *pbBanding,
    DRIVER_INFO_2W *pDriverInfo2,
    PVOID ppUMdhpdev)
{
    // [...]
    HDC hdcNew;

    {
        // Create DCOBJ from HDC
        DCOBJ dco(hdc);

        if (!dco.bValid())
        {
            SAVE_ERROR_CODE(ERROR_INVALID_HANDLE);
        }
        else
        {
            // Create DEVOBJ from `dco`
            PDEVOBJ po(dco.hdev());

            // [...]

            // Create the new DC
            // VULN: Can result in a usermode callback that destroys old DC, which
            // invalidates `dco` and `po`
            hdcNew = hdcOpenDCW(L"",
                                pdmw,
                                DCTYPE_DIRECT,
                                po.hSpooler,
                                prton,
                                pDriverInfo2,
                                ppUMdhpdev);

            if (hdcNew)
            {
                po->hSpooler = NULL;

                DCOBJ dcoNew(hdcNew);

                if (!dcoNew.bValid())
                {
                    SAVE_ERROR_CODE(ERROR_INVALID_HANDLE);
                }
                else
                {
                    // Transfer any remote fonts

                    dcoNew->pPFFList = dco->pPFFList;
                    dco->pPFFList = NULL;

                    // Transfer any color transform

                    dcoNew->pCXFList = dco->pCXFList;
                    dco->pCXFList = NULL;

                    PDEVOBJ poNew((HDEV)dcoNew.pdc->ppdev());

                    // Let the driver know
                    // VULN: Method is taken from old (possibly destroyed) `po`
                    PFN_DrvResetPDEV rfn = po->ppfn[INDEX_DrvResetPDEV];

                    if (rfn != NULL)
                    {
                        (*rfn)(po->dhpdev, poNew->dhpdev);
                    }

                    // [...]
                }
            }
        }
    }

    // Destroy old DC
    // [...]
}

As can be seen from the pseudo-code, the old device context can be freed in a user-mode callback from the hdcOpenDCW call, and later on the method DrvResetPDEV is retrieved from the old device context and called with (po->dhpdev, poNew->dhpdev).
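The lifetime bug in the pseudo-code above, modelled in plain user-mode C as an added example (this is not Win32k or CallbackHell code): a handle-to-object table, a callback that can destroy the object being reset, the vulnerable shape that keeps the raw pointer across the callback, and a hardened shape that re-resolves the handle afterwards. All names (Device, dev_create, reset_vulnerable, reset_hardened, the ERR_ codes) are constructed for this example; the static pool and the alive flag exist only so that the stale access is reported instead of reading freed memory, and the hardened variant is this example's fix, not a description of the vendor's patch.

```c
#include <stdio.h>

/* Constructed model of the object-lifetime pattern in GreResetDCInternal
 * (not Win32k code): a caller resolves a handle to an object, makes a call
 * that can run a callback into untrusted code, and afterwards uses the
 * object's method table. If the callback destroyed the object, that later
 * use is a use-after-free. */

#define MAX_DEV 8
#define ERR_OK               0
#define ERR_INVALID_HANDLE  -1
#define ERR_STALE_OBJECT    -2   /* this model's stand-in for the UAF */

typedef struct Device Device;
typedef void (*ResetFn)(Device *old_dev, Device *new_dev);

struct Device {
    int     alive;        /* 1 while the object is valid */
    int     reset_calls;  /* how many times the reset method ran */
    ResetFn reset;        /* analogue of ppfn[INDEX_DrvResetPDEV] */
};

/* Objects live in a static pool so a stale pointer stays addressable and
 * the example can report the misuse instead of crashing. */
static Device  g_pool[MAX_DEV];
static Device *g_handles[MAX_DEV];   /* handle -> object, NULL when unused */

static void drv_reset(Device *old_dev, Device *new_dev) {
    (void)new_dev;
    old_dev->reset_calls++;
}

int dev_create(void) {
    for (int h = 0; h < MAX_DEV; h++) {
        if (g_handles[h] == NULL) {
            Device *d = &g_pool[h];
            d->alive = 1;
            d->reset_calls = 0;
            d->reset = drv_reset;
            g_handles[h] = d;
            return h;
        }
    }
    return ERR_INVALID_HANDLE;
}

static Device *dev_lookup(int h) {
    return (h >= 0 && h < MAX_DEV) ? g_handles[h] : NULL;
}

int dev_destroy(int h) {
    Device *d = dev_lookup(h);
    if (d == NULL) return ERR_INVALID_HANDLE;
    d->alive = 0;        /* poison so a later dereference is observable */
    d->reset = NULL;
    g_handles[h] = NULL;
    return ERR_OK;
}

/* Callback run while the new object is created, like DrvEnablePDEV during
 * hdcOpenDCW; it receives the handle of the object being reset. */
typedef void (*EnableCb)(int old_handle);

void cb_benign(int h)       { (void)h; }
void cb_destroys_old(int h) { dev_destroy(h); }   /* ResetDC-in-callback analogue */

/* Vulnerable shape: the raw pointer `po` survives across the callback. */
int reset_vulnerable(int h, EnableCb cb) {
    Device *po = dev_lookup(h);
    if (po == NULL) return ERR_INVALID_HANDLE;
    int hnew = dev_create();
    if (hnew < 0) return hnew;
    cb(h);                                     /* may destroy `h` */
    Device *pnew = dev_lookup(hnew);
    if (!po->alive) return ERR_STALE_OBJECT;   /* real kernel: freed memory read here */
    po->reset(po, pnew);                       /* method table fetched from `po` */
    dev_destroy(h);
    return ERR_OK;
}

/* Hardened shape: the handle is re-resolved after anything that can run a
 * callback, and the operation fails cleanly if the object went away. */
int reset_hardened(int h, EnableCb cb) {
    if (dev_lookup(h) == NULL) return ERR_INVALID_HANDLE;
    int hnew = dev_create();
    if (hnew < 0) return hnew;
    cb(h);
    Device *po   = dev_lookup(h);              /* re-validate, never reuse */
    Device *pnew = dev_lookup(hnew);
    if (po == NULL || pnew == NULL) {
        dev_destroy(hnew);
        return ERR_INVALID_HANDLE;
    }
    po->reset(po, pnew);
    dev_destroy(h);
    return ERR_OK;
}

int main(void) {
    int h = dev_create();
    printf("vulnerable, benign callback:     %d\n", reset_vulnerable(h, cb_benign));
    h = dev_create();
    printf("vulnerable, destroying callback: %d\n", reset_vulnerable(h, cb_destroys_old));
    h = dev_create();
    printf("hardened, destroying callback:   %d\n", reset_hardened(h, cb_destroys_old));
    return 0;
}
```

The real kernel has no alive flag: where the model returns ERR_STALE_OBJECT, Win32k read a function pointer out of freed pool memory and called it. The defensive point is that any object pointer held across a call that can re-enter user mode must be treated as invalid afterwards and looked up again.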

To create and hook a device context, one can do the following:

  • Find an available printer with EnumPrinters
  • Load the printer driver into memory with OpenPrinter, GetPrinterDriver and LoadLibraryExA
  • Get the printer driver’s user-mode callback table with GetProcAddress and DrvEnableDriver
  • Unprotect the printer driver’s user-mode callback table with VirtualProtect
  • Overwrite the desired entries of the printer driver’s user-mode callback table
  • Create a device context for the printer with CreateDC(NULL, printerName, NULL, NULL)

We should now have a device context for a printer with hooked user-mode callbacks.

We’re interested in only one hook, namely DrvEnablePDEV. This hook is interesting in two respects: triggering the UAF and controlling the arguments, as described earlier. To trigger the UAF, we call ResetDC inside the hook, which destroys the old device context. When we return from the hook, we are still inside the first GreResetDCInternal, which shortly afterwards fetches and calls the function pointer for DrvResetPDEV from our old, destroyed device context with the two arguments returned from DrvEnablePDEV: the old and the new DHPDEV.

If your process is running with a medium integrity level, KASLR should not be an issue with the help of EnumDeviceDrivers and NtQuerySystemInformation.

Kaspersky mentions that the original exploit used GDI palette objects and a single kernel function call to achieve arbitrary memory read/write. This exploit instead allocates a BitMapHeader on the big pool and uses RtlSetAllBits to enable all privileges on the current process token. The BitMapHeader points to the current process token’s _SEP_TOKEN_PRIVILEGES. By calling RtlSetAllBits(BitMapHeader), it is possible to enable all privileges for the current process token with a single kernel function call. From there, one can abuse the new privileges to get SYSTEM. This exploit uses SeDebugPrivilege to inject shellcode into the winlogon.exe process.

PoC

[image: poc.png]
