A use after free vulnerability exists in the `NtGdiResetDC()` function of Win32k which can be leveraged by
an attacker to escalate privileges to those of `NT AUTHORITY\SYSTEM`. The flaw exists due to the fact
that this function calls `hdcOpenDCW()`, which performs a user mode callback. During this callback, attackers
can call the `NtGdiResetDC()` function again with the same handle as before, which will result in the PDC object
that is referenced by this handle being freed. The attacker can then replace the memory referenced by the handle
with their own object, before passing execution back to the original `NtGdiResetDC()` call, which will now use the
attacker's object without appropriate validation. This can then allow the attacker to manipulate the state of the
kernel and, together with additional exploitation techniques, gain code execution as NT AUTHORITY\SYSTEM.
This module has been tested to work on Windows 10 x64 RS1 (build 14393) and RS5 (build 17763), however previous versions
of Windows 10 will likely also work.
- Costin Raiu
- Boris Larin
- Red Raindrop Team of Qi'anxin Threat Intelligence Center
- Grant Willcox