{
	"id": "674e3898-3756-42fa-b833-9a1d1c21861e",
	"created_at": "2026-04-06T00:06:44.546954Z",
	"updated_at": "2026-04-10T03:28:34.74434Z",
	"deleted_at": null,
	"sha1_hash": "a4666b7e08d1c5c60716759559274c934a464204",
	"title": "The fourth horseman: CVE-2019-0797 vulnerability",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 77709,
	"plain_text": "The fourth horseman: CVE-2019-0797 vulnerability\r\nBy Vasily Berdnikov\r\nPublished: 2019-03-13 · Archived: 2026-04-05 14:49:31 UTC\r\nIn February 2019, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability\r\nin the Microsoft Windows operating system. Further analysis of this event led to us discovering a zero-day\r\nvulnerability in win32k.sys. We reported it to Microsoft on February 22, 2019. The company confirmed the\r\nvulnerability and assigned it CVE-2019-0797. Microsoft have just released a patch, crediting Kaspersky Lab\r\nresearchers Vasiliy Berdnikov and Boris Larin with the discovery:\r\nThis is the fourth consecutive exploited Local Privilege Escalation vulnerability in Windows we have discovered\r\nrecently using our technologies. Just like with CVE-2018-8589, we believe this exploit is used by several threat\r\nactors including, but possibly not limited to, FruityArmor and SandCat. While FruityArmor is known to have used\r\nzero-days before, SandCat is a new APT we discovered only recently. In addition to CVE-2019-0797 and\r\nCHAINSHOT, SandCat also uses the FinFisher/FinSpy framework.\r\nKaspersky Lab products detected this exploit proactively through the following technologies:\r\n1. 1 Behavioral detection engine and Automatic Exploit Prevention for endpoint products;\r\n2. 2 Advanced Sandboxing and Anti Malware engine for Kaspersky Anti Targeted Attack Platform (KATA).\r\nKaspersky Lab verdicts for the artifacts used in this and related attacks are:\r\nHEUR:Exploit.Win32.Generic\r\nHEUR:Trojan.Win32.Generic\r\nPDM:Exploit.Win32.Generic\r\nBrief technical details – CVE-2019-0797\r\nCVE-2019-0797 is a race condition that is present in the win32k driver due to a lack of proper synchronization\r\nbetween undocumented syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection. 
The vulnerable code can be observed below on screenshots made on an up-to-date system during initial analysis:\r\nSnippet of NtDCompositionDiscardFrame syscall (Windows 8.1)\r\nOn this screenshot with the simplified logic of the NtDCompositionDiscardFrame syscall you can see that this code acquires a lock related to frame operations in the structure DirectComposition::CConnection, tries to find the frame that corresponds to a given id, and eventually calls free on it. The problem with this can be observed on the second screenshot:\r\nSnippet of NtDCompositionDestroyConnection syscall inner function (Windows 8.1)\r\nOn this screenshot with the simplified logic of the inner function called from within the NtDCompositionDestroyConnection syscall you can see that it does not acquire that lock and calls the function DiscardAllCompositionFrames, which releases all allocated frames of the connection. The problem lies in the fact that when the syscalls NtDCompositionDiscardFrame and NtDCompositionDestroyConnection are executed simultaneously, DiscardAllCompositionFrames may run at a time when the NtDCompositionDiscardFrame syscall is already looking for a frame to release or has already found it. The frame is then freed from under NtDCompositionDiscardFrame, which goes on to operate on it, and this condition leads to a use-after-free scenario.\r\nInterestingly, this is the third race condition zero-day exploit used by the same group, in addition to CVE-2018-8589 and CVE-2018-8611.\r\nStop execution if module file name contains substring “chrome.exe”\r\nThe exploit that was found in the wild was targeting 64-bit operating systems in the range from Windows 8 to Windows 10 build 15063.\r\n
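To make the racing interleaving described above concrete, here is an added example that is not code from the article and not win32k code: a small user-mode C model of the two paths. The Connection and Frame structures, the frame_lock_held flag, the fixed frame array and every function name in it are constructed for illustration; the only thing it reproduces from the text is the locking pattern, in which NtDCompositionDiscardFrame looks up and frees one frame under the connection's frame lock while the DiscardAllCompositionFrames path reached from NtDCompositionDestroyConnection frees every frame without taking that lock. The take_lock parameter replays the same interleaving with both paths serialized on one lock, which is the natural fix; the article does not describe how Microsoft's patch is implemented, so that part is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed user-mode model of the race described in the article. The type and
 * function names (Connection, Frame, frame_lock_held, discard_frame_racing_with_destroy)
 * are hypothetical and are NOT win32k code; they only reproduce the locking pattern:
 * one path frees a frame under a lock, the other frees every frame without it. */

#define MAX_FRAMES 4

typedef struct {
    unsigned id;
    bool allocated;   /* stands in for pool allocation state so a double free is detectable */
} Frame;

typedef struct {
    bool frame_lock_held;     /* the lock related to frame operations in the connection */
    Frame frames[MAX_FRAMES];
} Connection;

typedef enum {
    OK = 0,
    E_NOT_FOUND = 1,
    E_WOULD_BLOCK = 2,      /* the caller must wait for the lock holder */
    E_USE_AFTER_FREE = 3    /* a frame was freed twice: the bug */
} Status;

static void init_connection(Connection *c) {
    c->frame_lock_held = false;
    for (size_t i = 0; i < MAX_FRAMES; i++) {
        c->frames[i].id = (unsigned)(i + 1);
        c->frames[i].allocated = true;
    }
}

static int count_allocated(const Connection *c) {
    int n = 0;
    for (size_t i = 0; i < MAX_FRAMES; i++) n += c->frames[i].allocated ? 1 : 0;
    return n;
}

/* Simulated pool free: freeing a frame that is already free is the use-after-free. */
static Status pool_free_frame(Frame *f) {
    if (!f->allocated) return E_USE_AFTER_FREE;
    f->allocated = false;
    return OK;
}

static Frame *find_frame(Connection *c, unsigned id) {
    for (size_t i = 0; i < MAX_FRAMES; i++)
        if (c->frames[i].allocated && c->frames[i].id == id) return &c->frames[i];
    return NULL;
}

/* Model of DiscardAllCompositionFrames as reached from NtDCompositionDestroyConnection.
 * take_lock == false reproduces the unpatched behaviour (no lock); take_lock == true
 * models a fix that serializes on the same lock as NtDCompositionDiscardFrame (assumed). */
static Status discard_all_composition_frames(Connection *c, bool take_lock) {
    if (take_lock) {
        if (c->frame_lock_held) return E_WOULD_BLOCK;
        c->frame_lock_held = true;
    }
    Status worst = OK;
    for (size_t i = 0; i < MAX_FRAMES; i++) {
        if (!c->frames[i].allocated) continue;
        Status s = pool_free_frame(&c->frames[i]);
        if (s != OK) worst = s;
    }
    if (take_lock) c->frame_lock_held = false;
    return worst;
}

/* Deterministic replay of the losing interleaving:
 *   thread A (NtDCompositionDiscardFrame): take the lock, look up the frame by id;
 *   thread B (NtDCompositionDestroyConnection): DiscardAllCompositionFrames;
 *   thread A: free the frame it found.
 * Returns the outcome of thread A's free. */
static Status discard_frame_racing_with_destroy(Connection *c, unsigned id, bool destroy_takes_lock) {
    c->frame_lock_held = true;
    Frame *f = find_frame(c, id);
    if (f == NULL) {
        c->frame_lock_held = false;
        return E_NOT_FOUND;
    }
    /* preemption point: thread B runs here while A still holds the lock */
    (void)discard_all_composition_frames(c, destroy_takes_lock);
    /* thread A resumes with the pointer it found before being preempted */
    Status s = pool_free_frame(f);
    c->frame_lock_held = false;
    return s;
}

/* Unpatched: B frees everything without the lock, then A frees a dead frame. */
static Status unpatched_outcome(void) {
    Connection c;
    init_connection(&c);
    return discard_frame_racing_with_destroy(&c, 2, false);
}

/* Fixed: B cannot take the lock while A holds it, so A's free is the only one;
 * B is retried once the lock is released and the remaining three frames go cleanly. */
static int patched_frames_left(void) {
    Connection c;
    init_connection(&c);
    if (discard_frame_racing_with_destroy(&c, 2, true) != OK) return -1;
    if (discard_all_composition_frames(&c, true) != OK) return -1;
    return count_allocated(&c);
}
```

The replay is deterministic because the preemption point is fixed at the moment right after the frame lookup; a real exploit has to win that window by racing the two syscalls from separate threads, typically many times. The model also shows why the lock in NtDCompositionDiscardFrame alone is not a fix: a lock only protects a shared object if every path that frees it takes the same lock.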
The exploitation process for all those operating systems does not differ greatly: it heap-sprays palettes and accelerator tables and uses GdiSharedHandleTable and gSharedInfo to leak their kernel addresses. On Windows 10 build 14393 and higher, windows are used instead of palettes. Besides that, the exploit checks whether it is running from Google Chrome and stops execution if it is, because CVE-2019-0797 can't be exploited from within the sandbox.\r\nSource: https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/cve-2019-0797-zero-day-vulnerability/89885/"
	],
	"report_names": [
		"89885"
	],
	"threat_actors": [
		{
			"id": "0f47a6f3-a181-4e15-9261-50eef5f03a3a",
			"created_at": "2022-10-25T16:07:24.228663Z",
			"updated_at": "2026-04-10T02:00:04.905195Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038",
				"Project Raven",
				"Stealth Falcon"
			],
			"source_name": "ETDA:Stealth Falcon",
			"tools": [
				"Deadglyph",
				"StealthFalcon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "77aedfa3-e52b-4168-8269-55ccec0946f7",
			"created_at": "2023-01-06T13:46:38.453791Z",
			"updated_at": "2026-04-10T02:00:02.981559Z",
			"deleted_at": null,
			"main_name": "Stealth Falcon",
			"aliases": [
				"FruityArmor",
				"G0038"
			],
			"source_name": "MISPGALAXY:Stealth Falcon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "80cf66b8-27d2-4e87-b0d1-5bacacd9bb3d",
			"created_at": "2023-01-06T13:46:38.931567Z",
			"updated_at": "2026-04-10T02:00:03.149736Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "MISPGALAXY:SandCat",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "67ac502c-8cf8-46cb-98e8-c249e0f0298d",
			"created_at": "2022-10-25T16:07:24.149987Z",
			"updated_at": "2026-04-10T02:00:04.882099Z",
			"deleted_at": null,
			"main_name": "SandCat",
			"aliases": [],
			"source_name": "ETDA:SandCat",
			"tools": [
				"CHAINSHOT",
				"FinFisher",
				"FinFisher RAT",
				"FinSpy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434004,
	"ts_updated_at": 1775791714,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4666b7e08d1c5c60716759559274c934a464204.pdf",
		"text": "https://archive.orkl.eu/a4666b7e08d1c5c60716759559274c934a464204.txt",
		"img": "https://archive.orkl.eu/a4666b7e08d1c5c60716759559274c934a464204.jpg"
	}
}