The article describes a use-after-free in CSynchronousSuperWetInk within dwmcore.dll that can be triggered through the DirectComposition API to achieve RCE in DWM and escalate to SYSTEM, reclaiming the freed object with a RECT-buffer heap spray the author calls GetRECT. It also details the patch (feature flag Feature_1732988217), the exploitation primitives, and a CFG-compatible gadget chain built on __fnINSTRING and CStdAsyncStubBuffer2_Disconnect that marks the spray memory RWX and executes inline shellcode. #DWM #GetRECT
Keypoints
- A use-after-free exists in CSynchronousSuperWetInk::~CSynchronousSuperWetInk in dwmcore.dll (v10.0.26100.7309): the destructor only removes the object from CSuperWetInkManager when IsSuperWetCompatible() returns TRUE, so an object whose compatibility has flipped to FALSE before destruction is freed while the manager still holds its pointer.
- An attacker-controlled DirectComposition sequence (CreateDelegatedInkTrail, CMD_SET_PROPERTY to change LookupMode, CMD_RELEASE_RESOURCE) leaves a dangling pointer in CSuperWetInkManager::localStrokesVector, and DirtyActiveInk then dereferences it.
- Exploitation requires no special privileges: a user-mode app can trigger the bug via D3D11/DXGI + DirectComposition and syscalls to inject raw batch buffer commands (NtDCompositionProcessChannelBatchBuffer / NtDCompositionCommitChannel).
- The GetRECT spray uses CRegionGeometry RECT buffers (288 bytes, LFH bucket matching the target) to reclaim the freed allocation and place a fake vtable and controlled data for a vtable call at vtable+0x50.
- A CFG-safe gadget chain leverages __fnINSTRING (user32.dll) to perform in-place fixups and CStdAsyncStubBuffer2_Disconnect (combase.dll) to call VirtualProtect (marking the spray RWX) and then the inline shellcode, culminating in WinExec("cmd.exe") and a defuse step that lets the hijacked path be re-entered safely.
- The patch adds Feature_1732988217 so RemoveSource() is conditionally forced during destruction, preventing the dangling pointer and mitigating the UAF (fixed in dwmcore.dll v10.0.26100.7623).
- The author notes LLM-assisted reverse engineering (Opus 4.5/4.6) dramatically reduced discovery-to-exploit time, highlighting dual-use risks and the need for defenders to adopt similar tooling.
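The destructor logic behind the first, second and sixth keypoints, as an added C++ model that is not code from dwmcore.dll or from the Elastic post: an object unregisters from its manager only when a compatibility check passes, a property change flips that check to FALSE, and the release then frees the object while the manager's vector still holds its address. The class and function names reuse the page's identifiers, but the layout, the unconditional registration in the constructor and the boolean standing in for Feature_1732988217 are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstdio>
#include <vector>

// Hypothetical model of the bug class, not dwmcore.dll code: a destructor that
// only unregisters the object when a compatibility check passes leaves a
// dangling pointer in the manager once that check has been flipped to FALSE.
struct CSuperWetInkManager;

struct CSynchronousSuperWetInk {
    CSuperWetInkManager* manager;
    bool superWetCompatible;   // what IsSuperWetCompatible() returns
    bool forceRemove;          // stands in for Feature_1732988217 (assumption)

    CSynchronousSuperWetInk(CSuperWetInkManager* mgr, bool patched);
    ~CSynchronousSuperWetInk();

    bool IsSuperWetCompatible() const { return superWetCompatible; }
    // Models CMD_SET_PROPERTY changing LookupMode so the check now fails.
    void SetLookupModeIncompatible() { superWetCompatible = false; }
};

struct CSuperWetInkManager {
    std::vector<CSynchronousSuperWetInk*> localStrokesVector;

    void AddSource(CSynchronousSuperWetInk* ink) { localStrokesVector.push_back(ink); }
    void RemoveSource(CSynchronousSuperWetInk* ink) {
        localStrokesVector.erase(
            std::remove(localStrokesVector.begin(), localStrokesVector.end(), ink),
            localStrokesVector.end());
    }
    // Looks for a stale entry by address value only; never dereferences it.
    bool HoldsAddress(std::uintptr_t addr) const {
        for (auto* p : localStrokesVector)
            if (reinterpret_cast<std::uintptr_t>(p) == addr) return true;
        return false;
    }
};

CSynchronousSuperWetInk::CSynchronousSuperWetInk(CSuperWetInkManager* mgr, bool patched)
    : manager(mgr), superWetCompatible(true), forceRemove(patched) {
    manager->AddSource(this);  // assumption: registered at creation while compatible
}

CSynchronousSuperWetInk::~CSynchronousSuperWetInk() {
    // Vulnerable build: removal depends on the check. Patched build: forced.
    if (forceRemove || IsSuperWetCompatible())
        manager->RemoveSource(this);
}

// Runs create -> flip LookupMode -> release and reports whether the manager
// still holds the freed object's address, which is the UAF precondition that
// a later DirtyActiveInk pass would turn into a dereference of freed memory.
bool LeavesDanglingPointer(bool patched) {
    CSuperWetInkManager manager;
    auto* ink = new CSynchronousSuperWetInk(&manager, patched);
    ink->SetLookupModeIncompatible();
    std::uintptr_t freedAddr = reinterpret_cast<std::uintptr_t>(ink);
    delete ink;                              // CMD_RELEASE_RESOURCE
    return manager.HoldsAddress(freedAddr);  // true => stale pointer survived
}

int main() {
    std::printf("vulnerable: dangling=%d\n", LeavesDanglingPointer(false));
    std::printf("patched:    dangling=%d\n", LeavesDanglingPointer(true));
    return 0;
}
```

The model deliberately checks the stale entry by integer address rather than calling through it; in the real target the spray described in the fourth keypoint is what gives that stale pointer a controlled vtable before DirtyActiveInk runs.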
MITRE Techniques
- [T1203] Exploitation for Client Execution – The vulnerability is exploited from a user-mode application via the DirectComposition API to gain RCE in DWM ("The UAF can be triggered from a regular user-mode application via the DirectComposition API. The attack requires no special privileges.").
- [T1068] Exploitation for Privilege Escalation – The exploit path escalates from low-privilege user code into DWM and then to SYSTEM using the UAF and subsequent gadget chain ("...get RCE from low privilege into DWM and to SYSTEM.").
Indicators of Compromise
- [File Name] vulnerable and patched binary context – dwmcore.dll (v10.0.26100.7309 vulnerable, v10.0.26100.7623 patched), dwm.exe (host process executing DWM components)
- [DLL / Module] exploitation gadgets and helpers – user32.dll (__fnINSTRING), combase.dll (CStdAsyncStubBuffer2_Disconnect), dcomp.dll (DirectComposition helpers)
- [Resource Type] DirectComposition resource handles used in exploit – CSynchronousSuperWetInk (resource type 0xa8), CSuperWetInkVisual (type 0xa5), CRegionGeometry (type 0x81)
- [Command Identifiers] batch buffer command primitives – CMD_SET_PROPERTY (0x0B), CMD_SET_BUFFER_PROPERTY (0x0F), CMD_SET_REFERENCE (0x10), CMD_CREATE_RESOURCE (0x02)
- [Feature Flag / Patch Marker] mitigation indicator – Feature_1732988217 (added to force RemoveSource() during the destructor)
Read more: https://www.elastic.co/security-labs/patch-diff-to-system