lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <52822A27.90502@yandex.com>
Date: Tue, 12 Nov 2013 13:16:23 +0000
From: sixtyvividtails <sixtyvividtails@...dex.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Windows Local DOS on Win32 Handle Validation

There's really simple and useless bug in win32k!IsHandleEntrySecure(),
which, nevertheless, allows unprivileged local user to cause bsod. I
believe entire NT line is affected. What's intresting, is Microsoft
reaction to it, because, apparently, nowadays local denial of service
from unprivileged users is not considered vulnerability.

QUOTE START
I looked through your report, and it appears to be a local DOS. Although
this is an unfortunate bug, we don't consider it a security
vulnerability according to our 10 immutable laws of security
(http://technet.microsoft.com/library/cc722487.aspx). If you know how to
exploit this bug without violating one of those laws, we would consider
it a remote DOS which is considered a vulnerability.

If you'd like to see this bug fixed, please contact Microsoft Product
Support Services at
http://support.microsoft.com/common/international.aspx. You may also
want to try posting a message to our free support newsgroups. See
Microsoft Product Support Newsgroups at
http://support.microsoft.com/newsgroups/ for more information.
QUOTE END

Instead of spending time trying to contact other MS instances, it was
decided to go full disclosure :)

So, the bug core is in win32k!IsHandleEntrySecure() function which
doesn't properly check if 'pW32Job' field of 'tagPROCESSINFO' for
current process contains non-zero value.
Client can reach that function through call to NtUserValidateHandleSecure().

// IsHandleEntrySecure:
// ...
// .text:00149042 eax: current process processInfo
// .text:00149042 edx: handleEntry process processInfo
// .text:00149042
// .text:00149042 checkHandleInJob:                       ; CODE XREF:
IsHandleEntrySecure(x,x)+48.j
// .text:00149042         mov     ecx, [eax+tagPROCESSINFO.pW32Job] ;
ecx: pW32Job of current process processInfo
// .text:00149048         cmp     [edx+tagPROCESSINFO.pW32Job], ecx
// .text:0014904E         jz      short ret_1
// .text:0014904E
// .text:00149050         mov     edx, [ecx+tagW32JOB.pgh] ; <<<<<<< 
let's bsod here
// .text:00149053         xor     eax, eax
// .text:00149055         test    edx, edx
// .text:00149057         jz      short ret_eax
//


Links to PoC source and binaries will be posted shortly here and on my
twitter @sixtyvividtails.

-- 
sixtyvividtails@...dex.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ