[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <52822A27.90502@yandex.com>
Date: Tue, 12 Nov 2013 13:16:23 +0000
From: sixtyvividtails <sixtyvividtails@...dex.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Windows Local DOS on Win32 Handle Validation
There's really simple and useless bug in win32k!IsHandleEntrySecure(),
which, nevertheless, allows unprivileged local user to cause bsod. I
believe entire NT line is affected. What's intresting, is Microsoft
reaction to it, because, apparently, nowadays local denial of service
from unprivileged users is not considered vulnerability.
QUOTE START
I looked through your report, and it appears to be a local DOS. Although
this is an unfortunate bug, we don't consider it a security
vulnerability according to our 10 immutable laws of security
(http://technet.microsoft.com/library/cc722487.aspx). If you know how to
exploit this bug without violating one of those laws, we would consider
it a remote DOS which is considered a vulnerability.
If you'd like to see this bug fixed, please contact Microsoft Product
Support Services at
http://support.microsoft.com/common/international.aspx. You may also
want to try posting a message to our free support newsgroups. See
Microsoft Product Support Newsgroups at
http://support.microsoft.com/newsgroups/ for more information.
QUOTE END
Instead of spending time trying to contact other MS instances, it was
decided to go full disclosure :)
So, the bug core is in win32k!IsHandleEntrySecure() function which
doesn't properly check if 'pW32Job' field of 'tagPROCESSINFO' for
current process contains non-zero value.
Client can reach that function through call to NtUserValidateHandleSecure().
// IsHandleEntrySecure:
// ...
// .text:00149042 eax: current process processInfo
// .text:00149042 edx: handleEntry process processInfo
// .text:00149042
// .text:00149042 checkHandleInJob: ; CODE XREF:
IsHandleEntrySecure(x,x)+48.j
// .text:00149042 mov ecx, [eax+tagPROCESSINFO.pW32Job] ;
ecx: pW32Job of current process processInfo
// .text:00149048 cmp [edx+tagPROCESSINFO.pW32Job], ecx
// .text:0014904E jz short ret_1
// .text:0014904E
// .text:00149050 mov edx, [ecx+tagW32JOB.pgh] ; <<<<<<<
let's bsod here
// .text:00149053 xor eax, eax
// .text:00149055 test edx, edx
// .text:00149057 jz short ret_eax
//
Links to PoC source and binaries will be posted shortly here and on my
twitter @sixtyvividtails.
--
sixtyvividtails@...dex.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists