lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CA+YQQ6VBQCbKTdNfxR-_gjsqiDO-RAia3TGFUAwKO4w6M_5hrQ@mail.gmail.com>
Date: Thu, 22 May 2014 11:35:53 -0700
From: Tavis Ormandy <taviso@...xchg8b.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Windows 8 Touch Injection API doesn't handle memory pressure

Perhaps this is an unfair oversimplification, but a humorous (to me)
summary of the SDL might be "security is solved because old code is
irrelevant and new code is perfect". For this reason, I can't help
finding it amusing that both old and new Microsoft code keeps failing
so spectacularly.

I mentioned some ancient code that fails yesterday, here's a fun
example of brand new code failing. There is a new Windows 8+ only
feature I've been looking at, the Touch Injection API:

http://msdn.microsoft.com/en-us/library/windows/desktop/hh802898(v=vs.85).aspx

The feature is backed by two new system calls,
win32k!NtUserInitializeTouchInjection and
win32k!NtUserInjectTouchInput. When you initialize touch injection,
you specify the maximum number of simultaneous contacts you want to
support, up to MAX_TOUCH_CONTACTS. This allocates enough space for the
appropriate structures.

Unfortunately, win32k!InitializeTouchInjectionWithQDCData doesn't
handle allocation failure correctly. This can be exploited by
allocating all available pool, and then increasing the number of
contacts requested.

I have a reliable test case for this issue, attached for reference or
at the URL below (only tested on x86, but I don't see why it wouldn't
work on x64).

https://gist.github.com/taviso/4cfc3035e99f2ea1377e

-- 
-------------------------------------
taviso@...xchg8b.com | pgp encrypted mail preferred
-------------------------------------------------------

View attachment "Inject.c" of type "text/x-csrc" (2697 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ