[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] Windows Local DOS on Win32 Handle Validation

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Windows Local DOS on Win32 Handle Validation
From: sixtyvividtails <sixtyvividtails@xxxxxxxxxx>
Date: Tue, 12 Nov 2013 13:16:23 +0000

There's really simple and useless bug in win32k!IsHandleEntrySecure(),
which, nevertheless, allows unprivileged local user to cause bsod. I
believe entire NT line is affected. What's intresting, is Microsoft
reaction to it, because, apparently, nowadays local denial of service
from unprivileged users is not considered vulnerability.

QUOTE START
I looked through your report, and it appears to be a local DOS. Although
this is an unfortunate bug, we don't consider it a security
vulnerability according to our 10 immutable laws of security
(http://technet.microsoft.com/library/cc722487.aspx). If you know how to
exploit this bug without violating one of those laws, we would consider
it a remote DOS which is considered a vulnerability.

If you'd like to see this bug fixed, please contact Microsoft Product
Support Services at
http://support.microsoft.com/common/international.aspx. You may also
want to try posting a message to our free support newsgroups. See
Microsoft Product Support Newsgroups at
http://support.microsoft.com/newsgroups/ for more information.
QUOTE END

Instead of spending time trying to contact other MS instances, it was
decided to go full disclosure :)

So, the bug core is in win32k!IsHandleEntrySecure() function which
doesn't properly check if 'pW32Job' field of 'tagPROCESSINFO' for
current process contains non-zero value.
Client can reach that function through call to NtUserValidateHandleSecure().

// IsHandleEntrySecure:
// ...
// .text:00149042 eax: current process processInfo
// .text:00149042 edx: handleEntry process processInfo
// .text:00149042
// .text:00149042 checkHandleInJob:                       ; CODE XREF:
IsHandleEntrySecure(x,x)+48j
// .text:00149042         mov     ecx, [eax+tagPROCESSINFO.pW32Job] ;
ecx: pW32Job of current process processInfo
// .text:00149048         cmp     [edx+tagPROCESSINFO.pW32Job], ecx
// .text:0014904E         jz      short ret_1
// .text:0014904E
// .text:00149050         mov     edx, [ecx+tagW32JOB.pgh] ; <<<<<<< 
let's bsod here
// .text:00149053         xor     eax, eax
// .text:00149055         test    edx, edx
// .text:00149057         jz      short ret_eax
//


Links to PoC source and binaries will be posted shortly here and on my
twitter @sixtyvividtails.

-- 
sixtyvividtails@xxxxxxxxxx

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Windows Local DOS on Win32 Handle Validation
  - From: sixtyvividtails

Prev by Date: [Full-disclosure] CSRF vulnerabilities in OS of fortianalyzer 5.0.4
Next by Date: [Full-disclosure] bugs in IJG jpeg6b & libjpeg-turbo
Previous by thread: [Full-disclosure] CSRF vulnerabilities in OS of fortianalyzer 5.0.4
Next by thread: Re: [Full-disclosure] Windows Local DOS on Win32 Handle Validation
Index(es):
- Date
- Thread