Security: untrusted code exec to kernel code exec, applicable from chrome render process as well
Reported by
ferdinan...@gmail.com,
Apr 12 2016
Issue description

VULNERABILITY DETAILS

tm.sys is an extension of ntoskrnl, and ntos provides various syscalls wrapped to that module. This module is responsible for kernel transaction management; you can read more at: https://msdn.microsoft.com/en-us/library/windows/desktop/bb986748(v=vs.85).aspx

The bug resides in the recovery mechanism. Due to RecoverTransactionManager you can double ObDeref ('arbitrary' decrease pointer count by one) on a single transaction object (_ktransaction), and that can potentially lead to a UAF on the transaction object. Although you have no access to call syscalls on the freed transaction, you can misuse limited access to it through the enlistment object (_kenlistment), and achieve full kernel io, therefore kernel code exec as well.

VERSION

Chrome Version: from render, to gpu proc
Operating System: tested on windows 10 - x64

REPRODUCTION CASE

pwd : abe1bffbe3fac4abdbf11ae50d5790e0

instruction :

1> now is hardcoded user name - "alice", put content of ./rsrc/ dir (pwn2goog*) to temp folder : C:\Users\alice\AppData\Local\Temp\Low\
   * for test from chrome will be needed path to chrome download folder ofc ..
2> compile project (gcc, build.bat, boost dependency)
3> run test for system cmd
   * at current version is w32k gdi io technique implementation, however we are working to use it with our ntos io technique, therefore fully exploitable directly from render process
Apr 12 2016
I will report this to MS and update this bug with status. Reporter: can you confirm how you wish this to be credited in any MS advisory?
Apr 13 2016
@1 : as it is going directly through ntos, there is not much to do
Apr 13 2016
@2 : as for credit : Peter Hlavaty (@zer0mem), KeenLab, Tencent
Apr 19 2016
-> timwillis@
Apr 22 2016
Thanks for reporting these. Can you please report these to MSRC and let us know the reference numbers for the issues? Reporting them to the vendor won't affect the Chrome eligibility for reward.
Apr 22 2016
sure, thanks
Jul 7 2016
Hi guys, just pinging, all issues (tm & clfs) are repro by Microsoft, and waiting for upcoming patches around September. Therefore I recommend keeping the issues 'hidden' until the Microsoft guys successfully patch those. btw I sent ref numbers by mail to Tim some time ago, however again here :

clfs - untrusted to kernel #GetSymbol
I have opened case 33285 and the case manager, Stephen will be in touch when there is more information.

clfs - untrusted to kernel #ExtendMetadataBlock
I have opened case 33286 and the case manager, Stephen will be in touch when there is more information.

clfs - untrusted to kernel #ReadMetadataBlock
I have opened case 33287 and the case manager, Stephen will be in touch when there is more information.

clfs - untrusted to kernel #GetUsn
I have opened case 33288 and the case manager, Stephen will be in touch when there is more information.

clfs - kernel to untrusted
I have opened case 33289 and the case manager, Stephen will be in touch when there is more information.

clfs - kernel to untrusted #LoadContainerQ
I have opened case 33290 and the case manager, Stephen will be in touch when there is more information.

tm - kernel code exec
I have opened case 33294 and the case manager, Stephen will be in touch when there is more information.
Nov 21 2016
Microsoft has fixed, see https://technet.microsoft.com/library/security/mt674627.aspx
Feb 14 2018
Were these bugs ever reported to MSFT? Do you have an MSRC reference number for each bug? If not, I will go ahead and close these bugs in a week or two.
Feb 14 2018
looks like this one was actually fixed.
Feb 28 2018
The NextAction date has arrived: 2018-02-28
May 24 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by tsepez@chromium.org, Apr 12 2016
Status: Assigned (was: Unconfirmed)