Status: Fixed
Closed: Jun 13
Windows Kernel stack memory disclosure in win32k!NtGdiGetOutlineTextMetricsInternalW
Project Member Reported by mjurczyk@google.com, Mar 13 2017
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 7-10 through the win32k!NtGdiGetOutlineTextMetricsInternalW system call.

The system call returns an 8-byte structure back to ring-3 through the 4th parameter, as evidenced by the following assembly code (win32k.sys from Windows 7 32-bit):

--- cut ---
.text:BF87364A                 mov     edx, [ebp+arg_C]
.text:BF87364D                 lea     ecx, [edx+8]
.text:BF873650                 mov     eax, _W32UserProbeAddress
.text:BF873655                 cmp     ecx, eax
.text:BF873657                 ja      short loc_BF873662
.text:BF873659                 cmp     ecx, edx
.text:BF87365B                 jbe     short loc_BF873662
.text:BF87365D                 test    dl, 3
.text:BF873660                 jz      short loc_BF873665
.text:BF873662
.text:BF873662 loc_BF873662:
.text:BF873662                 mov     byte ptr [eax], 0
.text:BF873665
.text:BF873665 loc_BF873665:
.text:BF873665                 lea     esi, [ebp+var_24]
.text:BF873668                 mov     edi, edx
.text:BF87366A                 movsd
.text:BF87366B                 movsd
--- cut ---

However, according to our experiments, only the first 4 bytes of the source structure (placed on the kernel stack) are initialized under normal circumstances, while the other 4 bytes are set to leftover data. In order to demonstrate the issue, we have created a proof-of-concept program which sprays 1024 bytes of the kernel stack with a 0x41 ('A') byte directly prior to triggering the vulnerability, with the help of the win32k!NtGdiEngCreatePalette system call. Then, the DWORD leaked via the discussed vulnerability is indeed equal to 0x41414141, as evidenced by the PoC output:

--- cut ---
C:\>NtGdiGetOutlineTextMetricsInternalW_stack.exe
Data read: 41414141
--- cut ---

Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
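As an added illustration (not the report's attached PoC and not Microsoft's code), the following C program models the bug pattern with an explicitly simulated kernel stack so the stale bytes are deterministic: only the first DWORD of the 8-byte result is written before the two-DWORD copy to user memory, and the fix is to clear the whole structure before use. All names (sim_kstack, otm_internal_*, leaked_dword) and the spray value are hypothetical.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Simulated kernel stack region; a prior call leaves bytes here. */
static uint8_t sim_kstack[64];

/* The 8-byte structure copied back to user mode (two DWORDs). */
typedef struct { uint32_t initialized; uint32_t leftover; } otm_result_t;

/* Models the earlier syscall that fills the stack with a chosen byte. */
static void sim_prior_call_spray(uint8_t fill)
{
    memset(sim_kstack, fill, sizeof(sim_kstack));
}

/* Vulnerable pattern: the local starts out holding whatever the previous
 * frame left in its slot, only the first DWORD is computed, and then all
 * 8 bytes are copied out (the two movsd instructions). */
static void otm_internal_vulnerable(otm_result_t *user_out)
{
    otm_result_t local;
    memcpy(&local, &sim_kstack[16], sizeof(local)); /* stale slot contents */
    local.initialized = 0x10;                       /* the only field set */
    memcpy(user_out, &local, sizeof(local));        /* leaks .leftover */
}

/* Fixed pattern: zero the whole structure before filling it in. */
static void otm_internal_fixed(otm_result_t *user_out)
{
    otm_result_t local;
    memcpy(&local, &sim_kstack[16], sizeof(local)); /* same stale contents */
    memset(&local, 0, sizeof(local));               /* the fix */
    local.initialized = 0x10;
    memcpy(user_out, &local, sizeof(local));
}

/* Second DWORD seen by "user mode" after a 0x41 spray and one call. */
uint32_t leaked_dword(int use_fixed)
{
    otm_result_t out;
    sim_prior_call_spray(0x41);
    if (use_fixed) otm_internal_fixed(&out); else otm_internal_vulnerable(&out);
    return out.leftover;
}

int main(void)
{
    printf("vulnerable: %08x\n", leaked_dword(0));  /* 41414141 */
    printf("fixed:      %08x\n", leaked_dword(1));  /* 00000000 */
    return 0;
}
```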

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
Attachment: NtGdiGetOutlineTextMetricsInternalW_stack.cpp (2.7 KB)
Project Member Comment 1 by mjurczyk@google.com, Mar 16 2017
Labels: Reported-2017-Mar-16
Project Member Comment 2 by mjurczyk@google.com, Mar 20 2017
Labels: MSRC-37785
Project Member Comment 3 by mjurczyk@google.com, May 20 2017
Labels: CVE-2017-8471
Project Member Comment 4 by mjurczyk@google.com, Jun 13
Labels: Fixed-2017-Jun-13
Status: Fixed
Fixed in today's Patch Tuesday.
Project Member Comment 5 by mjurczyk@google.com, Jun 20
Labels: -restrict-view-commit