New issue
Advanced search Search tips
Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Sep 2017
Cc:



Sign in to add a comment
link

Issue 1268: Windows Kernel stack memory disclosure in win32k!NtGdiGetPhysicalMonitorDescription

Reported by mjurczyk@google.com, May 31 2017 Project Member

Issue description

We have discovered that the nt!NtGdiGetPhysicalMonitorDescription system call discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10.

This is caused by the fact that the syscall copies a whole stack-based array of 256 bytes (128 wide-chars) to the caller, but typically only a small portion of the buffer is used to store the requested monitor description, while the rest of it remains uninitialized. This memory region contains sensitive information such as addresses of executable images, kernel stack, kernel pools and stack cookies.

The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows:

--- cut ---
00000000: 47 00 65 00 6e 00 65 00 72 00 69 00 63 00 20 00 G.e.n.e.r.i.c. .
00000010: 4e 00 6f 00 6e 00 2d 00 50 00 6e 00 50 00 20 00 N.o.n.-.P.n.P. .
00000020: 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 00 00 M.o.n.i.t.o.r...
00000030: 74 00 6f 00 72 00 2e 00 64 00 65 00 76 00 69 00 t.o.r...d.e.v.i.
00000040: 63 00 65 00 64 00 65 00 73 00 63 00 25 00 3b 00 c.e.d.e.s.c.%.;.
00000050: 47 00 65 00 6e 00 65 00 72 00 69 00 63 00 20 00 G.e.n.e.r.i.c. .
00000060: 4e 00 6f 00 6e 00 2d 00 50 00 6e 00 50 00 20 00 N.o.n.-.P.n.P. .
00000070: 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 00 00 M.o.n.i.t.o.r...
00000080: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
--- cut ---

If the stack spraying part of the PoC code is disabled, we can immediately observe various kernel-mode addresses in the dumped memory area.

Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
 
NtGdiGetPhysicalMonitorDescription.cpp
3.9 KB View Download

Comment 1 by mjurczyk@google.com, May 31 2017

Project Member
Labels: Reported-2017-May-31

Comment 2 by mjurczyk@google.com, May 31 2017

Project Member
Labels: MSRC-38995

Comment 3 by mjurczyk@google.com, Aug 7 2017

Project Member
Labels: CVE-2017-8681

Comment 4 by mjurczyk@google.com, Aug 25 2017

Project Member
Labels: Deadline-Exceeded Deadline-Grace
The bug is scheduled to be fixed in the September Patch Tuesday.

Comment 5 by mjurczyk@google.com, Sep 12 2017

Project Member
Labels: Fixed-2017-Sep-12
Status: Fixed (was: New)
Fixed in today's Patch Tuesday.

Comment 6 by mjurczyk@google.com, Sep 18 2017

Project Member
Labels: -Restrict-view-commit

Sign in to add a comment