1268 - Windows Kernel stack memory disclosure in win32k!NtGdiGetPhysicalMonitorDescription - project-zero

Starred by 2 users

Status:	Fixed
Owner:	mjurczyk@google.com
Closed:	Sep 12
Cc:	project-...@google.com
Severity-Medium Product-Kernel Deadline-90 Deadline-Grace Deadline-Exceeded CCProjectZeroMembers Finder-mjurczyk Vendor-Microsoft Reported-2017-May-31 MSRC-38995 CVE-2017-8681 Fixed-2017-Sep-12

Windows Kernel stack memory disclosure in win32k!NtGdiGetPhysicalMonitorDescription

Project Member Reported by mjurczyk@google.com, May 31 2017

Back to list

We have discovered that the nt!NtGdiGetPhysicalMonitorDescription system call discloses portions of uninitialized kernel stack memory to user-mode clients, on Windows 7 to Windows 10.

This is caused by the fact that the syscall copies a whole stack-based array of 256 bytes (128 wide-chars) to the caller, but typically only a small portion of the buffer is used to store the requested monitor description, while the rest of it remains uninitialized. This memory region contains sensitive information such as addresses of executable images, kernel stack, kernel pools and stack cookies.

The attached proof-of-concept program demonstrates the disclosure by spraying the kernel stack with a large number of 0x41 ('A') marker bytes, and then calling the affected system call. An example output is as follows:

--- cut ---
00000000: 47 00 65 00 6e 00 65 00 72 00 69 00 63 00 20 00 G.e.n.e.r.i.c. .
00000010: 4e 00 6f 00 6e 00 2d 00 50 00 6e 00 50 00 20 00 N.o.n.-.P.n.P. .
00000020: 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 00 00 M.o.n.i.t.o.r...
00000030: 74 00 6f 00 72 00 2e 00 64 00 65 00 76 00 69 00 t.o.r...d.e.v.i.
00000040: 63 00 65 00 64 00 65 00 73 00 63 00 25 00 3b 00 c.e.d.e.s.c.%.;.
00000050: 47 00 65 00 6e 00 65 00 72 00 69 00 63 00 20 00 G.e.n.e.r.i.c. .
00000060: 4e 00 6f 00 6e 00 2d 00 50 00 6e 00 50 00 20 00 N.o.n.-.P.n.P. .
00000070: 4d 00 6f 00 6e 00 69 00 74 00 6f 00 72 00 00 00 M.o.n.i.t.o.r...
00000080: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000090: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
--- cut ---

If the stack spraying part of the PoC code is disabled, we can immediately observe various kernel-mode addresses in the dumped memory area.

Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

NtGdiGetPhysicalMonitorDescription.cpp
3.9 KB View Download

Project Member Comment 1 by mjurczyk@google.com, May 31 2017

Labels: Reported-2017-May-31

Project Member Comment 2 by mjurczyk@google.com, May 31 2017

Labels: MSRC-38995

Project Member Comment 3 by mjurczyk@google.com, Aug 7

Labels: CVE-2017-8681

Project Member Comment 4 by mjurczyk@google.com, Aug 25

Labels: Deadline-Exceeded Deadline-Grace

The bug is scheduled to be fixed in the September Patch Tuesday.

Project Member Comment 5 by mjurczyk@google.com, Sep 12

Labels: Fixed-2017-Sep-12
Status: Fixed

Fixed in today's Patch Tuesday.

Project Member Comment 6 by mjurczyk@google.com, Sep 18

Labels: -Restrict-view-commit

► Sign in to add a comment