Issue metadata

Status: Fixed
Closed: Sep 2017

Issue 1275: Windows Kernel stack memory disclosure in win32k!NtGdiGetFontResourceInfoInternalW

Reported by mjurczyk@google.com, Jun 2 2017 Project Member

Issue description

We have discovered that the nt!NtGdiGetFontResourceInfoInternalW system call discloses portions of uninitialized kernel stack memory to user-mode clients.

This is caused by the fact that for user-specified output buffer sizes up to 0x5c, a temporary stack-based buffer is used by the syscall for optimization. As opposed to the pool allocation, the stack memory area is not pre-initialized with zeros, and when it is copied back to user-mode in its entirety, its contents disclose leftover kernel stack bytes containing potentially sensitive information.

The vulnerability is fixed in Windows 10, which has the following memset() call at the beginning of the function:

--- cut ---
.text:0025F9E6                 push    5Ch             ; size_t
.text:0025F9E8                 push    ebx             ; int
.text:0025F9E9                 lea     eax, [ebp+var_118]
.text:0025F9EF                 push    eax             ; void *
.text:0025F9F0                 call    _memset
--- cut ---

This indicates that Microsoft is aware of the bug but didn't backport the fix to systems earlier than Windows 10. The issue was in fact discovered by cross-diffing the list of memset calls between Windows 7 and Windows 10, which illustrates how easy it is to use exclusive patches for one system version to attack another.

The attached proof-of-concept program demonstrates the disclosure. An example output is as follows:

--- cut ---
00000000: 00 00 00 00 a9 fb c2 82 02 00 00 00 19 00 00 00 ................
00000010: 00 00 00 00 46 69 6c 65 a8 6f 06 89 46 69 6c 65 ....File.o..File
00000020: c8 00 00 00 ff 07 00 00 00 00 00 00 00 30 06 89 .............0..
00000030: 00 08 00 00 46 02 00 00 68 72 b8 93 d0 71 b8 93 ....F...hr...q..
00000040: a8 71 b8 93 00 8b 2e 9a 98 a8 a2 82 68 8b 2e 9a .q..........h...
00000050: fa a8 a2 82 a8 71 b8 93 46 69 6c e5 ?? ?? ?? ?? .....q..Fil.....
--- cut ---

Only the first four bytes of the data are properly initialized to 0x00, while the rest are visibly leaked from the kernel stack and contain a multitude of kernel-space addresses, readily facilitating exploitation of other memory corruption vulnerabilities.
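To quantify a dump like the one above during triage, the following script (an added example, not the report's proof-of-concept or its attachment) parses the sample output, counts how many bytes the syscall actually initialized versus how many are stale stack contents, and lists the little-endian dwords that fall in kernel address space. It assumes a 32-bit kernel with the default 2 GB / 2 GB split (kernel addresses at or above 0x80000000), which matches the 32-bit disassembly in the report.

```python
import re

# Sample output copied from the report above. The trailing "??" bytes lie past
# the 0x5c-byte buffer and are unknown, so they are parsed as None.
SAMPLE_DUMP = """\
00000000: 00 00 00 00 a9 fb c2 82 02 00 00 00 19 00 00 00 ................
00000010: 00 00 00 00 46 69 6c 65 a8 6f 06 89 46 69 6c 65 ....File.o..File
00000020: c8 00 00 00 ff 07 00 00 00 00 00 00 00 30 06 89 .............0..
00000030: 00 08 00 00 46 02 00 00 68 72 b8 93 d0 71 b8 93 ....F...hr...q..
00000040: a8 71 b8 93 00 8b 2e 9a 98 a8 a2 82 68 8b 2e 9a .q..........h...
00000050: fa a8 a2 82 a8 71 b8 93 46 69 6c e5 ?? ?? ?? ?? .....q..Fil.....
"""

# Assumption: 32-bit Windows with the default 2 GB user / 2 GB kernel split.
KERNEL_BASE = 0x80000000

# "offset:" followed by up to 16 byte tokens; the ASCII column is ignored.
_LINE_RE = re.compile(r"^[0-9a-fA-F]{8}:((?:\s+(?:[0-9a-fA-F]{2}|\?\?)){1,16})")


def parse_hexdump(text):
    """Return the dump as a list of ints, with '??' tokens mapped to None."""
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            for tok in m.group(1).split():
                out.append(None if tok == "??" else int(tok, 16))
    return out


def initialized_prefix(data):
    """Length of the leading run of zero bytes, i.e. what the syscall wrote."""
    n = 0
    while n < len(data) and data[n] == 0:
        n += 1
    return n


def kernel_pointers(data):
    """(offset, value) for every aligned dword in the kernel address range."""
    ptrs = []
    for i in range(0, len(data) - 3, 4):
        chunk = data[i:i + 4]
        if None not in chunk:
            val = int.from_bytes(bytes(chunk), "little")
            if val >= KERNEL_BASE:
                ptrs.append((i, val))
    return ptrs


def triage(text):
    """Summarize how much of the returned buffer is uninitialized leakage."""
    data = parse_hexdump(text)
    known = [b for b in data if b is not None]
    init = initialized_prefix(known)
    ptrs = kernel_pointers(data)
    return {"buffer_bytes": len(known), "initialized_bytes": init,
            "leaked_bytes": len(known) - init, "kernel_pointer_count": len(ptrs),
            "unique_kernel_pointers": sorted({v for _, v in ptrs})}
```

On the sample above this reports a 0x5c-byte buffer of which only 4 bytes were initialized, with 12 kernel-range dwords (11 distinct) among the remaining 88 bytes.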

The bug is limited to leaking at most ~0x5c bytes at a time, as specifying a larger size will provoke a correctly padded pool allocation instead of the stack-based buffer.

Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.

Attachment: NtGdiGetFontResourceInfoInternalW.cpp (1.4 KB)

Comment 1 by mjurczyk@google.com, Jun 4 2017

Project Member
Labels: Reported-2017-Jun-4

Comment 2 by mjurczyk@google.com, Jun 5 2017

Project Member
Labels: MSRC-39057

Comment 3 by mjurczyk@google.com, Aug 7 2017

Project Member
Labels: CVE-2017-8684

Comment 4 by mjurczyk@google.com, Aug 25 2017

Project Member
Labels: Deadline-Exceeded Deadline-Grace
The bug is scheduled to be fixed in the September Patch Tuesday.

Comment 5 by mjurczyk@google.com, Sep 12 2017

Project Member
Labels: Fixed-2017-Sep-12
Status: Fixed (was: New)
Fixed in today's Patch Tuesday.

Comment 6 by mjurczyk@google.com, Sep 18 2017

Project Member
Labels: -Restrict-view-commit