Starred by 2 users
Status: Fixed
Closed: Sep 12
Windows Kernel stack memory disclosure in win32k!NtGdiDoBanding
Project Member Reported by mjurczyk@google.com, Jun 22
We have discovered that the win32k!NtGdiDoBanding system call discloses portions of uninitialized kernel stack memory to user-mode clients.

More specifically, exactly 8 bytes of uninitialized kernel stack memory are copied to ring-3 in one of two execution contexts (unique stack traces):

--- 1 ---
 #0 win32k.sys!memcpy+00000033
 #1 win32k.sys!UMPDOBJ::ThunkMemBlock+00000047
 #2 win32k.sys!UMPDDrvStartBanding+000000b1
 #3 win32k.sys!GreDoBanding+000000ad
 #4 win32k.sys!NtGdiDoBanding+0000001f
 #5 ntoskrnl.exe!KiSystemServicePostCall+00000000
--- 1 ---

... and ...

--- 2 ---
 #0 win32k.sys!memcpy+00000033
 #1 win32k.sys!UMPDOBJ::ThunkMemBlock+00000047
 #2 win32k.sys!UMPDDrvNextBand+000000b1
 #3 win32k.sys!GreDoBanding+0000011e
 #4 win32k.sys!NtGdiDoBanding+0000001f
 #5 ntoskrnl.exe!KiSystemServicePostCall+00000000
--- 2 ---

The names and offsets are specific to Windows 7 32-bit from February 2017, as symbols for the latest win32k.sys are not available from the Microsoft Symbol Server at the moment. The leaked bytes originate from the stack frame of the win32k!NtGdiDoBanding function (top-level syscall handler), and a pointer to the uninitialized buffer is passed down to win32k!GreDoBanding in the third argument.

The attached proof-of-concept program can be used to reproduce the vulnerability on Windows 7 32-bit. On our test virtual machine, the output is as follows:

--- cut ---
  [+] Leaked data: 00000bf8 00460000
  [+] Leaked data: ff9ed130 969e68ad
  [+] Leaked data: ff9ed130 969e68ad
  [+] Leaked data: ff9ed130 969e68ad
...
--- cut ---

As it turns out, 0xff9ed130 is a valid paged session pool address, and 0x969e68ad is a valid code address within win32k.sys:

--- cut ---
  3: kd> !pool ff9ed130
  Pool page ff9ed130 region is Paged session pool
   ff9ed000 size:  118 previous size:    0  (Allocated)  Usqu
  *ff9ed118 size:  ee8 previous size:  118  (Allocated) *GDev
      Pooltag GDev : Gdi pdev

  3: kd> u 969e68ad
  win32k!EngReleaseSemaphore+0x2f6:
  969e68ad c3              ret
  969e68ae 90              nop
  969e68af 90              nop
  969e68b0 90              nop
  969e68b1 90              nop
  969e68b2 90              nop
  969e68b3 8bff            mov     edi,edi
  969e68b5 55              push    ebp
--- cut ---

Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
Attachment: NtGdiDoBanding.cpp (2.2 KB)
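The bug class behind this report, a partially initialized stack object copied whole to a user-mode buffer, is easy to see in a small user-mode model. The following C program is an added illustration and is not the attached proof of concept, win32k code, or anything from the report; the handler names, the `band_result_t` layout, the fixed-size arena standing in for the kernel stack, and the 0xAA stale-byte marker are all constructed assumptions chosen so that the leak is deterministic and measurable.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical result structure returned to the caller. The handler below
 * only ever writes 'status' and 'band_count'; the two 'reserved' words
 * (8 bytes, matching the size leaked in the report) are never touched. */
typedef struct {
    uint32_t status;
    uint32_t band_count;
    uint32_t reserved[2];
} band_result_t;

/* Constructed stand-in for the syscall handler's stack frame. A union is
 * used so the bytes can be inspected and the object accessed without
 * alignment or aliasing problems. A real stack frame holds whatever the
 * previous call left behind; here that content is made deterministic. */
static union {
    band_result_t obj;
    uint8_t bytes[sizeof(band_result_t)];
} g_frame;

#define STALE_MARKER 0xAA  /* constructed marker for "left over" bytes */

/* Simulate an earlier call that left data on the stack. In the report the
 * real stale data was a session pool pointer and a win32k.sys code address. */
static void leave_stale_data(void) {
    memset(g_frame.bytes, STALE_MARKER, sizeof(g_frame.bytes));
}

/* Vulnerable pattern: fill some fields of the frame object, then copy the
 * entire object to the caller. The unwritten bytes travel with it. */
static void handler_vulnerable(band_result_t *user_out) {
    band_result_t *res = &g_frame.obj;
    res->status = 0;
    res->band_count = 3;
    memcpy(user_out, res, sizeof(*res));  /* 8 stale bytes cross the boundary */
}

/* Hardened pattern: zero the whole object before any partial fill, so the
 * bytes handed to the caller are defined regardless of which fields the
 * handler's code path happens to write. */
static void handler_fixed(band_result_t *user_out) {
    band_result_t *res = &g_frame.obj;
    memset(res, 0, sizeof(*res));
    res->status = 0;
    res->band_count = 3;
    memcpy(user_out, res, sizeof(*res));
}

/* Count how many bytes of the caller's copy still carry the stale marker.
 * This is the check a test harness would run against any output structure. */
static size_t count_stale_bytes(const band_result_t *out) {
    const uint8_t *p = (const uint8_t *)out;
    size_t n = 0;
    for (size_t i = 0; i < sizeof(*out); i++) {
        if (p[i] == STALE_MARKER) n++;
    }
    return n;
}

/* Number of stale bytes the vulnerable handler discloses (expected: 8). */
size_t leak_vulnerable(void) {
    band_result_t out;
    leave_stale_data();
    handler_vulnerable(&out);
    return count_stale_bytes(&out);
}

/* Number of stale bytes the hardened handler discloses (expected: 0). */
size_t leak_fixed(void) {
    band_result_t out;
    leave_stale_data();
    handler_fixed(&out);
    return count_stale_bytes(&out);
}

int main(void) {
    printf("vulnerable handler leaks %zu stale bytes\n", leak_vulnerable());
    printf("hardened handler leaks %zu stale bytes\n", leak_fixed());
    return 0;
}
```

The model deliberately makes the stale content a constant so the count is exact; on a real system the unwritten words hold whatever the previous kernel code path left there, which is why the report's output repeats the same pool and code addresses across runs. The `memset` before the partial fill is the usual remediation for this class, and `count_stale_bytes` is the kind of marker-based check one can run against any output structure to confirm that every byte reaching the caller was written on purpose.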
Project Member Comment 1 by mjurczyk@google.com, Jun 28
Labels: Reported-2017-Jun-28
Project Member Comment 2 by mjurczyk@google.com, Jun 28
Labels: MSRC-39355
Project Member Comment 3 by mjurczyk@google.com, Aug 7
Labels: CVE-2017-8687
Project Member Comment 4 by mjurczyk@google.com, Sep 12
Labels: Fixed-2017-Sep-12
Status: Fixed
Fixed in today's Patch Tuesday.
Project Member Comment 5 by mjurczyk@google.com, Sep 18
Labels: -Restrict-view-commit