New issue
Advanced search Search tips
Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Oct 2017
Cc:



Sign in to add a comment
link

Issue 1352: Windows Kernel pool memory disclosure into NTFS metadata ($LogFile) in Ntfs!LfsRestartLogFile

Reported by mjurczyk@google.com, Sep 4 2017 Project Member

Issue description

This tracker entry is a fork of  issue #1325 , which this bug was reported as a part of. However, as some essential information and context was provided in  issue #1325 , the "Reported" date was adjusted there to account for it. The new information did not concern the vulnerability discussed here, so we are sticking to the original deadline in this case. Hence the need to create a separate entry in the tracker.

We have discovered that the NTFS.sys driver writes uninitialized kernel pool memory into the internal structures of the file system, while mounting and operating on it. This may be of a security concern in cases where, for example, users share some files with each other via USB sticks or other storage media with NTFS-formatted volumes on them. While the victim would assume that they're only sharing intended data explicitly copied to the disk, they could also unknowingly share bits and pieces of sensitive/confidential information stored in the kernel, that just happened to reside in the memory area used by NTFS.sys while constructing internal file system structures.

Even more scary are leaks which don't require any human interaction and take place immediately when the volume is mounted. In this scenario, it could be possible to disclose kernel memory of a locked machine with physical access to a USB port, by repeatedly plugging in a flash drive (or a device which emulates one), waiting for the uninitialized memory to be written by the system, reading it back and re-mounting the disk.

We have implemented some dedicated logic in our Bochspwn system instrumentation to detect instances of such info leaks. As a result, we have found that pool memory allocated in the Ntfs!LfsRestartLogFile function is leaked to NTFS volumes (both system and external ones). From a security perspective, the leak is quite severe, as it is triggered with no user interaction (just by mounting an NTFS volume), and it discloses ~7.5kB of kernel pool memory in 2 chunks of ~3800 consecutive bytes. This data is saved in the first 8192 bytes of the special $LogFile file, as part of the two "RSTR" restart area records. As we understand it, this means that every NTFS-formatted USB stick last accessed by Windows 7 now includes more than 7kB of junk kernel memory from that computer. However, since $LogFile is an internal file, reading from it requires raw disk access which significantly reduces the impact of the bug.

Interestingly, Windows 8 and 10 are not affected by the flaw, as these newer systems include an extra memset() call immediately following the allocation request:

--- cut ---
PAGE:000D3D2A                 push    'rsfL'          ; Tag
PAGE:000D3D2F                 imul    eax, [edi+18h], 22h
PAGE:000D3D33                 shr     eax, 1
PAGE:000D3D35                 push    eax             ; NumberOfBytes
PAGE:000D3D36                 push    210h            ; PoolType
PAGE:000D3D3B                 mov     esi, ds:__imp__ExAllocatePoolWithTag@12 ; ExAllocatePoolWithTag(x,x,x)
PAGE:000D3D41                 call    esi ; ExAllocatePoolWithTag(x,x,x)
PAGE:000D3D43                 mov     [edi+198h], eax
PAGE:000D3D49                 push    dword ptr [edi+18h] ; size_t
PAGE:000D3D4C                 push    ebx             ; int
PAGE:000D3D4D                 push    eax             ; void *
PAGE:000D3D4E                 call    _memset
--- cut ---

This appears to be an instance of a bug fixed by Microsoft in recent system versions, but not backported to the older, yet still supported ones.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
 

Comment 1 by mjurczyk@google.com, Sep 4 2017

Project Member
Labels: MSRC-40537

Comment 2 by mjurczyk@google.com, Oct 3 2017

Project Member
Labels: -MSRC-40537 MSRC-39518 Deadline-Exceeded Deadline-Grace
The bug is scheduled to be fixed in the October Patch Tuesday.

Comment 3 by mjurczyk@google.com, Oct 10 2017

Project Member
Labels: Fixed-2017-Oct-10
Status: Fixed (was: New)
Fixed in today's Patch Tuesday.

Comment 4 by mjurczyk@google.com, Oct 10 2017

Project Member
Labels: CVE-2017-11817

Comment 5 by mjurczyk@google.com, Oct 16 2017

Project Member
Labels: -Restrict-View-Commit

Sign in to add a comment