Starred by 2 users
Status: Fixed
Closed: Jun 2015
Windows kernel: NULL pointer dereference with window station and clipboard
Reported by cevans@google.com, Mar 20 2015
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

Platform: Win7 32-bit.
trigger.cpp should fire the issue, with a caveat
- PoC might NOT work if compiled as a debug build.

windbg.txt is a sample crash log.

Analysis from Nils:

---
Please find attached a C trigger, windbg output and the minimised testcase of a null pointer issue (exploitable on Win 7 32-bit). The trigger also demonstrates that the null page can be mapped in user mode and accessed from kernel mode.

Quick analysis:

The trigger creates a new window station which is freed during the process cleanup. Through the clipboard operations, the window's last reference is held by the clipboard, which is freed during the cleanup of the window station object. This will also result in destroying the window object at a time where _gptiCurrent (threadinfo) is already set to null. This is used in xxxDestroyWindow in multiple locations. Depending on the window type it is potentially possible to trigger different kinds of crashes; this one demonstrates a write to a chosen memory location:

win32k!HMChangeOwnerThread+0x40:
96979765 ff412c          inc     dword ptr [ecx+2Ch]  ds:0023:bebebeea=????????
---


This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

 
trigger (1).cpp
2.0 KB Download
windbg.txt
8.0 KB View Download
Comment 1 by cevans@google.com, Mar 20 2015
Labels: Id-21787
Comment 2 by cevans@google.com, Mar 26 2015
Attaching better PoC.
bug294.cpp (2.8 KB)
Comment 3 by cevans@google.com, Mar 26 2015
Labels: -Reported-2015-Mar-19 Reported-2015-Mar-26
Comment 4 by cevans@google.com, Jun 4 2015
Labels: CVE-2015-1721
Project Member Comment 6 by hawkes@google.com, Sep 21 2015
Labels: -Restrict-View-Commit