Status: Fixed
Closed: Jun 2015
Window kernel: use-after-free in bitmap handling #2
Reported by cevans@google.com, Mar 31 2015
I confirmed this issue inside a Win7 32-bit VM; had to run the PoC a large number of times in the background whilst browsing the web.

---
Please find the PoC and brief analysis for the issue attached. The analysis mentions how Special Pool can be used to get very reliable crashes; it should crash without Special Pool after a while as well.
--

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Attachments:
bug311.cpp (2.1 KB)
analysis311.txt (13.0 KB)
Comment 1 by cevans@google.com, Mar 31 2015
Labels: Id-21827
Comment 2 by cevans@google.com, Apr 7 2015
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".
Comment 3 by cevans@google.com, Jun 4 2015
Labels: CVE-2015-1722
Same root cause as https://code.google.com/p/google-security-research/issues/detail?id=293, according to Microsoft. CVE shared.
Project Member Comment 5 by hawkes@google.com, Sep 21 2015
Labels: -Restrict-View-Commit