415 - Windows kernel: pool buffer overflows in NtGdiStretchBlt - project-zero

Starred by 3 users

Status:	Fixed
Owner:	hawkes@google.com
Closed:	Sep 2015
Cc:	█ nils.som...@gmail.com project-...@google.com
Finder-nils CVE-2015-2512 Deadline-90 Id-30336 Product-Windows-Kernel Deadline-Grace Deadline-Exceeded Reported-2015-May-29 CCProjectZeroMembers Severity-High Vendor-Microsoft

Windows kernel: pool buffer overflows in NtGdiStretchBlt

Reported by cevans@google.com, May 29 2015

Back to list

Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
Tested on Win 7 32-bit with Special Pool enabled. 

Multiple pool buffer overflows can be triggered through the NtGdiStretchBlt system call. The attached PoC demonstrates a write overflow and another read over flow issue which is likely to be usable for memory leaks (enabled by uncommenting the first NtGdiStretchBlt call).
---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

bug415.cpp
942 bytes Download

windbg_read_overflow.txt
6.4 KB View Download

windbg_write_overflow.txt
7.1 KB View Download

Comment 1 by cevans@google.com, May 29 2015

Labels: Id-30336

Comment 2 by cevans@google.com, Jul 30 2015

Labels: Deadline-Exceeded Deadline-Grace

10 day grace period extension. Patch targeted for 09/08 (September Patch Tuesday).

Project Member Comment 3 by hawkes@google.com, Aug 21 2015

Owner: hawkes@google.com

Project Member Comment 4 by hawkes@google.com, Sep 21 2015

Labels: CVE-2015-2512
Status: Fixed

Fixed in September bulletin MS15-097.

Project Member Comment 5 by hawkes@google.com, Sep 21 2015

Labels: -Restrict-View-Commit

► Sign in to add a comment