Status: Fixed
Closed: Aug 2015
Kernel-mode ASLR leak via win32k!xxxDeferredDesktopRotation
Reported by matttait@google.com, Jun 9 2015
A Kernel-mode ASLR leak exists in the win32k!xxxDeferredDesktopRotation routine (exposed via win32k!NtUserCallNoParam).

This leak is caused by the win32k!xxxDeferredDesktopRotation routine failing to sanitize the RAX/EAX return value, which is relayed back to the unprivileged user-mode caller.

Most of the time, this function returns the value "1" and hence is not useful; however, if a particular flag is set on the PDESKTOP object indicating that the desktop is currently undergoing a "smooth rotate" operation, the function instead leaks back the pointer value of the current PDESKTOP object to the user, disclosing to the user the location of the kernel heap.

This flag is set during device rotation (for devices that have an integrated sensor, such as a Microsoft Surface device); however, an equally valid (albeit less fun) way to trigger the vulnerability is via win32k!xxxAutoRotateScreen, called via NtUserAutoRotateScreen.

Annoyingly, this syscall can only be called from within CSRSS; however, it is possible to persuade CSRSS to make this call on a low-privileged account's behalf by connecting to CSRSS via a local ALPC port, "\RPC Control\AutoRotateApiPort". CSRSS maintains a thread that listens on this ALPC port and relays the "orientation" to the kernel.

Putting this all together: a low-privileged process "exploit.exe" can run one thread that sends a "device orientation" request to CSRSS via ALPC. CSRSS then calls NtUserAutoRotateScreen, which causes the "deferred rotate" flag to be set on the current user desktop. Back inside "exploit.exe", another thread continuously calls NtUserCallNoParam, requesting the win32k!xxxDeferredDesktopRotation method. When the screen rotates, this leaks the PDESKTOP back to the low-privileged user-mode "exploit.exe" in RAX.

This vulnerability affects Windows 8, Windows 8.1 and Windows 10, although the impact is limited on server editions of Windows (because CSRSS does not listen on the AutoRotateApi ALPC port on server editions) and for processes that use the "Win32kSyscallDisable" exploit mitigation in Windows 8.1 or Windows 10.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachment: turnaround.c (5.8 KB)
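The report notes that processes running under the win32k system-call-disable mitigation cannot reach NtUserCallNoParam at all, so the leak is unreachable from them. The script below is an added example, not part of the original report or its attachment: it checks whether a given executable name is configured with that mitigation and enables it if not. It assumes the ProcessMitigations cmdlets (Get-ProcessMitigation / Set-ProcessMitigation, shipped with Windows 10 1709 and later, which is newer than the 2015 report) and an elevated prompt; the program name "exploit.exe" is just the placeholder the report uses.

```powershell
# Added example: check and enable the Win32k system-call-disable mitigation
# for one executable name. Not from the original report or turnaround.c.
# Requires the ProcessMitigations module (Windows 10 1709+) and elevation.
param(
    # Image name to configure; "exploit.exe" is only the placeholder name
    # used in the report above.
    [Parameter(Mandatory = $true)]
    [string] $ExeName = "exploit.exe"
)

# Read the per-image mitigation policy. The property path follows the
# layout Get-ProcessMitigation prints (section "SystemCalls", entry
# "DisableWin32kSystemCalls").
$policy = Get-ProcessMitigation -Name $ExeName
$state  = $policy.SystemCalls.DisableWin32kSystemCalls

if ($state -eq 'ON') {
    "$ExeName already has DisableWin32kSystemCalls enabled"
    return
}

# Only suitable for images that never touch USER or GDI (no windows, no
# drawing, no clipboard): once the policy is on, every win32k syscall from
# that process fails, including NtUserCallNoParam.
Set-ProcessMitigation -Name $ExeName -Enable DisableWin32kSystemCalls

# Re-read and report the resulting state so the change can be verified.
(Get-ProcessMitigation -Name $ExeName).SystemCalls.DisableWin32kSystemCalls
```

Run it as `.\Enable-Win32kLockdown.ps1 -ExeName exploit.exe` from an elevated PowerShell. The setting applies to new processes started from that image name; already-running instances are unaffected.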
Comment 1 by matttait@google.com, Jun 16 2015
Assigned MSRC case number MS-30405
Comment 2 by matttait@google.com, Jul 10 2015
Assigned MSRC case 30405. 

Fixed in July 2015 Patch Tuesday
Project Member Comment 3 by mjurczyk@google.com, Aug 12 2015
Labels: -Restrict-View-Commit MSRC-30405 CVE-2015-2382 Fixed-2015-Jul-14
Status: Fixed
Marking as fixed and derestricting.