New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Starred by 2 users
Status: Fixed
Owner:
Closed: Sep 2015
Cc:



Sign in to add a comment
Windows kernel: use-after-free with cursor object
Reported by cevans@google.com, Jun 22 2015 Back to list
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

I confirm the apparent vulnerability on Win 7 32-bit, with special pool enabled. I run the .exe just once from the command prompt and immediately my VM dies, but in a strange way: it looks like it's about to do a blue screen and there is a video mode change but it hangs at a black screen.

Nils did get a debug dump, attached.

---
The attached testcase crashes Win 7 with Special Pool enabled while accessing the freed global cursor object (_gpqCursor​). See poc.cpp for instructions on how to compile and run.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
---
 
poc457.cpp
2.0 KB Download
special_pool457.txt
6.4 KB View Download
Comment 1 by cevans@google.com, Jun 22 2015
Labels: -Vendor-Windows -Product-Kernel Vendor-Microsoft Product-Windows-Kernel
Comment 2 by cevans@google.com, Jun 22 2015
Labels: Id-30496
MSRC Case 30496 TRK:0001801
Project Member Comment 3 by hawkes@google.com, Aug 21 2015
Owner: hawkes@google.com
Project Member Comment 4 by hawkes@google.com, Sep 10 2015
Labels: CVE-2015-2517
Status: Fixed
Project Member Comment 5 by hawkes@google.com, Sep 21 2015
Labels: -Restrict-View-Commit
Fixed in September bulletin MS15-097.
Sign in to add a comment