Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".
I confirm the apparent vulnerability on Win 7 32-bit, with special pool enabled. I run the .exe just once from the command prompt and immediately my VM dies, but in a strange way: it looks like it's about to do a blue screen and there is a video mode change but it hangs at a black screen.
Nils did get a debug dump, attached.
---
The attached testcase crashes Win 7 with Special Pool enabled while accessing the freed global cursor object (_gpqCursor). See poc.cpp for instructions on how to compile and run.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
---