Windows: NtCreateProcessEx NULL Pointer Dereference
Platform: Windows 10 10586
Class: Elevation of Privilege
Summary:
PspInitializeFullProcessImageName doesn’t correctly handle a NULL pointer being passed to it, leading to a dereference at a small offset from NULL (a read of address 0x68) while looking up a file object. This might be exploitable for elevation of privilege on 32-bit systems.
Description:
When NtCreateProcessEx is called, a NULL pointer is passed as one of the parameters to PspAllocateProcess. Most places in that function correctly check that the pointer isn’t NULL before dereferencing it, but the check is missing when the pointer is handed to PspInitializeFullProcessImageName, which dereferences it at a small offset from address 0 (the faulting instruction reads [eax+68h] with eax == 0). The function is looking up a file object pointer in order to extract the underlying file name. On 32-bit systems with the VDM enabled, where the NTVDM subsystem lets a process map the zero page, this might be exploitable to elevate privileges or at least to leak kernel memory.
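A constructed model of the missing check, added here as an illustration; it is neither the kernel’s code nor the attached PoC. The structure layout, field names, function names and the sample path are assumptions. The only thing taken from the report is the shape of the fault: a read through a pointer stored at offset 0x68 from a NULL base. The unchecked function reproduces that shape; the checked one returns STATUS_INVALID_PARAMETER (its real NTSTATUS value) before touching the pointer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

/* Status values are the real NTSTATUS numbers; everything else in this
 * file is a constructed model, not the kernel's real layouts or names. */
#define MODEL_STATUS_SUCCESS           ((long)0)
#define MODEL_STATUS_INVALID_PARAMETER ((long)0xC000000DUL)

typedef struct {
    unsigned short Length;        /* byte length, UNICODE_STRING style */
    unsigned short MaximumLength;
    const wchar_t *Buffer;
} MODEL_UNICODE_STRING;

/* Modelled object: the pointer the name is fetched through is placed at
 * offset 0x68 so that a NULL object reproduces the report's fault,
 * "mov eax,dword ptr [eax+68h]" with eax == 0 (a read of address 0x68). */
typedef struct {
    unsigned char Reserved[0x68];
    MODEL_UNICODE_STRING *NameInfo;
} MODEL_OBJECT;

size_t ModelNameFieldOffset(void)
{
    return offsetof(MODEL_OBJECT, NameInfo);
}

/* Vulnerable shape: assumes the caller already validated Object. Calling
 * this with Object == NULL reads address 0x68 and crashes (or, where the
 * zero page can be mapped by the caller, reads attacker-controlled data). */
long InitializeImageNameUnchecked(MODEL_OBJECT *Object,
                                  MODEL_UNICODE_STRING *ImageName)
{
    MODEL_UNICODE_STRING *name = Object->NameInfo; /* no NULL check */
    *ImageName = *name;
    return MODEL_STATUS_SUCCESS;
}

/* Hardened shape: fail closed before any dereference and leave the output
 * in a defined empty state so the caller cannot consume stale data. */
long InitializeImageNameChecked(MODEL_OBJECT *Object,
                                MODEL_UNICODE_STRING *ImageName)
{
    ImageName->Length = 0;
    ImageName->MaximumLength = 0;
    ImageName->Buffer = NULL;
    if (Object == NULL || Object->NameInfo == NULL)
        return MODEL_STATUS_INVALID_PARAMETER;
    *ImageName = *Object->NameInfo;
    return MODEL_STATUS_SUCCESS;
}

/* Constructed sample object standing in for a process whose image does
 * have a backing file name (the path is made up for the example). */
static const wchar_t kSamplePath[] =
    L"\\Device\\HarddiskVolume1\\Windows\\notepad.exe";

MODEL_OBJECT *MakeSampleObject(void)
{
    static MODEL_UNICODE_STRING name;
    static MODEL_OBJECT obj;
    name.Length = (unsigned short)(wcslen(kSamplePath) * sizeof(wchar_t));
    name.MaximumLength = (unsigned short)(name.Length + sizeof(wchar_t));
    name.Buffer = kSamplePath;
    memset(&obj, 0, sizeof obj);
    obj.NameInfo = &name;
    return &obj;
}

int main(void)
{
    MODEL_UNICODE_STRING n;
    printf("NameInfo sits at offset 0x%zx\n", ModelNameFieldOffset());
    printf("checked(NULL)   -> 0x%08lx\n",
           (unsigned long)InitializeImageNameChecked(NULL, &n));
    printf("checked(sample) -> 0x%08lx, %ls\n",
           (unsigned long)InitializeImageNameChecked(MakeSampleObject(), &n),
           n.Buffer);
    /* InitializeImageNameUnchecked(NULL, &n) is deliberately not called:
     * that is the crash the report describes. */
    return 0;
}
```

The field offset in the model equals the READ_ADDRESS in the dump (0x68), which is the quickest way to confirm from a crash alone that the base pointer was NULL rather than a stale or freed pointer. Whether such a read is merely a denial of service or something worse depends on whether the calling process can put controlled data at the zero page; that is the 32-bit VDM caveat the description makes.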
Copied here is the crash dump.
Use !analyze -v to get detailed debugging information.
BugCheck 1E, {c0000005, 8172c1ea, 0, 68}
*** WARNING: Unable to verify checksum for PoC_NtCreateUserProcexxEx_NDP.exe
*** ERROR: Module load completed but symbols could not be loaded for PoC_NtCreateUserProcexxEx_NDP.exe
Probably caused by : ntkrpamp.exe ( nt!PspInitializeFullProcessImageName+36 )
Followup: MachineOwner
---------
nt!RtlpBreakWithStatusInstruction:
8158b144 cc int 3
kd> !analyze -v
*******************************************************************************
* *
* Bugcheck Analysis *
* *
*******************************************************************************
KMODE_EXCEPTION_NOT_HANDLED (1e)
This is a very common bugcheck. Usually the exception address pinpoints
the driver/function that caused the problem. Always note this address
as well as the link date of the driver/image that contains this address.
Arguments:
Arg1: c0000005, The exception code that was not handled
Arg2: 8172c1ea, The address that the exception occurred at
Arg3: 00000000, Parameter 0 of the exception
Arg4: 00000068, Parameter 1 of the exception
Debugging Details:
------------------
DUMP_CLASS: 1
DUMP_QUALIFIER: 0
BUILD_VERSION_STRING: 10586.162.x86fre.th2_release_sec.160223-1728
DUMP_TYPE: 0
BUGCHECK_P1: ffffffffc0000005
BUGCHECK_P2: ffffffff8172c1ea
BUGCHECK_P3: 0
BUGCHECK_P4: 68
READ_ADDRESS: 00000068
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
FAULTING_IP:
nt!PspInitializeFullProcessImageName+36
8172c1ea 8b4068 mov eax,dword ptr [eax+68h]
EXCEPTION_PARAMETER2: 00000068
BUGCHECK_STR: 0x1E_c0000005_R
CPU_COUNT: 1
CPU_MHZ: ae9
CPU_VENDOR: GenuineIntel
CPU_FAMILY: 6
CPU_MODEL: 3e
CPU_STEPPING: 4
CPU_MICROCODE: 6,3e,4,0 (F,M,S,R) SIG: 19'00000000 (cache) 19'00000000 (init)
DEFAULT_BUCKET_ID: WIN8_DRIVER_FAULT
PROCESS_NAME: PoC_NtCreateUs
CURRENT_IRQL: 0
ANALYSIS_SESSION_HOST: FORSHAW02-W
ANALYSIS_SESSION_TIME: 06-17-2016 21:39:20.0885
ANALYSIS_VERSION: 10.0.10586.567 x86fre
EXCEPTION_RECORD: a71c5578 -- (.exr 0xffffffffa71c5578)
ExceptionAddress: 8172c1ea (nt!PspInitializeFullProcessImageName+0x00000036)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 00000068
Attempt to read from address 00000068
TRAP_FRAME: a71c565c -- (.trap 0xffffffffa71c565c)
ErrCode = 00000000
eax=00000000 ebx=000002a0 ecx=00000000 edx=a8482b00 esi=00000000 edi=a8482b00
eip=8172c1ea esp=a71c56d0 ebp=a71c57fc iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
nt!PspInitializeFullProcessImageName+0x36:
8172c1ea 8b4068 mov eax,dword ptr [eax+68h] ds:0023:00000068=????????
Resetting default scope
LAST_CONTROL_TRANSFER: from 81604a6a to 8158b144
STACK_TEXT:
a71c4bbc 81604a6a 00000003 f59b2deb 00000065 nt!RtlpBreakWithStatusInstruction
a71c4c10 8160454a 834dd340 a71c5018 a71c504c nt!KiBugCheckDebugBreak+0x1f
a71c4fec 81589fa2 0000001e c0000005 8172c1ea nt!KeBugCheck2+0x742
a71c5010 81589ed9 0000001e c0000005 8172c1ea nt!KiBugCheck2+0xc6
a71c5030 8163319b 0000001e c0000005 8172c1ea nt!KeBugCheckEx+0x19
a71c504c 8159db62 a71c5578 816a8328 a71c5140 nt!KiFatalExceptionHandler+0x1a
a71c5070 8159db34 a71c5578 816a8328 a71c5140 nt!ExecuteHandler2+0x26
a71c5130 8151a480 a71c5578 a71c5140 00010037 nt!ExecuteHandler+0x24
a71c555c 815994d5 a71c5578 00000000 a71c565c nt!KiDispatchException+0x440
a71c55c8 8159bdd7 00000000 00000000 00000000 nt!KiDispatchTrapException+0x51
a71c55c8 8172c1ea 00000000 00000000 00000000 nt!KiTrap0E+0x1a7
a71c57fc 81756714 f59b3853 a556a040 00000000 nt!PspInitializeFullProcessImageName+0x36
a71c59a8 81801fb9 0014fbf0 3bf1a800 15adc000 nt!PspAllocateProcess+0x918
a71c5b9c 818f276c 0014fbf0 ffffffff 00000000 nt!PspCreateProcess+0x169
a71c5be8 81598717 0014fbec 02000000 0014fbf0 nt!NtCreateProcessEx+0x63
a71c5be8 77aa1400 0014fbec 02000000 0014fbf0 nt!KiSystemServicePostCall
0014fbb0 77aa02ba 001a1368 0014fbec 02000000 ntdll!KiFastSystemCallRet
0014fbb4 001a1368 0014fbec 02000000 0014fbf0 ntdll!NtCreateProcessEx+0xa
WARNING: Stack unwind information not available. Following frames may be wrong.
0014fe20 001a15c9 00000001 0056a210 0056e018 PoC_NtCreateUserProcexxEx_NDP+0x1368
0014fe6c 779895f4 0035c000 779895d0 aae90312 PoC_NtCreateUserProcexxEx_NDP+0x15c9
0014fe80 77a3241a 0035c000 64441622 00000000 KERNEL32!BaseThreadInitThunk+0x24
0014fec8 77a323e9 ffffffff 77ab39f3 00000000 ntdll!__RtlUserThreadStart+0x2b
0014fed8 00000000 001a1646 0035c000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: kb
THREAD_SHA1_HASH_MOD_FUNC: b72bed831eba0349caf7b5b54b775a03499a8ee4
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 0db4c029832cac7695cb2f87e647e596fba62203
THREAD_SHA1_HASH_MOD: 10225c3e599668b688916c7544cf063c3f91582f
FOLLOWUP_IP:
nt!PspInitializeFullProcessImageName+36
8172c1ea 8b4068 mov eax,dword ptr [eax+68h]
FAULT_INSTR_CODE: 8d68408b
SYMBOL_STACK_INDEX: b
SYMBOL_NAME: nt!PspInitializeFullProcessImageName+36
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: nt
IMAGE_NAME: ntkrpamp.exe
DEBUG_FLR_IMAGE_TIMESTAMP: 56cd3fa4
BUCKET_ID_FUNC_OFFSET: 36
FAILURE_BUCKET_ID: 0x1E_c0000005_R_nt!PspInitializeFullProcessImageName
BUCKET_ID: 0x1E_c0000005_R_nt!PspInitializeFullProcessImageName
PRIMARY_PROBLEM_CLASS: 0x1E_c0000005_R_nt!PspInitializeFullProcessImageName
TARGET_TIME: 2016-06-17T20:37:58.000Z
OSBUILD: 10586
OSSERVICEPACK: 0
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
SUITE_MASK: 272
PRODUCT_TYPE: 1
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt TerminalServer SingleUserTS
OS_LOCALE:
USER_LCID: 0
OSBUILD_TIMESTAMP: 2016-02-24 05:29:08
BUILDDATESTAMP_STR: 160223-1728
BUILDLAB_STR: th2_release_sec
BUILDOSVER_STR: 10.0.10586.162.x86fre.th2_release_sec.160223-1728
ANALYSIS_SESSION_ELAPSED_TIME: 2341
ANALYSIS_SOURCE: KM
FAILURE_ID_HASH_STRING: km:0x1e_c0000005_r_nt!pspinitializefullprocessimagename
FAILURE_ID_HASH: {e1a9290c-e597-9d3a-70ee-45eab5ec9b1e}
Followup: MachineOwner
---------
Proof of Concept:
I’ve provided a PoC as a C++ source code file. You need to compile it with VC++.
1) Compile the C++ source code file.
2) Execute the poc executable as a normal user.
Expected Result:
A new process is created.
Observed Result:
The kernel crashes with a NULL pointer dereference (bugcheck 0x1E, read of address 0x68).
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.
Attachment: PoC_NtCreateUserProcexxEx_NDP.7z (3.1 KB)