Description of the Win7 "Remote" Win32k.sys/Webkit Exploit

a guest, Dec 22nd, 2011
The bug happens due to a NineGrid request coming through GdiDrawStream, sent on behalf of the UX Theme DLL, which handles Windows Themes starting in XP and later.

Webkit browsers (along with IE8 -- but not IE9, it would seem) attempt to render HTML elements on the page using the native skin of the OS. In this case, in the drawControl function (see http://www.opensource.apple.com/source/WebCore/WebCore-658.28/rendering/RenderThemeWin.cpp), DrawThemeBackground is called, which handles skinning of OS controls.

A 96 (0x60) byte buffer is sent (parameters 2 and 3 of GdiDrawStream are the size and buffer address; parameter 1 is the HDC).

DrawStream buffers begin with a magic value, followed by a series of commands, each identified by a 32-bit marker. Here is the stream sent with the special iframe when viewed in Safari:

44727753 = 'DrwS' = DrawStream Magic

Command Buffers:

#0: 00000000 <SET TARGET>
        3b01017a // Destination DC (hdc) *** Must match HDC in GdiDrawStream argument 1 ***
        // Destination Clip (ERECTL):
                0000011b // Left
                00000011 // Top
                0000012c // Right
                0089f580 // Bottom               *** Multiply by 2, and you get the "magic" value used in the iframe PoC ***
#1: 00000001 <SET SOURCE>
        058506a3 // Source Surface (pso)  *** Dumped the surface from kernel mode, got a 13x5 32BPP bitmap which is the Luna/Aero scrollbar slider control ***
#2: 00000009 <NINEGRID>
        // Destination Clip (ERECTL):          *** Should match the Destination Clip of the Target ***
                0000011b // Left
                00000011 // Top
                0000012c // Right
                0089f580 // Bottom
        // Source Clip (ERECTL):                 *** Should be within the bounds of the surface (which is 13x5 in this case) ***
                00000000 // Left
                00000000 // Top
                0000000e // Right
                00000001 // Bottom
        // NINEGRID_BITMAP_INFO             *** Documented in the RDP docs. Should fit within the surface and destination. ***
                00000001 // Flags (DSDNG_STRETCH)
                0000000a // Left Width
                00000003 // Right Width
                00000000 // Top Height
                00000000 // Bottom Height
                00000000 // Transparent

Here is the raw dump:

0: kd> dds @r8 l18
00000000`003be664  44727753
00000000`003be668  00000000
00000000`003be66c  2b0108d5   // HDC, this will change from dump to dump
00000000`003be670  0000011b
00000000`003be674  00000011
00000000`003be678  0000012c
00000000`003be67c  0089f580
00000000`003be680  00000001
00000000`003be684  018503c2   // Bitmap Surface, this will change from dump to dump
00000000`003be688  00000009
00000000`003be68c  0000011b
00000000`003be690  00000011
00000000`003be694  0000012c
00000000`003be698  0089f580
00000000`003be69c  00000000
00000000`003be6a0  00000000
00000000`003be6a4  0000000e
00000000`003be6a8  00000001
00000000`003be6ac  00000001
00000000`003be6b0  0000000a
00000000`003be6b4  00000003
00000000`003be6b8  00000000
00000000`003be6bc  00000000
00000000`003be6c0  00000000
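To make the command layout and the dump above concrete, here is an added example (not part of the original paste) that decodes the 96-byte buffer into its three commands and evaluates the consistency conditions the annotations state: destination clip matching the target's clip, source clip inside the 13x5 surface, and grid widths fitting the source clip. The 32767 destination-height bound is an assumed sanity threshold, not something the paste gives.

```python
import struct
# The 24 dwords of the 96-byte buffer from the "dds @r8 l18" dump above, re-typed as a
# constructed sample (the HDC and surface handle are the values from that dump).
DUMP_DWORDS = [
    0x44727753, 0x00000000, 0x2b0108d5, 0x0000011b, 0x00000011, 0x0000012c,
    0x0089f580, 0x00000001, 0x018503c2, 0x00000009, 0x0000011b, 0x00000011,
    0x0000012c, 0x0089f580, 0x00000000, 0x00000000, 0x0000000e, 0x00000001,
    0x00000001, 0x0000000a, 0x00000003, 0x00000000, 0x00000000, 0x00000000,
]
STREAM = struct.pack("<24I", *DUMP_DWORDS)
DRWS_MAGIC = 0x44727753                      # 'DrwS'
CMD_SET_TARGET, CMD_SET_SOURCE, CMD_NINEGRID = 0, 1, 9

def parse_drawstream(buf):
    """Decode a DrawStream buffer into a list of (command name, fields) pairs."""
    words = struct.unpack("<%dI" % (len(buf) // 4), buf)
    if words[0] != DRWS_MAGIC:
        raise ValueError("bad DrawStream magic %08x" % words[0])
    cmds, i = [], 1
    while i < len(words):
        cmd = words[i]
        if cmd == CMD_SET_TARGET:      # hdc, then destination clip (left, top, right, bottom)
            cmds.append(("SET_TARGET", {"hdc": words[i+1], "clip": words[i+2:i+6]}))
            i += 6
        elif cmd == CMD_SET_SOURCE:    # source surface handle
            cmds.append(("SET_SOURCE", {"pso": words[i+1]}))
            i += 2
        elif cmd == CMD_NINEGRID:      # dest rect, source rect, NINEGRID_BITMAP_INFO
            cmds.append(("NINEGRID", {
                "dest": words[i+1:i+5], "src": words[i+5:i+9], "flags": words[i+9],
                "left_w": words[i+10], "right_w": words[i+11],
                "top_h": words[i+12], "bottom_h": words[i+13], "transparent": words[i+14]}))
            i += 15
        else:
            raise ValueError("unknown command %08x at dword %d" % (cmd, i))
    return cmds

def check_ninegrid(cmds, surface_w, surface_h, max_dest_height=32767):
    """Evaluate the conditions the annotations state; returns {check name: passed}."""
    target = next(f for n, f in cmds if n == "SET_TARGET")
    ng = next(f for n, f in cmds if n == "NINEGRID")
    sl, st, sr, sb = ng["src"]
    _, dt, _, db = ng["dest"]
    return {
        "dest_clip_matches_target": ng["dest"] == target["clip"],
        "source_clip_within_surface": 0 <= sl < sr <= surface_w and 0 <= st < sb <= surface_h,
        "grid_fits_source": ng["left_w"] + ng["right_w"] <= sr - sl
                            and ng["top_h"] + ng["bottom_h"] <= sb - st,
        "dest_height_sane": db - dt <= max_dest_height,  # assumed bound, not from the paste
    }
```

Running check_ninegrid(parse_drawstream(STREAM), 13, 5) shows the destination clip matching the target while the source clip's right edge (0xe) reaches past the 13-pixel surface and the destination height is far outside any plausible control size.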

What you are essentially seeing is an iframe that has a particularly interesting height: when the scrollbar is being drawn and themed, a math error in the NineGrid transform causes an out-of-bounds write. This PoC would work in IE 8, but IE 8 has a well known CSS bug where it has a maximum pixel limit (around 1342177), which is why the bug doesn't immediately manifest itself there.

*OTHER HEIGHTS ARE EXPLOITABLE*, and some may be small enough that even IE 8 hits the NineGrid height corner case.

IE9 does not seem to theme controls using UxTheme at all, and its scrollbar behavior is different from IE 8, so even though the pixel limit is no longer there, the PoC did not work. Firefox was not tested.

*NOT ONLY IFRAMES ARE VULNERABLE*. Testing with an HTML <button> of the same height resulted in a crash in Safari as well.

What this means is that *any* client, local or remote, that does skinning of the controls (i.e. almost all of them -- even a button on a Flash PDF) could result in a NineGrid transform that hits this bug. It's not at all specific to WebKit.