Windows Kernel - Bitmap Handling Use-After-Free MS15-061

ID EDB-ID:38275
Type exploitdb
Reporter Nils Sommer
Modified 2015-09-22T00:00:00


Windows Kernel - Bitmap Handling Use-After-Free (MS15-061). CVE-2015-1722. Dos exploit for win32 platform


Platform: Win7 32-bit.
trigger.cpp should fire the issue, with two caveats:
- PoC will NOT work if compiled as a debug build.
- PoC will trigger the condition every time but the subsequent corruption might not cause a crash every time. It may be necessary to run the PoC multiple times.

debug.txt is a sample crash log.

Analysis from Nils:

Using the series of calls we are able to free the bitmap object, a reference to this object still exists in the trigger process after killing the first notepad process.

At this time we are able to replace the freed object in memory. We are not able to reuse this object through the original handle, however another free is triggered when quitting the trigger process, which will decrement the reference counter on the freed or replaced object, either modifying heap metadata or freeing the object which was allocated in the place of the original bitmap object.

Proof of Concept: