myhack58 | Anonymous | MYHACK58:62201892402
Dec 16, 2018 - 12:00 a.m.

For more DirectX kernel vulnerability analysis-vulnerability warning-the black bar safety net

Anonymous
www.myhack58.com

CVSS3: 7.8 High
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.2 High
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.001 Low (percentile 29.2%)

The kernel of an operating system is often the final goal of any well-known exploit chain. Looking back over the vulnerabilities used in the Zero Day Initiative (ZDI) Pwn2Own contests over the years, this pattern is easy to spot. The Windows kernel has long been a prime target for attack. My personal favorite is the abuse of DeviceIoControl calls to various drivers, because this bug class gives access to a great many drivers written by many vendors, some of which do not implement secure code or have not been well tested.
Over the years, most exploits for the Windows kernel have leveraged win32k.sys, the kernel-mode device driver that controls the Windows graphics and windowing system. Twenty years ago, when Microsoft moved this functionality out of CSRSS and into the kernel, it immediately expanded the attack surface of the Windows kernel severalfold. That driver has been a rich trove for vulnerability researchers ever since.
In the past decade, another attack surface has opened up since WDDM (the Windows Display Driver Model) replaced the earlier XDDM. Specifically, the display system is reached first through win32k.sys, and then user processes call dxgkrnl.sys and other drivers directly by way of entry points in GDIPlus. This expanded attack surface is a tempting target for researchers.
In the spring of 2018, ZDI acquired five vulnerabilities in the DirectX kernel interface from ChenNan and RanchoIce of Tencent ZhanluLab. Four of them were assigned CVE numbers by Microsoft. This article analyzes these vulnerabilities and provides proof-of-concept (PoC) source code.
For one of them, ZDI-18-946/CVE-2018-8405, RanchoIce and ChenNan gave a talk at 44CON in September; I strongly recommend that researchers read their slides first.
DirectX overview
Before going into the vulnerabilities, here is a brief introduction to the DirectX interfaces and drivers.
The DirectX graphics kernel subsystem consists of three kernel-mode driver components: dxgkrnl.sys, dxgmms1.sys and dxgmms2.sys. These drivers communicate with user mode through win32k.sys and through a set of interfaces of their own. They also communicate with BasicRender.sys, BasicDisplay.sys and the Display Miniport Drivers.
DirectX defines a number of complex kernel objects, most of whose names begin with DXG. Users connect to DirectX through a set of complex API entry points; many of them begin with D3DKMT, while some others begin with DXGK.
Some of the important entry points are analyzed below:
D3DKMTEscape
This entry point takes a completely user-controlled data blob as input. Because this blob can be very large, it is likely to remain in user memory rather than being captured into kernel memory before the kernel processes it. That model makes the kernel routines it calls prone to time-of-check/time-of-use (TOCTOU) vulnerabilities. The data has no standardized structure; each driver has its own definition.
D3DKMTRender
This entry point is what actually renders graphics data to the core. The user-mode addresses of the command and patch buffers are interpreted by the kernel driver and ultimately passed to the display driver, which invites race-condition attacks. In addition, because rendering can take place in worker threads, it is even more prone to race-condition vulnerabilities.
D3DKMTCreateAllocation
This entry point is used to allocate memory. The complex interplay between the various flags and handles passed to the API call can cause problems; see ZDI-18-946 below.
From the attack perspective, Ilja van Sprundel of IOActive gave a very complete overview of WDDM at Black Hat 2014 in a presentation titled "Windows Kernel Graphics Driver Attack Surface". I strongly suggest that readers study that material first; it describes the complex kernel-side attack surface of WDDM in detail.
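The two race-prone patterns described above, the blob left in user memory for D3DKMTEscape and the user-mode buffers interpreted by D3DKMTRender, come down to the same kernel mistake: reading a user-controlled value twice. The following C program is an added example, not code from the original post or from the Tencent PoCs; it models that double fetch with a plain function standing in for the kernel routine and a callback standing in for the racing user thread, so the outcome is deterministic. The escape_req layout, the 64-byte kernel buffer and all function names are hypothetical.

```c
/*
 * Added example: models the double-fetch (TOCTOU) pattern a kernel routine
 * falls into when it validates a request that stays in user memory and then
 * re-reads it.  Not dxgkrnl.sys code; layout and names are assumptions.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define KERNEL_BUF_SIZE 64u      /* size of the kernel-side copy buffer (assumed) */
#define PAYLOAD_MAX     4096u

/* Request header as it sits in user memory (hypothetical layout). */
struct escape_req {
    uint32_t size;               /* number of payload bytes the caller asks to copy */
    uint8_t  payload[PAYLOAD_MAX];
};

/* Called on every kernel read of user memory; stands in for a racing user
 * thread that rewrites the header at the worst possible moment. */
typedef void (*race_hook_t)(struct escape_req *req, int fetch_no);

/* Vulnerable pattern: check the size in user memory, then fetch it again
 * from user memory when using it. Returns the size the driver would copy,
 * or -1 if validation rejected the request. */
int escape_double_fetch(struct escape_req *user_req, uint8_t *kbuf, race_hook_t hook)
{
    if (hook) hook(user_req, 0);
    uint32_t checked = *(volatile uint32_t *)&user_req->size;   /* fetch 1: validated */
    if (checked > KERNEL_BUF_SIZE)
        return -1;

    if (hook) hook(user_req, 1);
    uint32_t used = *(volatile uint32_t *)&user_req->size;      /* fetch 2: used */
    /* A real driver would memcpy `used` bytes here and overflow kbuf.  The
     * example only performs the copy when it is in bounds and reports the
     * size it would have used, so the bug is visible without corrupting memory. */
    if (used <= KERNEL_BUF_SIZE)
        memcpy(kbuf, user_req->payload, used);
    return (int)used;
}

/* Hardened pattern: capture the header into kernel-owned storage once and do
 * every check and every use on the captured copy. */
int escape_capture_once(struct escape_req *user_req, uint8_t *kbuf, race_hook_t hook)
{
    struct { uint32_t size; } kreq;                     /* kernel-owned copy */

    if (hook) hook(user_req, 0);
    kreq.size = *(volatile uint32_t *)&user_req->size;  /* the only fetch of size */
    if (kreq.size > KERNEL_BUF_SIZE)
        return -1;

    if (hook) hook(user_req, 1);                        /* user may race; irrelevant now */
    memcpy(kbuf, user_req->payload, kreq.size);         /* bounded by the captured value */
    return (int)kreq.size;
}

/* Simulated attacker: a small size for the validation fetch, a large one
 * for every fetch after it. */
static void flip_after_check(struct escape_req *req, int fetch_no)
{
    req->size = (fetch_no == 0) ? 16u : 4096u;
}

/* Drive each routine with the same racing attacker and return the size it used. */
int demo_double_fetch(void)
{
    static struct escape_req req;
    uint8_t kbuf[KERNEL_BUF_SIZE];
    memset(req.payload, 0x41, sizeof req.payload);      /* constructed sample payload */
    return escape_double_fetch(&req, kbuf, flip_after_check);
}

int demo_capture_once(void)
{
    static struct escape_req req;
    uint8_t kbuf[KERNEL_BUF_SIZE];
    memset(req.payload, 0x41, sizeof req.payload);
    return escape_capture_once(&req, kbuf, flip_after_check);
}

int main(void)
{
    printf("double fetch: validated 16, would copy %d bytes\n", demo_double_fetch());
    printf("capture once: validated and copied %d bytes\n", demo_capture_once());
    return 0;
}
```

The vulnerable routine validates a size of 16 and then goes on to use 4096, which is exactly the window a user thread flipping the header wins in a real race. The hardened routine never touches the user copy of the size after the single capture; in a Windows driver that capture is the ProbeForRead-plus-copy into a kernel structure that the D3DKMTEscape model makes tempting to skip.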
Exploit
Proof-of-concept (PoC) source code for the vulnerabilities is provided here. To reproduce them, you need a Windows build from before the August 2018 patches. Attach a kernel debugger to the test machine and enable Special Pool (through Driver Verifier) for the vulnerable driver. In my own testing I reproduced these vulnerabilities successfully on Windows 10 x64.
D3DKMTCreateAllocation type confusion vulnerability (ZDI-18-946/CVE-2018-8405)
The first vulnerability, found in DXGDEVICE::CreateAllocation in dxgkrnl.sys, is exposed through the D3DKMTCreateAllocation method and could allow a local attacker to escalate privileges to SYSTEM. The ZDI advisory is at https://www.zerodayinitiative.com/advisories/ZDI-18-946/ and Microsoft's patch information is at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8405. The vulnerability stems from insufficient validation of user-supplied data, which can lead to a type confusion.
To see it in action, enable Special Pool for dxgkrnl.sys before running the PoC. The type confusion comes from improper handling of the CrossAdapter flag during allocation. The PoC performs an allocation with the CrossAdapter flag set to 0, then passes the resulting handle to a second allocation in which the CrossAdapter flag is set to 1.
![PoC source code](/Article/UploadPic/2018-12/2018121617624432.png)
The bugcheck analysis from the kernel debugger follows:
![Bugcheck analysis, part 1](/Article/UploadPic/2018-12/2018121617624857.png)
![Bugcheck analysis, part 2](/Article/UploadPic/2018-12/2018121617624942.png)
![Bugcheck analysis, part 3](/Article/UploadPic/2018-12/2018121617625183.png)
The offending code is in DXGDEVICE::CreateAllocation, and a classic type confusion occurs at the end of the allocation:
![DXGDEVICE::CreateAllocation disassembly](/Article/UploadPic/2018-12/2018121617625860.png)
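As an added illustration of the bug class (this is not dxgkrnl.sys code and not the PoC from the screenshots above), the C program below models an allocation object that comes in two layouts chosen by a CrossAdapter-style flag at creation time. The vulnerable lookup decides which layout it is looking at from the flag in the new request rather than the flag stored in the object, so following the sequence from the text, allocate with the flag clear and then reuse the handle with the flag set, turns caller-supplied bytes into a pointer the driver would go on to dereference. All structure layouts, names and the check shown are assumptions; the check is the generic fix for this bug class, not a description of Microsoft's patch.

```c
/*
 * Added example: a model of flag-driven type confusion on a handle lookup.
 * Not dxgkrnl.sys code; every layout and name here is hypothetical.
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MAX_HANDLES        8
#define FLAG_CROSS_ADAPTER 0x1u
#define INLINE_BYTES       8

struct alloc_hdr {
    uint32_t flags;                     /* flags recorded when the object was created */
    uint32_t size;
};

struct alloc_local {                    /* layout when CrossAdapter == 0 */
    struct alloc_hdr hdr;
    uint8_t inline_data[INLINE_BYTES];  /* caller-supplied bytes stored with the object */
};

struct alloc_cross {                    /* layout when CrossAdapter == 1 */
    struct alloc_hdr hdr;
    void *shared_resource;              /* kernel pointer the cross-adapter path dereferences */
};

/* Every object occupies one fixed-size slot, so the mis-cast below is a plain
 * type pun rather than a read past the end of a smaller allocation. */
union alloc_slot {
    struct alloc_hdr   hdr;
    struct alloc_local local;
    struct alloc_cross cross;
};

static union alloc_slot slots[MAX_HANDLES];
static unsigned         slots_used;
static int              shared_pool[MAX_HANDLES];   /* stand-in for real shared resources */

/* Create an allocation whose layout follows `flags`. Returns a handle (slot
 * index + 1), or 0 when the table is full. */
uint32_t create_allocation(uint32_t flags, uint32_t size, const uint8_t inline_data[INLINE_BYTES])
{
    if (slots_used >= MAX_HANDLES) return 0;
    union alloc_slot *s = &slots[slots_used];
    memset(s, 0, sizeof *s);
    s->hdr.flags = flags;
    s->hdr.size  = size;
    if (flags & FLAG_CROSS_ADAPTER)
        s->cross.shared_resource = &shared_pool[slots_used];
    else if (inline_data)
        memcpy(s->local.inline_data, inline_data, INLINE_BYTES);
    return ++slots_used;
}

static union alloc_slot *lookup(uint32_t handle)
{
    if (handle == 0 || handle > slots_used) return NULL;
    return &slots[handle - 1];
}

/* Vulnerable: picks the layout from the flags of the new request, never from
 * the object itself, so a local object is read as a cross-adapter one.
 * Returns the pointer value the driver would go on to dereference. */
uintptr_t open_cross_adapter_vuln(uint32_t handle, uint32_t request_flags)
{
    union alloc_slot *s = lookup(handle);
    if (!s || !(request_flags & FLAG_CROSS_ADAPTER)) return 0;
    return (uintptr_t)s->cross.shared_resource;   /* s->hdr.flags never consulted */
}

/* Hardened: the layout is whatever the object was created as; a request that
 * disagrees with the stored flags is refused. */
uintptr_t open_cross_adapter_fixed(uint32_t handle, uint32_t request_flags)
{
    union alloc_slot *s = lookup(handle);
    if (!s || !(request_flags & FLAG_CROSS_ADAPTER)) return 0;
    if (!(s->hdr.flags & FLAG_CROSS_ADAPTER)) return 0;     /* type mismatch */
    return (uintptr_t)s->cross.shared_resource;
}

/* Constructed attacker input: bytes placed in a local object's inline data. */
static const uint8_t attacker_bytes[INLINE_BYTES] = {0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41};

/* The pointer value those bytes decode to on this platform (for comparison). */
uintptr_t attacker_pointer_value(void)
{
    uintptr_t p = 0;
    memcpy(&p, attacker_bytes, sizeof p < INLINE_BYTES ? sizeof p : INLINE_BYTES);
    return p;
}

/* The sequence from the text: allocate with CrossAdapter = 0, then hand the
 * handle to a request with CrossAdapter = 1. */
uintptr_t demo_vulnerable_lookup(void)
{
    slots_used = 0;
    uint32_t h = create_allocation(0, 0x1000, attacker_bytes);
    return open_cross_adapter_vuln(h, FLAG_CROSS_ADAPTER);
}

uintptr_t demo_hardened_lookup(void)
{
    slots_used = 0;
    uint32_t h = create_allocation(0, 0x1000, attacker_bytes);
    return open_cross_adapter_fixed(h, FLAG_CROSS_ADAPTER);
}

/* A genuine cross-adapter object still resolves on the hardened path. */
int demo_legit_cross_lookup(void)
{
    slots_used = 0;
    uint32_t h = create_allocation(FLAG_CROSS_ADAPTER, 0x1000, NULL);
    return open_cross_adapter_fixed(h, FLAG_CROSS_ADAPTER) == (uintptr_t)&shared_pool[0];
}

int main(void)
{
    printf("vulnerable path would dereference %#lx (attacker bytes decode to %#lx)\n",
           (unsigned long)demo_vulnerable_lookup(), (unsigned long)attacker_pointer_value());
    printf("hardened path returns %#lx for the same handle\n",
           (unsigned long)demo_hardened_lookup());
    return 0;
}
```

The point of the model is where the layout decision lives: once the second request's flag, rather than the flag recorded at creation, selects the struct, the bytes the caller stored in the smaller object become whatever the larger layout expects at that offset, here a kernel pointer. Special Pool makes the real-world version of this crash early, which is why the text recommends enabling it before running the PoC.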
D3DKMTRender type confusion vulnerability (ZDI-18-947/CVE-2018-8406)
Another vulnerability, in dxgmms2.sys, is exposed through D3DKMTRender. It too could allow a local attacker to escalate privileges to SYSTEM. The ZDI advisory is at https://www.zerodayinitiative.com/advisories/ZDI-18-947/ and Microsoft's patch information is at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8406. Like the first vulnerability, this one leads to a type confusion. Although they look similar, the two vulnerabilities have different root causes.
