Lucene search
Google Security Research1337DAY-ID-28025HistoryJun 28, 2017 - 12:00 a.m.
Microsoft Windows - win32k!NtGdiMakeFontDir Kernel Stack Memory Disclosure Exploit
2017-06-2800:00:00
Google Security Research
0day.today
30
0.001 Low
EPSS
Percentile
30.5%
Exploit for windows platform in category dos / poc
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1191
We have discovered that the win32k!NtGdiMakeFontDir system call discloses large portions of uninitialized kernel stack memory to user-mode clients.
The attached proof of concept code (which is specific to Windows 7 32-bit) works by first filling a large portion of the kernel stack with a controlled marker byte 0x41 ('A') using the nt!NtMapUserPhysicalPages system call, and then invoking the affected win32k!NtGdiMakeFontDir syscall. As a result, we can observe that a number of leftover bytes from the stack are indeed leaked to user-mode via the output structure:
--- cut ---
00000000: 01 00 00 00 00 02 95 00 00 00 57 69 6e 64 6f 77 ..........Window
00000010: 73 21 20 57 69 6e 64 6f 77 73 21 20 57 69 6e 64 s! Windows! Wind
00000020: 6f 77 73 21 00 10 03 01 01 00 00 00 00 00 00 00 ows!............
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 03 40 00 08 48 00 48 00 66 06 [emailย protected]
00000050: 00 00 1b 02 00 00 00 f4 01 00 00 00 00 08 07 e8 ................
00000060: 03 86 02 1f a8 01 02 00 00 00 00 00 00 76 00 00 .............v..
00000070: 00 08 00 00 00 41 77 69 6e 65 5f 74 65 73 74 00 .....Awine_test.
00000080: 77 69 6e 65 5f 74 65 73 74 00 4d 65 64 69 75 6d wine_test.Medium
00000090: 00 41 41 41 41 00 41 41 41 41 41 41 41 41 41 41 .AAAA.AAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 00 41 41 41 41 41 41 AAAAAAAAA.AAAAAA
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 AAAAAAAAAAAAAAA.
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41 41 ?? ?? ?? ?? ?? AAAAAAAAAAA.....
--- cut ---
In order for the PoC program to work, the attached wine_test.ttf font must be present in the current working directory.
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42230.zip
# 0day.today [2018-03-01] #Related
seebug
seebug
symantec
symantec
mscve
mscve
Windows Kernel Information Disclosure Vulnerability
2017-06-13 07:00:00
prion
prion
Information disclosure
2017-06-15 01:29:00
Information disclosure
2017-06-15 01:29:00
Information disclosure
2017-06-15 01:29:00
cve
cve
openvas
openvas
Microsoft Windows Multiple Vulnerabilities (KB4022722)
2017-06-14 00:00:00
Microsoft Windows Server 2012 Multiple Vulnerabilities (KB4022718)
2017-06-14 00:00:00
mskb
mskb
Win32k information disclosure vulnerability: June 13, 2017
2017-06-28 07:00:00
June 13, 2017โKB4022722 (Security-only update)
2017-06-28 07:00:00
June 13, 2017โKB4022718 (Security-only update)
2017-06-28 07:00:00
kaspersky
kaspersky
KLA11048 Multiple vulnerabilities in Windows Kernel
2017-06-13 00:00:00
KLA11842 Multiple vulnerabilities in Microsoft Products (ESU)
2017-06-13 00:00:00
KLA11039 Multiple vulnerabilities in Microsoft Windows
2019-06-13 00:00:00
nessus
nessus
Windows 2008 June 2017 Multiple Security Updates
2017-06-14 00:00:00
Windows Server 2012 June 2017 Security Updates
2017-06-13 00:00:00
Windows 7 and Windows Server 2008 R2 June 2017 Security Updates
2017-06-13 00:00:00
talosblog
talosblog
Microsoft Patch Tuesday - June 2017
2017-06-13 13:48:00
trendmicroblog
trendmicroblog