Microsoft Windows - win32k!NtGdiMakeFontDir Kernel Stack Memory Disclosure Exploit

Published 28 Jun 2017 00:00:00. Reported by Google Security Research. Type: zdt. Source: 0day.today.


Related

| Family | Title | Published | Reporter |
|---|---|---|---|
| Circl | CVE-2017-8477 | 22 Jun 2017 00:00 | circl |
| CNVD | Microsoft Windows Information Disclosure Vulnerability (CNVD-2017-12056) | 15 Jun 2017 00:00 | cnvd |
| CVE | CVE-2017-8477 | 15 Jun 2017 01:00 | cve |
| Cvelist | CVE-2017-8477 | 15 Jun 2017 01:00 | cvelist |
| EUVD | EUVD-2017-17427 | 7 Oct 2025 00:30 | euvd |
| Microsoft KB | June 13, 2017 - KB4022714 (OS Build 10586.962) | 4 Aug 2017 07:00 | mskb |
| Microsoft KB | June 13, 2017 - KB4022715 (OS Build 14393.1358) | 4 Aug 2017 07:00 | mskb |
| Microsoft KB | June 13, 2017 - KB4022717 (Security-only update) | 28 Jun 2017 07:00 | mskb |
| Microsoft KB | June 13, 2017 - KB4022718 (Security-only update) | 28 Jun 2017 07:00 | mskb |
| Microsoft KB | June 13, 2017 - KB4022719 (Monthly Rollup) | 28 Jun 2017 07:00 | mskb |
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1191
 
We have discovered that the win32k!NtGdiMakeFontDir system call discloses large portions of uninitialized kernel stack memory to user-mode clients.
 
The attached proof of concept code (which is specific to Windows 7 32-bit) works by first filling a large portion of the kernel stack with a controlled marker byte 0x41 ('A') using the nt!NtMapUserPhysicalPages system call, and then invoking the affected win32k!NtGdiMakeFontDir syscall. As a result, we can observe that a number of leftover bytes from the stack are indeed leaked to user-mode via the output structure:
 
--- cut ---
00000000: 01 00 00 00 00 02 95 00 00 00 57 69 6e 64 6f 77 ..........Window
00000010: 73 21 20 57 69 6e 64 6f 77 73 21 20 57 69 6e 64 s! Windows! Wind
00000020: 6f 77 73 21 00 10 03 01 01 00 00 00 00 00 00 00 ows!............
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 03 40 00 08 48 00 48 00 66 06 .......@..H.H.f.
00000050: 00 00 1b 02 00 00 00 f4 01 00 00 00 00 08 07 e8 ................
00000060: 03 86 02 1f a8 01 02 00 00 00 00 00 00 76 00 00 .............v..
00000070: 00 08 00 00 00 41 77 69 6e 65 5f 74 65 73 74 00 .....Awine_test.
00000080: 77 69 6e 65 5f 74 65 73 74 00 4d 65 64 69 75 6d wine_test.Medium
00000090: 00 41 41 41 41 00 41 41 41 41 41 41 41 41 41 41 .AAAA.AAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 00 41 41 41 41 41 41 AAAAAAAAA.AAAAAA
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 AAAAAAAAAAAAAAA.
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41 41 ?? ?? ?? ?? ?? AAAAAAAAAAA.....
--- cut ---
 
In order for the PoC program to work, the attached wine_test.ttf font must be present in the current working directory.
 
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
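To put a number on how much of the returned structure is stale kernel stack, here is an added Python helper that is not part of the Project Zero report or its PoC: it parses a dump in the format shown above, treats 0x41 as the marker the PoC sprayed and `??` as bytes the report omits, and reports the contiguous marker runs. `DUMP` is an excerpt of the report's own output; the row width of 16 bytes is an assumption of the parser.

```python
"""Quantify the NtGdiMakeFontDir leak from a hex dump of its output.
Added helper, not part of the Project Zero report: the PoC pre-filled the
kernel stack with 0x41 ('A'), so each 0x41 in the returned structure is a
byte the syscall never initialised; '??' marks bytes the report omits."""
import re
from typing import Optional

MARKER = 0x41
# Excerpt of the report's dump (offset: 16 hex pairs, then an ASCII column).
DUMP = """\
00000080: 77 69 6e 65 5f 74 65 73 74 00 4d 65 64 69 75 6d wine_test.Medium
00000090: 00 41 41 41 41 00 41 41 41 41 41 41 41 41 41 41 .AAAA.AAAAAAAAAA
000000a0: 41 41 41 41 41 41 41 41 41 00 41 41 41 41 41 41 AAAAAAAAA.AAAAAA
000000b0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 00 AAAAAAAAAAAAAAA.
000000c0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000d0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000e0: 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
000000f0: 41 41 41 41 41 41 41 41 41 41 41 ?? ?? ?? ?? ?? AAAAAAAAAAA.....
"""
# Rows are assumed 16 bytes wide; the cap keeps the ASCII column out of the hex.
LINE_RE = re.compile(r"^([0-9a-fA-F]+):((?:\s+(?:[0-9a-fA-F]{2}|\?\?)){1,16})")

def parse_dump(text: str) -> dict[int, Optional[int]]:
    """Map absolute offset -> byte value, None where the dump shows '??'."""
    data: dict[int, Optional[int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # skip '--- cut ---' and anything else that is not a dump row
            base = int(m.group(1), 16)
            for i, tok in enumerate(m.group(2).split()):
                data[base + i] = None if tok == "??" else int(tok, 16)
    return data

def marker_runs(data: dict[int, Optional[int]], marker: int = MARKER) -> list:
    """(start_offset, length) of each maximal run of marker bytes, in order."""
    runs, start = [], None
    for off in sorted(data):
        if data[off] == marker:
            start = off if start is None else start
        elif start is not None:          # a non-marker (or unknown) byte ends the run
            runs.append((start, off - start))
            start = None
    if start is not None:                # run reaching the end of the dump
        runs.append((start, max(data) + 1 - start))
    return runs

def leak_summary(text: str, marker: int = MARKER) -> dict:
    """Headline numbers for triage: how much of the shown output is stale stack."""
    data = parse_dump(text)
    runs = marker_runs(data, marker)
    shown = [v for v in data.values() if v is not None]
    return {"bytes_shown": len(shown),
            "marker_bytes": sum(v == marker for v in shown),
            "runs": runs,
            "longest_run": max(runs, key=lambda r: r[1]) if runs else None}
```

On the excerpt, 103 of the 123 shown bytes are marker bytes, the longest untouched span being 59 bytes starting at offset 0xc0.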
 
 
Proof of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/42230.zip

#  0day.today [2018-03-01]  #


Vulners AI Score: 7.6 (High risk)
EPSS: 0.03134