Description:: A vulnerability in the way Microsoft Windows exposes its GDI kernel data structures to user-mode processes leads to an exploitable memory corruption condition. Depending on what is overwritten, the result is a denial of service (the so-called BSoD) or arbitrary code execution. Because the corrupted structures belong to the kernel, a local user can escalate privileges and gain full control of the system.
Author:: Cesar Cerrudo - Contributed proof of concept and information, found vulnerability.
Exploit:: Cesar's explanation:
Microsoft Windows GDI kernel data structures are mapped on a global shared memory section that is created automatically in any Windows process that uses GDI objects (a process with a GUI, etc.). This section is mapped as read-only, but any process can re-map it as read-write (by default this kernel shared section has read, write and execute permissions); thus processes can write to this section, overwriting the GDI kernel data structures and causing a denial of service (BSoD) / crashing Windows. If certain selected data structures are overwritten with specific data, it is possible to perform arbitrary code execution.
Affected versions:
- Microsoft Windows 2000
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP
- Microsoft Windows XP Service Pack 1
- Microsoft Windows XP Service Pack 2
- Microsoft Windows Server 2003
- Microsoft Windows Vista (tested with beta 2)
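The mechanism in Cesar's explanation, as an added example that is neither the advisory's GDIKernelPoC.cpp nor Windows code: what protects a shared section is the access the underlying object grants, not the protection of the view a process happens to receive. The block below models that on POSIX, using a file mapping as a stand-in for the NT section object, a constructed `fake_gdi_entry` struct as a stand-in for a GDI handle-table entry, and the value 0x41414141 as a placeholder for an attacker-chosen kernel pointer (all three are assumptions of this example, not values from the page). It first hands the "process" a read-only view, then re-opens the same object and maps it read-write: when the object itself allows write (the Windows case described above) the write lands in the read-only view, and when the object is read-only the re-mapping is refused with EACCES.

```c
/* Added example, not the advisory's PoC: POSIX analogue of re-mapping a
 * read-only shared section read-write because the backing object allows it. */
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

#define TABLE_SIZE 4096

/* Constructed stand-in for one entry of a kernel-owned, shared handle table.
 * On Windows the first field would be a win32k object pointer. */
struct fake_gdi_entry {
    uint32_t kernel_ptr;
    uint16_t owner_pid;
    uint16_t type;
};

/* Returns 1 if a second, read-write mapping of the object could be obtained
 * and a write through it was visible in the original read-only view;
 * 0 if the re-mapping was refused; -1 on setup failure. */
int view_protection_is_bypassable(int object_allows_write) {
    char path[] = "/tmp/gdi_section_XXXXXX";   /* assumed temp location */
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    if (ftruncate(fd, TABLE_SIZE) != 0) { close(fd); unlink(path); return -1; }

    /* "kernel side": populate the table before handing out a view */
    struct fake_gdi_entry init = { 0x80001000u, 1234, 1 };
    if (pwrite(fd, &init, sizeof init, 0) != (ssize_t)sizeof init) {
        close(fd); unlink(path); return -1;
    }

    /* the read-only view the process receives automatically */
    const struct fake_gdi_entry *ro =
        mmap(NULL, TABLE_SIZE, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);
    if (ro == MAP_FAILED) { unlink(path); return -1; }

    /* the process opens the same object itself; the object's access rights,
     * not the first view's protection, decide whether this succeeds */
    int fd2 = open(path, object_allows_write ? O_RDWR : O_RDONLY);
    if (fd2 < 0) { munmap((void *)ro, TABLE_SIZE); unlink(path); return -1; }
    void *rw = mmap(NULL, TABLE_SIZE, PROT_READ | PROT_WRITE, MAP_SHARED, fd2, 0);

    int result;
    if (rw == MAP_FAILED) {
        /* read-only object: the kernel refuses a writable shared view (EACCES) */
        result = (errno == EACCES) ? 0 : -1;
    } else {
        /* writable object: corrupt the "kernel" pointer through the new view */
        struct fake_gdi_entry *e = rw;
        e->kernel_ptr = 0x41414141u;          /* placeholder attacker value */
        result = (ro->kernel_ptr == 0x41414141u) ? 1 : 0;
        munmap(rw, TABLE_SIZE);
    }
    close(fd2);
    munmap((void *)ro, TABLE_SIZE);
    unlink(path);
    return result;
}

int main(void) {
    printf("object grants write: read-only view bypassed? %d\n",
           view_protection_is_bypassable(1));
    printf("object is read-only: read-only view bypassed? %d\n",
           view_protection_is_bypassable(0));
    return 0;
}
```

The check a practitioner wants from this is the second call: if the object handed to user mode only grants read, the read-write re-mapping fails regardless of what the process asks for, which is the property the GDI shared section lacked in the affected versions listed above.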
Source Code::
typedef struct
Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.
Waiting to reconnect...
Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested)
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Windows 2000 Kernel Version 2195 UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
Proof of concept:: GDIKernelPoC.cpp