Monday, 6 November 2006

Windows kernel GDI local privilege escalation

Vendor:: Microsoft
Application:: Windows
Disclosed:: 06-11-06
Description:: A vulnerability in the handling of GDI kernel structures of Microsoft Windows leads to an exploitable memory corruption condition, causing a denial of service (so-called BSoD) or arbitrary code execution on successful exploitation. This would allow a local user to escalate privileges, gaining full control of the system.
Author:: Cesar Cerrudo - Contributed proof of concept and information, found vulnerability.
LMH - MoKB release, testing, debugging information.
Exploit:: Cesar's explanation:
Microsoft Windows GDI Kernel data structures are mapped on a global shared memory section that is created automatically on any windows process that uses GDI objects (process with a GUI, etc.), this section is mapped as read-only, but any process can re-map it as read-write (by default this kernel shared section has read, write, execute permissions), thus processes can write to this section overwriting the GDI kernel data structures, causing a denial of service (BSoD)/ crashing Windows. If certain selected data structures are overwritten with specific data it is possible to perform arbitrary code excecution. Affected versions:
  • Microsoft Windows 2000
  • Microsoft Windows 2000 Service Pack 1
  • Microsoft Windows 2000 Service Pack 2
  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP
  • Microsoft Windows XP Service Pack 1
  • Microsoft Windows XP Service Pack 2

Not affected:

  • Microsoft Windows Server 2003
  • Microsoft Windows Vista (tested with beta 2)
Related debugging information::
typedef struct
DWORD pKernelInfo;
WORD ProcessID;
WORD _nCount;
WORD nUpper;
WORD nType;
DWORD pUserInfo;
} GDITableEntry;

Microsoft (R) Windows Debugger Version 6.4.0007.2
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\pipe\com_1
Waiting to reconnect...
Connected to Windows 2000 2195 x86 compatible target, ptr64 FALSE
Kernel Debugger connection established. (Initial Breakpoint requested)
Symbol search path is: C:\WINDOWS\Symbols
Executable search path is:
Windows 2000 Kernel Version 2195 UP Free x86 compatible
Kernel base = 0x80400000 PsLoadedModuleList = 0x80481580
System Uptime: not available
Break instruction exception - code 80000003 (first chance)
Source Code
Proof of concept:: GDIKernelPoC.cpp

No comments: