Flag: Tornado! Hurricane!

Blogs >> omeg's Blog

Created: Saturday, November 24 2007 16:01.37 CST  
Printer Friendly ...
Null pointer dereference in win32k
Author: omeg # Views: 6436

Totally forgot about this. Some time ago I've accidentally found an unhandled exception condition in kernel-mode GDI. Microsoft is aware of this but frankly they still didn't fix it. Well, it may be not security issue, but who knows ;)

Offending function: win32k!NtUserGetDCEx or its user wrapper, GetDCEx.
Crash condition: call it with all 0s before any desktops are created (I'm not 100% sure of this, but it seems to be the case).
Sample scenario: Create a DLL that calls GetDcEx(0,0,0) in DllMain. MessageBox works too (that's how I first stumbled on it). Add the dll to AppInit_DLLs registry key. Reboot. Upon next system start the DLL will be mapped into winlogon's memory and the fatal function called before any windows are present. Boom, BSOD.

PROCESS_NAME:  winlogon.exe

FAULTING_IP:
win32k!NtUserGetDCEx+29
bf83c00f 8b4904          mov     ecx,dword ptr [ecx+4]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: bf83c00f (win32k!NtUserGetDCEx+0x00000029)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000004
Attempt to read from address 00000004

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

READ_ADDRESS:  00000004

BUGCHECK_STR:  ACCESS_VIOLATION

DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE

LAST_CONTROL_TRANSFER:  from 8053ca28 to bf83c00f

STACK_TEXT:  
f88d9d50 8053ca28 00000000 00000000 00000003 win32k!NtUserGetDCEx+0x29
f88d9d50 7c90eb94 00000000 00000000 00000003 nt!KiFastCallEntry+0xf8
0006fb24 7e41e881 7e43a383 00000000 00000000 ntdll!KiFastSystemCallRet
0006fddc 7e43a284 0006ff38 00000005 00000004 USER32!NtUserGetDCEx+0xc
0006ff2c 7e4661d3 0006ff38 00000028 00000000 USER32!MessageBoxWorker+0x2ba
0006ff84 7e4505f3 00000000 1000d9e8 1000b370 USER32!MessageBoxTimeoutW+0x7a
0006ffa4 7e46634f 00000000 1000d9e8 1000b370 USER32!MessageBoxExW+0x1b
0006ffc0 1000105f 00000000 1000d9e8 1000b370 USER32!MessageBoxW+0x45


Here's the appropriate disassembly:
bf83c003 a138a59abf      mov     eax,dword ptr [win32k!gptiCurrent (bf9aa538)]
bf83c008 f6404b20        test    byte ptr [eax+4Bh],20h
bf83c00c 8b483c          mov     ecx,dword ptr [eax+3Ch]
bf83c00f 8b4904          mov     ecx,dword ptr [ecx+4] ds:0023:00000004=????????
bf83c012 8b7108          mov     esi,dword ptr [ecx+8]


Interestingly, NtUserGetDC isn't just a wrapper to the ...Ex function. It has different code and isn't vulnerable to this.


Blog Comments
mxatone Posted: Monday, November 26 2007 08:52.10 CST
It seems vulnerable as you can control a win32k object pointer. It's possible than as you need to be registered in init dlls, Microsoft considers that a patch is not necessary (as NtSystemDebugControl vulnerability story).

In fact win32k lack checking most pointers during boot procedure so maybe a total redesign should be needed to avoid those kinda issues.

Anyway, thank for this kernel NULL ptr, a good real example for kernel exploitation, even if you need admin rights or equivalent.



Add New Comment
Comment:









There are 31,310 total registered users.


Recently Created Topics
[help] Unpacking VMP...
Mar/12
Reverse Engineering ...
Jul/06
hi!
Jul/01
let 'IDAPython' impo...
Sep/24
set 'IDAPython' as t...
Sep/24
GuessType return une...
Sep/20
About retrieving the...
Sep/07
How to find specific...
Aug/15
How to get data depe...
Jul/07
Identify RVA data in...
May/06


Recent Forum Posts
Finding the procedur...
rolEYder
Question about debbu...
rolEYder
Identify RVA data in...
sohlow
let 'IDAPython' impo...
sohlow
How to find specific...
hackgreti
Problem with ollydbg
sh3dow
How can I write olly...
sh3dow
New LoadMAP plugin v...
mefisto...
Intel pin in loaded ...
djnemo
OOP_RE tool available?
Bl4ckm4n


Recent Blog Entries
halsten
Mar/14
Breaking IonCUBE VM

oleavr
Oct/24
Anatomy of a code tracer

hasherezade
Sep/24
IAT Patcher - new tool for ...

oleavr
Aug/27
CryptoShark: code tracer ba...

oleavr
Jun/25
Build a debugger in 5 minutes

More ...


Recent Blog Comments
nieo on:
Mar/22
IAT Patcher - new tool for ...

djnemo on:
Nov/17
Kernel debugger vs user mod...

acel on:
Nov/14
Kernel debugger vs user mod...

pedram on:
Dec/21
frida.github.io: scriptable...

capadleman on:
Jun/19
Using NtCreateThreadEx for ...

More ...


Imagery
SoySauce Blueprint
Jun 6, 2008

[+] expand

View Gallery (11) / Submit