exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Microsoft Windows Kernel DeviceApi Stack Memory Disclosure

Microsoft Windows Kernel DeviceApi Stack Memory Disclosure
Posted Jun 21, 2017
Authored by Google Security Research, mjurczyk

The Microsoft Windows kernel suffers from a stack memory disclosure vulnerability in DeviceApi (PiDqIrpQueryGetResult, PiDqIrpQueryCreate, PiDqQueryCompletePendedIrp).

tags | advisory, kernel
systems | windows
advisories | CVE-2017-8474
SHA-256 | 20fe3af744abb0a442ff7060c80b06e0bf24932685f850604475164f9ae0b61f

Microsoft Windows Kernel DeviceApi Stack Memory Disclosure

Change Mirror Download
Windows Kernel stack memory disclosure in DeviceApi (PiDqIrpQueryGetResult, PiDqIrpQueryCreate, PiDqQueryCompletePendedIrp) 

CVE-2017-8474


We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 through the PiDqIrpQueryGetResult, PiDqIrpQueryCreate, PiDqQueryCompletePendedIrp IOCTLs sent to the \Device\DeviceApi device. The analysis shown below was performed on Windows 10 1607 32-bit.

The output buffer size expected for each of the aforementioned IOCTLs is 16 (0x10), and the copying of the output data takes place in the nt!PiDqIrpComplete function:

--- cut ---
PAGE:0068183C cmp dword ptr [eax+0Ch], 470007h
PAGE:00681843 jz short loc_681867
PAGE:00681845 mov esi, [ebp+arg_4]
PAGE:00681848 mov edi, [ecx+0Ch]
PAGE:0068184B movsd
PAGE:0068184C movsd
PAGE:0068184D movsd
PAGE:0068184E movsd
[...]
PAGE:00681867 loc_681867:
PAGE:00681867 and [ebp+ms_exc.registration.TryLevel], 0
PAGE:0068186B mov esi, [ebp+arg_4]
PAGE:0068186E mov edi, [ecx+3Ch]
PAGE:00681871 movsd
PAGE:00681872 movsd
PAGE:00681873 movsd
PAGE:00681874 movsd
--- cut ---

Clearly, all 16 bytes are unconditionally copied from kernel to user-mode memory. In the cases of all three IOCTL handlers, the kernel copies of the structure are placed on the local stack. Interestingly, the only function responsible for filling out the structure (nt!PiDqQueryGetNextIoctlInfo) only ever touches its first 8 bytes:

--- cut ---
PAGE:00680927 mov dword ptr [eax], 470007h
[...]
PAGE:00680940 mov [eax+4], ecx
[...]
PAGE:00680948 cmp [eax+4], ecx
[...]
PAGE:0068094D cmp [eax+4], edx
[...]
PAGE:00680952 cmp [eax+4], edi
[...]
PAGE:00680957 mov [eax+4], edi
[...]
PAGE:0068095C mov dword ptr [eax], 470008h
PAGE:00680962 mov dword ptr [eax+4], 10h
[...]
PAGE:0068097E mov [eax+4], ecx
[...]
PAGE:00680983 mov [eax+4], edx
--- cut ---

As a result, the trailing 8 bytes of the structure remain uninitialized and are leaked in their original form to user-mode. This can be easily tested with a kernel debugger (WinDbg), by setting a breakpoint on e.g. nt!PiDqIrpQueryGetResult, manually filling out the structure memory with a marker byte (0xcc), then setting a breakpoint on nt!PiDqIrpComplete and observing that half of the memory area being copied into ring-3 still has the marker data:

--- cut ---
1: kd> bp nt!PiDqIrpQueryGetResult
1: kd> g
Breakpoint 0 hit
nt!PiDqIrpQueryGetResult:
81e91324 6a44 push 44h
1: kd> p
nt!PiDqIrpQueryGetResult+0x2:
81e91326 686807e181 push offset nt!RtlpMuiRegValidateConfigNode+0x8ff (81e10768)
1: kd> p
nt!PiDqIrpQueryGetResult+0x7:
81e9132b e86460ebff call nt!_SEH_prolog4 (81d47394)
1: kd> p
nt!PiDqIrpQueryGetResult+0xc:
81e91330 8bc1 mov eax,ecx
1: kd> eb ebp-54 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
1: kd> ? ebp-54
Evaluate expression: -868562492 = cc3ac9c4
1: kd> bp PiDqIrpComplete+4b
1: kd> g
Breakpoint 1 hit
nt!PiDqIrpComplete+0x4b:
81e94871 a5 movs dword ptr es:[edi],dword ptr [esi]
1: kd> ? esi
Evaluate expression: -868562492 = cc3ac9c4
1: kd> ? edi
Evaluate expression: 141332072 = 086c8e68
1: kd> u
nt!PiDqIrpComplete+0x4b:
81e94871 a5 movs dword ptr es:[edi],dword ptr [esi]
81e94872 a5 movs dword ptr es:[edi],dword ptr [esi]
81e94873 a5 movs dword ptr es:[edi],dword ptr [esi]
81e94874 a5 movs dword ptr es:[edi],dword ptr [esi]
81e94875 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
81e9487c ebd1 jmp nt!PiDqIrpComplete+0x29 (81e9484f)
81e9487e 83611c00 and dword ptr [ecx+1Ch],0
81e94882 ebd1 jmp nt!PiDqIrpComplete+0x2f (81e94855)
1: kd> db esi esi+10-1
cc3ac9c4 08 00 47 00 10 00 00 00-cc cc cc cc cc cc cc cc ..G.............
--- cut ---

Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.



Found by: mjurczyk

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close