Windows Kernel stack memory disclosure in DeviceApi (PiDqIrpQueryGetResult, PiDqIrpQueryCreate, PiDqQueryCompletePendedIrp) 

CVE-2017-8474


We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 through the PiDqIrpQueryGetResult, PiDqIrpQueryCreate, PiDqQueryCompletePendedIrp IOCTLs sent to the \Device\DeviceApi device. The analysis shown below was performed on Windows 10 1607 32-bit.

The output buffer size expected for each of the aforementioned IOCTLs is 16 (0x10), and the copying of the output data takes place in the nt!PiDqIrpComplete function:

--- cut ---
PAGE:0068183C                 cmp     dword ptr [eax+0Ch], 470007h
PAGE:00681843                 jz      short loc_681867
PAGE:00681845                 mov     esi, [ebp+arg_4]
PAGE:00681848                 mov     edi, [ecx+0Ch]
PAGE:0068184B                 movsd
PAGE:0068184C                 movsd
PAGE:0068184D                 movsd
PAGE:0068184E                 movsd
[...]
PAGE:00681867 loc_681867:
PAGE:00681867                 and     [ebp+ms_exc.registration.TryLevel], 0
PAGE:0068186B                 mov     esi, [ebp+arg_4]
PAGE:0068186E                 mov     edi, [ecx+3Ch]
PAGE:00681871                 movsd
PAGE:00681872                 movsd
PAGE:00681873                 movsd
PAGE:00681874                 movsd
--- cut ---

Clearly, all 16 bytes are unconditionally copied from kernel to user-mode memory. In the cases of all three IOCTL handlers, the kernel copies of the structure are placed on the local stack. Interestingly, the only function responsible for filling out the structure (nt!PiDqQueryGetNextIoctlInfo) only ever touches its first 8 bytes:

--- cut ---
PAGE:00680927                 mov     dword ptr [eax], 470007h
[...]
PAGE:00680940                 mov     [eax+4], ecx
[...]
PAGE:00680948                 cmp     [eax+4], ecx
[...]
PAGE:0068094D                 cmp     [eax+4], edx
[...]
PAGE:00680952                 cmp     [eax+4], edi
[...]
PAGE:00680957                 mov     [eax+4], edi
[...]
PAGE:0068095C                 mov     dword ptr [eax], 470008h
PAGE:00680962                 mov     dword ptr [eax+4], 10h
[...]
PAGE:0068097E                 mov     [eax+4], ecx
[...]
PAGE:00680983                 mov     [eax+4], edx
--- cut ---

As a result, the trailing 8 bytes of the structure remain uninitialized and are leaked in their original form to user-mode. This can be easily tested with a kernel debugger (WinDbg), by setting a breakpoint on e.g. nt!PiDqIrpQueryGetResult, manually filling out the structure memory with a marker byte (0xcc), then setting a breakpoint on nt!PiDqIrpComplete and observing that half of the memory area being copied into ring-3 still has the marker data:

--- cut ---
1: kd> bp nt!PiDqIrpQueryGetResult
1: kd> g
Breakpoint 0 hit
nt!PiDqIrpQueryGetResult:
81e91324 6a44            push    44h
1: kd> p
nt!PiDqIrpQueryGetResult+0x2:
81e91326 686807e181      push    offset nt!RtlpMuiRegValidateConfigNode+0x8ff (81e10768)
1: kd> p
nt!PiDqIrpQueryGetResult+0x7:
81e9132b e86460ebff      call    nt!_SEH_prolog4 (81d47394)
1: kd> p
nt!PiDqIrpQueryGetResult+0xc:
81e91330 8bc1            mov     eax,ecx
1: kd> eb ebp-54 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 
1: kd> ? ebp-54
Evaluate expression: -868562492 = cc3ac9c4
1: kd> bp PiDqIrpComplete+4b
1: kd> g
Breakpoint 1 hit
nt!PiDqIrpComplete+0x4b:
81e94871 a5              movs    dword ptr es:[edi],dword ptr [esi]
1: kd> ? esi
Evaluate expression: -868562492 = cc3ac9c4
1: kd> ? edi
Evaluate expression: 141332072 = 086c8e68
1: kd> u
nt!PiDqIrpComplete+0x4b:
81e94871 a5              movs    dword ptr es:[edi],dword ptr [esi]
81e94872 a5              movs    dword ptr es:[edi],dword ptr [esi]
81e94873 a5              movs    dword ptr es:[edi],dword ptr [esi]
81e94874 a5              movs    dword ptr es:[edi],dword ptr [esi]
81e94875 c745fcfeffffff  mov     dword ptr [ebp-4],0FFFFFFFEh
81e9487c ebd1            jmp     nt!PiDqIrpComplete+0x29 (81e9484f)
81e9487e 83611c00        and     dword ptr [ecx+1Ch],0
81e94882 ebd1            jmp     nt!PiDqIrpComplete+0x2f (81e94855)
1: kd> db esi esi+10-1
cc3ac9c4  08 00 47 00 10 00 00 00-cc cc cc cc cc cc cc cc  ..G.............
--- cut ---

Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.



Found by: mjurczyk