Twenty Year Anniversary

Microsoft Windows Kernel msrpc!LRPC_CASSOCIATION::AlpcSendCancelMessage Memory Disclosure

Microsoft Windows Kernel msrpc!LRPC_CASSOCIATION::AlpcSendCancelMessage Memory Disclosure
Posted Mar 21, 2018
Authored by Google Security Research, mjurczyk

The Microsoft Windows kernel suffers from a stack memory disclosure vulnerability in msrpc!LRPC_CASSOCIATION::AlpcSendCancelMessage.

tags | advisory, kernel
systems | windows
advisories | CVE-2018-0896
MD5 | a3019927b362555cf6724e71c06a0e35

Microsoft Windows Kernel msrpc!LRPC_CASSOCIATION::AlpcSendCancelMessage Memory Disclosure

Change Mirror Download
Windows Kernel 64-bit stack memory disclosure in msrpc!LRPC_CASSOCIATION::AlpcSendCancelMessage 

CVE-2018-0896


We have discovered that the msrpc!LRPC_CASSOCIATION::AlpcSendCancelMessage function sends an ALPC message with portions of uninitialized memory from the local stack frame on Windows 7 64-bit (other versions were not tested).

The message is 0x18 bytes long, 8 of which are uninitialized. The layout of the memory area is as follows:

--- cut ---
00000000: 00 00 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 ff ff ff ff ?? ?? ?? ?? ?? ?? ?? ?? ................
--- cut ---

Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values. This buffer can be then read back into user-mode with e.g. the nt!NtAlpcSendWaitReceivePort syscall, as observed during system runtime on our test machine:

--- cut ---
kd> k
# Child-SP RetAddr Call Site
00 fffff880`0220ea58 fffff800`029a0478 nt!memcpy+0x3
01 fffff880`0220ea60 fffff800`029a253e nt!AlpcpReceiveMessage+0x3c5
02 fffff880`0220eb00 fffff800`0268d093 nt!NtAlpcSendWaitReceivePort+0x1fe
03 fffff880`0220ebb0 00000000`772ac58a nt!KiSystemServiceCopyEnd+0x13
04 00000000`028af748 000007fe`ff241f0e ntdll!NtAlpcSendWaitReceivePort+0xa
05 00000000`028af750 000007fe`ff290fb4 RPCRT4!ReceiveMessage+0xba
06 00000000`028af7b0 000007fe`ff26ef85 RPCRT4!LRPC_ADDRESS::ProcessIO+0x151
07 00000000`028af8b0 00000000`772c2920 RPCRT4!LrpcIoComplete+0xa5
08 00000000`028af940 00000000`77279e35 ntdll!TppAlpcpExecuteCallback+0x2cd
09 00000000`028af9b0 00000000`771559cd ntdll!TppWorkerThread+0x554
0a 00000000`028afc40 00000000`7728a561 kernel32!BaseThreadInitThunk+0xd
0b 00000000`028afc70 00000000`00000000 ntdll!RtlUserThreadStart+0x1d

kd> db rdx rdx+r8-1
fffff8a0`01195130 04 00 00 00 bb bb bb bb-00 00 00 00 02 00 00 00 ................
fffff8a0`01195140 00 00 00 00 bb bb bb bb ........
--- cut ---

It is not clear if any special privileges need to be held to access the data leaked by msrpc.sys. In our case, the process reading from the ALPC port was svchost.exe, but we suspect that more restricted processes could access the affected functionality, too. We are leaving it up to the vendor to determine if the leak can be triggered within the context of a regular system user.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.



Found by: mjurczyk

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

August 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    19 Files
  • 2
    Aug 2nd
    17 Files
  • 3
    Aug 3rd
    16 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    1 Files
  • 6
    Aug 6th
    19 Files
  • 7
    Aug 7th
    15 Files
  • 8
    Aug 8th
    9 Files
  • 9
    Aug 9th
    7 Files
  • 10
    Aug 10th
    10 Files
  • 11
    Aug 11th
    1 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    14 Files
  • 14
    Aug 14th
    18 Files
  • 15
    Aug 15th
    38 Files
  • 16
    Aug 16th
    5 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close