Windows Kernel APC Data-Free Local Privilege Escalation Vulnerability Release Date: December 13, 2005 Date Reported: May 23, 2005 External Refferences: eEye ID# EEYEB-20050523 OSVDB ID# 18823 CVE # CAN-2005-2827 Microsoft # MS05-055 Severity: Medium (Local Privilege Escalation to Kernel) Systems Affected: Windows NT 4.0 Windows 2000 Overview: eEye Digital Security has discovered a local privilege escalation vulnerability in the Windows kernel that could allow any code executing on a Windows NT 4.0 or Windows 2000 system to elevate itself to the highest possible local privilege level (kernel). For example, a malicious user, network worm, or e-mail virus could take advantage of this vulnerability in order to completely compromise the vulnerable system on which the exploit code is executing, regardless of that code's original privilege level. The vulnerability exists in the thread termination routine contained within NTOSKRNL.EXE. Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a "data free" vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly. Technical Details: The basis of this vulnerability is in PspExitThread's APC freeing loop and in the behavior of KiMoveApcState, invoked from KiAttachProcess and KeUnstackDetachProcess. We'll give a description of the problem below, followed by a "call flow" illustration to outline the specific sequence of events. When a thread is exiting, PspExitThread will detach the thread's APC queues from ETHREAD.ApcState.ApcListHead[0] and ApcListHead[1], so that each queue is now a circular, doubly-linked list in which the first and last nodes do not point back to the list head (LIST_ENTRY structure). However, since the list heads' pointers are not modified, the purpose is presumably just to allow the APC freeing loop within PspExitThread to walk each list and free its nodes, without navigating back to the list head and erroneously attempting to free memory within the ETHREAD structure. Of course, the vulnerability is that this can be made to happen, and the result is a "data free" condition that eventually causes ExFreePoolWithTag to operate on user memory. APCs queued by an external process count against that process's pool quota, and therefore the quota block of the pool block containing the APC structure has a reference to the queuing process. If the exiting thread contains an APC queued by a now-terminated external process in its lists, and if that APC node represents the last reference to the process's Process object, then freeing that node will cause the Process object to be destroyed from within ExFreePoolWithTag. Part of this sequence involves executing PspProcessDelete, which switches to the ending process's address space using KeStackAttachProcess, calls PspExitProcess, and then reverses the switch with KeUnstackDetachProcess. Both the "attach" and "detach" functions call KiMoveApcState, which is intended to temporarily strip the thread of its APCs so that none are dispatched in an address space for which they were not intended, then re-link the list of APCs after the thread's native address space is reinstated. During attach, the ETHREAD.ApcState structure is duplicated, and the pointers of the lists' first and last nodes are adjusted to refer to the copy. Upon detach, the first and last nodes' pointers are adjusted to re-link the lists to the original ETHREAD.ApcState -- even though they were supposed to remain disconnected, since the APC free loop is still in progress. The end result is that the free loop will continue and attempt to free a portion of the ETHREAD structure as though it were a pool block header, culminating in the kernel operating on attacker-supplied pointers from user-land memory, because the accessed portion of ETHREAD contains predictable and mostly zeroed values. The following depicts the sequence of function calls and parameters involved in producing the vulnerable condition: . PspExitThread . . KeFlushQueueApc . . (detaches APC queues from ETHREAD.ApcState.ApcListHead) . . (APC free loop begins) . . ExFreePool(1st_APC -- queued by exited_process) . . . ExFreePoolWithTag(1st_APC) . . . . ObfDereferenceObject(exited_process) . . . . . ObpRemoveObjectRoutine . . . . . . PspProcessDelete . . . . . . . KeStackAttachProcess(exited_process) . . . . . . . . KiAttachProcess . . . . . . . . . KiMoveApcState(ETHREAD.ApcState --> duplicate) . . . . . . . . . KiSwapProcess . . . . . . . PspExitProcess(0) . . . . . . . KeUnstackDetachProcess . . . . . . . . KiMoveApcState(duplicate --> ETHREAD.ApcState) . . . . . . . . KiSwapProcess . . ExFreePool(2nd_APC) . . ExFreePool(ETHREAD + 30h) . . (APC free loop ends) The ETHREAD data upon which ExFreePool is called is mostly predictable, KernelStack at offset +28h being the single true variable; however, methods for leaking a thread's kernel ESP permit complete control over the path execution will take through ExFreePoolWithTag. With enough crafting, an arbitrary function pointer can be supplied as an object type method, allowing execution to be hijacked directly. Beginning with Windows XP, KeFlushQueueApc contains a code fix that resolves this vulnerability. Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Vendor Status: Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS05-055.mspx Credit: Derek Soeder Greetings: Dedicated to R. W. S., Sr. 1928 - 2005 >>From my father to his: "He was a good man; liked by all, loved by many. He was always upbeat, outgoing and loved to kid around. He was always willing to help others in their time of need and gave a lot of himself. He was very creative, handy with tools, and could fix about anything. He was the one everyone turned to for advice and direction. He was my father, and I miss him dearly." Copyright (c) 1998-2005 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/