Vulnerabilities > CVE-2017-0058 - Information Exposure vulnerability in Microsoft products
Attack vector
LOCAL Attack complexity
MEDIUM Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
NONE Availability impact
NONE Summary
A Win32k information disclosure vulnerability exists in Microsoft Windows when the win32k component improperly provides kernel information. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system, aka "Win32k Information Disclosure Vulnerability."
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Subverting Environment Variable Values The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
- Footprinting An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
- Exploiting Trust in Client (aka Make the Client Invisible) An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
- Browser Fingerprinting An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
- Session Credential Falsification through Prediction This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
Exploit-Db
description | Microsoft Windows Kernel win32k.sys - Multiple Bugs in the NtGdiGetDIBitsInternal System Call. CVE-2017-0058. Dos exploit for Windows platform. Tags: Denial ... |
file | exploits/windows/dos/41879.txt |
id | EDB-ID:41879 |
last seen | 2017-04-13 |
modified | 2017-04-13 |
platform | windows |
port | |
published | 2017-04-13 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/41879/ |
title | Microsoft Windows Kernel win32k.sys - Multiple Bugs in the NtGdiGetDIBitsInternal System Call |
type | dos |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS17_APR_4015221.NASL description The remote Windows 10 Version 1507 host is missing security update KB4015221. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the open-source libjpeg image processing library due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to disclose sensitive information that can be utilized to bypass ASLR security protections. (CVE-2013-6629) - An information disclosure vulnerability exists in the win32k component due to improper handling of kernel information. A local attacker can exploit these vulnerabilities, via a specially crafted application, to disclose sensitive information. (CVE-2017-0058) - A privilege escalation vulnerability exists in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0156) - A flaw exists in the VBScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website or open a specially crafted document file, to execute arbitrary code. (CVE-2017-0158) - A privilege escalation vulnerability exists in the Microsoft .NET framework due to improper validation of input when loading libraries. A local attacker can exploit this to gain elevated privileges. (CVE-2017-0160) - Multiple flaws exist in Windows Hyper-V Network Switch due to improper validation of input from the guest operating system. A local attacker can exploit these, via a specially crafted application on the guest, to execute arbitrary code on the host system. (CVE-2017-0162, CVE-2017-0163) - A privilege escalation vulnerability exists due to improper sanitization of handles stored in memory. A local attacker can exploit this to gain elevated privileges. (CVE-2017-0165) - A flaw exists in LDAP due to buffer request lengths not being properly calculated. An unauthenticated, remote attacker can exploit this, via specially crafted traffic sent to a Domain Controller, to run processes with elevated privileges. (CVE-2017-0166) - A flaw exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0167) last seen 2020-06-01 modified 2020-06-02 plugin id 99287 published 2017-04-11 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99287 title KB4015221: Windows 10 Version 1507 April 2017 Cumulative Update NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS17_APR_4015549.NASL description The remote Windows host is missing security update 4015546 or cumulative update 4015549. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the open-source libjpeg image processing library due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to disclose sensitive information that can be utilized to bypass ASLR security protections. (CVE-2013-6629) - An information disclosure vulnerability exists in the win32k component due to improper handling of kernel information. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0058) - Multiple privilege escalation vulnerabilities exist in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0155, CVE-2017-0156) - A flaw exists in the VBScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website or open a specially crafted document file, to execute arbitrary code. (CVE-2017-0158) - Multiple flaws exist in Windows Hyper-V Network Switch due to improper validation of input from the guest operating system. A local attacker can exploit these, via a specially crafted application on the guest, to execute arbitrary code on the host system. (CVE-2017-0163, CVE-2017-0180) - A flaw exists in LDAP due to buffer request lengths not being properly calculated. An unauthenticated, remote attacker can exploit this, via specially crafted traffic sent to a Domain Controller, to run processes with elevated privileges. (CVE-2017-0166) - An information disclosure vulnerability exists in Windows Hyper-V Network Switch due to improper validation of user-supplied input. A guest attacker can exploit this to disclose sensitive information on the host server. (CVE-2017-0168) - Multiple denial of service vulnerabilities exist in Windows Hyper-V Network Switch due to improper validation of input from the guest operating system. A local attacker on the guest can exploit these vulnerabilities, via a specially crafted application, to crash the host system. (CVE-2017-0182, CVE-2017-0183) - A denial of service vulnerability exists in Hyper-V due to improper validation of input from a privileged user on a guest operating system. A local attacker on the guest can exploit this, via a specially crafted application, to cause the host system to crash. (CVE-2017-0184) - A flaw exists in Windows due to improper handling of objects in memory that allows an attacker to cause a denial of service condition. (CVE-2017-0191) - An information disclosure vulnerability exists in the Adobe Type Manager Font Driver (ATMFD.dll) due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted document or visit a malicious web page, to disclose sensitive information. (CVE-2017-0192) - An arbitrary code execution vulnerability exists in Microsoft Office and Windows WordPad due to improper handling of specially crafted files. An unauthenticated, remote attacker can exploit this, by convincing a user to open a malicious file, to execute arbitrary code in the context of the current user. Note that this vulnerability is being utilized to spread the Petya ransomware. (CVE-2017-0199) - A memory corruption issue exists in Internet Explorer due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website, to execute arbitrary code. (CVE-2017-0202) - A privilege escalation vulnerability exists in Internet Explorer due to a failure to properly enforce cross-domain policies. An unauthenticated, remote attacker can exploit this to inject arbitrary content and gain elevated privileges. (CVE-2017-0210) last seen 2020-06-01 modified 2020-06-02 plugin id 99304 published 2017-04-12 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99304 title Windows 7 and Windows 2008 R2 April 2017 Security Updates (Petya) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS17_APR_4015195.NASL description The remote Windows host is missing a security update KB4015195. It is, therefore, affected by multiple vulnerabilities: - An information disclosure vulnerability in the win32k component due to improper handling of kernel information. A local attacker can exploit this, via a specially crafted application,to disclose sensitive information. (CVE-2017-0058) - An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. (CVE-2017-0155) last seen 2020-06-01 modified 2020-06-02 plugin id 99307 published 2017-04-12 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/99307 title KB4015195: Security Update for the Win32k Information Disclosure Vulnerability (April 2017) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS17-APR_4015551.NASL description The remote Windows host is missing security update 4015548 or cumulative update 4015551. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the open-source libjpeg image processing library due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to disclose sensitive information that can be utilized to bypass ASLR security protections. (CVE-2013-6629) - An information disclosure vulnerability exists in Windows DirectShow due to improper handling of objects in memory. Any unauthenticated, remote attacker can exploit this, by convincing a user to visit a website with specially crafted media content, to disclose sensitive information. (CVE-2017-0042) - Multiple information disclosure vulnerabilities exist in the win32k component due to improper handling of kernel information. A local attacker can exploit these vulnerabilities, via a specially crafted application, to disclose sensitive information. (CVE-2017-0058, CVE-2017-0188) - Multiple flaws exist in Windows Hyper-V Network Switch due to improper validation of input from the guest operating system. A local attacker can exploit these, via a specially crafted application on the guest, to execute arbitrary code on the host system. (CVE-2017-0163, CVE-2017-0180) - A flaw exists in LDAP due to buffer request lengths not being properly calculated. An unauthenticated, remote attacker can exploit this, via specially crafted traffic sent to a Domain Controller, to run processes with elevated privileges. (CVE-2017-0166) - Multiple information disclosure vulnerabilities exist in Windows Hyper-V Network Switch due to improper validation of user-supplied input. A guest attacker can exploit these to disclose sensitive information on the host server. (CVE-2017-0168, CVE-2017-0169) - Multiple denial of service vulnerabilities exist in Windows Hyper-V Network Switch due to improper validation of input from the guest operating system. A local attacker on the guest can exploit these vulnerabilities, via a specially crafted application, to crash the host system. (CVE-2017-0182, CVE-2017-0183, CVE-2017-0185, CVE-2017-0186) - Multiple denial of service vulnerabilities exist in Hyper-V due to improper validation of input from a privileged user on a guest operating system. A local attacker on the guest can exploit these, via a specially crafted application, to cause the host system to crash. (CVE-2017-0184) - A flaw exists in Windows due to improper handling of objects in memory that allows an attacker to cause a denial of service condition. (CVE-2017-0191) - An information disclosure vulnerability exists in the Adobe Type Manager Font Driver (ATMFD.dll) due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted document or visit a malicious web page, to disclose sensitive information. (CVE-2017-0192) - An arbitrary code execution vulnerability exists in Microsoft Office and Windows WordPad due to improper handling of specially crafted files. An unauthenticated, remote attacker can exploit this, by convincing a user to open a malicious file, to execute arbitrary code in the context of the current user. Note that this vulnerability is being utilized to spread the Petya ransomware. (CVE-2017-0199) - A memory corruption issue exists in Internet Explorer in the JScript and VBScript engines due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website, to execute arbitrary code. (CVE-2017-0201) - A privilege escalation vulnerability exists in Internet Explorer due to a failure to properly enforce cross-domain policies. An unauthenticated, remote attacker can exploit this to inject arbitrary content and gain elevated privileges. (CVE-2017-0210) - A privilege escalation vulnerability exists in Microsoft Windows OLE due to an unspecified failure in integrity-level checks. An authenticated, remote attacker can exploit this to run an application with limited privileges at a medium integrity level. Note that this vulnerability by itself does not allow arbitrary code execution but can be used in conjunction other vulnerabilities. (CVE-2017-0211) last seen 2020-06-01 modified 2020-06-02 plugin id 99285 published 2017-04-11 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99285 title Windows Server 2012 April 2017 Security Updates (Petya) NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS17_APR_4015583.NASL description The remote Windows 10 version 1703 host is missing security update KB4015583. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the open-source libjpeg image processing library due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to disclose sensitive information that can be utilized to bypass ASLR security protections. (CVE-2013-6629) - Multiple information disclosure vulnerabilities exist in the win32k component due to improper handling of kernel information. A local attacker can exploit these vulnerabilities, via a specially crafted application, to disclose sensitive information. (CVE-2017-0058, CVE-2017-0188) - A remote code execution vulnerability exists in Microsoft Edge due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website, to execute arbitrary code. (CVE-2017-0093) - A privilege escalation vulnerability exists in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0156) - A flaw exists in the VBScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website or open a specially crafted document file, to execute arbitrary code. (CVE-2017-0158) - A security feature bypass vulnerability exists in ADFS due to incorrectly treating requests from Extranet clients as Intranet requests. An unauthenticated, remote attacker can exploit this to bypass account lockout protection mechanisms and more easily gain access to a user last seen 2020-06-01 modified 2020-06-02 plugin id 99288 published 2017-04-11 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99288 title KB4015583: Windows 10 Version 1703 April 2017 Cumulative Update NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS17_APR_4015217.NASL description The remote Windows 10 host is missing security update KB4015217. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the open-source libjpeg image processing library due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to disclose sensitive information that can be utilized to bypass ASLR security protections. (CVE-2013-6629) - Multiple information disclosure vulnerabilities exist in the win32k component due to improper handling of kernel information. A local attacker can exploit these, via a specially crafted application, to disclose sensitive information. (CVE-2017-0058, CVE-2017-0188) - A privilege escalation vulnerability exists in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0156) - A flaw exists in the VBScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website or open a specially crafted document file, to execute arbitrary code. (CVE-2017-0158) - A security feature bypass vulnerability exists in ADFS due to incorrectly treating requests from Extranet clients as Intranet requests. An unauthenticated, remote attacker can exploit this to bypass account lockout protection mechanisms and more easily gain access to a user last seen 2020-06-01 modified 2020-06-02 plugin id 99286 published 2017-04-11 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99286 title KB4015217: Windows 10 1607 April 2017 Cumulative Update NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS17_APR_4015550.NASL description The remote Windows host is missing security update 4015547 or cumulative update 4015550. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the open-source libjpeg image processing library due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to disclose sensitive information that can be utilized to bypass ASLR security protections. (CVE-2013-6629) - Multiple information disclosure vulnerabilities exist in the win32k component due to improper handling of kernel information. A local attacker can exploit these vulnerabilities, via a specially crafted application, to disclose sensitive information. (CVE-2017-0058, CVE-2017-0188) - A privilege escalation vulnerability exists in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0156) - A flaw exists in the VBScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website or open a specially crafted document file, to execute arbitrary code. (CVE-2017-0158) - A security feature bypass vulnerability exists in ADFS due to incorrectly treating requests from Extranet clients as Intranet requests. An unauthenticated, remote attacker can exploit this to bypass account lockout protection mechanisms and more easily gain access to a user last seen 2020-06-01 modified 2020-06-02 plugin id 99312 published 2017-04-12 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99312 title Windows 8.1 and Windows Server 2012 R2 April 2017 Security Updates NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS17_APR_4015219.NASL description The remote Windows 10 version 1511 host is missing security update KB4015219. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists in the open-source libjpeg image processing library due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to disclose sensitive information that can be utilized to bypass ASLR security protections. (CVE-2013-6629) - Multiple information disclosure vulnerabilities exist in the win32k component due to improper handling of kernel information. A local attacker can exploit these vulnerabilities, via a specially crafted application, to disclose sensitive information. (CVE-2017-0058, CVE-2017-0188) - A remote code execution vulnerability exists in Microsoft Edge due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website, to execute arbitrary code. (CVE-2017-0093) - A privilege escalation vulnerability exists in the Microsoft Graphics Component due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code with elevated privileges. (CVE-2017-0156) - A flaw exists in the VBScript engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website or open a specially crafted document file, to execute arbitrary code. (CVE-2017-0158) - A privilege escalation vulnerability exists in the Microsoft .NET framework due to improper validation of input when loading libraries. A local attacker can exploit this to gain elevated privileges. (CVE-2017-0160) - Multiple flaws exist in Windows Hyper-V Network Switch due to improper validation of input from the guest operating system. A local attacker can exploit these, via a specially crafted application on the guest, to execute arbitrary code on the host system. (CVE-2017-0162, CVE-2017-0163, CVE-2017-0180, CVE-2017-0181) - A privilege escalation vulnerability exists due to improper sanitization of handles stored in memory. A local attacker can exploit this to gain elevated privileges. (CVE-2017-0165) - A flaw exists in LDAP due to buffer request lengths not being properly calculated. An unauthenticated, remote attacker can exploit this, via specially crafted traffic sent to a Domain Controller, to run processes with elevated privileges. (CVE-2017-0166) - A flaw exists in the Windows kernel due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to disclose sensitive information. (CVE-2017-0167) - Multiple denial of service vulnerabilities exist in Hyper-V due to improper validation of input from a privileged user on a guest operating system. A local attacker on the guest can exploit these, via a specially crafted application, to cause the host system to crash. (CVE-2017-0178, CVE-2017-0179, CVE-2017-0184) - Multiple denial of service vulnerabilities exist in Windows Hyper-V Network Switch due to improper validation of input from the guest operating system. A local attacker on the guest can exploit these vulnerabilities, via a specially crafted application, to crash the host system. (CVE-2017-0182, CVE-2017-0183, CVE-2017-0185, CVE-2017-0186) - A privilege escalation vulnerability exists in the Windows kernel-mode driver due to improper handling of objects in memory. A local attacker can exploit this, via a specially crafted application, to execute arbitrary code in kernel mode. (CVE-2017-0189) - A flaw exists in Windows due to improper handling of objects in memory that allows an attacker to cause a denial of service condition. (CVE-2017-0191) - An information disclosure vulnerability exists in the Adobe Type Manager Font Driver (ATMFD.dll) due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this, by convincing a user to open a specially crafted document or visit a malicious web page, to disclose sensitive information. (CVE-2017-0192) - A memory corruption issue exists in Internet Explorer due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website, to execute arbitrary code. (CVE-2017-0202) - A security feature bypass vulnerability exists in Microsoft Edge due to improper handling of CSP documents. An unauthenticated, remote attacker can exploit this, via a specially crafted CSP document, to bypass security features. (CVE-2017-0203) - A memory corruption issue exists in Microsoft Edge due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, by convincing a user to visit a malicious website, to execute arbitrary code. (CVE-2017-0205) - An information disclosure vulnerability exists in Microsoft Edge in the Chakra scripting engine due to improper handling of objects in memory. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-0208) - A privilege escalation vulnerability exists in Internet Explorer due to a failure to properly enforce cross-domain policies. An unauthenticated, remote attacker can exploit this to inject arbitrary content and gain elevated privileges. (CVE-2017-0210) - A privilege escalation vulnerability exists in Microsoft Windows OLE due to an unspecified failure in integrity-level checks. An authenticated, remote attacker can exploit this to run an application with limited privileges at a medium integrity level. Note that this vulnerability by itself does not allow arbitrary code execution but can be used in conjunction other vulnerabilities. (CVE-2017-0211) last seen 2020-06-01 modified 2020-06-02 plugin id 99282 published 2017-04-11 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99282 title KB4015219: Windows 10 Version 1511 April 2017 Cumulative Update
Seebug
bulletinFamily | exploit |
description | We have discovered two bugs in the implementation of the win32k!NtGdiGetDIBitsInternal system call, which is a part of the graphic subsystem in all modern versions of Windows. The issues can potentially lead to kernel pool memory disclosure (bug #1) or denial of service (bug #1 and #2). Under certain circumstances, memory corruption could also be possible. ----------[ Double-fetch while handling the BITMAPINFOHEADER structure ]---------- At the beginning of the win32k!NtGdiGetDIBitsInternal system call handler, the code references the BITMAPINFOHEADER structure (and specifically its .biSize field) several times, in order to correctly calculate its size and capture it into kernel-mode memory. A pseudo-code representation of the relevant code is shown below, where "bmi" is a user-controlled address: ``` --- cut --- ProbeForRead(bmi, 4, 1); ProbeForWrite(bmi, bmi->biSize, 1); <------------ Fetch #1 header_size = GreGetBitmapSize(bmi); <----------- Fetch #2 captured_bmi = Alloc(header_size); ProbeForRead(bmi, header_size, 1); memcpy(captured_bmi, bmi, header_size); <-------- Fetch #3 new_header_size = GreGetBitmapSize(bmi); if (header_size != new_header_size) { // Bail out. } // Process the data further. --- cut --- ``` In the snippet above, we can see that the user-mode "bmi" buffer is accessed thrice: when accessing the biSize field, in the GreGetBitmapSize() call, and in the final memcpy() call. While this is clearly a multi-fetch condition, it is mostly harmless: since there is a ProbeForRead() call for "bmi", it must be a user-mode address, so bypassing the subsequent ProbeForWrite() call by setting bmi->biSize to 0 doesn't change much. Furthermore, since the two results of the GreGetBitmapSize() calls are eventually compared, introducing any inconsistencies in between them is instantly detected. As far as we are concerned, the only invalid outcome of the behavior could be read access to out-of-bounds pool memory in the second GreGetBitmapSize() call. This is achieved in the following way: 1. Invoke NtGdiGetDIBitsInternal with a structure having the biSize field set to 12 (sizeof(BITMAPCOREHEADER)). 2. The first call to GreGetBitmapSize() now returns 12 or a similar small value. 3. This number of bytes is allocated for the header buffer. 4. (In a second thread) Change the value of the biSize field to 40 (sizeof(BITMAPINFOHEADER)) before the memcpy() call. 5. memcpy() copies the small structure (with incorrectly large biSize) into the pool allocation. 6. When called again, the GreGetBitmapSize() function assumes that the biSize field is set adequately to the size of the corresponding memory area (untrue), and attempts to access structure fields at offsets greater than 12. The bug is easiest to reproduce with Special Pools enabled for win32k.sys, as the invalid memory read will then be reliably detected and will yield a system bugcheck. An excerpt from a kernel crash log triggered using the bug in question is shown below: ``` --- cut --- DRIVER_PAGE_FAULT_BEYOND_END_OF_ALLOCATION (d6) N bytes of memory was allocated and more than N bytes are being referenced. This cannot be protected by try-except. When possible, the guilty driver's name (Unicode string) is printed on the bugcheck screen and saved in KiBugCheckDriver. Arguments: Arg1: fe3ff008, memory referenced Arg2: 00000000, value 0 = read operation, 1 = write operation Arg3: 943587f1, if non-zero, the address which referenced memory. Arg4: 00000000, (reserved) Debugging Details: ------------------ [...] TRAP_FRAME: 92341b1c -- (.trap 0xffffffff92341b1c) ErrCode = 00000000 eax=fe3fefe8 ebx=00000000 ecx=00000000 edx=00000028 esi=00000004 edi=01240000 eip=943587f1 esp=92341b90 ebp=92341b98 iopl=0 nv up ei pl zr na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246 win32k!GreGetBitmapSize+0x34: 943587f1 8b7820 mov edi,dword ptr [eax+20h] ds:0023:fe3ff008=???????? Resetting default scope LAST_CONTROL_TRANSFER: from 816f9dff to 816959d8 STACK_TEXT: 9234166c 816f9dff 00000003 09441320 00000065 nt!RtlpBreakWithStatusInstruction 923416bc 816fa8fd 00000003 00000000 00000002 nt!KiBugCheckDebugBreak+0x1c 92341a80 816a899d 00000050 fe3ff008 00000000 nt!KeBugCheck2+0x68b 92341b04 8165af98 00000000 fe3ff008 00000000 nt!MmAccessFault+0x104 92341b04 943587f1 00000000 fe3ff008 00000000 nt!KiTrap0E+0xdc 92341b98 9434383e fe3fefe8 00000000 067f9cd5 win32k!GreGetBitmapSize+0x34 92341c08 81657db6 00000000 00000001 00000000 win32k!NtGdiGetDIBitsInternal+0x17f 92341c08 011d09e1 00000000 00000001 00000000 nt!KiSystemServicePostCall [...] --- cut --- ``` The out-of-bounds data read by GreGetBitmapSize() could then be extracted back to user-mode to some degree, which could help disclose sensitive data or defeat certain kernel security mitigations (such as kASLR). Attached is a PoC program for Windows 7 32-bit (double_fetch_oob_read.cpp). ----------[ Unhandled out-of-bounds write to user-mode memory when requesting RLE-compressed bitmaps ]---------- The 5th parameter of the NtGdiGetDIBitsInternal syscall is a pointer to an output buffer where the bitmap data should be written to. The length of the buffer is specified in the 8th parameter, and can be optionally 0. The logic of sanitizing and locking the memory area is shown below ("Buffer" is the 5th argument and "Length" is the 8th). ``` --- cut --- if (Length != 0 || (Length = GreGetBitmapSize(bmi)) != 0) { ProbeForWrite(Buffer, Length, 4); MmSecureVirtualMemory(Buffer, Length, PAGE_READWRITE); } --- cut --- ``` We can see that if the "Length" argument is non-zero, it is prioritized over the result of GreGetBitmapSize() in specifying how many bytes of the user-mode output buffer should be locked in memory as readable/writeable. Since the two calls above are supposed to guarantee that the required user-mode memory region will be accessible until it is unlocked, the call to the GreGetDIBitsInternal() function which actually fills the buffer with data is not guarded with a try/except block. However, if we look into GreGetDIBitsInternal() and further into GreGetDIBitsInternalWorker(), we can see that if a RLE-compressed bitmap is requested by the user (as indicated by bmi.biCompression set to BI_RLE[4,8]), the internal EncodeRLE4() and EncodeRLE8() routines are responsible for writing the output data. The legal size of the buffer is passed through the functions' 5th parameter (last one), and is always set to bmi.biSizeImage. This creates a discrepancy: a different number of bytes is ensured to be present in memory (Length), and a different number can be actually written to it (bmi.biSizeImage). Due to the lack of exception handling in this code area, the resulting exception causes a system-wide bugcheck: ``` --- cut --- KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e) This is a very common bugcheck. Usually the exception address pinpoints the driver/function that caused the problem. Always note this address as well as the link date of the driver/image that contains this address. Some common problems are exception code 0x80000003. This means a hard coded breakpoint or assertion was hit, but this system was booted /NODEBUG. This is not supposed to happen as developers should never have hardcoded breakpoints in retail code, but ... If this happens, make sure a debugger gets connected, and the system is booted /DEBUG. This will let us see why this breakpoint is happening. Arguments: Arg1: c0000005, The exception code that was not handled Arg2: 9461564b, The address that the exception occurred at Arg3: 9d0539a0, Trap Frame Arg4: 00000000 Debugging Details: ------------------ [...] TRAP_FRAME: 9d0539a0 -- (.trap 0xffffffff9d0539a0) ErrCode = 00000002 eax=00291002 ebx=00291000 ecx=00000004 edx=fe9bb1c1 esi=00000064 edi=fe9bb15c eip=9461564b esp=9d053a14 ebp=9d053a40 iopl=0 nv up ei ng nz ac pe cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010297 win32k!EncodeRLE8+0x1ac: 9461564b c60300 mov byte ptr [ebx],0 ds:0023:00291000=?? Resetting default scope [...] STACK_TEXT: 9d052f5c 8172adff 00000003 17305ce1 00000065 nt!RtlpBreakWithStatusInstruction 9d052fac 8172b8fd 00000003 9d0533b0 00000000 nt!KiBugCheckDebugBreak+0x1c 9d053370 8172ac9c 0000008e c0000005 9461564b nt!KeBugCheck2+0x68b 9d053394 817002f7 0000008e c0000005 9461564b nt!KeBugCheckEx+0x1e 9d053930 81689996 9d05394c 00000000 9d0539a0 nt!KiDispatchException+0x1ac 9d053998 8168994a 9d053a40 9461564b badb0d00 nt!CommonDispatchException+0x4a 9d053a40 944caea9 fe9bb1c1 ff290ffc 00000064 nt!KiExceptionExit+0x192 9d053b04 944e8b09 00000028 9d053b5c 9d053b74 win32k!GreGetDIBitsInternalWorker+0x73e 9d053b7c 944d390f 0c0101fb 1f050140 00000000 win32k!GreGetDIBitsInternal+0x21b 9d053c08 81688db6 0c0101fb 1f050140 00000000 win32k!NtGdiGetDIBitsInternal+0x250 9d053c08 00135ba6 0c0101fb 1f050140 00000000 nt!KiSystemServicePostCall [...] --- cut --- ``` While the size of the buffer passed to EncodeRLE[4,8] can be arbitrarily controlled through bmi.biSizeImage (32-bit field), it doesn't enable an attacker to corrupt kernel-mode memory, as the memory writing takes place sequentially from the beginning to the end of the buffer. Furthermore, since the code in NtGdiGetDIBitsInternal() makes sure that the buffer size passed to ProbeForWrite() is >= 1, its base address must reside in user space. As such, this appears to be a DoS issue only, if we haven't missed anything in our analysis. Attached is a PoC program for Windows 7 32-bit (usermode_oob_write.cpp), and a bitmap file necessary for the exploit to work (test.bmp). 附件: [double_fetch_oob_read.cpp](https://bugs.chromium.org/p/project-zero/issues/attachment?aid=266398) [usermode_oob_write.cpp](https://bugs.chromium.org/p/project-zero/issues/attachment?aid=266399) [test.bmp](https://bugs.chromium.org/p/project-zero/issues/attachment?aid=266400) |
id | SSV:92947 |
last seen | 2017-11-19 |
modified | 2017-04-14 |
published | 2017-04-14 |
reporter | Root |
title | Windows Kernel win32k.sys multiple bugs in the NtGdiGetDIBitsInternal system call (CVE-2017-0058) |