CVE-2018-0810 - Improper Initialization vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Server 2012
Attack vector | LOCAL |
Attack complexity | HIGH |
Privileges required | LOW |
Confidentiality impact | HIGH |
Integrity impact | NONE |
Availability impact | NONE |
Summary
The Windows kernel in Windows 7 SP1, Windows Server 2008 SP2 and R2, and Windows Server 2012 allows an information disclosure vulnerability due to the way memory is initialized, aka "Windows Kernel Information Disclosure Vulnerability". This CVE is unique from CVE-2018-0757.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 4 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions: This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions: This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
Nessus
- NASL family: Windows : Microsoft Bulletins
- NASL id: SMB_NT_MS18_FEB_WIN2008.NASL
- description: The remote Windows host is missing security updates. It is, therefore, affected by multiple vulnerabilities:
  - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-0757, CVE-2018-0829, CVE-2018-0830)
  - An information disclosure vulnerability exists when VBScript improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user's computer or data. (CVE-2018-0847)
  - A remote code execution vulnerability exists in StructuredQuery when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0825)
  - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2018-0742, CVE-2018-0820)
  - A remote code execution vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could take control of an affected system. (CVE-2018-0842)
  - An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-0844, CVE-2018-0846)
  - An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-0810)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 106818
- published: 2018-02-14
- reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/106818
- title: Security Updates for Windows Server 2008 (February 2018)

- NASL family: Windows : Microsoft Bulletins
- NASL id: SMB_NT_MS18_FEB_4074593.NASL
- description: The remote Windows host is missing security update 4074589 or cumulative update 4074593. It is, therefore, affected by multiple vulnerabilities:
  - A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0866)
  - An information disclosure vulnerability exists when the Windows kernel improperly handles objects in memory. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-0757, CVE-2018-0829, CVE-2018-0830)
  - An information disclosure vulnerability exists when VBScript improperly discloses the contents of its memory, which could provide an attacker with information to further compromise the user's computer or data. (CVE-2018-0847)
  - A remote code execution vulnerability exists in StructuredQuery when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. (CVE-2018-0825)
  - An elevation of privilege vulnerability exists in the way that the Windows Kernel handles objects in memory. An attacker who successfully exploited the vulnerability could execute code with elevated permissions. (CVE-2018-0742, CVE-2018-0820)
  - A remote code execution vulnerability exists when Windows improperly handles objects in memory. An attacker who successfully exploited these vulnerabilities could take control of an affected system. (CVE-2018-0842)
  - An elevation of privilege vulnerability exists when the Windows Common Log File System (CLFS) driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could run processes in an elevated context. (CVE-2018-0844, CVE-2018-0846)
  - An information disclosure vulnerability exists in the way that the Microsoft Windows Embedded OpenType (EOT) font engine parses specially crafted embedded fonts. An attacker who successfully exploited this vulnerability could potentially read data that was not intended to be disclosed. Note that while this vulnerability would not allow an attacker to either execute code or to elevate user rights directly, it could be used to obtain information in an attempt to further compromise the affected system. (CVE-2018-0760)
  - A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. (CVE-2018-0840)
  - An information disclosure vulnerability exists when the Windows kernel fails to properly initialize a memory address. An attacker who successfully exploited this vulnerability could obtain information to further compromise the user's system. (CVE-2018-0810)
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 106799
- published: 2018-02-13
- reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/106799
- title: KB4074589: Windows Server 2012 February 2018 Security Update
Seebug
bulletinFamily | exploit |
description |

We have discovered that a user-mode callback invoked by the win32k!SfnINLPHELPINFOSTRUCT function (via KeUserModeCallback) leads to the disclosure of uninitialized stack memory to user-mode clients, due to compiler-introduced structure padding. The vulnerability affects Windows 7 64-bit; other versions of Windows have not been tested.

The act of copying uninitialized kernel memory has been detected under the following stack trace:

```
#0 0xfffff80002684830 ((00067830) ntoskrnl.exe!memcpy+00000000)
#1 0xfffff8000297dbf0 ((00360bf0) ntoskrnl.exe!KeUserModeCallback+000000a4)
#2 0xfffff9600018c282 ((0014c282) win32k.sys!SfnINLPHELPINFOSTRUCT+000001c2)
#3 0xfffff9600010e45b ((000ce45b) win32k.sys!xxxSendMessageToClient+000001f7)
#4 0xfffff9600010dca3 ((000cdca3) win32k.sys!xxxSendMessageTimeout+000002b6)
#5 0xfffff960001bb557 ((0017b557) win32k.sys!xxxSendHelpMessage+0000007f)
#6 0xfffff960000ec960 ((000ac960) win32k.sys!xxxRealDefWindowProc+00000700)
#7 0xfffff960000f3b54 ((000b3b54) win32k.sys!xxxWrapRealDefWindowProc+0000003c)
#8 0xfffff960000e5847 ((000a5847) win32k.sys!NtUserfnNCDESTROY+00000027)
#9 0xfffff960000f302e ((000b302e) win32k.sys!NtUserMessageCall+0000012e)
#10 0xfffff8000268d093 ((00070093) ntoskrnl.exe!KiSystemServiceCopyEnd+00000013)
```

At that point of execution, 0x88 bytes are copied from kernel to user-mode. The layout of the i/o structure passed down to the user-mode callback that we're seeing is as follows:

```
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000060: 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ................
00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00000080: 00 00 00 00 00 00 00 00 ?? ?? ?? ?? ?? ?? ?? ?? ................
```

Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values copied back to user-mode. As shown above, there are 4 bytes leaked at offsets 0x6c-0x6f. We have determined that these bytes originally come from a smaller structure of size 0x28, which is passed down to win32k!SfnINLPHELPINFOSTRUCT through the 4th argument, and copied into offset 0x60 of the overall memory area passed to ring-3.

More specifically, we have found that the nested structure is most likely of type HELPINFO, and the uninitialized bytes correspond to the 4 bytes of padding between the iCtrlId and hItemHandle fields, inserted by the compiler to align the latter to an 8-byte boundary.

```
typedef struct tagHELPINFO {
  UINT cbSize;
  int iContextType;
  int iCtrlId;
  HANDLE hItemHandle;
  DWORD dwContextId;
  POINT MousePos;
} HELPINFO, *LPHELPINFO;
```

The origin of the leaked bytes is the stack frame of the win32k!xxxSendHelpMessage function.

A proof-of-concept program is not provided for this issue, but it has been observed and confirmed at normal system runtime, and is quite evident in the code.

Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.

id | SSV:97141 |
last seen | 2018-02-25 |
modified | 2018-02-24 |
published | 2018-02-24 |
reporter | Root |
title | Windows Kernel 64-bit stack memory disclosure in win32k!SfnINLPHELPINFOSTRUCT (via user-mode callback)(CVE-2018-0810) |
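
The padding gap described in the Seebug entry, and the effect of zeroing the structure before filling it, can be reproduced in a user-mode model. This is an added example, not code from the report or from Windows: `helpinfo64`, `build_message` and `stale_bytes` are hypothetical names, the struct assumes an 8-byte, 8-aligned `HANDLE`, and the 0x88 / 0x60 sizes are taken from the description above.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the 64-bit HELPINFO layout quoted above (assumption: HANDLE is
   an 8-byte, 8-aligned value; fixed-width types let this build off Windows). */
typedef struct {
    uint32_t cbSize;
    int32_t  iContextType;
    int32_t  iCtrlId;                   /* ends at 0x0c */
    _Alignas(8) uint64_t hItemHandle;   /* starts at 0x10: 0x0c-0x0f is padding */
    uint32_t dwContextId;
    struct { int32_t x, y; } MousePos;  /* ends at 0x24: 0x24-0x27 is padding */
} helpinfo64;

enum { MSG_SIZE = 0x88, NESTED_OFF = 0x60, STALE = 0xff };

/* Offset and size of every named member; bytes outside these are padding. */
#define F(m) { offsetof(helpinfo64, m), sizeof(((helpinfo64 *)0)->m) }
static const struct { size_t off, len; } FIELDS[] = {
    F(cbSize), F(iContextType), F(iCtrlId), F(hItemHandle), F(dwContextId), F(MousePos)
};

/* Constructed model of the copy-out: 'frame' plays the sender's stack slot,
   pre-filled with STALE (ff) as leftover data; assigned members become 00. */
void build_message(unsigned char msg[MSG_SIZE], int zero_first) {
    unsigned char frame[sizeof(helpinfo64)];
    memset(frame, STALE, sizeof frame);
    if (zero_first)
        memset(frame, 0, sizeof frame);   /* hardened: clears padding as well */
    for (size_t i = 0; i < sizeof FIELDS / sizeof FIELDS[0]; i++)
        memset(frame + FIELDS[i].off, 0, FIELDS[i].len);  /* member-wise write */
    memset(msg, 0, MSG_SIZE);
    memcpy(msg + NESTED_OFF, frame, sizeof frame);
}

/* Count STALE bytes in the outgoing buffer; *first receives the lowest offset. */
size_t stale_bytes(const unsigned char *msg, size_t len, size_t *first) {
    size_t n = 0;
    *first = len;
    for (size_t i = len; i-- > 0; )
        if (msg[i] == STALE) { n++; *first = i; }
    return n;
}
```

With `zero_first` set to 0 the first stale byte lands at 0x6c, matching the dump; the model also flags the trailing padding at 0x84-0x87, which the dump above shows as initialized.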
References
- http://www.securityfocus.com/bid/102938
- http://www.securitytracker.com/id/1040373
- https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-0810