NT Internals

2008-09-04
Pointers and Handles - A Story of Unchecked Assumptions in the Windows Kernel

At Black Hat last month, Alex Ionescu presented several vulnerabilities discovered in Win32k.sys. In the first part of the presentation he discussed a couple of unchecked pointer dereferences. In the second (and main) part he discussed user-mode accessible handles and the incorrect usage of Nt/Zw APIs when dealing with user-mode data. Alex wrote that calling NtUserGetThreadState or NtUserGetDCEx from the Client Server Runtime Process (csrss.exe) causes an immediate BSoD. But there is one more function that dereferences Win32ThreadInfo->Desktop: NtUserGetWindowDC.

I wrote three demonstration DoS exploits: one each for NtUserGetDCEx, NtUserGetWindowDC and NtUserCloseWindowStation. In the last one I used a different scenario than the one Alex Ionescu showed on his blog. First we look up the handle of the WindowStation, then set the ProtectFromClose attribute on it, and finally call NtUserCloseWindowStation.

References:
Black Hat 2008 Wrap-up

Exploits:
NtUserGetDCEx_DoS.zip - Local Denial of Service Exploit
NtUserGetWindowDC_DoS.zip - Local Denial of Service Exploit
NtUserCloseWindowStation_DoS.zip - Local Denial of Service Exploit

Looking for vulnerabilities in different drivers, I found one that allows any user to have the driver call ZwClose directly on an arbitrary handle by supplying a specially crafted IRP to the IOCTL handler function.


	...
	.text:00012572 @@ioctl_close_handle:
	.text:00012572                 cmp     dword ptr [eax+4], 210h        ; OutputBufferLength
	.text:00012579                 jb      @@invalid_buffer_size
	.text:0001257F                 mov     eax, [ebx+0Ch]                 ; SystemBuffer
	.text:00012582                 push    dword ptr [eax+208h]
	.text:00012588                 call    ds:ZwClose
	...
	

2008-09-21
DESlock+ - 3.2.7 (vdlptokn.sys) - Local Denial of Service Exploit

At the beginning of the year mu-b of digit-labs published information about a few serious vulnerabilities he had found in the drivers distributed with DESlock+ (DESLock+ IOCTL Request Local Code Execution and Denial of Service Vulnerabilities). Yesterday he posted further exploits on digit-labs to prove that the vulnerabilities still exist in the latest version of DESlock+. I decided to publish a sample DoS exploit for the vdlptokn.sys device driver. I hope that this time Data Encryption Systems will correct all of the vulnerabilities.

Exploit:
Vdlptoken_DoS.zip - Local Denial of Service Exploit


2008-10-01
ESET SysInspector - 1.1.1.0 (esiadrv.sys) Proof of Concept Exploit

ESET SysInspector is prone to a local privilege escalation vulnerability that could be exploited by local users to execute arbitrary code with kernel privileges. The problem specifically exists within the IOCTL handling code in the esiadrv.sys (3.0.65535.0) device driver. The device driver fails to validate user-supplied addresses passed to IOCTLs; all IOCTLs are defined as METHOD_NEITHER. This is not a serious vulnerability, however, because the device driver is loaded and unloaded dynamically together with the GUI application.

	...
	.text:00012C3A @@ioctl_0x223C1F:
	.text:00012C3A                 mov     eax, [ebp+10h]                 ; InputBuffer
	.text:00012C3D                 cmp     eax, ebx
	.text:00012C3F                 jz      short @@jump
	.text:00012C41                 cmp     [ebp+14h], edi                 ; InputBufferLength
	.text:00012C44                 jnz     short @@jump
	.text:00012C46                 cmp     dword ptr [eax], 12345678h     ; InputBuffer[0] == 0x12345678 ?
	.text:00012C4C                 jnz     short @@jump
	.text:00012C4E                 push    offset aBsodCalled             ; "BSOD called\n"
	.text:00012C53                 call    DbgPrint
	.text:00012C58                 pop     ecx
	.text:00012C59                 push    0DEADDEADh
	.text:00012C5E                 call    ds:KeBugCheck
	.text:00012C64
	.text:00012C64 @@jump:
	.text:00012C64                 mov     esi, [ebp+18h]                 ; OutputBuffer
	.text:00012C67                 cmp     esi, ebx
	.text:00012C69                 jz      short @@invalid_parameter
	.text:00012C6B                 cmp     [ebp+1Ch], edi                 ; OutputBufferLength
	.text:00012C6E                 jb      short @@invalid_parameter
	.text:00012C70                 mov     [ebp+10h], ebx
	.text:00012C73                 lea     eax, [ebp+10h]
	.text:00012C76                 push    eax
	.text:00012C77                 push    dword ptr [ebp+28h]            ; DeviceObject
	.text:00012C7A                 call    sub_148EC
	.text:00012C7F                 mov     [ebp-1Ch], eax
	.text:00012C82                 mov     eax, [ebp+10h]
	.text:00012C85                 mov     [esi], eax                     ; OutputBuffer[0] - ?x????????
	.text:00012C87                 mov     [ebp-20h], edi
	.text:00012C8A                 jmp     short @@return
	...
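The ZwClose handler and the esiadrv.sys handler above share one root cause, so here is a single added example (my own user-mode C model, not code from this page or from either driver) of the checks a METHOD_NEITHER handler should make before using what it is given: probing the user buffers with the same contract as ProbeForRead/ProbeForWrite, and refusing to pass a user-supplied handle to ZwClose. MM_USER_PROBE_ADDRESS and KERNEL_HANDLE_BIT are assumed 32-bit x86 values.

```c
/* Added example, not code from the page or from the drivers it discusses:
 * a user-mode C model of the checks a METHOD_NEITHER IOCTL handler needs
 * before touching its user buffers or a handle from the request (x86 values assumed). */
#include <stdint.h>

#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u
#define STATUS_INVALID_PARAMETER     0xC000000Du
#define STATUS_BUFFER_TOO_SMALL      0xC0000023u
#define MM_USER_PROBE_ADDRESS        0x7FFF0000u  /* MmUserProbeAddress, x86 */
#define KERNEL_HANDLE_BIT            0x80000000u  /* kernel handles on x86 */

/* Same contract as ProbeForRead/ProbeForWrite: [addr, addr+len) must be
 * aligned, lie entirely below MmUserProbeAddress and must not wrap. */
uint32_t probe_user_range(uint32_t addr, uint32_t len, uint32_t align)
{
    if (len == 0) return STATUS_SUCCESS;            /* zero-length probe is fine */
    if (addr & (align - 1)) return STATUS_DATATYPE_MISALIGNMENT;
    if (addr >= MM_USER_PROBE_ADDRESS || addr + len < addr ||
        addr + len > MM_USER_PROBE_ADDRESS)
        return STATUS_ACCESS_VIOLATION;             /* kernel address or wrap */
    return STATUS_SUCCESS;
}

/* The esiadrv.sys handler with the checks its disassembly lacks: lengths are
 * validated before any dereference and both buffers are probed. A real driver
 * wraps the probes and the copies in __try/__except, since user pages can
 * still disappear after the probe. */
uint32_t ioctl_neither_checked(uint32_t in, uint32_t in_len,
                               uint32_t out, uint32_t out_len, uint32_t need)
{
    uint32_t st;
    if (in_len < need || out_len < need) return STATUS_BUFFER_TOO_SMALL;
    if ((st = probe_user_range(in, in_len, 4)) != STATUS_SUCCESS) return st;
    if ((st = probe_user_range(out, out_len, 4)) != STATUS_SUCCESS) return st;
    return STATUS_SUCCESS;   /* only now may the driver read in[0] / write out[0] */
}

/* A handle read from SystemBuffer must not go straight to ZwClose: with a
 * kernel previous mode the call closes kernel handles, and a protected or
 * invalid handle can bugcheck the machine. Reject kernel handles here; the
 * caller then closes with ObCloseHandle(h, UserMode) or not at all. */
uint32_t validate_user_handle(uint32_t h)
{
    if (h == 0 || (h & KERNEL_HANDLE_BIT))  /* also rejects the -1 pseudo handle */
        return STATUS_INVALID_PARAMETER;
    return STATUS_SUCCESS;
}
```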
	
Exploit:
Esiasdrv_DoS.zip - Local Denial of Service Exploit
Copyright © 2oo8-2oo9 NT Internals. All rights reserved.