ANALYSIS OF A WIN32K NULL POINTER DEREFERENCE BY MATCHING THE MAY PATCH

Microsoft shipped and fixed four win32k kernel Escalation of Privilege vulnerabilities in the May security bulletin. This article will discover and analyze one of these vulnerabilities caused by a null pointer dereference fixed by the patch program, and will finally attempt to implement its proof and exploitation code. The analyzing and debugging process will take place in a virtual machine of Windows 7 x86 SP1 basic environment.

To avoid attacks from exploiting this vulnerability, users who are using Windows operating system must install the latest official security updates as soon as possible.

0x0 Abstract

This article discovers and analyzes a kernel Escalation of Privilege vulnerability caused by a null pointer dereference in the win32k kernel module by matching the patch. According to the information released by FortiGuard Labs, the bug is CVE-2018-8120 that was fixed in the May patch. The vulnerability exists in the kernel function SetImeInfoEx. In the case where the pointer field spklList of the target window station has not been validated, the function directly reads the memory address pointed to by the field.

It is possible that the value of field spklList of window station tagWINDOWSTATION object reaches 0. If an user process creates a window station whose filed spklList points to NULL address, and associates the window station with the current process, at the time when calling system service NtUserSetImeInfoEx to set extended IME information, the kernel function SetImeInfoEx would access the memory in zero page which is located in the user address space. The operation of the function will cause the page fault exception, resulting in the occurrence of the system BSOD.

If the exploitation code in the user process allocates zero page memory in advance, to make the zero page mapped, and crafts some fake kernel objects in the zero page, the data in the zero page will be mistaken for a correct keyboard layout tagKL node object by the kernel function, which implements the arbitrary address writing primitive. Using the implemented writing primitive to override the function pointer field of a particular kernel object (such as tagWND), or to modify the relevant flag bits that represent kernel mode or user mode execution, the ability of arbitrary code execution is then implemented, the kernel Escalation of Privilege is achieved ultimately as well.

continue reading the original article at xiaodaozhi.com

Leave a Reply

Your email address will not be published. Required fields are marked *