Just yesterday I had the pleasure of speaking at a highly hacking-oriented Russian conference, ZeroNights, for the second time (see my “ZeroNights slides, Hack In The Box Magazine #9 and other news” post from last year). The conference itself has been great so far – several interesting and inspiring talks, lots of leet Russian hackers and the Moscow atmosphere make it a truly unique event. The title of my talk was “Windows Kernel Trap Handler and NTVDM Vulnerabilities — Case Study”, and as the name suggests, it covered four vulnerabilities present in all 32-bit Windows kernels from Windows NT 3.1 through Windows 8/Server 2012, making them 20-year-old issues by now. Namely, the following problems were discussed:
- CVE-2013-3196 (nt!PushInt write-what-where condition)
- CVE-2013-3197 (nt!PushException write-what-where condition)
- CVE-2013-3198 (nt!VdmCallStringIoHandler write-where condition)
- 0-day (nt!PushPmInterrupt and nt!PushRmInterrupt Blue Screen of Death DoS)
All of the above security flaws are local problems (i.e. they require the ability to execute arbitrary code on the victim machine); the first three have a maximum impact of elevation of privileges (ring-0 code execution) and were therefore fixed by Microsoft in September this year in the MS13-063 security bulletin. While equally interesting, the fourth one only makes it possible to get the kernel to reference memory at addresses 0xfff80008 through 0xffffffff (the top 128 pages of the kernel address space), which, given the memory layout used by the operating system, is believed to be non-exploitable at the time of this writing. The bugcheck triggered by the condition is as follows:
TRAP_FRAME:  88c37b90 -- (.trap 0xffffffff88c37b90)
ErrCode = 00000000
eax=00000000 ebx=00000002 ecx=7fff0000 edx=fffffeff esi=88c37d34 edi=fff80008
eip=82b31e51 esp=88c37c04 ebp=88c37c50 iopl=0         nv up ei ng nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010287
nt!PushPmInterrupt+0x20c:
82b31e51 668b07          mov     ax,word ptr [edi]        ds:0023:fff80008=????
Resetting default scope
The slide deck can be downloaded here (zeronights.pdf, 6.9MB).
Enjoy!
BTW, the privileged instruction emulation in protected mode in NTVDM is there to support DPMI applications.
@Yuhong Bao: Yeah, I should have mentioned that. Updated the slides with an additional line mentioning DPMI.
Hi! Thanks for your work! I made a PoC of CVE-2013-3196 (nt!PushInt write-what-where condition),
but ran into trouble:
I can’t add a custom expand-down SS segment to the LDT.
Inside the PspIsDescriptorValid function this condition doesn’t pass:
Base == 0x0, ActualLimit == 0xFFFFFFFF
    if (Base > Base + ActualLimit ||
        ((PVOID)(Base + ActualLimit) > MM_HIGHEST_USER_ADDRESS)) {
        return FALSE;
    }
If we use the usual expand-up data segment, we fail inside PushInt:
    cmp edi, [esi].RiSsLimit ; edi == 0xDEADBEEF (esp must be below limit)
    jnb err_
Can you give me a hint? :)
With regards!
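As an added illustration (not part of the comment thread or of the kernel source), the C program below decodes the base, limit and granularity bit of a raw x86 segment descriptor and applies the same range test as the PspIsDescriptorValid condition quoted above, showing why a base 0 / 4 GB span is rejected while a span that ends exactly at the user/kernel boundary passes. The MM_HIGHEST_USER_ADDRESS value (0x7FFEFFFF, the default 2 GB split) and the sample descriptors are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Highest user-mode address on 32-bit Windows with the default 2 GB split
 * (value assumed here; the quoted kernel snippet uses the kernel's macro). */
#define MM_HIGHEST_USER_ADDRESS 0x7FFEFFFFu

/* Fields of an x86 segment descriptor that the range check needs. */
typedef struct {
    uint32_t base;
    uint32_t limit;   /* raw 20-bit limit field */
    bool     g;       /* granularity: limit counts 4 KiB pages when set */
} segdesc_t;

/* Decode base, raw limit and G bit from the low/high dwords of a descriptor. */
segdesc_t decode_descriptor(uint32_t low, uint32_t high) {
    segdesc_t d;
    d.base  = (low >> 16) | ((high & 0xFFu) << 16) | (high & 0xFF000000u);
    d.limit = (low & 0xFFFFu) | (high & 0x000F0000u);
    d.g     = (high >> 23) & 1u;
    return d;
}

/* Effective limit: with G=1 the limit is page-scaled and the low 12 bits set. */
uint32_t effective_limit(uint32_t low, uint32_t high) {
    segdesc_t d = decode_descriptor(low, high);
    return d.g ? ((d.limit << 12) | 0xFFFu) : d.limit;
}

/* The same test as the quoted PspIsDescriptorValid condition: reject if
 * base + limit wraps around or reaches past the user address space. */
bool descriptor_range_ok(uint32_t low, uint32_t high) {
    segdesc_t d   = decode_descriptor(low, high);
    uint32_t  end = d.base + effective_limit(low, high);  /* may wrap */
    if (d.base > end) return false;                      /* wrapped */
    return end <= MM_HIGHEST_USER_ADDRESS;
}

int main(void) {
    /* Constructed: base 0, limit 0xFFFFF, G=1 (4 GB) vs. base 0, limit 0x7FFEF, G=1. */
    const uint32_t flat4g[2] = {0x0000FFFFu, 0x00CFF600u};
    const uint32_t user2g[2] = {0x0000FFEFu, 0x00C7F200u};
    printf("4 GB span: limit=%08x ok=%d\n", effective_limit(flat4g[0], flat4g[1]),
           descriptor_range_ok(flat4g[0], flat4g[1]));
    printf("user span: limit=%08x ok=%d\n", effective_limit(user2g[0], user2g[1]),
           descriptor_range_ok(user2g[0], user2g[1]));
    return 0;
}
```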
@0x16: which operating system are you targeting? On Windows 7, you can create a custom LDT data segment with Base=0x0 and Limit=0xffffffff without any problems.
Excellent job. Again. Excellent work. Again. ;)
Thanks. Again. Keep goin’ – again.
Take a beer from me. Again. ;)
Thanks for the answer! Yes, it was XP SP3, so now I see that in Win7 x86 PspIsDescriptorValid is totally different and none of the limit conditions exist. So it looks like on old Windows exploitation is not possible…?
@0x16: pretty much yes.
@j00ru: Also note that Protected mode != 32-bit, 16-bit DPMI is also very common.