Microsoft Windows Kernel – ‘win32k.sys’ Malformed OS/2 Table TTF Font Processing Pool-Based Buffer Overflow (MS15-115)

• Exploit Database
• 121 阅读

• 作者： Google Security Research
  日期： 2015-11-16
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38714/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85

  Source: https://code.google.com/p/google-security-research/issues/detail?id=506   We have encountered a number of Windows kernel crashes in the win32k.sys driver while processing a specific corrupted TTF font file. The cleanest stack trace we have acquired, which might also indicate where the pool corruption takes place and/or the root cause of the vulnerability, is shown below:   --- PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced.This cannot be protected by try-except, it must be protected by a Probe.Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: fffff900c4c31000, memory referenced. Arg2: 0000000000000001, value 0 = read operation, 1 = write operation. Arg3: fffff96000156a34, If non-zero, the instruction address which referenced the bad memory address. Arg4: 0000000000000000, (reserved)   [...]   FAULTING_IP: win32k!memmove+64 fffff960<code>00156a34 488901mov qword ptr [rcx],rax   MM_INTERNAL_CODE:0   DEFAULT_BUCKET_ID:VISTA_DRIVER_FAULT   BUGCHECK_STR:0x50   CURRENT_IRQL:0   TRAP_FRAME:fffff880074a0210 -- (.trap 0xfffff880074a0210) .trap 0xfffff880074a0210 NOTE: The trap frame does not contain all registers. Some register values may be zeroed or incorrect. rax=fffff47cffffe440 rbx=0000000000000000 rcx=fffff900c4c31000 rdx=000000000141f518 rsi=0000000000000000 rdi=0000000000000000 rip=fffff96000156a34 rsp=fffff880074a03a8 rbp=0000000000000010 r8=0000000000000018r9=0000000000000001 r10=fffff900c4c211a8 r11=fffff900c4c30ff0 r12=0000000000000000 r13=0000000000000000 r14=0000000000000000 r15=0000000000000000 iopl=0 nv up ei pl nz na pe nc win32k!memmove+0x64: fffff960</code>00156a34 488901mov qword ptr [rcx],rax ds:a020:fffff900<code>c4c31000=???????????????? .trap Resetting default scope   LAST_CONTROL_TRANSFER:from fffff800028fa017 to fffff8000287d5c0   STACK_TEXT: fffff880</code>074a00a8 fffff800<code>028fa017 : 00000000</code>00000050 fffff900<code>c4c31000 00000000</code>00000001 fffff880<code>074a0210 : nt!KeBugCheckEx fffff880</code>074a00b0 fffff800<code>0287b6ee : 00000000</code>00000001 fffff900<code>c4c31000 fffff880</code>074a0400 fffff900<code>c4c30fd8 : nt! ?? ::FNODOBFM::</code>string&apos;+0x4174f fffff880<code>074a0210 fffff960</code>00156a34 : fffff960<code>00252e40 fffff900</code>c4c30f98 00000000<code>00000003 fffff900</code>c48f2eb0 : nt!KiPageFault+0x16e fffff880<code>074a03a8 fffff960</code>00252e40 : fffff900<code>c4c30f98 00000000</code>00000003 fffff900<code>c48f2eb0 fffff960</code>002525dc : win32k!memmove+0x64 fffff880<code>074a03b0 fffff960</code>0031d38e : 00000000<code>000028a6 fffff900</code>c4c30fd8 00000000<code>00000000 fffff900</code>c4c21008 : win32k!EPATHOBJ::bClone+0x138 fffff880<code>074a0400 fffff960</code>000f07bb : fffff880<code>00002640 fffff900</code>c576aca0 00000000<code>00002640 fffff880</code>00000641 : win32k!RFONTOBJ::bInsertMetricsPlusPath+0x17e fffff880<code>074a0540 fffff960</code>000eccf7 : fffff880<code>074a2640 fffff880</code>074a0a68 fffff880<code>074a0b40 fffff800</code>00000641 : win32k!xInsertMetricsPlusRFONTOBJ+0xe3 fffff880<code>074a0610 fffff960</code>000ec998 : fffff880<code>074a0b40 fffff880</code>074a0a68 fffff900<code>c0480014 00000000</code>00000179 : win32k!RFONTOBJ::bGetGlyphMetricsPlus+0x1f7 fffff880<code>074a0690 fffff960</code>000ec390 : fffff980<code>00000000 fffff880</code>074a0830 fffff900<code>c04a8000 fffff800</code>00000008 : win32k!ESTROBJ::vCharPos_H3+0x168 fffff880<code>074a0710 fffff960</code>000ed841 : 00000000<code>41800000 00000000</code>00000000 00000000<code>0000000a fffff880</code>074a0830 : win32k!ESTROBJ::vInit+0x350 fffff880<code>074a07a0 fffff960</code>000ed4ef : fffff880<code>074a0ca0 fffff900</code>c576aca0 ffffd08c<code>00000020 ffffffff</code>ffffffff : win32k!GreGetTextExtentExW+0x275 fffff880<code>074a0a60 fffff800</code>0287c853 : 00000000<code>00000000 fffff880</code>074a0ca0 00000000<code>00000001 fffff880</code>00000000 : win32k!NtGdiGetTextExtentExW+0x237 fffff880<code>074a0bb0 00000000</code>750a213a : 00000000<code>00000000 00000000</code>00000000 00000000<code>00000000 00000000</code>00000000 : nt!KiSystemServiceCopyEnd+0x13 00000000<code>0025e1c8 00000000</code>00000000 : 00000000<code>00000000 00000000</code>00000000 00000000<code>00000000 00000000</code>00000000 : 0x750a213a ---   We have also observed a number of other system bugchecks caused by the particular TTF file with various stack traces indicating a pool corruption condition. For example, on Windows 7 32-bit a crash occurs only while deleting the font, under the following call stack:   --- 9823bc7c 90d8dec1 fb634cf0 fb60ecf0 00000001 win32k!RFONTOBJ::vDeleteCache+0x56 9823bca8 90d14209 00000000 00000000 00000001 win32k!RFONTOBJ::vDeleteRFONT+0x190 9823bcd0 90d15e00 9823bcf4 fb62ccf0 00000000 win32k!PUBLIC_PFTOBJ::bLoadFonts+0x6fb 9823bd00 90ddf48e 00000008 fbc16ff8 912f8fc8 win32k!PFTOBJ::bUnloadWorkhorse+0x114 9823bd28 8267ea06 13000117 0040fa24 775e71b4 win32k!GreRemoveFontMemResourceEx+0x60 9823bd28 775e71b4 13000117 0040fa24 775e71b4 nt!KiSystemServicePostCall ---   While we have not determined the specific root cause of the vulnerability, we have pinpointed the offending mutations to reside in the "OS/2" table.   The issue reproduces on Windows 7 (32 and 64-bit). It is easiest to reproduce with Special Pools enabled for win32k.sys (leading to an immediate crash when the bug is triggered), but it it also possible to observe a system crash on a default Windows installation as a consequence of pool corruption and resulting system instability. In order to reproduce the problem with the provided sample, it might be necessary to use a custom program which displays all of the font&apos;s glyphs at various point sizes.   Attached is an archive with the proof-of-concept mutated TTF file, together with the original font used to generate it and a corresponding kernel crash log from Windows 7 64-bit.   Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38714.zip