Full Disclosure mailing list archives
RE: [EEYEB-20050523] Windows Kernel APC Data-FreeLocal Privilege Escalation Vulnerability
From: "Marc Maiffret" <mmaiffret () eeye com>
Date: Tue, 13 Dec 2005 13:47:17 -0800
To be clear we did not make any claim except that Retina has been updated to be able to identify this vulnerability. Obviously being that it is a local vulnerability we audit for the vulnerability using credentials through normal means that you should find in most any vulnerability assessment scanner. -Marc
-----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Joshua Russel Sent: Tuesday, December 13, 2005 10:28 AM To: Advisories Cc: full-disclosure () lists grok org uk; vulnwatch () vulnwatch org; bugtraq () securityfocus com; ntbugtraq () ntbugtraq com Subject: Re: [Full-disclosure] [EEYEB-20050523] Windows Kernel APC Data-FreeLocal Privilege Escalation Vulnerability It is a local vulnerability, then how does Retina claims to scan it remotely? On 12/13/05, Advisories <Advisories () eeye com> wrote:Windows Kernel APC Data-Free Local Privilege EscalationVulnerabilityRelease Date: December 13, 2005 Date Reported: May 23, 2005 External Refferences: eEye ID# EEYEB-20050523 OSVDB ID# 18823 CVE # CAN-2005-2827 Microsoft # MS05-055 Severity: Medium (Local Privilege Escalation to Kernel) Systems Affected: Windows NT 4.0 Windows 2000 Overview: eEye Digital Security has discovered a local privilege escalation vulnerability in the Windows kernel that could allow any code executing on a Windows NT 4.0 or Windows 2000 system toelevate itselfto the highest possible local privilege level (kernel).For example,a malicious user, network worm, or e-mail virus could takeadvantageof this vulnerability in order to completely compromise thevulnerablesystem on which the exploit code is executing, regardless of that code's original privilege level. The vulnerability exists in the thread termination routinecontainedwithin NTOSKRNL.EXE. Through a specific series of steps, a local attacker can cause the code responsible for discarding queued Asynchronous Procedure Call (APC) entries to erroneously attempt to free a region of kernel data, producing a "data free" vulnerability that may be exploited in order to alter arbitrary kernel memory, or even divert the flow of execution directly. Technical Details: The basis of this vulnerability is in PspExitThread's APCfreeing loopand in the behavior of KiMoveApcState, invoked from KiAttachProcess and KeUnstackDetachProcess. We'll give a description ofthe problembelow, followed by a "call flow" illustration to outlinethe specificsequence of events. When a thread is exiting, PspExitThread will detach thethread's APCqueues from ETHREAD.ApcState.ApcListHead[0] and ApcListHead[1], so that each queue is now a circular, doubly-linked list in which the first and last nodes do not point back to the list head(LIST_ENTRY structure).However, since the list heads' pointers are not modified,the purposeis presumably just to allow the APC freeing loop withinPspExitThreadto walk each list and free its nodes, without navigatingback to thelist head and erroneously attempting to free memory withinthe ETHREADstructure. Of course, the vulnerability is that this canbe made tohappen, and the result is a "data free" condition that eventually causes ExFreePoolWithTag to operate on user memory. APCs queued by an external process count against thatprocess's poolquota, and therefore the quota block of the pool blockcontaining theAPC structure has a reference to the queuing process. Ifthe exitingthread contains an APC queued by a now-terminated externalprocess inits lists, and if that APC node represents the lastreference to theprocess's Process object, then freeing that node will cause the Process object to be destroyed from withinExFreePoolWithTag. Part ofthis sequence involves executing PspProcessDelete, whichswitches tothe ending process's address space usingKeStackAttachProcess, callsPspExitProcess, and then reverses the switch with KeUnstackDetachProcess. Both the "attach" and "detach" functions callKiMoveApcState, which isintended to temporarily strip the thread of its APCs sothat none aredispatched in an address space for which they were notintended, thenre-link the list of APCs after the thread's native address space is reinstated. During attach, the ETHREAD.ApcState structure is duplicated, and the pointers of the lists' first and last nodes are adjusted to refer to the copy. Upon detach, the first andlast nodes'pointers are adjusted to re-link the lists to the original ETHREAD.ApcState -- even though they were supposed to remain disconnected, since the APC free loop is still in progress.The endresult is that the free loop will continue and attempt to free a portion of the ETHREAD structure as though it were a pool block header, culminating in the kernel operating on attacker-supplied pointers from user-land memory, because the accessed portion of ETHREAD contains predictable and mostly zeroed values. The following depicts the sequence of function calls and parameters involved in producing the vulnerable condition: . PspExitThread . . KeFlushQueueApc . . (detaches APC queues from ETHREAD.ApcState.ApcListHead). . (APCfree loop begins) . . ExFreePool(1st_APC -- queued byexited_process). . . ExFreePoolWithTag(1st_APC) . . . . ObfDereferenceObject(exited_process) . . . . . ObpRemoveObjectRoutine . . . . . . PspProcessDelete . . . . . . . KeStackAttachProcess(exited_process) . . . . . . . . KiAttachProcess . . . . . . . . . KiMoveApcState(ETHREAD.ApcState -->duplicate) . . .. . . . . . KiSwapProcess . . . . . . . PspExitProcess(0) .. . . . .. KeUnstackDetachProcess . . . . . . . .KiMoveApcState(duplicate -->ETHREAD.ApcState) . . . . . . . . KiSwapProcess . . ExFreePool(2nd_APC) . . ExFreePool(ETHREAD + 30h) . . (APCfree loopends) The ETHREAD data upon which ExFreePool is called is mostly predictable, KernelStack at offset +28h being the single true variable; however, methods for leaking a thread's kernel ESP permit complete control over the path execution will take through ExFreePoolWithTag. With enough crafting, an arbitrary function pointer can be supplied as an object type method, allowingexecution to be hijacked directly.Beginning with Windows XP, KeFlushQueueApc contains a code fix that resolves this vulnerability. Protection: Retina Network Security Scanner has been updated to identify this vulnerability. Vendor Status: Microsoft has released a patch for this vulnerability. Thepatch isavailable at: http://www.microsoft.com/technet/security/bulletin/MS05-055.mspx Credit: Derek Soeder Greetings: Dedicated to R. W. S., Sr. 1928 - 2005From my father to his:"He was a good man; liked by all, loved by many. He was always upbeat, outgoing and loved to kid around. He was always willing to help others in their time of need and gave a lot ofhimself. He wasvery creative, handy with tools, and could fix aboutanything. He wasthe one everyone turned to for advice and direction. He was my father, and I miss him dearly." Copyright (c) 1998-2005 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent ofeEye. If youwish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert () eEye com for permission. Disclaimer The information within this paper may change withoutnotice. Use ofthis information constitutes acceptance for use in an AS IScondition.There are no warranties, implied or express, with regard to this information. In no event shall the author be liable forany direct orindirect damages whatsoever arising out of or in connectionwith theuse or spread of this information. Any use of thisinformation is atthe user's own risk. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- RE: [EEYEB-20050523] Windows Kernel APC Data-FreeLocal Privilege Escalation Vulnerability Marc Maiffret (Dec 13)