0-day keyboard layout Vulnerability Analysis

Source: Internet
Author: User

The 0-day recently released by instruder: http://www.exploit-db.com/exploits/18140/

The debugging analysis is written up here. My skill is limited, so it may make everyone laugh; corrections and criticism are welcome.

The analysis result of the dump file is as follows:

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - "0x%08lx"

FAULTING_IP:
win32k!ReadLayoutFile+88
bf89ed23 0fb75006        movzx   edx,word ptr [eax+6]

TRAP_FRAME:  b28068a0 -- (.trap 0xffffffffb28068a0)
ErrCode = 00000000
eax=003e0000 ebx=00000000 ecx=003d0000 edx=804ff619 esi=00000000 edi=00000000
eip=bf89ed23 esp=b2806914 ebp=b2806944 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
win32k!ReadLayoutFile+0x88:
bf89ed23 0fb75006        movzx   edx,word ptr [eax+6]     ds:0023:003e0006=????
Resetting default scope

CUSTOMER_CRASH_COUNT:  1

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x8E

PROCESS_NAME:  0Day.exe

LAST_CONTROL_TRANSFER:  from bf89ec61 to bf89ed23

STACK_TEXT:
b2806944 bf89ec61 e12a4298 000007cc 00000160 win32k!ReadLayoutFile+0x88
b2806964 bf885192 000007cc 00000160 00000000 win32k!LoadKeyboardLayoutFile+0x6a
b28069f0 bf884c80 81ccf038 000007cc 08040804 win32k!xxxLoadKeyboardLayoutEx+0x1be
b2806d40 8053e638 000007cc 00000160 00409c40 win32k!NtUserLoadKeyboardLayoutEx+0x158
b2806d40 7c92e4f4 000007cc 00000160 00409c40 nt!KiFastCallEntry+0xf8
WARNING: Frame IP not in any known module. Following frames may be wrong.
0012ffc0 00000000 00000000 00000000 00000000 0x7c92e4f4

From the analysis, it appears that Windows XP performs no validation at all on the file passed in by handle, so a malformed keyboard layout file is parsed step by step according to the PE file format until an error occurs.

The vulnerability is in the win32k!ReadLayoutFile function. The flow of the function is described below:


.text:BF89EC9E ; int __stdcall ReadLayoutFile(int, HANDLE FileHandle, size_t, int)
.text:BF89EC9E _ReadLayoutFile@16 proc near            ; CODE XREF: LoadKeyboardLayoutFile(x,x)+4Dp
.text:BF89EC9E
.text:BF89EC9E ObjectAttributes = OBJECT_ATTRIBUTES ptr -28h
.text:BF89EC9E ViewSize         = dword ptr -10h
.text:BF89EC9E Handle           = dword ptr -0Ch
.text:BF89EC9E var_8            = dword ptr -8
.text:BF89EC9E BaseAddress      = dword ptr -4
.text:BF89EC9E arg_0            = dword ptr  8
.text:BF89EC9E FileHandle       = dword ptr  0Ch
.text:BF89EC9E arg_8            = dword ptr  10h
.text:BF89EC9E arg_C            = dword ptr  14h
.text:BF89EC9E
.text:BF89EC9E ; FUNCTION CHUNK AT .text:BF89E265 SIZE 00000071 BYTES
......

.text:BF89ECE1 mov     [ebp+ObjectAttributes.SecurityDescriptor], esi
.text:BF89ECE4 mov     [ebp+ObjectAttributes.SecurityQualityOfService], esi
.text:BF89ECE7 mov     [ebp+BaseAddress], esi
.text:BF89ECEA call    ds:__imp__ZwCreateSection@28 ; ZwCreateSection(x,x)
.text:BF89ECF0 test    eax, eax
.text:BF89ECF2 jl      loc_BF89E265
......

.text:BF89ED07 push    eax                 ; BaseAddress
.text:BF89ED08 push    0FFFFFFFFh          ; ProcessHandle
.text:BF89ED0A push    [ebp+Handle]        ; SectionHandle
.text:BF89ED0D call    ds:__imp__ZwMapViewOfSection@40 ; ZwMapViewOfSection(x,x)
.text:BF89ED13 test    eax, eax            ; map the keyboard layout file into memory
.text:BF89ED15 jl      loc_BF89EEB3
.text:BF89ED1B mov     ecx, [ebp+BaseAddress] ; ecx holds the base address of the mapped file
.text:BF89ED1E mov     eax, [ecx+3Ch]      ; 0x3c is the e_lfanew member of IMAGE_DOS_HEADER, the offset of the PE header
.text:BF89ED21 add     eax, ecx            ; add the mapping base address; eax now points to the IMAGE_FILE_HEADER structure
.text:BF89ED23 movzx   edx, word ptr [eax+6] ; offset 0x6 of the IMAGE_FILE_HEADER structure holds the NumberOfSections member;
.text:BF89ED23                             ; edx receives the value of NumberOfSections
.text:BF89ED27 cmp     edx, esi            ; is NumberOfSections equal to 0?
.text:BF89ED29 movzx   ecx, word ptr [eax+14h] ; offset 0x14 of the IMAGE_FILE_HEADER structure holds SizeOfOptionalHeader,
.text:BF89ED29                             ; the size of the IMAGE_OPTIONAL_HEADER32 structure
.text:BF89ED2D lea     eax, [ecx+eax+18h]  ; ecx+eax+18h points to the OptionalHeader member of the IMAGE_NT_HEADERS structure,
.text:BF89ED2D                             ; i.e. the IMAGE_OPTIONAL_HEADER32 structure; eax receives that address
.text:BF89ED31 push    edi
.text:BF89ED32 mov     [ebp+var_8], edx
.text:BF89ED35 mov     [ebp+FileHandle], eax ; from here on FileHandle holds the OptionalHeader address
.text:BF89ED38 jbe     short loc_BF89ED50  ; unsigned comparison
.text:BF89ED3A
.text:BF89ED3A loc_BF89ED3A:               ; CODE XREF: ReadLayoutFile(x,x)-A23j
.text:BF89ED3A push    6
.text:BF89ED3C mov     edi, offset a_data  ; ".data" ; the comparison jumps here; it has little effect on the program flow
.text:BF89ED41 mov     esi, eax
.text:BF89ED43 pop     ecx
.text:BF89ED44 xor     edx, edx
.text:BF89ED46 repe cmpsb
.text:BF89ED48 jnz     loc_BF89E26C
.text:BF89ED4E
.text:BF89ED4E loc_BF89ED4E:               ; CODE XREF: ReadLayoutFile(x,x)-A29j
.text:BF89ED4E xor     esi, esi
.text:BF89ED50
.text:BF89ED50 loc_BF89ED50:               ; CODE XREF: ReadLayoutFile(x,x)+9Aj
.text:BF89ED50 cmp     [ebp+var_8], esi    ; [ebp+var_8] holds the NumberOfSections value
.text:BF89ED53 jz      loc_BF89EEB2        ; if NumberOfSections is 0, the function exits
.text:BF89ED59 mov     edi, [ebp+arg_8]    ; arg_8 should be the file size ????
.text:BF89ED5C sub     edi, [eax+0Ch]      ; eax points to the IMAGE_OPTIONAL_HEADER32 structure; eax+0xc is SizeOfUninitializedData,
.text:BF89ED5C                             ; the total size of all uninitialized data blocks
.text:BF89ED5F mov     eax, [eax+8]        ; eax points to the IMAGE_OPTIONAL_HEADER32 structure; eax+0x8 is SizeOfInitializedData,
.text:BF89ED5F                             ; the total size of all initialized data blocks
.text:BF89ED62 push    esi                 ; int
.text:BF89ED63 push    746B7355h           ; Tag
.text:BF89ED68 push    eax                 ; NumberOfBytes
.text:BF89ED69 mov     [ebp+arg_8], eax
.text:BF89ED6C call    _HeavyAllocPool@12  ; HeavyAllocPool(x,x,x)
.text:BF89ED71 cmp     eax, esi
.text:BF89ED73 mov     [ebp+var_8], eax    ; save the allocated address  <------------ the problem is here
.text:BF89ED76 jz      loc_BF89EEB2
.text:BF89ED7C mov     ebx, [ebp+arg_0]
.text:BF89ED7F mov     ecx, [ebp+FileHandle]
.text:BF89ED82 push    [ebp+arg_8]         ; size_t: controllable, taken from the value at file offset 0x140
.text:BF89ED85 mov     [ebx+0Ch], eax
.text:BF89ED88 mov     ecx, [ecx+14h]      ; ecx controllable, read from file offset 0x156
.text:BF89ED8B add     ecx, [ebp+BaseAddress]
.text:BF89ED8E push    ecx                 ; void *: ecx controllable, read from the file
.text:BF89ED8F push    eax                 ; void *
.text:BF89ED90 call    _memmove

From the flow above, the ReadLayoutFile function calls ZwCreateSection and ZwMapViewOfSection to map the input keyboard layout file into memory, and then parses it according to the PE file format. [ecx+3Ch] fetches the e_lfanew member, and after the base address is added, eax points to the IMAGE_FILE_HEADER structure.

.text:BF89ED1E mov     eax, [ecx+3Ch]      ; 0x3c is the e_lfanew member of IMAGE_DOS_HEADER, the offset of the PE header
.text:BF89ED21 add     eax, ecx            ; add the mapping base address; eax now points to the IMAGE_FILE_HEADER structure

From the PoC code we can see that it is the fuzzed e_lfanew member that makes eax point to an invalid address, so the memory access in the following instruction faults:

.text:BF89ED23 movzx   edx, word ptr [eax+6] ; offset 0x6 of the IMAGE_FILE_HEADER structure holds the NumberOfSections member


By adjusting the PoC file appropriately, the program flow can be driven to BF89ED62, where _HeavyAllocPool is called to allocate a buffer and _memmove is then executed.


From the code flow analysis, the source and length of the copied data come from the values at offsets 0x140 and 0x156 of the keyboard layout file. The data source and data length are controllable, but the destination is not :(

In the subsequent code we could not find anything further that is exploitable.
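The checks that ReadLayoutFile omits, written out as an added example (not code from the original analysis or from Windows): the routine trusts e_lfanew, SizeOfOptionalHeader and the copy length/source it reads from the mapped file, so a defender's parser must bound each of them against the size of the mapped view before dereferencing. Field offsets follow the disassembly above exactly; the enum, function names and the constructed sample view are assumptions of this example.

```c
#include <stdint.h>
#include <string.h>
#define E_LFANEW       0x3C  /* IMAGE_DOS_HEADER.e_lfanew                            */
#define NT_NUMSECTIONS 0x06  /* NumberOfSections, read by the faulting movzx          */
#define NT_OPTHDRSIZE  0x14  /* SizeOfOptionalHeader                                  */
#define NT_OPTHDR      0x18  /* lea eax,[ecx+eax+18h]: eax = PE hdr + 18h + SizeOfOptionalHeader */
#define HDR_COPY_LEN   0x08  /* mov eax,[eax+8]: length handed to _memmove            */
#define HDR_COPY_SRC   0x14  /* mov ecx,[ecx+14h]: file offset added to BaseAddress   */

enum layout_check { LAYOUT_OK, LAYOUT_ERR_DOS, LAYOUT_ERR_LFANEW, LAYOUT_ERR_SIG,
                    LAYOUT_ERR_NO_SECTIONS, LAYOUT_ERR_HDR, LAYOUT_ERR_COPY };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* Check every file-supplied value before it is dereferenced or used as a copy
 * length.  base/view_size describe the mapped view of the layout file. */
enum layout_check validate_layout_pe(const uint8_t *base, size_t view_size)
{
    if (view_size < E_LFANEW + 4) return LAYOUT_ERR_DOS;
    uint32_t lfanew = rd32(base + E_LFANEW);
    /* The missing check behind the crash: e_lfanew is never compared with the view size. */
    if (lfanew > view_size || view_size - lfanew < NT_OPTHDR) return LAYOUT_ERR_LFANEW;
    const uint8_t *nt = base + lfanew;
    if (memcmp(nt, "PE\0\0", 4) != 0) return LAYOUT_ERR_SIG;
    if (rd16(nt + NT_NUMSECTIONS) == 0) return LAYOUT_ERR_NO_SECTIONS;
    uint16_t opt_size = rd16(nt + NT_OPTHDRSIZE);
    if (view_size - lfanew - NT_OPTHDR < (size_t)opt_size + 0x18) return LAYOUT_ERR_HDR;
    const uint8_t *hdr = nt + NT_OPTHDR + opt_size;   /* the routine reads hdr+8 and hdr+14h */
    uint32_t len = rd32(hdr + HDR_COPY_LEN), src = rd32(hdr + HDR_COPY_SRC);
    /* memmove(dst, base + src, len) must not read past the end of the view. */
    if (src > view_size || len > view_size - src) return LAYOUT_ERR_COPY;
    return LAYOUT_OK;
}

/* Constructed 0x200-byte sample view with a minimal PE header (0xE0-byte optional
 * header) at lfanew; an lfanew that does not fit is left dangling, like the PoC. */
enum layout_check check_sample(uint32_t lfanew, uint32_t copy_len)
{
    static uint8_t view[0x200];
    memset(view, 0, sizeof view);
    wr32(view + E_LFANEW, lfanew);
    if (lfanew <= sizeof view - NT_OPTHDR - 0xE0 - 0x18) {
        uint8_t *nt = view + lfanew;
        memcpy(nt, "PE\0\0", 4);
        wr16(nt + NT_NUMSECTIONS, 1);
        wr16(nt + NT_OPTHDRSIZE, 0xE0);
        wr32(nt + NT_OPTHDR + 0xE0 + HDR_COPY_LEN, copy_len);   /* source offset stays 0 */
    }
    return validate_layout_pe(view, sizeof view);
}
```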

Author: Drawing Hz
