BugTraq
CORE-2011-1123 - Windows Kernel ReadLayoutFile Heap Overflow Jul 17 2012 01:41PM
CORE Security Technologies Advisories (advisories coresecurity com)
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Windows Kernel ReadLayoutFile Heap Overflow

1. *Advisory Information*

Title: Windows Kernel ReadLayoutFile Heap Overflow
Advisory ID: CORE-2011-1123
Advisory URL:
http://www.coresecurity.com/content/windows-kernel-readlayoutfile
Date published: 2012-05-08
Date of last update: 2012-07-11
Vendors contacted: Microsoft
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Heap-based Buffer Overflow [CWE-122]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2012-1890

3. *Vulnerability Description*

There is a bug in the ReadLayoutFile Windows Kernel function that can be
leveraged into a local privilege escalation exploit, potentially usable
in a client-side attack scenario or after a remote intrusion by other
means.

This bug is similar to another bug used by a client-side exploit in
Stuxnet.

4. *Vulnerable packages*

. Windows XP SP3.
. Windows Vista SP2.
. Windows 7
. Windows 7 SP1.
. Windows Server 2003 SP2.
. Windows Server 2008 SP2.
. Other Windows versions might be vulnerable but were not tested.

5. *Vendor Information, Solutions and Workarounds*

Apply security patch MS12-047 [4]

6. *Credits*

This vulnerability was discovered and researched by Nicolás Economou
from Core Security Technologies. The publication of this advisory was
coordinated by Fernando Russ.

7. *Technical Description / Proof of Concept Code*

There is a bug in the 'ReadLayoutFile' Windows Kernel ('win32k.sys')
function that can be leveraged into a local privilege escalation
exploit, potentially usable in a client-side attack scenario, or after a
remote intrusion by other means.

Custom keyboard layouts are implemented using a .dll file exporting the
'KbdLayerDescriptor' function which, in theory, returns a pointer to a
structure of type 'KBDTABLES' that is stored in the '.DATA' sections of
the PE file. The 'NtUserLoadKeyboardLayoutEx' is a private function used
by 'LoadKeyboardLayout'[2] to load a custom keyboard layout, as
arguments 'NtUserLoadKeyboardLayoutEx' uses an open file handle pointing
to a keyboard layout library. When the function
'NtUserLoadKeyboardLayoutEx' is correctly called the PE file referenced
by its arguments is mapped in kernel space.

The bug is due to a memory corruption: a double word can be overwritten
in a position relative to the base of the allocated memory in kernel
space. We have to distinguish the following constraints for exploiting
this vulnerability:

. There is no bound check for the value used to index the '.DATA'
section of the keyboard layout .dll where the actual where the actual
layout descriptor table is stored. (So, we can reference spurious memory
address)
. The file handle used to load the keyboard layout must refer to a
file located in \Windows\System32.
. The value used to index the '.DATA' section of the keyboard layout
is incorrectly bound checked.

We can confirm reliable exploitation for the following Microsoft Windows
versions:

. Windows XP SP3,
. Windows Vista,
. Windows Server 2003 SP2,
. Windows Server 2008 SP2.

8. *Report Timeline*

. 2011-11-23:
Core Security Technologies notifies MSRC of the vulnerability, including
technical details and a PoC that crashes Windows XP SP3.

. 2011-11-23:
Vendor acknowledges the receipt of the information. Vendor warns Core
Security Technologies that it may take longer than normal for a
technical review of the bug because of the Thanksgiving holiday.

. 2011-11-24:
Core acknowledges the aforementioned possible delay and wishes MSRC a
happy Thanksgiving.

. 2011-11-25:
MSRC opens case number "MSRC 12000gd" for report tracking.

. 2011-11-28:
MSRC mentions over an unencrypted communication channel that they are
currently investigating the issue, and that they'll let Core Security
Technologies know of their findings when the investigation is complete.

. 2011-11-29:
Core Security Technologies acknowledges the previous e-mail.

. 2011-12-08:
MSRC contacts Core Security Technologies for a quick update, informing
that they were able to reproduce the crash and that it is indeed very
similar to bug publicly exploited at [1]. MSRC informs that they are
currently discussing the next steps they will take with Windows Product
Team.

. 2012-01-09:
Ivan Arce, current CTO and founder of the Core Advisories Team, leaves
Core after 15 years. Thanks Wari!

. 2012-01-17:
MSRC notifies that the release of a fix was scheduled for March 2012.

. 2012-01-18:
Core acknowledges the previous update and notifies that Nicolas Economou
has further analyzed the crash (publicly available in exploit-db) and
concluded it is indeed a different issue. Core offers to compile
Nicolas' findings into a private technical report.

. 2012-01-18:
MSRC validates Nicolas' findings stating the two issues are separate,
even though they share a same code area.

. 2012-03-09:
Core asks if the March publication date still stands.

. 2012-03-12:
MSRC notifies that, due to some late findings about app-compat concerns,
they will need more time to issue the patch. MSRC asks to re-schedule
the advisory publication to May 8th.

. 2012-03-09:
Core re-schedules the advisory publication to May 8th.

. 2012-04-01:
Pedro Varangot leaves the Core Advisories Team. Thanks Peter and good
luck with your new challenges.

. 2012-04-02:
Core asks for additional information regarding the actual vulnerable
Windows' versions and specific workarounds for this vulnerability.

. 2012-04-03:
MSRC notifies that the actual vulnerable systems are Windows XP/2003 as
Elevation of Privileges and Windows Vista/2008 as Denial of Service.
MSRC also notifies that no workaround has been identified for this
vulnerability.

. 2012-05-08:
The advisory CORE-2011-1123 is published.

. 2012-05-08:
MSRC publishes the Security Bulletin MS12-034 [3] for addressing this
issue.

. 2012-05-11:
Core notifies MSRC that the vulnerability was not correctly patched in
[3] and re-sends a PoC to reproduce the issue.

. 2012-05-14:
Based on the blog post [5], MSRC asks for a PoC which triggers the issue
in a Vista/Windows 7 platform.

. 2012-05-14:
Core clarifies that this issue seems to be not exploitable in Windows 7
(as it was noted in the blog post [5]), but it is still exploitable in
Windows Vista and 2008. Core also notifies that the exploit for this
vulnerability was sent to the Core Impact clients on May 8th, 2012.

. 2012-05-16:
MSRC notifies that a new patch will be released and a new CVE number
will be assigned to it.

. 2012-05-17:
Core acknowledges the update and asks a publication date for this update.

. 2012-05-18:
MSRC asks for a conference call to discuss this issue and asks Core to
make no change on the advisory or the blog post until the publication day.

. 2012-05-18:
Core requests to keep all the communication process via email in order
to track all interactions and involve all people interested in it. Core
also notifies that the advisory update will be released after the new
patch is published.

. 2012-06-14:
Core asks MSRC for additional information regarding this issue.

. 2012-06-18:
MSRC notifies that they are targeting July as publication timeframe for
this issue.

. 2012-06-21:
Core acknowledges the publication date and asks for the new CVE number
and any additional information that can be added in the advisory amendment.

. 2012-07-05:
MSRC informs that the new bulletin will be published on July 10th, and
the new CVE number is CVE-2012-1890.

. 2012-07-10:
MSRC publishes the Security Bulletin Summary for July 2012 [6].

. 2012-07-11:
The advisory CORE-2011-1123 is updated.

9. *References*

[1] http://www.exploit-db.com/exploits/18140/
[2]
http://msdn.microsoft.com/en-us/library/windows/desktop/ms646305(v=vs.85
).aspx
[3] http://technet.microsoft.com/en-gb/security/bulletin/ms12-034
[4] http://technet.microsoft.com/en-gb/security/bulletin/ms12-047
[5]
http://blog.coresecurity.com/2012/05/10/the-big-trick-behind-exploit-ms1
2-034/
[6] http://technet.microsoft.com/en-us/security/bulletin/ms12-jul

10. *About CoreLabs*

CoreLabs, the research center of Core Security Technologies, is charged
with anticipating the future needs and requirements for information
security technologies. We conduct our research in several important
areas of computer security including system vulnerabilities, cyber
attack planning and simulation, source code auditing, and cryptography.
Our results include problem formalization, identification of
vulnerabilities, novel solutions and prototypes for new technologies.
CoreLabs regularly publishes security advisories, technical papers,
project information and shared software tools for public use at:
http://corelabs.coresecurity.com.

11. *About Core Security Technologies*

Core Security Technologies enables organizations to get ahead of threats
with security test and measurement solutions that continuously identify
and demonstrate real-world exposures to their most critical assets. Our
customers can gain real visibility into their security standing, real
validation of their security controls, and real metrics to more
effectively secure their organizations.

Core Security's software solutions build on over a decade of trusted
research and leading-edge threat expertise from the company's Security
Consulting Services, CoreLabs and Engineering groups. Core Security
Technologies can be reached at +1 (617) 399-6980 or on the Web at:
http://www.coresecurity.com.

12. *Disclaimer*

The contents of this advisory are copyright (c) 2012 Core Security
Technologies and (c) 2012 CoreLabs, and are licensed under a Creative
Commons Attribution Non-Commercial Share-Alike 3.0 (United States)
License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. *PGP/GPG Keys*

This advisory has been signed with the GPG key of Core Security
Technologies advisories team, which is available for download at
http://www.coresecurity.com/files/attachments/core_security_advisories.a
sc.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJQBWuaAAoJEK6bq3WCdh+Hz0AH/A/zxOqwsNvGrD88I+n/fAWl
Kgef85NXmNCixp+Eo3Q+Zx2pg/YBsFxiH0vmgI3sMNI9+omqknQjd+B3eMZBW87s
KzVsuljcx3GG7xKqFoGu5WM2jNJlQWfJXGm1oeAFRRYwdUrkI/Hexs/8KBl/zSMB
Cs72eakfrjWiXW/ZgA/oU0aGgLdBlyJKdD38im0CuJRdQRDl2UAA39cGiZJGfHmG
vXEPHmgxH6n2Nhu5rF+ICSGzgo/lLJ6dpvKQK3gr8E1lDJoZQJtpDCw+3GvA/Kqx
nDwnWF+v4l+v+xhve1PAcTvXlRTQFfgPxrLnJV9hL5G5ZoZ8hjDL3kRNc9ar6/Q=
=qnXR
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus