MS11-077: From Patch to Proof-of-Concept

In the October 2011 Patch Tuesday, Microsoft released update MS11-077 to fix a null pointer de-reference vulnerability (CVE-2011-1985). In this paper, we will reverse engineer the patch for MS11-077 (CVE-2011-1985) to get a better understanding of the vulnerability fixed by this patch.

Sample:

Unpatched File: win32k.sys (version: 5.1.2600.6119)
Patched File: win32k.sys (version: 5.1.2600.6149)

Patch Analysis:

Using binary diff, we can see the changes that were made to the vulnerable file win32k.sys. Figure 1 below shows the TurboDiff results.

MS11-077: From Patch to Proof-of-Concept

As you can see in Figure 1 above, while most of the functions are identical, there are a couple of functions that look ‘suspicious’ and some others that are ‘changed’. The large number of changes is not a surprise because Microsoft has fixed four different vulnerabilities with this patch.Taking a closer look at all the functions that were changed, you will see that the changes made to functions ‘NtUserfnINLBOXSTRING’, ‘NtUserfnSENTDDEMSG’ and ‘NtUserfnINCBOXSTRING’ are all the same. Figure 2, below shows the changes made.

Figure 2: Binary Diff for function NtUserfnINLBOXSTRING(x,x,x,x,x).
Looking at the binary difference, it is clear that the patch is checking that the arg_0 (first argument passed to the function) is 0xFFFFFFFF and if it is 0xFFFFFFFF, call _UserSetLastError() with 0x578 and return from the function.

Quest:

Everything until now is pretty simple and it looks easy to exploit this vulnerability. However, the really challenge here is finding a user mode function that will call the vulnerable function. It turns out this isn’t very straightforward, and we will need to understand the Windows GUI subsystem.

  • This gives us two pointers to exploit the vulnerability. The first is that the arg_0 has to be 0xFFFFFFFF. The second pointer is that the patched function bails out setting system error code to 0x578. This is the system error code for ERROR_INVALID_WINDOW_HANDLE, thus hinting us that the argument is of type HWND

Win32 GDI Subsystem:

MS11-077: From Patch to Proof-of-Concept

The GDI (Graphics Device Interface) APIs are implemented in the GDI32.DLL and include all the low-level graphics services such as drawing lines, displaying BMPs etc. The GDI APIs make system calls into the WIN32k.sys to implement most APIs. The User APIs are implemented in USER32.DLL module and include all higher-level GUI-related services such as window management, menus, dialog boxes, user controls etc. USER heavily relies on GDI to do its work.

One of the most important means of communication in Windows is Messages. Windows-based applications are event-driven and act upon messages sent to them. The way you program in Windows is by responding to events. These events are called Messages. Messages can signal many events, caused by the user, the operating system, or another program. Each window, owned by a thread, has a window procedure (function) for processing input messages and dispatching them to the operating system. If a thread accesses any of the user interface or GDI system calls (handled by win32k.sys), the kernel creates a THREADINFO structure which holds three message queues used to process input. These are the input queue, the post queue, and the send queue. The input queue is primarily used for mouse and keyboard messages, while the send and post queues are used for synchronous (send) and asynchronous (post) window messages respectively.

Asynchronous messages are used in one-way communication between window threads and are typically used to notify a window to perform a specific task. Asynchronous messages are handled by the PostMessage APIs and are sent to the post queue of the receiving thread. The sender does not wait for the processing to complete in the receiving thread and thus returns immediately.

Synchronous messages differ from asynchronous messages as the sender typically waits for a response to be provided or a timeout to occur before continuing execution. Thus, they require mechanisms to ensure that the threads are properly synchronized and in the expected state. Synchronous messages use the SendMessage APIs which in turn directs execution to the NtUserMessageCall system call in win32k.sys.

This information is enough for us to take our analysis further.

Hitting the vulnerable function:

As described above, the message mechanism plays an integral role in the user interface component of the Windows operating system. There are many different types of message codes and those less than 0x400 are reserved by operating system. Depending upon the type of message code, NtUserMessageCall() calls a particular function to handle the message. Let’s take a closer look at how NtUserMessageCall, calls the appropriate functions to handle different message types.

MS11-077: From Patch to Proof-of-Concept

As seen in the above figure, the function first checks if the Msg code is less than 0x400(EAX has the Msg code) to check if it’s a system message code. Each Message code denotes an index in the win32k!MessageTable byte array. This byte value is than logically AND to 0x3F, since the last 6bits of the byte obtained from win32k!MessageTable determines the function that will handle the Message code. _gapfnMessageCall is a function table that stores address of all the functions that can handle different messages. See Figures below to see how _gapfnMessageCall table looks.

MS11-077: From Patch to Proof-of-Concept

Thus if we can get the index of our vulnerable function in _gapfnMessageCall, we can easily compute how we can call the vulnerable function. The index of our vulnerable functions are 29(0x1D), 27(0x27) and 43(0x2B) for NtUserfnINLBOXSTRING(),NtUserfnINCBOXSTRING() and NtUserfnSENTDDEMSG() respectively

Following is the pseudo code to compute Msg codes for hitting the vulnerable function:

for i in range[0x00 to 0x400]
if MessageTable[i] & 0x3F == 0x1D //NtUserfnINLBOXSTRING() Hit!
if MessageTable[i] & 0x3F == 0x1B //NtUserfnINCBOXSTRING() Hit!
if MessageTable[i] & 0x3F == 0x2B //NtUserfnSENTDDEMSG() Hit!
Proof of Concept:

#include <windows.h>

int main(){

SendNotifyMessageA((HWND)0xFFFF,0x143,0,0);

}

OR

#include <windows.h>

int main(){

SendMessageCallbackA((HWND)0xFFFF,0x143,0,0);

}
Other Possible Msg codes for hitting vulnerable functions are:

0x143, 0x14A, 0x14C, 0x14D, 0x158, 0x180, 0x181, 0x18C, 0x18F, 0x1A2, 0x1AA, 0x1AB, 0x1AC, 0x1AD, 0x3E2, 0x3E3, 0x3E5, 0x3E6, 0x3E7, 0x3E8.

Conclusion:

As we've seen above, it is pretty easy to trigger this vulnerability. We would recommend our customers to scan their environment for QID 90746 and apply this security update as soon as possible.

References:

http://www.codeproject.com/KB/dialog/messagehandling.aspx

http://c0decstuff.blogspot.com/2011/03/desynchronization-issues-in-windows.html

http://en.wikipedia.org/wiki/Reversing:_Secrets_of_Reverse_Engineering

http://doxygen.reactos.org/d3/d69/include_2reactos_2win32k_2ntuser_8h_a14fd6fae7992b1218ed08fbaec9396b8.html

http://uninformed.org/index.cgi?v=10&a=2#MSFT:2

分类:默认分类 时间:2012-01-04 人气:3
本文关键词:
分享到:

相关文章

  • CSRF Proof of Concept 与OWASP ZAP 2014-07-13

    1.导言 这篇文章介绍 CSRF (跨站请求伪造) 漏洞,并演示如何使用 OWASP ZAP 检测 CSRF。 2.跨站请求伪造 该漏洞允许攻击者伪造一个用户请求。因此,攻击者想要用户执行什么操作。下面是一个示例: (一).社会工程用来引诱到攻击者的网站用户。同时,用户登录到 X银行。 (二) .让我们假设,X银行的钱汇款形式是易受到 csrf 攻击 (没有 CSRF 令牌,没有授权密码)。攻击者准备利用此漏洞,将用户的钱转移到自己的账户,并把它放在自己的网站上。 (三).当用户访问攻击者的网站

  • 了解Oracle Critical Patch Update 2013-09-01

    Oracle Critical Patch Update是什么? Critical Patch Update(以下简称CPU),是Oracle在2005年开始引入的产品安全更新策略。一般来说CPU包含了Oracle产品安全漏洞的修复补丁集(set of security bug fix)。CPU最早的雏形出现在2005年,该项目致力于为客户周期性地提供累积性的补丁以修复安全漏洞。 通常CPU补丁会在每季度开始第一个月的15号发布,按照发布日期的不同可以划分为: January : CPU JAN

  • Shellshock漏洞回顾与分析测试 2012-04-09

    0x00 漏洞概述 很多人或许对2014上半年发生的安全问题“心脏流血”(Heartbleed Bug)事件记忆颇深,2014年9月,又出现了另外一个“毁灭级”的漏洞——Bash软件安全漏洞。这个漏洞由法国GNU/Linux爱好者Stéphane Chazelas所发现。随后,美国电脑应急响应中心(US-CERT)、红帽以及多家从事安全的公司于周三(北京时间2014年9月24日)发出警告。 关于这个安全漏洞的细节可参看:CVE-2014-6271 和 CVE-2014-7169。 漏洞概况信息如

  • Magento eCommerce Platform XXE Injection利用 2012-01-21

    0x2 今天看packetstormsecurity时看到了这个漏洞的细节:http://packetstormsecurity.org/files/114710/Magento-eCommerce-Platform-XXE-Injection.html 利用方法其中也说的很明白: Proof of concept: ----------------- Magento uses a vulnerable Zend_XmlRpc_Server() class (Zend\XmlRpc\Server

  • Server-Side XSS Attack Detection with ModSecurity and PhantomJS 2012-10-24

    Client-Side JS Overriding Limitations What is PhantomJS Using PhantomJS for Server-Side XSS Detection Server-Side JS Overriding Example Testing Access Attempts for documentcookie DOM Object Request Mimicking with PhantomJS XSSAuditor Alerts with Phan

  • Mongodb未授权访问漏洞全网探测报告 2013-06-23

    [+] Author: f1,2,4 [+] Team: FF0000 TEAM <http://www.ff0000.cc> [+] From: HackerSoul <http://www.hackersoul.com> [+] Create: 2014-12-10 Introduction Domain list Proof of Concept Scan results IP location Evil hackers 0. Introduction Mongod

  • Running w3af plugins in Burp Suite 2014-05-12

    Attachments : BurpExtender-w3af.py I am quite enthusiastic about the Burp Suite Python extension I wrote. This is a Python (Jython) binding written in Java implementing the Burp Suite extension API. In the to-do list, I mentioned that more examples n

  • Linux下暴力破解工具Hydra详解 2015-02-02

    一、简介 Number one of the biggest security holes are passwords, as every password security study shows. Hydra is a parallized login cracker which supports numerous protocols to attack. New modules are easy to add, beside that, it is flexible and very fa

  • 利用oracle opatch打补丁 2013-06-21

    本文主要介绍了如何利用ORACLE的OPATCH工具安装补丁,同时通过本文的描述,我们也应该了解确认BUG一般步骤:分析、排查相关错误信息、对比环境、最终确认。 关键字: ORACLE、OPATCH、补丁 1. 引言 近几年,随着我们ORACLE数据库的应用越来越深入,用户的环境越来越复杂,一些ORACLE常见的BUG也会偶尔的被触发。因此,我们对技术人员要求不能再象以前一样只要求会安装数据库,还应该要求其掌握如何安装补丁才行,下面我们就结合一个案例,介绍下如何利用ORACLE OPATCH工具

Copyright (C) quwantang.com, All Rights Reserved.

趣玩堂 版权所有 京ICP备15002868号

processed in 0.067 (s). 10 q(s)