Background

  CVE-2021-40449 is a use-after-free (UAF) vulnerability in the Win32k kernel driver. It was found by Kaspersky in in-the-wild attacks in late August and early September 2021. The exploit hooks the user-mode callback that occurs while the win32k driver executes NtGdiResetDC, uses it to free and then reclaim the target object, and finally achieves a call to a chosen kernel function, which is used to read and write kernel memory, modify the exploiting process's Token privileges, and achieve EoP.

Analysis

   This analysis was done on Windows 10 1809.

   First, when CreateDC is called in user mode, execution enters the win32k kernel call win32kfull!NtGdiResetDC and then win32kbase!hdcOpenDCW. The call stack is as follows:

   win32kbase!PDEVOBJ::PDEVOBJ
   win32kbase!hdcOpenDCW+0x240
   win32kfull!GreResetDCInternal+0x11a
   win32kfull!NtGdiResetDC+0xd6
   nt!KiSystemServiceCopyEnd+0x25
   win32u!NtGdiResetDC+0x14
   gdi32full!ResetDCWInternal+0x16b
   GDI32!ResetDCW+0x31
   CVE_2021_40449!main

   The user-mode callbacks occur mainly in win32kbase!PDEVOBJ::PDEVOBJ, which should be the initialization function of the PDEV object and is related to the HDC parameter passed in to win32kfull!NtGdiResetDC. There are two user callbacks in this initialization function: PDEVOBJ::EnablePDEV and PDEVOBJ::CompletePDEV. Both operate mainly on the PDEV object inside the HDC; the PDEV object's memory is allocated through PDEV::Allocate.





   After the initialization function finishes, execution returns to hdcOpenDCW and continues to GreCreateDisplayDC. This function initializes a PDC object and stores the memory address of the PDEV object initialized above at offset +0x30 of the PDC.



   The DC handle value HDC at offset 0 of the PDC is then returned; it is also the return value of win32kbase!hdcOpenDCW, which returns it to win32kfull!GreResetDCInternal.

  The HDC returned by hdcOpenDCW is passed to DCOBJ::DCOBJ, which returns the memory address of the PDC object that hdcOpenDCW initialized.



   Next, the function pointer at offset 0xAB8 of the PDEV object is read and executed. Note that this PDEV is not the one initialized in hdcOpenDCW in the previous step, but the one generated by the CreateDC call made in user mode before calling ResetDC. To distinguish them, this article calls its handle HDC_user.

  The function parameter of GreResetDCInternal is HDC_user. It is likewise passed through DCOBJ::DCOBJ, which returns the PDC_user object; offset 0x30 of that object holds the memory address of the PDEV_user object.

   The function pointer at offset 0xAB8 of PDEV_user is taken and UMPDDrvResetPDEV is executed. Its parameters are the pointers at offset 0x708 of PDEV_user and PDEV_kernel, which point to their respective DEVMODE structures. There is also a user-mode callback here, but it is not considered, because within the scope of this vulnerability's exploitation it is mainly the pointer that matters.



   After the UMPDDrvResetPDEV callback completes, win32kbase!HmgSwapLockedHandleContents is executed. This function swaps the HDC values at the start of PDC_user and PDC_kernel, along with the reference count values of the PDCs, which completes the DEVMODE modification.



   Then the reference count values of both PDC objects are decremented by 1, and win32kbase!bDeleteDCInternal is called: the PDEV object pointed to by the pointer at offset 0x30 of the PDC object indexed by HDC_kernel has its reference count decremented by 1, bringing the value to 0. Because of the earlier HmgSwap operation, this PDC and PDEV are actually the objects originally pointed to by the HDC passed in by the user.

   According to MSDN, "when the counter drops to zero, the object is released" and "once the handle count is reduced to zero, the object's name is deleted from the object manager's namespace". This means the object can be reclaimed. Since hdcOpenDCW contains user callbacks, performing ResetDC once more on the same HDC inside the user callback reduces the reference count of the PDEV object corresponding to that HDC to 0; the PDEV object is then reclaimed, the callback ends, and execution returns to the kernel.

   As for the vulnerability trigger point: it is the original UMPDDrvResetPDEV call site, which occurs after hdcOpenDCW. The address of the called function is obtained from PDEV_user, so by reclaiming the object, the target of that call can be changed to a kernel read/write function.
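   A constructed model in C of the reference-count flow just described, added here as an example and not code from the original post or from win32k: the structure names, the count values and the "hold a reference across the callback" mitigation are assumptions. With a re-entrant ResetDC in the callback, the outer call reads PDEV_user after its count reached zero; holding an extra reference for the duration of the callback keeps the object alive until the outer call is done with it.

```c
#include <string.h>

/* Constructed model of the reference-count flow in GreResetDCInternal (not win32k code).
   The names, the count values and the "pin" mitigation are assumptions for illustration. */
typedef struct { int refs; int freed; } pdev_t;  /* stands in for PDEV */
typedef struct { pdev_t *pdev; } pdc_t;           /* stands in for PDC; pdev is the +0x30 pointer */

/* Objects are never really freed, so a stale use stays observable through .freed. */
static pdev_t pool[16];
static int next_obj;

static pdev_t *pdev_alloc(void) {                  /* PDEV::Allocate: count starts at 1 */
    pdev_t *p = &pool[next_obj++]; p->refs = 1; return p;
}
static void pdev_release(pdev_t *p) {              /* freed when the count drops to zero */
    if (--p->refs == 0) p->freed = 1;
}

static int reset_dc(pdc_t *hdc_user, int reenter, int pin);

/* User-mode callback reached from hdcOpenDCW (PDEVOBJ::EnablePDEV); when
   `reenter` is set it calls ResetDC again on the same HDC, as the text describes. */
static void enable_pdev_callback(pdc_t *hdc_user, int reenter, int pin) {
    if (reenter) reset_dc(hdc_user, 0, pin);
}

/* Models GreResetDCInternal. Returns 1 if the kernel side used a freed PDEV. */
static int reset_dc(pdc_t *hdc_user, int reenter, int pin) {
    pdev_t *pdev_user = hdc_user->pdev;            /* pointer read before the callback */
    if (pin) pdev_user->refs++;                    /* mitigation: own a reference meanwhile */
    pdev_t *pdev_kernel = pdev_alloc();            /* hdcOpenDCW creates PDEV_kernel ... */
    enable_pdev_callback(hdc_user, reenter, pin);  /* ... and runs the user callback */
    int uaf = pdev_user->freed;                    /* UMPDDrvResetPDEV reads PDEV_user+0xAB8 */
    pdev_t *swapped = hdc_user->pdev;              /* HmgSwapLockedHandleContents: the */
    hdc_user->pdev = pdev_kernel;                  /* kernel DC now owns the old PDEV ... */
    pdev_release(swapped);                         /* ... and bDeleteDCInternal drops it */
    if (pin) pdev_release(pdev_user);              /* give the pinned reference back */
    return uaf;
}

/* pin=0 reproduces the bug; pin=1 shows the extra reference keeping PDEV_user alive. */
int demo(int pin) {
    memset(pool, 0, sizeof pool); next_obj = 0;
    pdc_t hdc_user = { pdev_alloc() };             /* CreateDC: the user's HDC and its PDEV */
    return reset_dc(&hdc_user, 1, pin);
}
```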

Exploitation

   Exploiting this UAF vulnerability mainly consists of the following steps:

  1. Use NtQuerySystemInformation to obtain the kernel location of the exploiting process's Token.Privileges;
  2. Leak a kernel function that can be used for kernel writes; the most common choice here is nt!RtlSetAllBits;
  3. Construct a Fake_RTL_BITMAP as the parameter of nt!RtlSetAllBits. Most exploits construct it through the ThreadName approach, but a piece of user-mode memory can also be allocated manually for the construction;
  4. Hook the user callback DrvEnablePDEV (hooking DrvCompletePDEV can successfully reclaim the object, but the vulnerability trigger point cannot then be reached). In the hook function, execute ResetDC again on the same HDC; after it returns, use the constructed Fake Palette to reclaim the freed PDEV object, then end the current callback;
  5. The vulnerability triggers, all privilege bits of the current process are enabled, and the privilege escalation is complete.

   The comparison of the memory layout before and after reclaiming inside the hook function is as follows:



  After the PDEV object is successfully reclaimed, the callback completes and returns to GreResetDCInternal, where the successful call to nt!RtlSetAllBits can be seen.



  nt!RtlSetAllBits takes only rcx as a parameter, and the first parameter rcx at the vulnerability trigger point can also be specified through the reclaimed object.

  nt!RtlSetAllBits takes the QWORD at offset 0x08 of the address in rcx as the destination address for writing, and the DWORD at offset 0 of rcx divided by 0x40 as the count. On each write the value of the rax register is written to the target address; rax is fixed at 0xffffffffffffffff.





  POC code.

Summary

   This time, when analyzing this vulnerability, I tried not to look at the POCs publicly available on the Internet and to find the vulnerability only according to Kaspersky's article. It took a lot of time and I ran into many problems. For example, when looking for the vulnerability there was no BSOD, and !pool would not immediately show the object memory state change to free, so I still peeked at some public POCs to make sure my direction was right.

  Hmm, in the end I finished the POC. Although it took a long time and the code is sloppy, and it is less versatile than those excellent POCs, I still gained a lot: at least every corner of the code around the vulnerability has been turned over, and some pitfalls can be avoided next time.

References

[1] MysterySnail attacks with Windows zero-day

[2] CVE-2021-40449 Exploitation
