Kernel-mode ASLR leak via win32k!xxxDeferredDesktopRotation

[GoogleCodeExporter]

A Kernel-mode ASLR leak exists in the win32k!xxxDeferredDesktopRotation routine 
(exposed via win32k!NtUserCallNoParam).

This leak is caused by the function win32k!xxxDeferredDesktopRotation routine 
failing to sanitize the RAX/EAX return value, which is relayed back the 
unprivileged user-mode caller.

Most of the time, this function returns the value "1", and hence is not useful, 
however if a particular flag is set on the PDESKTOP object indicating that the 
desktop is currently undergoing a "smooth rotate" operation, the function 
instead leaks back the pointer value of the current PDESKTOP object to the 
user, and hence disclosing to the user the location of the kernel heap.

This flag is set during device rotation (for devices that have an integrated 
sensor, such as a Microsoft Surface device), however an equally valid (albeit 
less fun) way to trigger the vulnerability is via the 
win32k!xxxAutoRotateScreen, called via NtUserAutoRotateScreen.

Annoyingly, this syscall can only be called from within CSRSS, however it is 
possible to persuade CSRSS to make this call on a low-privileged accounts' 
behalf by connecting to CSRSS via a local ALPC to "\RPC 
Control\AutoRotateApiPort". CSRSS maintains a thread that listens on this ALPC 
port, and relays the "orientation" to the kernel.

Putting this altogether; a low privileged process "exploit.exe" can run one 
thread that sends a "device orientation" request to CSRSS via ALPC. CSRSS then 
calls NtUserAutoRotateScreen, which causes the "deferred rotate" flag to be set 
on the current user desktop. Back inside "exploit.exe" another thread 
continuously calls NtUserCallNoParam requesting the 
win32k!xxxDeferredDesktopRotation method. When the screen rotates, this leaks 
the PDESKTOP back to the usermode low-privileged "exploit.exe" on RAX.

This vulnerability affects Windows 8, Windows 8.1 and Windows 10; although the 
impact is limited for server editions of Windows (because CSRSS does not listen 
on the AutoRotateApi ALPC port for server editions) or for processes that make 
use of the "Win32kSyscallDisable" exploit mitigation in Windows 8.1 or Windows 
10.

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by mattt...@google.com on 9 Jun 2015 at 1:03

Attachments:

• turnaround.c

[GoogleCodeExporter]

Assigned MSRC case number MS-30405

Original comment by mattt...@google.com on 16 Jun 2015 at 1:11

[GoogleCodeExporter]

Assigned MSRC case 30405. 

Fixed in July 2015 Patch Tuesday

Original comment by mattt...@google.com on 10 Jul 2015 at 8:01

[GoogleCodeExporter]

Marking as fixed and derestricting.

Original comment by mjurc...@google.com on 12 Aug 2015 at 11:34

• Changed state: Fixed
• Added labels: CVE-2015-2382, Fixed-2015-Jul-14, MSRC-30405
• Removed labels: Restrict-View-Commit