sla-cker / google-security-research

Automatically exported from code.google.com/p/google-security-research

Kernel ASLR leak in win32k!zzzHideCursorNoCapture (via NtUserCallNoParam) #390

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
When calling the Win32k system call win32k!zzzHideCursorNoCapture (via NtUserCallNoParam), the return value of the function leaks a kernel-mode address to user mode.

This function returns type void, and so RAX - which holds the kernel-mode address of a PCURSOR object in kernel memory - is inappropriately returned to user mode.

This vulnerability gives local attackers the ability to de-ASLR the kernel from any permission level, and could be used to stabilize a local kernel-mode read/write vulnerability as part of a kernel-mode exploit.

Labels:
Vendor-Microsoft
Product-Windows-Kernel
Severity-Medium
PublicOn-? (e.g. PublicOn-2014-Jul-26)
Finder-MattTait
Reported-2015-May-19

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Original issue reported on code.google.com by mattt...@google.com on 18 May 2015 at 9:15
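The mechanism described in the report, modelled as an added example that is not part of the original issue and not Microsoft's code: a syscall dispatcher that hands back whatever the selected routine left in RAX, even when that routine is void at source level, beside a dispatcher that discards the register for void routines. The routine table, the `returns_value` flag, the `dispatch_*` and `is_x64_kernel_address` helpers, and the constructed `FAKE_PCURSOR` value are all assumptions made for illustration; the real NtUserCallNoParam routine index for zzzHideCursorNoCapture is not given on this page and is not used here. The only Windows-specific fact relied on is that x64 kernel-mode addresses lie at or above 0xFFFF800000000000, which is what the user-mode triage check tests.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel-mode PCURSOR address that the real
 * zzzHideCursorNoCapture leaves in RAX. Not a real address from the report. */
#define FAKE_PCURSOR 0xFFFFF90140A1B2C0ULL

/* A routine as the ABI sees it: the function returns "the value in RAX when
 * the callee returns". For a routine whose C prototype is void, that value
 * is whatever the routine last computed, not something it meant to return. */
typedef uint64_t (*routine_abi_t)(void);

struct routine {
    routine_abi_t fn;
    bool returns_value; /* assumed flag: does the C prototype return a value? */
};

/* Model of zzzHideCursorNoCapture: void at source level, but its last step
 * worked on the PCURSOR pointer, so that pointer is what remains in RAX. */
static uint64_t model_zzzHideCursorNoCapture(void)
{
    uint64_t pcursor = FAKE_PCURSOR;
    /* ... hide the cursor via pcursor (no real work in this model) ... */
    return pcursor; /* models the leftover register, not a C-level return */
}

/* A routine that legitimately returns a result to user mode. */
static uint64_t model_routine_with_result(void)
{
    return 1;
}

/* Hypothetical NtUserCallNoParam routine table (indices are made up). */
static const struct routine table[] = {
    { model_routine_with_result,     true  },
    { model_zzzHideCursorNoCapture,  false },
};
#define ROUTINE_COUNT (sizeof table / sizeof table[0])

/* Vulnerable dispatcher: whatever RAX holds goes straight back to user mode. */
uint64_t dispatch_vulnerable(unsigned idx)
{
    if (idx >= ROUTINE_COUNT)
        return 0;
    return table[idx].fn();
}

/* Fixed dispatcher: RAX of a void routine is discarded instead of returned. */
uint64_t dispatch_fixed(unsigned idx)
{
    if (idx >= ROUTINE_COUNT)
        return 0;
    uint64_t rax = table[idx].fn();
    return table[idx].returns_value ? rax : 0;
}

/* User-mode triage check: on x64 Windows, kernel-mode addresses start at
 * 0xFFFF800000000000, so any syscall return value in that range is a leak. */
bool is_x64_kernel_address(uint64_t v)
{
    return v >= 0xFFFF800000000000ULL;
}

int main(void)
{
    uint64_t leaked = dispatch_vulnerable(1);
    uint64_t fixed  = dispatch_fixed(1);
    printf("vulnerable dispatcher returned 0x%016llx (kernel address: %s)\n",
           (unsigned long long)leaked, is_x64_kernel_address(leaked) ? "yes" : "no");
    printf("fixed dispatcher returned      0x%016llx (kernel address: %s)\n",
           (unsigned long long)fixed, is_x64_kernel_address(fixed) ? "yes" : "no");
    return 0;
}
```

The same range check is the cheap way to fuzz a syscall surface for this bug class from user mode: call each routine index with no arguments, and flag any return value that `is_x64_kernel_address` accepts, since a void routine should never hand back a canonical high-half pointer.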

GoogleCodeExporter commented 9 years ago
Assigned MSRC case number MS-30380

Original comment by mattt...@google.com on 16 Jun 2015 at 1:12

GoogleCodeExporter commented 9 years ago
Assigned MSRC case 30380

Fixed in July 2015 Patch Tuesday

Original comment by mattt...@google.com on 10 Jul 2015 at 8:00

GoogleCodeExporter commented 9 years ago

Original comment by haw...@google.com on 12 Aug 2015 at 12:05

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 12 Aug 2015 at 11:31

GoogleCodeExporter commented 9 years ago

Original comment by mjurc...@google.com on 12 Aug 2015 at 11:35