In this post i will show you the second kernel bug that i found in the Kernel of Windows 7 SP1 (64-bit). This one is in the "nt!NtSetInformationProcess" function.
Description:
With the "ProcessInformationClass" parameter set to ProcessIoPriority 0x21, passing certain signed values e.g. 0xFFFFFFFF or 0x8000F129 in the variable pointed to by the "ProcessInformation" parameter to the ntdll "ZwSetInformationProcess" function can be abused to arbitrarily set certain bit flags of the corresponding "_EPROCESS" structure e.g. DefaultIoPriority: Pos 27, ProcessSelfDelete : Pos 30, or SetTimerResolutionLink: Pos 31.
Bug Type:
This is due to a signedness error in the "nt!NtSetInformationProcess" function.
32-Bit kernel:
64-bit kernel:
Impact:
1) The signed value leads to bypassing the check for the "SeIncreaseBasePriorityPrivile ge" privilege that is required to set the process's IO priority to HIGH.
2) The signed value leads to bypassing the check for disallowed values for the process's IO priority e.g. the bug can be abused to set the process's IO priority to CRITICAL.
3) Setting the "ProcessSelfDelete" flag, which makes the target process non-killable by conventional methods.
4) Setting the "SetTimerResolutionLink" flag, which causes a BSOD (Bug check code of 0x3B) if we terminate the process due to a null pointer dereference bug.
Poc:
Non-Killable Process
BSOD
Code:
http://pastebin.com/QejGQXib
Status:
Reported to the vendor.
Any comments or ideas are very welcome. You can also follow me on Twitter @waleedassar
Description:
With the "ProcessInformationClass" parameter set to ProcessIoPriority 0x21, passing certain signed values e.g. 0xFFFFFFFF or 0x8000F129 in the variable pointed to by the "ProcessInformation" parameter to the ntdll "ZwSetInformationProcess" function can be abused to arbitrarily set certain bit flags of the corresponding "_EPROCESS" structure e.g. DefaultIoPriority: Pos 27, ProcessSelfDelete : Pos 30, or SetTimerResolutionLink: Pos 31.
Bug Type:
This is due to a signedness error in the "nt!NtSetInformationProcess" function.
32-Bit kernel:
64-bit kernel:
Impact:
1) The signed value leads to bypassing the check for the "SeIncreaseBasePriorityPrivile
2) The signed value leads to bypassing the check for disallowed values for the process's IO priority e.g. the bug can be abused to set the process's IO priority to CRITICAL.
3) Setting the "ProcessSelfDelete" flag, which makes the target process non-killable by conventional methods.
4) Setting the "SetTimerResolutionLink" flag, which causes a BSOD (Bug check code of 0x3B) if we terminate the process due to a null pointer dereference bug.
Poc:
Non-Killable Process
BSOD
Code:
http://pastebin.com/QejGQXib
Status:
Reported to the vendor.
Any comments or ideas are very welcome. You can also follow me on Twitter @waleedassar