This post is the first in a series of posts that will discuss several kernel bugs I have found in the Windows kernel. This post is about a bug found in the kernel of Windows 7 SP1 (64-bit).
Description:
With the "ThreadInformationClass" parameter set to ThreadIoPriority 0x16, passing certain signed values e.g. 0xFF3FFF3C or 0xFF3FFFFC in the variable pointed to by the "ThreadInformation" parameter to the ntdll "ZwSetInformationThread" function can be abused to arbitrarily set certain bit flags of the corresponding "_ETHREAD" structure e.g. ThreadIoPriority:3, ThreadPagePriority:3, RundownFail:1, or NeedsWorkingSetAging:1.
Bug Type:
This is due to a signedness error in the "nt!NtSetInformationThread" function.
32-bit kernel: (figure not preserved)
64-bit kernel: (figure not preserved)
Impact:
1) The signed value leads to bypassing the check for the "SeIncreaseBasePriorityPrivilege" privilege that is required to set the thread's IO priority to HIGH.
2) An unprivileged thread can use certain calculated signed values to escalate its IO priority and memory priority to maximum values e.g. Raise IO priority to CRITICAL or Page priority to 7.
3) Also, certain bit flags of the corresponding "_ETHREAD" structure can be set e.g. RundownFail and NeedsWorkingSetAging.
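As an added illustration (not the author's POC code), here is a user-mode C model of the signed-versus-unsigned comparison described above and of how the low byte of a value such as 0xFF3FFFFC maps onto the flag fields the post names. The check structure and the bit-field order are assumptions modelled on this post, not the kernel's actual code.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constants mirror the documented IO_PRIORITY_HINT order (VeryLow..Critical). */
enum { IoPriorityVeryLow = 0, IoPriorityLow, IoPriorityNormal, IoPriorityHigh, IoPriorityCritical };
enum result { ACCEPTED, REJECTED_INVALID, REJECTED_PRIVILEGE };

/* Vulnerable pattern (assumed from the post): the caller-supplied value is compared as a
 * signed integer, so a value with the sign bit set is "less than" IoPriorityHigh, passes
 * the upper bound and skips the privilege check entirely. */
enum result check_signed(int32_t io_priority, bool has_privilege) {
    if (io_priority > IoPriorityCritical) return REJECTED_INVALID;
    if (io_priority >= IoPriorityHigh && !has_privilege) return REJECTED_PRIVILEGE;
    return ACCEPTED;
}

/* Hardened pattern: compare as unsigned, so every out-of-range value, sign bit or not,
 * is rejected before anything is written into the thread object. */
enum result check_unsigned(uint32_t io_priority, bool has_privilege) {
    if (io_priority > (uint32_t)IoPriorityCritical) return REJECTED_INVALID;
    if (io_priority >= (uint32_t)IoPriorityHigh && !has_privilege) return REJECTED_PRIVILEGE;
    return ACCEPTED;
}

/* Simplified model of the _ETHREAD flag fields named in the post, in the order it lists
 * them; the real structure layout is not reproduced here (assumption). */
struct thread_flags {
    unsigned ThreadIoPriority     : 3;
    unsigned ThreadPagePriority   : 3;
    unsigned RundownFail          : 1;
    unsigned NeedsWorkingSetAging : 1;
};

/* Where the low byte of an unmasked value lands if it is stored into that bit-field. */
struct thread_flags flags_from_value(uint32_t value) {
    struct thread_flags f;
    f.ThreadIoPriority     = value & 0x7;
    f.ThreadPagePriority   = (value >> 3) & 0x7;
    f.RundownFail          = (value >> 6) & 0x1;
    f.NeedsWorkingSetAging = (value >> 7) & 0x1;
    return f;
}

int main(void) {
    const uint32_t v = 0xFF3FFFFCu;          /* one of the two values quoted in the post */
    struct thread_flags f = flags_from_value(v);
    printf("0x%08X: signed check=%d, unsigned check=%d -> Io=%u Page=%u RundownFail=%u WsAging=%u\n",
           v, check_signed((int32_t)v, false), check_unsigned(v, false),
           f.ThreadIoPriority, f.ThreadPagePriority, f.RundownFail, f.NeedsWorkingSetAging);
    return 0;
}
```

The signed variant accepts the value without the privilege, while the unsigned variant rejects it as out of range; the low byte 0xFC would set IO priority 4, page priority 7 and both single-bit flags.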
POC:
https://www.dropbox.com/s/x7zzx5r62h0k4uz/PriorityCheckBypass.exe
Code:
http://pastebin.com/TanNzkn9
Status:
Reported to the vendor and rejected for not being a security issue.
Any comments or ideas are very welcome. You can also follow me on Twitter @waleedassar