In this post I will show you the second kernel bug I found in the kernel of Windows 7 SP1 (64-bit). This one is in the "nt!NtSetInformationProcess" function.
Description:
With the "ProcessInformationClass" parameter set to ProcessIoPriority (0x21), passing certain negative (signed) values, e.g. 0xFFFFFFFF or 0x8000F129, in the variable pointed to by the "ProcessInformation" parameter of the ntdll "ZwSetInformationProcess" function can be abused to set certain bit flags of the corresponding "_EPROCESS" structure, e.g. DefaultIoPriority (bit position 27), ProcessSelfDelete (bit position 30) or SetTimerResolutionLink (bit position 31).
Bug Type:
This is due to a signedness error in the "nt!NtSetInformationProcess" function: the caller-supplied IO priority value is compared as a signed integer, so a value with the sign bit set passes the range and privilege checks that are meant to reject it.
32-bit kernel:
64-bit kernel:
Impact:
1) The signed value bypasses the check for the "SeIncreaseBasePriorityPrivilege" privilege that is required to set the process's IO priority to HIGH.
2) The signed value bypasses the check for disallowed values of the process's IO priority, e.g. the bug can be abused to set the process's IO priority to CRITICAL.
3) Setting the "ProcessSelfDelete" flag makes the target process non-killable by conventional methods.
4) Setting the "SetTimerResolutionLink" flag causes a BSOD (bug check code 0x3B, SYSTEM_SERVICE_EXCEPTION) when the process is terminated, due to a null pointer dereference.
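To make the signedness error concrete, here is a constructed C model of the check and of the flag merge, added to this post; it is not the kernel's code and not the PoC linked below. The IoPriority* constants are the public IO_PRIORITY_HINT values, and the bit positions are the ones named above. The assumption that the unmasked value is shifted straight into the flags word is mine, chosen because it reproduces what the post describes (0x8000F129 yields a Low priority plus ProcessSelfDelete, 0xFFFFFFFF sets DefaultIoPriority, ProcessSelfDelete and SetTimerResolutionLink at once). The hardened variant beside it shows the two changes that close the hole: compare unsigned, and mask before storing.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the ProcessIoPriority path of NtSetInformationProcess.
 * NOT the kernel's code: only the signedness error, the flag bit positions
 * and the observed effects are taken from the post; the exact merge is assumed.
 */

/* Public IO_PRIORITY_HINT values (winnt.h). */
enum {
    IoPriorityVeryLow  = 0,
    IoPriorityLow      = 1,
    IoPriorityNormal   = 2,
    IoPriorityHigh     = 3,
    IoPriorityCritical = 4
};

/* _EPROCESS flag positions named in the post (Windows 7 SP1 x64). */
#define DEFAULT_IO_PRIORITY_SHIFT 27u
#define DEFAULT_IO_PRIORITY_MASK  (7u << DEFAULT_IO_PRIORITY_SHIFT) /* bits 27..29 */
#define PROCESS_SELF_DELETE       (1u << 30)
#define SET_TIMER_RESOLUTION_LINK (1u << 31)

#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_PRIVILEGE_NOT_HELD 0xC0000061u

/* Stand-in for the flags word of _EPROCESS. */
struct eprocess_model { uint32_t Flags; };

static uint32_t default_io_priority(const struct eprocess_model *p) {
    return (p->Flags & DEFAULT_IO_PRIORITY_MASK) >> DEFAULT_IO_PRIORITY_SHIFT;
}

/*
 * Vulnerable variant. The caller-supplied DWORD is compared as a signed int, so
 * any value with the sign bit set is "less than" IoPriorityHigh and passes both
 * the range check and the privilege gate. The merge (assumed) shifts the value
 * in unmasked, so bits 3 and 4 of the value land on ProcessSelfDelete and
 * SetTimerResolutionLink.
 */
static uint32_t set_io_priority_vulnerable(struct eprocess_model *p,
                                           uint32_t value, bool has_privilege)
{
    int32_t v = (int32_t)value;                       /* signedness error */
    if (v > IoPriorityHigh)                           /* Critical is disallowed */
        return STATUS_INVALID_PARAMETER;
    if (v >= IoPriorityHigh && !has_privilege)        /* SeIncreaseBasePriorityPrivilege */
        return STATUS_PRIVILEGE_NOT_HELD;
    p->Flags = (p->Flags & ~DEFAULT_IO_PRIORITY_MASK)
             | (value << DEFAULT_IO_PRIORITY_SHIFT);  /* unmasked: high bits spill */
    return STATUS_SUCCESS;
}

/* Hardened variant: unsigned comparison and a masked store. */
static uint32_t set_io_priority_fixed(struct eprocess_model *p,
                                      uint32_t value, bool has_privilege)
{
    if (value > (uint32_t)IoPriorityHigh)
        return STATUS_INVALID_PARAMETER;
    if (value >= (uint32_t)IoPriorityHigh && !has_privilege)
        return STATUS_PRIVILEGE_NOT_HELD;
    p->Flags = (p->Flags & ~DEFAULT_IO_PRIORITY_MASK)
             | ((value & 7u) << DEFAULT_IO_PRIORITY_SHIFT);
    return STATUS_SUCCESS;
}

/* Wrappers for an unprivileged caller acting on a process with Flags == 0. */
static uint32_t vuln_status(uint32_t value)  { struct eprocess_model p = {0}; return set_io_priority_vulnerable(&p, value, false); }
static uint32_t vuln_flags(uint32_t value)   { struct eprocess_model p = {0}; set_io_priority_vulnerable(&p, value, false); return p.Flags; }
static uint32_t fixed_status(uint32_t value) { struct eprocess_model p = {0}; return set_io_priority_fixed(&p, value, false); }
static uint32_t fixed_flags(uint32_t value)  { struct eprocess_model p = {0}; set_io_priority_fixed(&p, value, false); return p.Flags; }

int main(void) {
    /* Constructed inputs: the two values from the post plus a few controls. */
    static const uint32_t inputs[] = { 0x00000002u, 0x00000003u, 0x00000004u,
                                       0xFFFFFFFFu, 0x8000F129u, 0x80000004u };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        struct eprocess_model v = {0}, f = {0};
        uint32_t sv = set_io_priority_vulnerable(&v, inputs[i], false);
        uint32_t sf = set_io_priority_fixed(&f, inputs[i], false);
        printf("value 0x%08X  vulnerable: status 0x%08X prio %u selfdel %d timerlink %d"
               "  fixed: status 0x%08X prio %u\n",
               inputs[i], sv, default_io_priority(&v),
               (v.Flags & PROCESS_SELF_DELETE) != 0,
               (v.Flags & SET_TIMER_RESOLUTION_LINK) != 0,
               sf, default_io_priority(&f));
    }
    return 0;
}
```

Build with any C99 compiler and run; each input is pushed through both variants. Under the model, 0x80000004 also passes the vulnerable check and lands exactly on IoPriorityCritical with no other flag set, which is impact item 2 above, while the fixed variant rejects every value with the sign bit set before anything is written.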
Poc:
Non-Killable Process
BSOD
Code:
http://pastebin.com/QejGQXib
Status:
Reported to the vendor.
Any comments or ideas are very welcome. You can also follow me on Twitter @waleedassar
Comments:

Nice job! This is a fantastic find, glad the good guys got it first!

Very cool finds! I am very impressed.

Nice code, but it works only with Win 7. On Win 8 it doesn't matter which version (x86 / x64), it doesn't work.

Unfortunately, I don't have Win8 to test on. I guess you have to disassemble the "NtSetInformationProcess" function in ntoskrnl.exe to see if it is affected by the bug.

What about older operating systems like Windows XP or Vista?

bug http://astr0baby.wordpress.com/2013/07/01/windows-8-1-64bit-msv1_0-dll-patch-update/
msvppasswordvalidate bypass

Affects Windows 8?