Tuesday, February 12, 2013

Kernel Bug #1 ProcessIoPriority

In this post I will show you the second kernel bug that I found in the kernel of Windows 7 SP1 (64-bit). This one is in the "nt!NtSetInformationProcess" function.

Description:
With the "ProcessInformationClass" parameter set to ProcessIoPriority (0x21), passing certain negative (signed) values, e.g. 0xFFFFFFFF or 0x8000F129, in the variable pointed to by the "ProcessInformation" parameter of the ntdll "ZwSetInformationProcess" function can be abused to arbitrarily set certain bit flags of the corresponding "_EPROCESS" structure, e.g. DefaultIoPriority (Pos 27), ProcessSelfDelete (Pos 30) or SetTimerResolutionLink (Pos 31).

Bug Type:
This is due to a signedness error in the "nt!NtSetInformationProcess" function: the caller-supplied IO priority is compared as a signed integer, so a value with the sign bit set passes the range check even though it is far outside the allowed range.


32-bit kernel:


64-bit kernel:

Impact:

1) The signed value bypasses the check for the "SeIncreaseBasePriorityPrivilege" privilege that is required to set the process's IO priority to HIGH.

2) The signed value bypasses the check for disallowed values of the process's IO priority, e.g. the bug can be abused to set the process's IO priority to CRITICAL.

3) Setting the "ProcessSelfDelete" flag, which makes the target process non-killable by conventional methods.

4) Setting the "SetTimerResolutionLink" flag, which causes a BSOD (bug check code 0x3B) when the process is terminated, due to a null pointer dereference.
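The following is an added example, not the author's PoC (which is linked under "Code" below) and not the kernel's own code: it is a user-mode model of the check and the store described above, so the effect of a signed compare on the values 0xFFFFFFFF and 0x8000F129 can be traced without a Windows 7 box. The bit positions are the ones listed in the post; the exact shape of the kernel's check (a signed compare against IoPriorityHigh) and of the store (the accepted value shifted to bit 27 without being masked to 3 bits) are assumptions made for illustration. Under this model 0x8000F129 lands on ProcessSelfDelete with DefaultIoPriority 1, and 0xFFFFFFFF sets DefaultIoPriority to 7 together with ProcessSelfDelete and SetTimerResolutionLink; the unsigned variant rejects both.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Information class and IO priority hints (real Windows values). */
#define ProcessIoPriority 0x21
enum { IoPriorityVeryLow = 0, IoPriorityLow, IoPriorityNormal, IoPriorityHigh, IoPriorityCritical };

/* Real NTSTATUS codes. */
#define STATUS_SUCCESS            0x00000000u
#define STATUS_INVALID_PARAMETER  0xC000000Du
#define STATUS_PRIVILEGE_NOT_HELD 0xC0000061u

/* Bit layout of the Win7 _EPROCESS Flags dword, as listed in the post. */
#define DEFAULT_IO_PRIORITY_SHIFT 27u                 /* 3-bit field: bits 27..29 */
#define DEFAULT_IO_PRIORITY_MASK  (7u << DEFAULT_IO_PRIORITY_SHIFT)
#define PROCESS_SELF_DELETE       (1u << 30)
#define SET_TIMER_RESOLUTION_LINK (1u << 31)

/*
 * ASSUMED model of the range/privilege check (not the kernel's own code):
 * the caller-supplied ULONG is compared as a signed LONG. Anything with the
 * sign bit set compares below IoPriorityHigh and passes both checks.
 */
static uint32_t validate_signed(uint32_t value, bool has_increase_base_priority)
{
    int32_t v = (int32_t)value;                 /* 0xFFFFFFFF -> -1, 0x8000F129 -> negative */
    if (v > IoPriorityHigh)                     /* blocks CRITICAL (4) for positive values only */
        return STATUS_INVALID_PARAMETER;
    if (v == IoPriorityHigh && !has_increase_base_priority)
        return STATUS_PRIVILEGE_NOT_HELD;       /* HIGH needs SeIncreaseBasePriorityPrivilege */
    return STATUS_SUCCESS;
}

/* Same checks on the unsigned value: every value >= 4 is rejected, sign bit or not. */
static uint32_t validate_unsigned(uint32_t value, bool has_increase_base_priority)
{
    if (value > IoPriorityHigh)
        return STATUS_INVALID_PARAMETER;
    if (value == IoPriorityHigh && !has_increase_base_priority)
        return STATUS_PRIVILEGE_NOT_HELD;
    return STATUS_SUCCESS;
}

/*
 * ASSUMED model of the store: the accepted value is shifted into the
 * DefaultIoPriority field without first being masked to 3 bits, so value
 * bits 3 and 4 land on ProcessSelfDelete (30) and SetTimerResolutionLink (31).
 * The shift is done on a uint32_t, so it is well defined and high bits drop off.
 */
static uint32_t store_io_priority(uint32_t flags, uint32_t value)
{
    return (flags & ~DEFAULT_IO_PRIORITY_MASK) | (value << DEFAULT_IO_PRIORITY_SHIFT);
}

/* Status the caller gets back from the modelled handler. */
uint32_t set_io_priority_status(uint32_t value, bool has_priv, bool hardened)
{
    return hardened ? validate_unsigned(value, has_priv) : validate_signed(value, has_priv);
}

/* Flags left in the modelled _EPROCESS after the call (unchanged when rejected). */
uint32_t set_io_priority_flags(uint32_t flags, uint32_t value, bool has_priv, bool hardened)
{
    if (set_io_priority_status(value, has_priv, hardened) != STATUS_SUCCESS)
        return flags;
    return store_io_priority(flags, value);
}

unsigned decoded_io_priority(uint32_t flags)    { return (flags & DEFAULT_IO_PRIORITY_MASK) >> DEFAULT_IO_PRIORITY_SHIFT; }
bool has_self_delete(uint32_t flags)            { return (flags & PROCESS_SELF_DELETE) != 0; }
bool has_timer_resolution_link(uint32_t flags)  { return (flags & SET_TIMER_RESOLUTION_LINK) != 0; }

int main(void)
{
    /* Probe values: two legitimate hints and the two signed values from the post. */
    const uint32_t probes[] = { IoPriorityHigh, IoPriorityCritical, 0x8000F129u, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        uint32_t v = probes[i];
        uint32_t f = set_io_priority_flags(0, v, false, false);   /* unprivileged caller, signed check */
        printf("value 0x%08X: status 0x%08X flags 0x%08X -> DefaultIoPriority=%u SelfDelete=%d TimerResLink=%d (unsigned check: 0x%08X)\n",
               v, set_io_priority_status(v, false, false), f,
               decoded_io_priority(f), has_self_delete(f), has_timer_resolution_link(f),
               set_io_priority_status(v, false, true));
    }
    return 0;
}
```

The point to take from the model is that the range check and the bit-field store are only safe together: once a negative value passes the signed compare, every bit of it above the 3-bit field is written over the neighbouring flags, which is exactly why a single out-of-range integer yields three different impacts.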

PoC:

Non-Killable Process

BSOD

Code:
http://pastebin.com/QejGQXib

Status:
Reported to the vendor.

Any comments or ideas are very welcome. You can also follow me on Twitter @waleedassar

7 comments:

  1. Nice job! This is a fantastic find, glad the good guys got it first!

  2. Very cool finds! I am very impressed.

  3. Nice code but it works only with win 7. On win 8 it doesn't matter which version (x86 / x64), it doesn't work.

    Replies
1. Unfortunately, I don't have Win8 to test on. I guess you have to disassemble the "NtSetInformationProcess" function in ntoskrnl.exe to see if it is affected by the bug.

4. What about older operating systems like Windows XP or Vista?

  5. bug http://astr0baby.wordpress.com/2013/07/01/windows-8-1-64bit-msv1_0-dll-patch-update/

    msvppasswordvalidate bypass

  6. This comment has been removed by a blog administrator.
