Windows Kernel stack memory disclosure in DeviceApi (PiDqIrpQueryGetResult, PiDqIrpQueryCreate, PiDqQueryCompletePendedIrp)
CVE-2017-8474
We have discovered that it is possible to disclose portions of uninitialized kernel stack memory to user-mode applications in Windows 10 through the PiDqIrpQueryGetResult, PiDqIrpQueryCreate, PiDqQueryCompletePendedIrp IOCTLs sent to the \Device\DeviceApi device. The analysis shown below was performed on Windows 10 1607 32-bit.
The output buffer size expected for each of the aforementioned IOCTLs is 16 (0x10), and the copying of the output data takes place in the nt!PiDqIrpComplete function:
--- cut ---
PAGE:0068183C cmp dword ptr [eax+0Ch], 470007h
PAGE:00681843 jz short loc_681867
PAGE:00681845 mov esi, [ebp+arg_4]
PAGE:00681848 mov edi, [ecx+0Ch]
PAGE:0068184B movsd
PAGE:0068184C movsd
PAGE:0068184D movsd
PAGE:0068184E movsd
[...]
PAGE:00681867 loc_681867:
PAGE:00681867 and [ebp+ms_exc.registration.TryLevel], 0
PAGE:0068186B mov esi, [ebp+arg_4]
PAGE:0068186E mov edi, [ecx+3Ch]
PAGE:00681871 movsd
PAGE:00681872 movsd
PAGE:00681873 movsd
PAGE:00681874 movsd
--- cut ---
Clearly, all 16 bytes are unconditionally copied from kernel to user-mode memory. In the cases of all three IOCTL handlers, the kernel copies of the structure are placed on the local stack. Interestingly, the only function responsible for filling out the structure (nt!PiDqQueryGetNextIoctlInfo) only ever touches its first 8 bytes:
--- cut ---
PAGE:00680927 mov dword ptr [eax], 470007h
[...]
PAGE:00680940 mov [eax+4], ecx
[...]
PAGE:00680948 cmp [eax+4], ecx
[...]
PAGE:0068094D cmp [eax+4], edx
[...]
PAGE:00680952 cmp [eax+4], edi
[...]
PAGE:00680957 mov [eax+4], edi
[...]
PAGE:0068095C mov dword ptr [eax], 470008h
PAGE:00680962 mov dword ptr [eax+4], 10h
[...]
PAGE:0068097E mov [eax+4], ecx
[...]
PAGE:00680983 mov [eax+4], edx
--- cut ---
As a result, the trailing 8 bytes of the structure remain uninitialized and are leaked in their original form to user-mode. This can be easily tested with a kernel debugger (WinDbg), by setting a breakpoint on e.g. nt!PiDqIrpQueryGetResult, manually filling out the structure memory with a marker byte (0xcc), then setting a breakpoint on nt!PiDqIrpComplete and observing that half of the memory area being copied into ring-3 still has the marker data:
--- cut ---
1: kd> bp nt!PiDqIrpQueryGetResult
1: kd> g
Breakpoint 0 hit
nt!PiDqIrpQueryGetResult:
81e91324 6a44 push 44h
1: kd> p
nt!PiDqIrpQueryGetResult+0x2:
81e91326 686807e181 push offset nt!RtlpMuiRegValidateConfigNode+0x8ff (81e10768)
1: kd> p
nt!PiDqIrpQueryGetResult+0x7:
81e9132b e86460ebff call nt!_SEH_prolog4 (81d47394)
1: kd> p
nt!PiDqIrpQueryGetResult+0xc:
81e91330 8bc1 mov eax,ecx
1: kd> eb ebp-54 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
1: kd> ? ebp-54
Evaluate expression: -868562492 = cc3ac9c4
1: kd> bp PiDqIrpComplete+4b
1: kd> g
Breakpoint 1 hit
nt!PiDqIrpComplete+0x4b:
81e94871 a5 movs dword ptr es:[edi],dword ptr [esi]
1: kd> ? esi
Evaluate expression: -868562492 = cc3ac9c4
1: kd> ? edi
Evaluate expression: 141332072 = 086c8e68
1: kd> u
nt!PiDqIrpComplete+0x4b:
81e94871 a5 movs dword ptr es:[edi],dword ptr [esi]
81e94872 a5 movs dword ptr es:[edi],dword ptr [esi]
81e94873 a5 movs dword ptr es:[edi],dword ptr [esi]
81e94874 a5 movs dword ptr es:[edi],dword ptr [esi]
81e94875 c745fcfeffffff mov dword ptr [ebp-4],0FFFFFFFEh
81e9487c ebd1 jmp nt!PiDqIrpComplete+0x29 (81e9484f)
81e9487e 83611c00 and dword ptr [ecx+1Ch],0
81e94882 ebd1 jmp nt!PiDqIrpComplete+0x2f (81e94855)
1: kd> db esi esi+10-1
cc3ac9c4 08 00 47 00 10 00 00 00-cc cc cc cc cc cc cc cc ..G.............
--- cut ---
Repeatedly triggering the vulnerability could allow local authenticated attackers to defeat certain exploit mitigations (kernel ASLR) or read other secrets stored in the kernel address space.
This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available, the bug report will become visible to the public.
Found by: mjurczyk