
Bitmap object Use-after-Free #2

The attached PoC triggers a blue screen due to a use after free vulnerability. The crashes are unreliable, however you can use Special Pool in order to get reliable crashes ( see below ). The crashes indicate that it is possible to write to arbitrary addresses. Crash without Special Pool:


*** Fatal System Error: 0x0000000a
                       (0x00000000,0x00000002,0x00000001,0x82AB566F)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Tue Mar 31 11:24:03.150 2015 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
...............................................
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {0, 2, 1, 82ab566f}

*** WARNING: Unable to verify checksum for a31.exe
*** ERROR: Module load completed but symbols could not be loaded for a31.exe
Probably caused by : win32k.sys ( win32k!W32PIDLOCK::vLockSingleThread+14 )

Followup: MachineOwner
---------

Assertion: *** DPC watchdog timeout
    This is NOT a break in update time
    This is most likely a BUG in an ISR
    Perform a stack trace to find the culprit
    The period will be doubled on continuation
    Use gh to continue!!

nt!KeAccumulateTicks+0x3c5:
82aba38c cd2c            int     2Ch
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: 00000000, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 82ab566f, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  00000000 

CURRENT_IRQL:  1c

FAULTING_IP: 
nt!KeWaitForSingleObject+373
82ab566f 8939            mov     dword ptr [ecx],edi

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  a31.exe

TRAP_FRAME:  97433acc -- (.trap 0xffffffff97433acc)
ErrCode = 00000002
eax=85247580 ebx=85247578 ecx=00000000 edx=00000000 esi=8531fd48 edi=8531fe08
eip=82ab566f esp=97433b40 ebp=97433ba0 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!KeWaitForSingleObject+0x373:
82ab566f 8939            mov     dword ptr [ecx],edi  ds:0023:00000000=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82ab9853 to 82aba38c

STACK_TEXT:  
97433568 82ab9853 0002625a 00000000 0000a600 nt!KeAccumulateTicks+0x3c5
974335a8 82ab9700 82a210a8 b44c75c4 00000000 nt!KeUpdateRunTime+0x145
97433600 82ab8f03 97433602 97433602 000000d1 nt!KeUpdateSystemTime+0x613
97433600 82a210a8 97433602 97433602 000000d1 nt!KeUpdateSystemTimeAssist+0x13
97433684 82a0fb8c 00001000 00000000 974336e4 hal!READ_PORT_USHORT+0x8
97433694 82a0fcf5 82b1df92 3235ebba 00000065 hal!HalpCheckPowerButton+0x2e
97433698 82b1df92 3235ebba 00000065 00000000 hal!HaliHaltSystem+0x7
974336e4 82b1ea39 00000003 00000000 82ab566f nt!KiBugCheckDebugBreak+0x73
97433aac 82a7fb4f 0000000a 00000000 00000002 nt!KeBugCheck2+0x68b
97433aac 82ab566f 0000000a 00000000 00000002 nt!KiTrap0E+0x1b3
97433ba0 9539a4c6 85247578 00000006 00000000 nt!KeWaitForSingleObject+0x373
97433bb8 95397337 fe9e3728 97433be8 95396115 win32k!W32PIDLOCK::vLockSingleThread+0x14
97433bc4 95396115 210109de 0026f74c 953fb057 win32k!DC::vSetRendering+0x53
97433bd8 953ead4d ffb84008 00000001 00000000 win32k!DEVLOCKOBJ::bLock+0x265
97433c20 82a7c896 210109de 00000003 00000010 win32k!GreSetICMMode+0x3d
97433c20 778e70f4 210109de 00000003 00000010 nt!KiSystemServicePostCall
0026f734 77341864 7734181e 210109de 00000003 ntdll!KiFastSystemCallRet
0026f738 7734181e 210109de 00000003 00000010 GDI32!NtGdiSetIcmMode+0xc
0026f750 773417cf 210109de 000e0740 00000000 GDI32!IcmSelectColorTransform+0x4a
0026f770 77341870 210109de 000e0740 00000000 GDI32!IcmDeleteLocalDC+0x21
0026f790 76075439 210109de 0026f808 000512ef GDI32!GdiReleaseDC+0x6b
0026f79c 000512ef 00000000 210109de 001f0334 USER32!ReleaseDC+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
0026f808 000516d8 00000001 00292d08 00292d48 a31+0x12ef
0026f850 75d5ee1c 7ffdf000 0026f89c 779037eb a31+0x16d8
0026f85c 779037eb 7ffdf000 77b85930 00000000 kernel32!BaseThreadInitThunk+0xe
0026f89c 779037be 00051755 7ffdf000 00000000 ntdll!__RtlUserThreadStart+0x70
0026f8b4 00000000 00051755 7ffdf000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  kb

FOLLOWUP_IP: 
win32k!W32PIDLOCK::vLockSingleThread+14
9539a4c6 c3              ret

SYMBOL_STACK_INDEX:  b

SYMBOL_NAME:  win32k!W32PIDLOCK::vLockSingleThread+14

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  54ee8ecd

FAILURE_BUCKET_ID:  0xA_win32k!W32PIDLOCK::vLockSingleThread+14

BUCKET_ID:  0xA_win32k!W32PIDLOCK::vLockSingleThread+14

Followup: MachineOwner
---------




The issue reproduces reliably with Special Pool ( https://msdn.microsoft.com/en-us/library/windows/hardware/ff551832%28v=vs.85%29.aspx ) enabled for win32k.sys. The resulting crash output looks as follows:


*******************************************************************************
*
* This is the string you add to your checkin description
* Driver Verifier: Enabled for win32k.sys on Build 7601 Swoke0cxHt9I3y4CfWvmAH
*
*******************************************************************************
nt!DbgLoadImageSymbols+0x47:
82a36578 cc              int     3
kd> g

*** Fatal System Error: 0x0000000a
                       (0xBFBFBFE7,0x00000002,0x00000001,0x82A94579)

Break instruction exception - code 80000003 (first chance)

A fatal system error has occurred.
Debugger entered on first try; Bugcheck callbacks have not been invoked.

A fatal system error has occurred.

Connected to Windows 7 7601 x86 compatible target at (Tue Mar 31 11:55:25.308 2015 (UTC + 2:00)), ptr64 FALSE
Loading Kernel Symbols
...............................................................
................................................................
.........................
Loading User Symbols
...............................................
Loading unloaded module list
....
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

Use !analyze -v to get detailed debugging information.

BugCheck A, {bfbfbfe7, 2, 1, 82a94579}

*** WARNING: Unable to verify checksum for a31.exe
*** ERROR: Module load completed but symbols could not be loaded for a31.exe
Probably caused by : win32k.sys ( win32k!W32PIDLOCK::vLockSingleThread+14 )

Followup: MachineOwner
---------

Assertion: *** DPC watchdog timeout
    This is NOT a break in update time
    This is most likely a BUG in an ISR
    Perform a stack trace to find the culprit
    The period will be doubled on continuation
    Use gh to continue!!

nt!KeAccumulateTicks+0x3c5:
82a9938c cd2c            int     2Ch
kd> !analyze -v
*******************************************************************************
*                                                                             *
*                        Bugcheck Analysis                                    *
*                                                                             *
*******************************************************************************

IRQL_NOT_LESS_OR_EQUAL (a)
An attempt was made to access a pageable (or completely invalid) address at an
interrupt request level (IRQL) that is too high.  This is usually
caused by drivers using improper addresses.
If a kernel debugger is available get the stack backtrace.
Arguments:
Arg1: bfbfbfe7, memory referenced
Arg2: 00000002, IRQL
Arg3: 00000001, bitfield :
	bit 0 : value 0 = read operation, 1 = write operation
	bit 3 : value 0 = not an execute operation, 1 = execute operation (only on chips which support this level of status)
Arg4: 82a94579, address which referenced memory

Debugging Details:
------------------


WRITE_ADDRESS:  bfbfbfe7 

CURRENT_IRQL:  1c

FAULTING_IP: 
nt!KeWaitForSingleObject+27d
82a94579 f00fba2807      lock bts dword ptr [eax],7

DEFAULT_BUCKET_ID:  WIN7_DRIVER_FAULT

BUGCHECK_STR:  0xA

PROCESS_NAME:  a31.exe

TRAP_FRAME:  930fca9c -- (.trap 0xffffffff930fca9c)
ErrCode = 00000002
eax=bfbfbfe7 ebx=bfbfbfe7 ecx=8a4737c0 edx=00000000 esi=8a473760 edi=8a473820
eip=82a94579 esp=930fcb10 ebp=930fcb70 iopl=0         nv up ei pl zr na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010246
nt!KeWaitForSingleObject+0x27d:
82a94579 f00fba2807      lock bts dword ptr [eax],7   ds:0023:bfbfbfe7=????????
Resetting default scope

LAST_CONTROL_TRANSFER:  from 82a98853 to 82a9938c

STACK_TEXT:  
930fc538 82a98853 0002625a 00000000 00007100 nt!KeAccumulateTicks+0x3c5
930fc578 82a98700 82e4b0a8 40799a77 00000000 nt!KeUpdateRunTime+0x145
930fc5d0 82a97f03 930fc502 930fc502 000000d1 nt!KeUpdateSystemTime+0x613
930fc5d0 82e4b0a8 930fc502 930fc502 000000d1 nt!KeUpdateSystemTimeAssist+0x13
930fc654 82e39b8c 00001000 00000000 930fc6b4 hal!READ_PORT_USHORT+0x8
930fc664 82e39cf5 82afcf92 26f0a881 00000065 hal!HalpCheckPowerButton+0x2e
930fc668 82afcf92 26f0a881 00000065 00000000 hal!HaliHaltSystem+0x7
930fc6b4 82afda39 00000003 bfbfbfe7 82a94579 nt!KiBugCheckDebugBreak+0x73
930fca7c 82a5eb4f 0000000a bfbfbfe7 00000002 nt!KeBugCheck2+0x68b
930fca7c 82a94579 0000000a bfbfbfe7 00000002 nt!KiTrap0E+0x1b3
930fcb70 82d5b9b3 bfbfbfe7 00000006 00000000 nt!KeWaitForSingleObject+0x27d
930fcba0 9366a4c6 bfbfbfe7 00000006 00000000 nt!VerifierKeWaitForSingleObject+0xfe
930fcbb8 93667337 fbf1e728 930fcbe8 93666115 win32k!W32PIDLOCK::vLockSingleThread+0x14
930fcbc4 93666115 0c01021a 0016fbf0 936cb057 win32k!DC::vSetRendering+0x53
930fcbd8 936bad4d fef78130 00000001 00000000 win32k!DEVLOCKOBJ::bLock+0x265
930fcc20 82a5b896 0c01021a 00000003 00000010 win32k!GreSetICMMode+0x3d
930fcc20 774770f4 0c01021a 00000003 00000010 nt!KiSystemServicePostCall
0016fbd8 76871864 7687181e 0c01021a 00000003 ntdll!KiFastSystemCallRet
0016fbdc 7687181e 0c01021a 00000003 00000010 GDI32!NtGdiSetIcmMode+0xc
0016fbf4 768717cf 0c01021a 00050740 00000000 GDI32!IcmSelectColorTransform+0x4a
0016fc14 76871870 0c01021a 00050740 00000000 GDI32!IcmDeleteLocalDC+0x21
0016fc34 759e5439 0c01021a 0016fcac 002c12ef GDI32!GdiReleaseDC+0x6b
0016fc40 002c12ef 00000000 0c01021a 0003017c USER32!ReleaseDC+0x18
WARNING: Stack unwind information not available. Following frames may be wrong.
0016fcac 002c16d8 00000001 00362a70 00362ab0 a31+0x12ef
0016fcf4 771bee1c 7ffdb000 0016fd40 774937eb a31+0x16d8
0016fd00 774937eb 7ffdb000 7740fde2 00000000 kernel32!BaseThreadInitThunk+0xe
0016fd40 774937be 002c1755 7ffdb000 00000000 ntdll!__RtlUserThreadStart+0x70
0016fd58 00000000 002c1755 7ffdb000 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  kb

FOLLOWUP_IP: 
win32k!W32PIDLOCK::vLockSingleThread+14
9366a4c6 c3              ret

SYMBOL_STACK_INDEX:  c

SYMBOL_NAME:  win32k!W32PIDLOCK::vLockSingleThread+14

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: win32k

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  54ee8ecd

FAILURE_BUCKET_ID:  0xA_VRF_win32k!W32PIDLOCK::vLockSingleThread+14

BUCKET_ID:  0xA_VRF_win32k!W32PIDLOCK::vLockSingleThread+14

Followup: MachineOwner
---------


