[ros-bugs] [Bug 1487] New: Information disclosure and DoS security hole in MmCreatePeb
ReactOS.Bugzilla at reactos.org
Mon May 15 07:35:50 CEST 2006
http://www.reactos.org/bugzilla/show_bug.cgi?id=1487
Summary: Information disclosure and DoS security hole in MmCreatePeb
Product: ReactOS
Version: TRUNK
Platform: x86 Hardware
OS/Version: ReactOS
Status: NEW
Severity: minor
Priority: P3
Component: Kernel
AssignedTo: ros-bugs at reactos.org
ReportedBy: myriachan at cox.net
QAContact: ros-bugs at reactos.org
MmCreatePeb trusts the layout of the PE file mapped into the memory of a new
process. It is possible to abuse this trust to read arbitrary kernel memory
DWORDs or cause a bugcheck in the kernel.
From ntoskrnl/mm/process.c:
    ImageConfigData = RtlImageDirectoryEntryToData(Peb->ImageBaseAddress,
                                                   TRUE,
                                                   IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
                                                   &ViewSize);
Here, the pointer returned to the load config table can be anything the user
EXE says, including within kernel space.
Later, MmCreatePeb copies the CSDVersion from the EXE's load config table to
the new PEB:
    Peb->OSCSDVersion = ImageConfigData->CSDVersion;
If the EXE was intentionally corrupted to have an ImageConfigData pointing to
kernel memory, MmCreatePeb will copy it to the new PEB where the exploiting EXE
can read it.
Later:
    ProcessAffinityMask = ImageConfigData->ProcessAffinityMask;
Again, same problem.
In addition to allowing reading of arbitrary memory locations, this can be used
to bluescreen the kernel - an exception in PspCreateProcess is not handled.
The solution is to do a ProbeForRead and copy the ImageConfigData->CSDVersion
and ImageConfigData->ProcessAffinityMask entries from inside an _SEH_TRY block.
Microsoft Windows is not affected, at least as of XP32 SP2.
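The following is an added example, not ReactOS code and not part of the bug report: a user-space model of the MmCreatePeb pattern described above. The mapped PE view is replaced by a constructed byte buffer, the load-config structure is a simplified stand-in with only the two fields the report names (not the real IMAGE_LOAD_CONFIG_DIRECTORY layout), and the kernel-only primitives the fix relies on (ProbeForRead, _SEH_TRY) are replaced by the explicit range check they enforce: the directory the header points at must lie wholly inside the mapped view before any field is read through it. The function names, offsets and field values are all assumptions chosen for the demonstration.

```c
/* Added example (not ReactOS code): user-space model of the MmCreatePeb
 * pattern. "image" is a constructed buffer standing in for the mapped PE
 * view; resolve_checked applies the range check that ProbeForRead/_SEH_TRY
 * provide in the kernel. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified stand-in for the load-config directory (not the real
 * IMAGE_LOAD_CONFIG_DIRECTORY layout); only the two fields the report names. */
struct load_config {
    uint32_t Size;
    uint32_t ProcessAffinityMask;
    uint16_t CSDVersion;
    uint16_t Reserved;
};

/* Data-directory entry as found in the (untrusted) PE optional header. */
struct dir_entry {
    uint32_t VirtualAddress;   /* RVA relative to the image base */
    uint32_t Size;
};

#define VIEW_SIZE       64     /* constructed: size of the mapped view */
#define DIR_ENTRY_OFF   0      /* constructed: where the directory entry sits */
#define LOAD_CONFIG_OFF 16     /* constructed: where the real data sits */

static uint8_t image[VIEW_SIZE];

/* Build the constructed image; the caller chooses the RVA the header claims. */
void build_image(uint32_t claimed_rva)
{
    struct dir_entry e = { claimed_rva, sizeof(struct load_config) };
    struct load_config lc = { sizeof(struct load_config), 0x3u, 0x0200u, 0 };
    memset(image, 0, sizeof image);
    memcpy(image + DIR_ENTRY_OFF, &e, sizeof e);
    memcpy(image + LOAD_CONFIG_OFF, &lc, sizeof lc);
}

/* The pattern the report describes: the RVA in the header is trusted and
 * turned straight into an address. Returned as an integer, not a pointer,
 * so the model never forms an out-of-bounds pointer itself. */
uintptr_t resolve_trusting(const uint8_t *base)
{
    struct dir_entry e;
    memcpy(&e, base + DIR_ENTRY_OFF, sizeof e);
    return (uintptr_t)base + e.VirtualAddress;
}

/* Hardened: the directory must lie wholly inside the mapped view, checked
 * with overflow-safe arithmetic, before any field is read through it. */
const struct load_config *resolve_checked(const uint8_t *base, size_t view_size)
{
    struct dir_entry e;
    memcpy(&e, base + DIR_ENTRY_OFF, sizeof e);
    if (e.Size < sizeof(struct load_config)) return NULL;
    if (e.VirtualAddress > view_size) return NULL;
    if (sizeof(struct load_config) > view_size - e.VirtualAddress) return NULL;
    return (const struct load_config *)(base + e.VirtualAddress);
}

/* The two copies MmCreatePeb makes into the PEB; 0 on success, -1 if the
 * directory was rejected (the image is refused instead of faulting). */
int read_peb_fields(uint32_t *csd, uint32_t *affinity)
{
    struct load_config lc;
    const struct load_config *p = resolve_checked(image, VIEW_SIZE);
    if (p == NULL) return -1;
    memcpy(&lc, p, sizeof lc);
    *csd = lc.CSDVersion;
    *affinity = lc.ProcessAffinityMask;
    return 0;
}

/* Well-formed image: both resolvers agree and the fields are read. */
int demo_valid(void)
{
    uint32_t csd = 0, aff = 0;
    build_image(LOAD_CONFIG_OFF);
    if (read_peb_fields(&csd, &aff) != 0) return 0;
    if (resolve_trusting(image) != (uintptr_t)image + LOAD_CONFIG_OFF) return 0;
    return csd == 0x0200u && aff == 0x3u;
}

/* Corrupted header: the trusting path computes an address whose structure
 * extends past the mapping, the checked path refuses the image. */
int demo_bogus(uint32_t claimed_rva)
{
    uint32_t csd = 0, aff = 0;
    build_image(claimed_rva);
    if (resolve_checked(image, VIEW_SIZE) != NULL) return 0;
    if (read_peb_fields(&csd, &aff) != -1) return 0;
    return resolve_trusting(image) + sizeof(struct load_config)
           > (uintptr_t)image + VIEW_SIZE;
}

int main(void)
{
    printf("valid image read:         %s\n", demo_valid() ? "ok" : "FAIL");
    printf("far-out RVA rejected:     %s\n", demo_bogus(0xF0000000u) ? "ok" : "FAIL");
    printf("overlapping end rejected: %s\n", demo_bogus(VIEW_SIZE - 4) ? "ok" : "FAIL");
    return 0;
}
```

The second rejected case (an RVA four bytes before the end of the view) is the one a naive `rva < view_size` test misses: the start is inside the mapping but the structure's tail is not, which is why the check compares the structure size against the remaining bytes rather than only the start address.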