[ros-bugs] [Bug 1487] New: Information disclosure and DoS security hole in MmCreatePeb

ReactOS.Bugzilla at reactos.org ReactOS.Bugzilla at reactos.org
Mon May 15 07:35:50 CEST 2006


http://www.reactos.org/bugzilla/show_bug.cgi?id=1487

           Summary: Information disclosure and DoS security hole in
                    MmCreatePeb
           Product: ReactOS
           Version: TRUNK
          Platform: x86 Hardware
        OS/Version: ReactOS
            Status: NEW
          Severity: minor
          Priority: P3
         Component: Kernel
        AssignedTo: ros-bugs at reactos.org
        ReportedBy: myriachan at cox.net
         QAContact: ros-bugs at reactos.org


MmCreatePeb trusts the layout of the PE file mapped into the memory of a new
process.  It is possible to abuse this trust to read arbitrary kernel memory
DWORDs or cause a bugcheck in the kernel.

From ntoskrnl/mm/process.c:

        ImageConfigData = RtlImageDirectoryEntryToData(Peb->ImageBaseAddress,
                                                       TRUE,
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG,
                                                       &ViewSize);

Here, the pointer returned to the load config table can be anything the user
EXE says, including within kernel space.

Later, MmCreatePeb copies the CSDVersion from the EXE's load config table to
the new PEB:

Peb->OSCSDVersion = ImageConfigData->CSDVersion;

If the EXE was intentionally corrupted to have an ImageConfigData pointing to
kernel memory, MmCreatePeb will copy it to the new PEB where the exploiting EXE
can read it.

Later:

ProcessAffinityMask = ImageConfigData->ProcessAffinityMask;

Again, same problem.

In addition to allowing reading of arbitrary memory locations, this can be used
to bluescreen the kernel - an exception in PspCreateProcess is not handled.

The solution is to do a ProbeForRead and copy the ImageConfigData->CSDVersion
and ImageConfigData->ProcessAffinityMask entries from inside an _SEH_TRY block.
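The following is an added, user-mode model of the range check that ProbeForRead enforces before the two fields are copied; it is example code for this report, not ReactOS source. The function name, the struct size and the user/kernel boundary constant are assumptions chosen for the example, and the in-kernel exception handling (_SEH_TRY around the copies) is represented here simply by returning false for an untrusted pointer. The scenarios at the bottom use a constructed 64 KiB image mapped at 0x00400000.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed user/kernel boundary for a 32-bit layout without /3GB
 * (assumption for this example; the kernel uses MmUserProbeAddress). */
#define EXAMPLE_USER_LIMIT 0x7FFF0000u

/* Assumed size of the load config directory structure (placeholder). */
#define EXAMPLE_LOAD_CONFIG_SIZE 0x40u

/* Decide whether a load config table returned by the PE directory lookup
 * may be dereferenced: the whole structure must lie inside the mapped
 * image view, the view must be entirely below kernel space, and none of
 * the end-of-range computations may wrap around the address space.
 * This mirrors what ProbeForRead rejects; it is not the kernel routine. */
bool load_config_in_user_image(uintptr_t image_base, size_t view_size,
                               uintptr_t table, size_t table_size)
{
    uintptr_t image_end;
    uintptr_t table_end;

    if (table_size == 0)
        return false;

    /* An image mapping whose end wraps is not a usable view. */
    if (image_base > UINTPTR_MAX - view_size)
        return false;
    image_end = image_base + view_size;

    /* A table near the top of the address space would wrap; refuse it
     * instead of letting table + size compare as a small address. */
    if (table > UINTPTR_MAX - table_size)
        return false;
    table_end = table + table_size;

    /* The structure must sit fully inside the image view... */
    if (table < image_base || table_end > image_end)
        return false;

    /* ...and the view itself must be below the user limit, so a
     * directory RVA that lands in kernel space can never be read. */
    if (image_end > EXAMPLE_USER_LIMIT)
        return false;

    return true;
}

/* Constructed scenarios; returns how many of the four inputs are refused. */
int demo(void)
{
    const uintptr_t base = 0x00400000u;   /* constructed image base */
    const size_t view = 0x10000;          /* constructed 64 KiB view */
    const size_t cfg = EXAMPLE_LOAD_CONFIG_SIZE;
    int rejected = 0;

    /* 1. table inside the image: trusted */
    rejected += !load_config_in_user_image(base, view, base + 0x3000, cfg);
    /* 2. table pointing into kernel space (the scenario in this report) */
    rejected += !load_config_in_user_image(base, view, 0x80000000u, cfg);
    /* 3. table starting inside the image but overhanging its end */
    rejected += !load_config_in_user_image(base, view, base + view - 8, cfg);
    /* 4. table whose end would wrap around the address space */
    rejected += !load_config_in_user_image(base, view, UINTPTR_MAX - 8, cfg);

    return rejected;
}

int main(void)
{
    printf("%d of 4 constructed load config pointers refused\n", demo());
    return 0;
}
```

The overhang and wrap-around cases matter because a check that only compares the start address against the image bounds still lets the CSDVersion and ProcessAffinityMask reads run past the mapping; checking the end of the structure, with the overflow guard, closes that.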

Microsoft Windows is not affected, at least as of XP32 SP2.

