Microsoft Windows Kernel - Out-of-Bounds Read in nt!MiRelocateImage While Parsing Malformed PE File (Vulnerability / Exploit)
Discovered: 2019-10-10 | Type: dos | Platform: windows
We have encountered a Windows kernel crash in memcpy() called by nt!MiRelocateImage while trying to load a malformed PE image into the process address space as a data file (i.e. LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE)). An example crash log generated after triggering the bug is shown below:
--- cut ---
*** Fatal System Error: 0x00000050
(0xFFFFF8017519A200,0x0000000000000000,0xFFFFF801713CF660,0x0000000000000000)
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffff8017519a200, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffff801713cf660, If non-zero, the instruction address which referenced the bad memory
address.
Arg4: 0000000000000000, (reserved)
[...]
TRAP_FRAME: ffffc50241846ba0 -- (.trap 0xffffc50241846ba0)
NOTE: The trap frame does not contain all registers.
Some register values may be zeroed or incorrect.
rax=ffffcf84d2228de0 rbx=0000000000000000 rcx=ffffcf84d2228fb8
rdx=0000287ca2f71248 rsi=0000000000000000 rdi=0000000000000000
rip=fffff801713cf660 rsp=ffffc50241846d38 rbp=ffffc50241846fb0
r8=000000000000000c r9=0000000000000001 r10=00000000ffffffff
r11=ffffcf84d2228fb8 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na pe cy
nt!memcpy+0x20:
fffff801`713cf660 488b0411 mov rax,qword ptr [rcx+rdx] ds:fffff801`7519a200=????????????????
Resetting default scope
LAST_CONTROL_TRANSFER: from fffff801714a6642 to fffff801713c46a0
--- cut ---
The issue reproduces on Windows 8.1, Windows 10 and their corresponding Server editions (32-bit and 64-bit, Special Pools not required). The crash occurs when any system component calls LoadLibraryEx(LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE) against the file, either directly or through another API such as GetFileVersionInfoSizeExW() or GetFileVersionInfoW(). In practice, this means that as soon as the file is displayed in Explorer, or the user hovers the cursor over it, tries to open the file properties, tries to rename it, or performs any other similar action, the system will panic. In other words, merely downloading such a file may permanently block the user's machine until they remove it through Recovery Mode or similar means. The attack scenario is similar to the one described in https://www.fortinet.com/blog/threat-research/microsoft-windows-remote-kernel-crash-vulnerability.html. Due to the nature of the bug (an OOB read), it could also potentially be exploited as an information disclosure primitive.
We haven't managed to significantly minimize the test cases, but we determined that the crash is related to the invalid value of the Base Relocation Table directory address in the PE headers.
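As an added example (not part of the original report or of the attached proof-of-concept archive), the following Python script performs the kind of header sanity check a file-triage pipeline or mail gateway could run on a PE file before any loader touches it: it locates the Base Relocation Table data directory, checks that its RVA and size fall within SizeOfImage, that the range is backed by a section present in the file, and that the IMAGE_BASE_RELOCATION blocks inside it fit the directory. Header offsets follow the PE/COFF specification. build_sample_pe() is a constructed fixture for exercising the checker; it is not a reproducer of the crash above, and since the report does not state the exact malformation in its test cases, the checker flags the general class of inconsistency rather than a known trigger.

```python
import struct
import sys

# Constants from the PE/COFF specification (not from the report).
IMAGE_DOS_SIGNATURE = 0x5A4D
IMAGE_NT_SIGNATURE = 0x00004550
IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def check_reloc_directory(data: bytes) -> list:
    """Return a list of findings; an empty list means the relocation directory looks consistent."""
    findings = []
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        return ["not a PE file (missing MZ signature)"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return ["bad e_lfanew or missing PE signature"]
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if opt + 2 > len(data):
        return ["optional header truncated"]
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        return [f"unknown optional header magic 0x{magic:x}"]
    if dirs_off + 8 * (IMAGE_DIRECTORY_ENTRY_BASERELOC + 1) > len(data):
        return ["optional header truncated before the relocation directory entry"]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    if ndirs <= IMAGE_DIRECTORY_ENTRY_BASERELOC:
        return findings  # no relocation directory entry at all; nothing to validate
    reloc_rva, reloc_size = struct.unpack_from(
        "<II", data, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC)
    if reloc_rva == 0 and reloc_size == 0:
        return findings  # image carries no relocations
    # 1. The directory must lie inside the mapped image.
    if reloc_rva >= size_of_image or reloc_rva + reloc_size > size_of_image:
        findings.append(f"relocation directory RVA 0x{reloc_rva:x} size 0x{reloc_size:x} "
                        f"lies outside SizeOfImage 0x{size_of_image:x}")
        return findings
    # 2. It must be backed by a section whose raw data exists in the file.
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + 40 * i
        if off + 40 > len(data):
            findings.append("section table truncated")
            return findings
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((va, vsize, rawsize, rawptr))
    sec = next((s for s in sections if s[0] <= reloc_rva < s[0] + max(s[1], s[2])), None)
    if sec is None:
        findings.append(f"relocation directory RVA 0x{reloc_rva:x} is not backed by any section")
        return findings
    va, vsize, rawsize, rawptr = sec
    if reloc_rva + reloc_size > va + max(vsize, rawsize):
        findings.append("relocation directory crosses the end of its section")
        return findings
    if reloc_rva - va >= rawsize:
        findings.append("relocation directory lies in the uninitialized tail of its section")
        return findings
    # 3. Walk the IMAGE_BASE_RELOCATION blocks; each must fit in the directory.
    pos = rawptr + (reloc_rva - va)
    end = min(pos + min(reloc_size, rawsize - (reloc_rva - va)), len(data))
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", data, pos)
        if block_size < 8 or pos + block_size > end:
            findings.append(f"relocation block at file offset 0x{pos:x} has bad SizeOfBlock 0x{block_size:x}")
            break
        if page_rva >= size_of_image:
            findings.append(f"relocation block targets page RVA 0x{page_rva:x} beyond SizeOfImage")
            break
        pos += block_size
    return findings


def build_sample_pe(reloc_rva: int, reloc_size: int, reloc_blob: bytes = b"") -> bytes:
    """Constructed PE32+ fixture: one .reloc section at RVA 0x1000 / file offset 0x200, SizeOfImage 0x2000.
    Test input for the checker only; not derived from the report's files."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x2022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<Q", opt, 24, 0x180000000)         # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)      # SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, 0x200)      # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 108, 16)                 # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_BASERELOC, reloc_rva, reloc_size)
    sect = struct.pack("<8sIIIIIIHHI", b".reloc", 0x1000, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x42000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return headers + reloc_blob.ljust(0x200, b"\0")


if __name__ == "__main__":
    # Usage: python check_reloc.py <file.exe|file.dll>; prints findings and exits non-zero if any.
    with open(sys.argv[1], "rb") as f:
        result = check_reloc_directory(f.read())
    print("\n".join(result) if result else "relocation directory OK")
    sys.exit(1 if result else 0)
```

The checks are ordered so that the cheapest, most decisive inconsistency is reported first (directory outside the image), and the block walk only runs once the directory is known to be backed by real file data; that ordering keeps the checker itself from reading out of bounds on exactly the kind of input it is meant to catch.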
Attached is an archive with two proof-of-concept PE images and the corresponding original files used to generate them. Please be careful when unpacking the ZIP as Windows may crash immediately once it sees the corrupted files on disk.
Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/47489.zip