Microsoft Windows Local Privilege Escalation Vulnerability

Vulnerability ID: 1121148
Vulnerability type: Permissions, privileges and access control
Published: 2012-05-18
Updated: 2012-06-04
CVE: CVE-2012-0181
CNNVD ID: CNNVD-201205-146
Platform: Windows
CVSS score: 7.2
|Sources
https://www.exploit-db.com/exploits/18894
https://www.securityfocus.com/bid/53326
https://cxsecurity.com/issue/WLB-2012050077
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201205-146
|Details
Microsoft Windows is a family of operating systems released by Microsoft Corporation (USA). The kernel-mode driver win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2 and R2 SP1, Windows 7 Gold and SP1, and Windows 8 Consumer Preview contains a vulnerability caused by improper handling of keyboard layout files. A local user can exploit it via a crafted application to gain elevated privileges. It is also known as the "Keyboard Layout File Vulnerability".
|Exploit
===========
Description
===========

    Windows XP keyboard layouts pool corruption 0day PoC, post-MS12-034.

    The vulnerability exists in the function win32k!ReadLayoutFile(), which parses
    keyboard layout file data. Possible attack vector: local privilege
    escalation.

    A similar vuln (CVE-2012-0183) was patched recently, but I wonder that
    Microsoft missed rewriting the vulnerable code on Windows XP, and this PoC
    is still able to crash a fully-patched XP SP3.
    
    However, the pool corruption is not fully controllable, and developing a
    reliable code-execution exploit is quite a difficult task.

    --------------------------------

    By Oleksiuk Dmytro (aka Cr4sh)
    
    http://twitter.com/d_olex
    http://blog.cr4.sh
    mailto:dmitry@esagelab.com

    --------------------------------

    Typical bugcheck:


    *******************************************************************************
    *                                                                             *
    *                        Bugcheck Analysis                                    *
    *                                                                             *
    *******************************************************************************

    PAGE_FAULT_IN_NONPAGED_AREA (50)
    Invalid system memory was referenced.  This cannot be protected by try-except,
    it must be protected by a Probe.  Typically the address is just plain bad or it
    is pointing at freed memory.
    Arguments:
    Arg1: e10650d3, memory referenced.
    Arg2: 00000000, value 0 = read operation, 1 = write operation.
    Arg3: bf881fb6, If non-zero, the instruction address which referenced the bad memory
    address.
    Arg4: 00000001, (reserved)

    Debugging Details:
    ------------------


    READ_ADDRESS:  e10650d3 Paged pool

    FAULTING_IP: 
    win32k!ReadLayoutFile+183
    bf881fb6 803800          cmp     byte ptr [eax],0

    MM_INTERNAL_CODE:  1

    IMAGE_NAME:  win32k.sys

    DEBUG_FLR_IMAGE_TIMESTAMP:  4f85831a

    MODULE_NAME: win32k

    FAULTING_MODULE: bf800000 win32k

    DEFAULT_BUCKET_ID:  DRIVER_FAULT

    BUGCHECK_STR:  0x50

    PROCESS_NAME:  win32k_Keyboard

    TRAP_FRAME:  b191c884 -- (.trap 0xffffffffb191c884)
    ErrCode = 00000000
    eax=e10650d3 ebx=e105b008 ecx=e105b008 edx=00000000 esi=e106ac08 edi=e105c008
    eip=bf881fb6 esp=b191c8f8 ebp=b191c90c iopl=0         nv up ei ng nz na po nc
    cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010282
    win32k!ReadLayoutFile+0x183:
    bf881fb6 803800          cmp     byte ptr [eax],0           ds:0023:e10650d3=??
    Resetting default scope

    LAST_CONTROL_TRANSFER:  from 804f7b8b to 80527c24

    STACK_TEXT:  
    b191c3c0 804f7b8b 00000003 e10650d3 00000000 nt!RtlpBreakWithStatusInstruction
    b191c40c 804f8778 00000003 00000000 c0708328 nt!KiBugCheckDebugBreak+0x19
    b191c7ec 804f8ca3 00000050 e10650d3 00000000 nt!KeBugCheck2+0x574
    b191c80c 8051cc4f 00000050 e10650d3 00000000 nt!KeBugCheckEx+0x1b
    b191c86c 805405f4 00000000 e10650d3 00000000 nt!MmAccessFault+0x8e7
    b191c86c bf881fb6 00000000 e10650d3 00000000 nt!KiTrap0E+0xcc
    b191c90c bf881e25 e208f8e8 e10611c8 e105c008 win32k!ReadLayoutFile+0x183
    b191c92c bf8b9574 800003a4 00000000 00000000 win32k!LoadKeyboardLayoutFile+0x6a
    b191c9b4 bf92a002 82273e08 800003a4 04090409 win32k!xxxLoadKeyboardLayoutEx+0x1b1
    b191c9f0 bf8b91b5 82273e08 0000003c 04090409 win32k!xxxSafeLoadKeyboardLayoutEx+0xa9
    b191cd40 8053d6f8 0000003c 00000000 0012fec8 win32k!NtUserLoadKeyboardLayoutEx+0x164
    b191cd40 004011c4 0000003c 00000000 0012fec8 nt!KiFastCallEntry+0xf8
    0012ff7c 004015de 00000001 00363c48 00362e80 win32k_KeyboardLayout_expl!NtUserLoadKeyboardLayoutEx+0x14 [x:\dev\_exploits\_local\win32k_keyboardlayout_expl\win32k_keyboardlayout_expl\win32k_keyboardlayout_expl.cpp @ 37]
    0012ffc0 7c817077 00330036 00360038 7ffdd000 win32k_KeyboardLayout_expl!__tmainCRTStartup+0x10f [f:\dd\vctools\crt_bld\self_x86\crt\src\crtexe.c @ 586]
    0012fff0 00000000 00401726 00000000 78746341 kernel32!BaseProcessStart+0x23


    STACK_COMMAND:  kb

    FOLLOWUP_IP: 
    win32k!ReadLayoutFile+183
    bf881fb6 803800          cmp     byte ptr [eax],0

    SYMBOL_STACK_INDEX:  6

    SYMBOL_NAME:  win32k!ReadLayoutFile+183

    FOLLOWUP_NAME:  MachineOwner

    FAILURE_BUCKET_ID:  0x50_win32k!ReadLayoutFile+183

    BUCKET_ID:  0x50_win32k!ReadLayoutFile+183

    Followup: MachineOwner
    ---------

===
POC
===

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/18894.zip
|Affected products
Microsoft Windows XP Service Pack 3 0
Microsoft Windows XP Professional x64 Edition SP2
Microsoft Windows Vista x64 Edition SP2
Microsoft Windows Vista SP2
Microsoft Windows Server 2008 R
|References

Source: MS
Name: MS12-034
Link: http://technet.microsoft.com/security/bulletin/MS12-034
Source: SECUNIA
Name: 49120
Link: http://secunia.com/advisories/49120
Source: NSFOCUS
Name: 19568
Link: http://www.nsfocus.net/vulndb/19568