Information

  • The HDC used in PlgBlt needs to have the LAYOUT_RTL layout
  • The first POINT passed to PlgBlt should have y < 0
  • The crash occurs when the Height * Width given to PlgBlt is bigger than the bitmap dimensions
  • The crash occurs at win32kfull!prunPlgRead32+0xd5 as a result of a non-paged pointer dereference

BugCheck:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffabc084403370, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: ffffaba237e10c75, If non-zero, the instruction address which referenced the bad memory
	address.
Arg4: 0000000000000000, (reserved)

Stack at crash:

nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x962
nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x16ef8b
nt!MmAccessFault+0x1f8
nt!KiPageFault+0x3c7
win32kfull!prunPlgRead32+0xd5
win32kfull!EngPlgBlt+0xd7d
win32kfull!BLTRECORD::bRotate+0x570
win32kfull!GrePlgBlt+0x4aa
win32kfull!NtGdiPlgBlt+0x11a
nt!KiSystemServiceCopyEnd+0x13
win32u!NtGdiPlgBlt+0x14
gdi32full!PlgBlt+0xcf
poc!main+0xb2 [r:\poc\poc\main.c @ 19] 

Registers:

Some register values may be zeroed or incorrect.
rax=000000000000077f rbx=0000000000000000 rcx=0000000000000001
rdx=0000000000000000 rsi=0000000000000000 rdi=0000000000000000
rip=ffffaba237e10c75 rsp=ffffeb0748146f40 rbp=ffffeb0748147630
 r8=000002a09a590000  r9=ffffabc084402c60 r10=ffffaba237c90ef0
r11=ffffabc084402c60 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
win32kfull!prunPlgRead32+0xd5:
ffffaba2`37e10c75 458b26          mov     r12d,dword ptr [r14] ds:00000000`00000000=????????

Note: This appears in WinDbg as a null dereference because the faulting frame is not the one shown; if you place a breakpoint there you can see that the pointer refers to non-paged memory

Reproduce:

  1. Compile the attached PoC and copy it to the target machine
  2. Run the compiled PoC; the machine will crash with a BSOD

PoC:
attached
Attachments:
poc.c

References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1096
https://research.checkpoint.com/2020/bugs-on-the-windshield-fuzzing-the-windows-kernel/