Information

  • We know that HRGN handle which is used in GetDCEx need to be the same handle as win32kbase!ghrgnGDC. This handle is shared therefor we can get it from peb->GdiSharedHandleTable
  • We need to pass GetDCEx correct flag which is DCX_EXCLUDERGN
  • In order to trigger the crash it’s essential to enable special pool for win32kbase.sys and win32kfull.sys using the verifier.
  • We know that the crash occurs when the Height * Width in PlgBlt is bigger than the bitmap dimensions
  • This crash occur at win32kfull!GreUnlockRegion when trying to access freed memory

BugCheck:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try-except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffd2018e77af2c, memory referenced.
Arg2: 0000000000000002, value 0 = read operation, 1 = write operation.
Arg3: ffffd22d6924e50b, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)

Stack at crash:

nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x952
nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x1d2ff1
nt!MmAccessFault+0x34f
nt!KiPageFault+0x35a
win32kbase!GreUnlockRegion+0xb
win32kfull!NtUserGetDCEx+0x94
nt!KiSystemServiceCopyEnd+0x25
win32u!NtUserGetDCEx+0x14
poc!main+0x80 [r:\poc\poc\main.c @ 68]

Registers:

rax=0000000000000000 rbx=0000000000000000 rcx=ffffd2018e77af20
rdx=0000000000000001 rsi=0000000000000000 rdi=0000000000000000
rip=ffffd22d6924e50b rsp=ffff9f0fe56efa48 rbp=ffffd2018e77af20
 r8=0000000000000000  r9=0000000000000000 r10=0000000000000001
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz na pe nc
win32kbase!GreUnlockRegion+0xb:
ffffd22d`6924e50b f0ff490c        lock dec dword ptr [rcx+0Ch] ds:ffffd201`8e77af2c=????????

Reproduce:

  1. Compile the poc attached and copy it to the target machine
  2. Enable verifier flags 0x9 to win32k drivers
  3. Run the compiled poc and machine will crash with BSOD

PoC:
attached


Attachments:
main.c

References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1159