CVE-2019-1164
Information
- This crash occurs at win32kfull!vStrWrite01+0x8e as a result of a non-paged pointer dereference
BugCheck:
PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced. This cannot be protected by try except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffff340f5fff7c, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: ffffff64de821aee, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)
Stack at crash:
nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x952
nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x1d2ff1
nt!MmAccessFault+0x34f
nt!KiPageFault+0x35a
win32kfull!vStrWrite01+0x8e
win32kfull!EngStretchBltNew+0xc89
win32kfull!EngStretchBlt+0xd1
win32kfull!EngStretchBltROP+0x319
win32kfull!BLTRECORD::bStretch+0x37f
win32kfull!GreStretchBltInternal+0x721
win32kfull!NtGdiStretchBlt+0x68
nt!KiSystemServiceCopyEnd+0x25
win32u!NtGdiStretchBlt+0x14
gdi32full!StretchBlt+0xaf
GDI32!StretchBltStub+0x90
poc!main+0x77 [r:\poc\main.c @ 11]
Registers:
rax=ffffffffffffffdf rbx=0000000000000000 rcx=000000000000001e
rdx=ffffff3400664038 rsi=0000000000000000 rdi=0000000000000000
rip=ffffff64de821aee rsp=ffff840dc3beeb50 rbp=ffff840dc3beebb9
r8=ffffff340f5fff7c r9=fffffffffffffbfe r10=0000000000000008
r11=ffffff64de800000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0 nv up ei pl nz na po nc
win32kfull!vStrWrite01+0x8e:
ffffff64`de821aee 418b10 mov edx,dword ptr [r8] ds:ffffff34`0f5fff7c=????????
Reproduce:
- Compile the attached PoC and copy it to the target machine
- Enable verifier flags 0x9 for the win32k drivers
- Run the compiled PoC; the machine will crash with a BSOD
PoC:
attached
Attachments:
main.c
References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1164
https://research.checkpoint.com/2020/bugs-on-the-windshield-fuzzing-the-windows-kernel/