Information

  • This crash occur at win32kfull!vStrWrite01+0x8e as result of non-paged pointer dereference

BugCheck:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: ffffff340f5fff7c, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: ffffff64de821aee, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000000, (reserved)

Stack at crash:

nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x952
nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x1d2ff1
nt!MmAccessFault+0x34f
nt!KiPageFault+0x35a
win32kfull!vStrWrite01+0x8e
win32kfull!EngStretchBltNew+0xc89
win32kfull!EngStretchBlt+0xd1
win32kfull!EngStretchBltROP+0x319
win32kfull!BLTRECORD::bStretch+0x37f
win32kfull!GreStretchBltInternal+0x721
win32kfull!NtGdiStretchBlt+0x68
nt!KiSystemServiceCopyEnd+0x25
win32u!NtGdiStretchBlt+0x14
gdi32full!StretchBlt+0xaf
GDI32!StretchBltStub+0x90
poc!main+0x77 [r:\poc\main.c @ 11] 

Registers:

rax=ffffffffffffffdf rbx=0000000000000000 rcx=000000000000001e
rdx=ffffff3400664038 rsi=0000000000000000 rdi=0000000000000000
rip=ffffff64de821aee rsp=ffff840dc3beeb50 rbp=ffff840dc3beebb9
 r8=ffffff340f5fff7c  r9=fffffffffffffbfe r10=0000000000000008
r11=ffffff64de800000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na po nc
win32kfull!vStrWrite01+0x8e:
ffffff64`de821aee 418b10          mov     edx,dword ptr [r8] ds:ffffff34`0f5fff7c=????????

Reproduce:

  1. Compile the poc attached and copy it to the target machine
  2. Enable verifier flags 0x9 to win32k drivers
  3. Run the compiled poc and machine will crash with BSOD

PoC:
attached


Attachments:
main.c

References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1164