CVE-2019-1256
Information
- We know that this Null pointer can be used for privilege escalation in windows 7
- In case of correct flags in the HDC it is possible to call an arbitrary function at win32kfull!NtGdiGradientFill+0x4b6
BugCheck:
SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: ffffc93928981c86, Address of the instruction which caused the bugcheck
Arg3: ffff8d8a2f7f1d10, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
Stack at crash:
nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x952
nt!KeBugCheckEx+0x107
nt!KiBugCheckDispatch+0x69
nt!KiSystemServiceHandler+0x7c
nt!RtlpExecuteHandlerForException+0xf
nt!RtlDispatchException+0x4a5
nt!KiDispatchException+0x16e
nt!KiExceptionDispatch+0x11d
nt!KiPageFault+0x445
win32kfull!NtGdiGradientFill+0x416
win32kfull!NtGdiGradientFill+0x1c4
nt!KiSystemServiceCopyEnd+0x25
win32u!NtGdiGradientFill+0x14
gdi32full!GdiGradientFill+0x108
Registers:
rax=0000000000110000 rbx=0000000000000000 rcx=ffff8d8a2f7f2894
rdx=0000000000000002 rsi=0000000000000001 rdi=0000000000000000
rip=ffffc93928981c86 rsp=ffff8d8a2f7f2700 rbp=ffff8d8a2f7f2800
r8=0000000000000003 r9=00000000000000a0 r10=ffffc90d4d1baf20
r11=0000000000000007 r12=0000000000000007 r13=ffffc90d4d34eff0
r14=ffffc90d49fb52c0 r15=ffffc90d4d34ef80
iopl=0 nv up ei pl zr na po nc
cs=0010 ss=0018 ds=002b es=002b fs=0053 gs=002b efl=00050246
win32kfull!NtGdiGradientFill+0x416:
ffffc939`28981c86 8b4328 mov eax,dword ptr [rbx+28h] ds:002b:00000000`00000028=????????
Reproduce:
- Compile the poc attached and copy it to the target machine
- Run the compiled poc and machine will crash with BSOD
PoC:
attached
Attachments:
poc.c
References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1256
https://research.checkpoint.com/2020/bugs-on-the-windshield-fuzzing-the-windows-kernel/