Information

  • This null-pointer dereference is known to be usable for privilege escalation on Windows 7
  • With the right flags set in the HDC, an arbitrary function can be called at win32kfull!NtGdiGradientFill+0x4b6

BugCheck:

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: ffffc93928981c86, Address of the instruction which caused the bugcheck
Arg3: ffff8d8a2f7f1d10, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Stack at crash:

nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x952
nt!KeBugCheckEx+0x107
nt!KiBugCheckDispatch+0x69
nt!KiSystemServiceHandler+0x7c
nt!RtlpExecuteHandlerForException+0xf
nt!RtlDispatchException+0x4a5
nt!KiDispatchException+0x16e
nt!KiExceptionDispatch+0x11d
nt!KiPageFault+0x445
win32kfull!NtGdiGradientFill+0x416
win32kfull!NtGdiGradientFill+0x1c4
nt!KiSystemServiceCopyEnd+0x25
win32u!NtGdiGradientFill+0x14
gdi32full!GdiGradientFill+0x108

Registers:

rax=0000000000110000 rbx=0000000000000000 rcx=ffff8d8a2f7f2894
rdx=0000000000000002 rsi=0000000000000001 rdi=0000000000000000
rip=ffffc93928981c86 rsp=ffff8d8a2f7f2700 rbp=ffff8d8a2f7f2800
 r8=0000000000000003  r9=00000000000000a0 r10=ffffc90d4d1baf20
r11=0000000000000007 r12=0000000000000007 r13=ffffc90d4d34eff0
r14=ffffc90d49fb52c0 r15=ffffc90d4d34ef80
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b            efl=00050246
win32kfull!NtGdiGradientFill+0x416:
ffffc939`28981c86 8b4328          mov     eax,dword ptr [rbx+28h] ds:002b:00000000`00000028=????????
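A triage helper added here as an example (it is not part of the original report or of the attached poc.c): it parses the bugcheck arguments, register dump and faulting instruction above and classifies the fault as a null-pointer dereference, which is the check an analyst runs on a crash dump before deciding whether a report like this is a plain denial of service or an elevation-of-privilege candidate. The sample text embedded in the script is copied from the crash output on this page; the 64 KiB near-null threshold is an assumption chosen for the example.

```python
import re

# Constructed sample for this example: the bugcheck arguments, register lines
# and faulting instruction copied from the crash output in the report.
SAMPLE_CRASH = """\
SYSTEM_SERVICE_EXCEPTION (3b)
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: ffffc93928981c86, Address of the instruction which caused the bugcheck
Arg3: ffff8d8a2f7f1d10, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.
rax=0000000000110000 rbx=0000000000000000 rcx=ffff8d8a2f7f2894
rdx=0000000000000002 rsi=0000000000000001 rdi=0000000000000000
win32kfull!NtGdiGradientFill+0x416:
ffffc939`28981c86 8b4328          mov     eax,dword ptr [rbx+28h] ds:002b:00000000`00000028=????????
"""

STATUS_ACCESS_VIOLATION = 0xC0000005
# Assumption used for classification: a faulting address below 64 KiB is
# treated as a null pointer plus a small field offset.
NULL_PAGE_LIMIT = 0x10000

_BUGCHECK_RE = re.compile(r"^([A-Z_]+) \(([0-9a-f]+)\)", re.M)
_ARG_RE = re.compile(r"^Arg(\d): ([0-9a-f]+),", re.M)
_REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-f]{16})")
_FRAME_RE = re.compile(r"^(\w+!\w+(?:\+0x[0-9a-f]+)?):\s*$", re.M)
_DEREF_RE = re.compile(r"ds:[0-9a-f]{4}:([0-9a-f`]+)=")
_OPERAND_RE = re.compile(r"\[(r[a-z0-9]{1,2})(?:\+([0-9a-f]+)h)?\]")


def parse_crash(text):
    """Extract bugcheck code, arguments, registers, faulting frame and the
    dereferenced address from WinDbg-style crash text."""
    m = _BUGCHECK_RE.search(text)
    info = {
        "name": m.group(1) if m else None,
        "code": int(m.group(2), 16) if m else None,
        "args": [int(v, 16) for _, v in sorted(_ARG_RE.findall(text))],
        "regs": {r: int(v, 16) for r, v in _REG_RE.findall(text)},
        "frame": None, "deref_addr": None, "base_reg": None, "offset": 0,
    }
    f = _FRAME_RE.search(text)
    if f:
        info["frame"] = f.group(1)
    d = _DEREF_RE.search(text)
    if d:
        # WinDbg prints 64-bit values with a backtick separator: strip it.
        info["deref_addr"] = int(d.group(1).replace("`", ""), 16)
    o = _OPERAND_RE.search(text)
    if o:
        info["base_reg"] = o.group(1)
        info["offset"] = int(o.group(2), 16) if o.group(2) else 0
    return info


def triage(info):
    """Classify the crash the way an analyst triages a kernel bugcheck:
    access violation through a near-null pointer vs. other invalid access."""
    exc = info["args"][0] if info["args"] else None
    base_val = info["regs"].get(info["base_reg"]) if info["base_reg"] else None
    result = {
        "category": "other",
        "frame": info["frame"],
        "deref_addr": info["deref_addr"],
        "base_reg": info["base_reg"],
        "base_is_null": base_val == 0,  # cross-check operand base register against the dump
    }
    if exc == STATUS_ACCESS_VIOLATION and info["deref_addr"] is not None:
        if info["deref_addr"] < NULL_PAGE_LIMIT:
            result["category"] = "null_pointer_dereference"
            result["note"] = (
                f"read of 0x{info['deref_addr']:x} via {info['base_reg']}+0x{info['offset']:x} "
                f"in {info['frame']}; review for elevation-of-privilege exposure on builds "
                "where user mode can map the null page, otherwise a denial of service"
            )
        else:
            result["category"] = "invalid_kernel_access"
            result["note"] = f"access violation at 0x{info['deref_addr']:x} in {info['frame']}"
    else:
        result["note"] = f"bugcheck {info['name']} with exception {exc}: not an access violation"
    return result


if __name__ == "__main__":
    print(triage(parse_crash(SAMPLE_CRASH)))
```

The cross-check of the operand base register (rbx) against the register dump is what separates a genuine null-pointer dereference from a wild pointer that happens to land near zero; on this report rbx is 0 and the offset 0x28 is a field access, which matches the first bullet under Information.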

Reproduce:

  1. Compile the attached PoC and copy it to the target machine
  2. Run the compiled PoC; the machine will crash with a BSOD

PoC:
attached

Attachments:
poc.c

References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1256