Information

  • This crash occurs at win32kbase!ulGetNearestIndexFromColorref+0x6f as a result of a null pointer dereference
  • We know that this null pointer can be used as a memory leak from the kernel on Windows 7
    - We know that this pointer is used later, after the return from the function XEPALOBJ::ulGetNearestFromPalentryNoExactMatc to win32kfull!CreateXlateObject, which can lead to an out-of-bounds write

BugCheck:

SYSTEM_SERVICE_EXCEPTION (3b)
An exception happened while executing a system service routine.
Arguments:
Arg1: 00000000c0000005, Exception code that caused the bugcheck
Arg2: ffffb1cc4763d81f, Address of the instruction which caused the bugcheck
Arg3: ffff9889380b1970, Address of the context record for the exception that caused the bugcheck
Arg4: 0000000000000000, zero.

Stack at crash:

nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x952
nt!KeBugCheckEx+0x107
nt!KiBugCheckDispatch+0x69
nt!KiSystemServiceHandler+0x7c
nt!RtlpExecuteHandlerForException+0xf
nt!RtlDispatchException+0x4a5
nt!KiDispatchException+0x16e
nt!KiExceptionDispatch+0x11d
nt!KiPageFault+0x43f
win32kbase!ulGetNearestIndexFromColorref+0x6f
win32kfull!CreateXlateObject+0x1f0
win32kfull!EXLATEOBJ::bInitXlateObj+0x1b1
win32kfull!NtGdiAlphaBlend+0x11ea03
nt!KiSystemServiceCopyEnd+0x25
win32u!NtGdiAlphaBlend+0x14
gdi32full!GdiAlphaBlend+0xd0
poc!main+0xd3 [r:\\poc\poc\poc.c @ 18]

Registers:

rax=0000000000000000 rbx=0000000000000001 rcx=000000000000ffff
rdx=0000000000000000 rsi=ffffb4846f7b4da0 rdi=00000000ffffffff
rip=ffffb1cc4763d81f rsp=ffff9889380b2360 rbp=ffff9889380b2390
 r8=00000000ffffffff  r9=0000000000000001 r10=0000000000000001
r11=0000000000000000 r12=0000000000000000 r13=0000000000000208
r14=ffffb18182d72cc4 r15=ffffb18182d72c70
iopl=0         nv up ei pl zr na po cy
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050247
win32kbase!ulGetNearestIndexFromColorref+0x6f:
ffffb1cc`4763d81f 3b4a1c          cmp     ecx,dword ptr [rdx+1Ch] ds:002b:00000000`0000001c=????????
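
To make the null-pointer claim in the Information section checkable from the dump text alone, here is an added triage script (not part of the original report or its attached PoC) that parses the register dump, the faulting instruction line and the stack above, recomputes the effective address of the memory operand from the base register and displacement, and cross-checks it against the address the debugger reported. The dump text embedded in the script is copied from this report; the parsing rules (the `r`/`k` output layout, the 64 KiB null-page threshold and the read/write heuristic) are the example's own assumptions, not a WinDbg API.

```python
"""Triage helper: parse a WinDbg-style crash dump excerpt and confirm that
the faulting instruction dereferences a near-null pointer.

Added example, not part of the original report. The dump text below is
copied from the report; the parsing rules are assumptions about the usual
`r` / `k` output layout, not a WinDbg API."""
import re

# Excerpt copied from the report: register dump plus faulting instruction.
DUMP = """\
rax=0000000000000000 rbx=0000000000000001 rcx=000000000000ffff
rdx=0000000000000000 rsi=ffffb4846f7b4da0 rdi=00000000ffffffff
rip=ffffb1cc4763d81f rsp=ffff9889380b2360 rbp=ffff9889380b2390
 r8=00000000ffffffff  r9=0000000000000001 r10=0000000000000001
r11=0000000000000000 r12=0000000000000000 r13=0000000000000208
r14=ffffb18182d72cc4 r15=ffffb18182d72c70
win32kbase!ulGetNearestIndexFromColorref+0x6f:
ffffb1cc`4763d81f 3b4a1c          cmp     ecx,dword ptr [rdx+1Ch] ds:002b:00000000`0000001c=????????
"""

# Excerpt copied from the report: the frames around the page fault.
STACK = """\
nt!KiPageFault+0x43f
win32kbase!ulGetNearestIndexFromColorref+0x6f
win32kfull!CreateXlateObject+0x1f0
win32kfull!EXLATEOBJ::bInitXlateObj+0x1b1
win32kfull!NtGdiAlphaBlend+0x11ea03
"""

# Assumption: accesses below the lowest 64 KiB are classified as null-pointer
# dereferences (a zero base register plus a small structure offset lands here).
NULL_PAGE_LIMIT = 0x10000

REG_RE = re.compile(r"\b(r[a-z0-9]{1,2})=([0-9a-fA-F]{16})")
INSN_RE = re.compile(
    r"^([0-9a-f`]{17})\s+[0-9a-f]+\s+(\w+)\s+(.*?)\s+ds:[0-9a-f]{4}:([0-9a-f`]+)=",
    re.M)
MEM_RE = re.compile(r"\[(\w+)(?:([+-])([0-9a-fA-F]+)h?)?\]")


def parse_registers(dump):
    """Map register name -> integer value from the `r` output lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(dump)}


def parse_fault(dump):
    """Return (rip, mnemonic, operands, effective address the debugger reported)."""
    m = INSN_RE.search(dump)
    if not m:
        raise ValueError("no faulting instruction line found")
    rip = int(m.group(1).replace("`", ""), 16)
    reported_ea = int(m.group(4).replace("`", ""), 16)
    return rip, m.group(2), m.group(3), reported_ea


def effective_address(operands, regs):
    """Recompute [base+disp] from the register dump (base register plus
    immediate displacement only; scaled-index forms are not handled)."""
    m = MEM_RE.search(operands)
    if not m:
        return None
    base, sign, disp = m.group(1), m.group(2), m.group(3)
    if base not in regs:
        raise ValueError(f"unsupported base register {base}")
    ea = regs[base]
    if disp:
        ea += int(disp, 16) * (-1 if sign == "-" else 1)
    return ea & 0xFFFFFFFFFFFFFFFF


def access_kind(mnemonic, operands):
    """'write' when memory is the destination operand, else 'read'.
    cmp/test only read; other mnemonics use a simple first-operand heuristic."""
    if mnemonic in ("cmp", "test"):
        return "read"
    return "write" if "[" in operands.split(",")[0] else "read"


def faulting_frame(stack):
    """First frame below the page-fault handler: where the bad access happened."""
    frames = [f.strip() for f in stack.splitlines() if f.strip()]
    for i, f in enumerate(frames):
        if "KiPageFault" in f and i + 1 < len(frames):
            return frames[i + 1]
    return frames[0] if frames else None


def triage(dump=DUMP, stack=STACK):
    """Cross-check the computed and reported fault address, then classify."""
    regs = parse_registers(dump)
    rip, mnem, ops, reported_ea = parse_fault(dump)
    ea = effective_address(ops, regs)
    if ea != reported_ea:
        raise ValueError(f"EA mismatch: computed {ea}, debugger reported {reported_ea:#x}")
    kind = access_kind(mnem, ops)
    verdict = (f"null-pointer dereference ({kind} at offset {ea:#x})"
               if ea < NULL_PAGE_LIMIT else f"invalid {kind} at {ea:#x}")
    return {"rip": rip, "frame": faulting_frame(stack), "instruction": f"{mnem} {ops}",
            "effective_address": ea, "access": kind, "verdict": verdict}


if __name__ == "__main__":
    for k, v in triage().items():
        print(f"{k:18}: {v:#x}" if isinstance(v, int) else f"{k:18}: {v}")
```

Running the script on the report's own dump yields `rdx = 0`, an effective address of `0x1c` that agrees with the `ds:002b:00000000`0000001c` the debugger printed, and a verdict of a null-pointer read at offset 0x1c from the frame win32kbase!ulGetNearestIndexFromColorref+0x6f; a mismatch between the recomputed and reported address would indicate a corrupted register dump or an unsupported addressing form rather than a clean null dereference.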

Reproduce:

  1. Compile the attached PoC and copy it to the target machine
  2. Run the compiled PoC; the machine will crash with a BSOD

PoC:
attached
Attachments:
poc.c

References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1286