Information

  • Shortly after the read, a write is made, which allows an out-of-bounds write and might lead to local privilege escalation.
  • This crash occurs at win32kfull!vStrWrite01+0x212 as a result of a non-paged pointer dereference.

BugCheck:

PAGE_FAULT_IN_NONPAGED_AREA (50)
Invalid system memory was referenced.  This cannot be protected by try except.
Typically the address is just plain bad or it is pointing at freed memory.
Arguments:
Arg1: fffffed68ca0d000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffffea0a686b9d2, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)

Stack at crash:

nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x952
nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x1d6966
nt!MmAccessFault+0x34f
nt!KiPageFault+0x360
win32kfull!vStrWrite01+0x212
win32kfull!EngStretchBltNew+0xc89
win32kfull!EngStretchBlt+0xd1
win32kfull!EngStretchBltROP+0x158
win32kfull!BLTRECORD::bStretch+0x37f
win32kfull!GreStretchBltInternal+0x721
win32kfull!BltIcon+0x106
win32kfull!_DrawIconEx+0x1b1
win32kfull!NtUserDrawIconEx+0xc2
nt!KiSystemServiceCopyEnd+0x25
win32u!NtUserDrawIconEx+0x14
USER32!DrawIconEx+0xbf
repro+0x1095

Registers:

Some register values may be zeroed or incorrect.
rax=0000000000000000 rbx=0000000000000000 rcx=0000000000000000
rdx=fffffed68ca0d000 rsi=0000000000000000 rdi=0000000000000000
rip=fffffea0a686b9d2 rsp=ffffa182124ee9b0 rbp=ffffa182124eea19
 r8=fffffed58a19efa0  r9=0000000000000020 r10=fffffea0a6800000
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei ng nz ac po cy
win32kfull!vStrWrite01+0x212:
fffffea0`a686b9d2 458b7500        mov     r14d,dword ptr [r13] ds:00000000`00000000=????????
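
Added example (not part of the original report or its PoC): a small triage script that cross-checks the bugcheck arguments, stack and registers shown above and derives a crash bucket. The sample text is an excerpt copied from this report; the `triage` function and the bucket string format are assumptions made for illustration.

```python
import re

# Excerpt of the debugger output in this report (values copied from the page).
REPORT = """\
PAGE_FAULT_IN_NONPAGED_AREA (50)
Arg1: fffffed68ca0d000, memory referenced.
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation.
Arg3: fffffea0a686b9d2, If non-zero, the instruction address which referenced the bad memory address.
Arg4: 0000000000000002, (reserved)
nt!MmAccessFault+0x34f
nt!KiPageFault+0x360
win32kfull!vStrWrite01+0x212
win32kfull!EngStretchBltNew+0xc89
rdx=fffffed68ca0d000 rsi=0000000000000000 rdi=0000000000000000
rip=fffffea0a686b9d2 rsp=ffffa182124ee9b0 rbp=ffffa182124eea19
fffffea0`a686b9d2 458b7500        mov     r14d,dword ptr [r13] ds:00000000`00000000=????????
"""

HEX16 = r"([0-9a-fA-F]{16})"

def triage(text):
    """Summarise a bugcheck 0x50 report into fields useful for crash bucketing."""
    name, code = re.search(r"^(\w+) \(([0-9a-fA-F]+)\)$", text, re.M).groups()
    args = [int(v, 16) for v in re.findall(r"^Arg\d: " + HEX16, text, re.M)]
    regs = {r: int(v, 16) for r, v in re.findall(r"\b(r\w{1,2})=" + HEX16, text)}
    frames = re.findall(r"^(\w+!\S+?)\+0x([0-9a-fA-F]+)$", text, re.M)
    # The faulting frame is the one interrupted by the page-fault trap handler.
    trap = [sym for sym, _ in frames].index("nt!KiPageFault")
    sym, off = frames[trap + 1]
    hi, lo = re.search(r"^([0-9a-f]{8})`([0-9a-f]{8})\s", text, re.M).groups()
    access = "write" if args[1] == 1 else "read"
    return {
        "bugcheck": name,
        "code": int(code, 16),
        "access": access,
        "address": args[0],
        # x64 kernel-half addresses start at 0xFFFF800000000000.
        "kernel_address": args[0] >= 0xFFFF800000000000,
        # Special pool (verifier flag 0x1) by default places an allocation at
        # the end of a page, so an overrun faults at the start of the next page.
        "page_boundary": args[0] & 0xFFF == 0,
        "faulting_frame": f"{sym}+0x{off}",
        "ip_matches_disasm": int(hi + lo, 16) == args[2] == regs.get("rip"),
        "regs_holding_address": sorted(r for r, v in regs.items() if v == args[0]),
        # Hypothetical bucket format for de-duplicating crashes.
        "bucket": f"0x{int(code, 16):x}_{access}_{sym}",
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(key, "=", hex(value) if key == "address" else value)
```

The page-aligned fault address held in rdx is consistent with a read running off the end of a special-pool allocation, which is why the crash depends on the verifier setting in the reproduction steps.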

Reproduce:

  1. Compile the attached PoC and copy it to the target machine.
  2. Enable verifier flag 0x1 for the win32k drivers.
  3. Run the compiled PoC; the machine will crash with a BSOD.

PoC:
attached


Attachments:
repro.c

References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1054