Alerts
Zero-Day Tracker
Common Name:
Windows GDI Local Privilege Escalation
Date Disclosed:
11/06/2006
Date Patched:
4/3/2007
Vendor:
Microsoft
Application:
Windows 2000
Windows XP
Description:
A privileged handle leak vulnerability exists in WIN32K.SYS on Windows XP and earlier that allows an unprivileged user to execute code with kernel access. Whenever a new process is created, WIN32K.SYS!GdiProcessCallout creates a handle to gpHmgrSharedHandleSection in the new process with SECTION_ALL_ACCESS permissions via ObOpenObjectByPointer. This handle is used to map a read-only view of the shared section into the process's memory, but it is never closed, so the application can abuse the handle to re-map the section as a writable view and then tamper with data that WIN32K.SYS uses without proper validation.
gpHmgrSharedHandleSection is a table of 10h-byte GDI object handle entries, which have the following format:
+00h  PTR   GDI object data (kernel data) pointer
+04h  WORD  Process ID
+06h  WORD  some flags
+08h  WORD  high word of GDI handle
+0Ah  BYTE  type:
            01h = DC
            02h = Surface?
            03h = 3D Surface?
            04h = Region
            05h = Bitmap
            06h = Client Object?
            07h = Path
            08h = Palette
            09h = Color Space
            0Ah = Font
            0Ch = Font Chunk?
            0Eh = Color Transform Object
            10h = Brush
            15h = Metafile?
            16h = EnumFontStyle?
            1Ch = Driver Object
            1Eh = Spool Object
+0Bh  BYTE  more flags
+0Ch  PTR   user data pointer
A malicious user can create a GDI object, modify the kernel data pointer associated with its handle (the low word of the handle is the index into the handle table), then attempt to use the object so that WIN32K.SYS acts upon attacker-controlled data. For instance, by creating a new region, modifying its handle table entry, then adding the region to a display context, the user can cause WIN32K.SYS to copy arbitrary data to a location in kernel memory, such as the LDT.
Starting with Windows 2003, WIN32K.SYS is not vulnerable because GdiProcessCallout specifies OBJ_KERNEL_HANDLE in the 'HandleAttributes' argument to ObOpenObjectByPointer.
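To make the entry layout and the handle-to-index relationship concrete, the following decoder is an added example written for this page; it is not code from eEye, Microsoft or WIN32K.SYS. It reads a raw byte copy of the handle table using the field offsets given above, resolves a 32-bit GDI handle (low word = table index, high word = the entry's stored high word), and applies a plausibility check of the kind the advisory says the kernel lacked. The check itself is an assumption for illustration only: it treats a kernel data pointer below 0x80000000 (the user half of a 32-bit address space under the default 2 GB split) or an entry owned by a different process as tampered. The sample table, its pointer values and the process ID 0ABCh are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of one gpHmgrSharedHandleSection entry (10h bytes), per the advisory. */
#define GDI_ENTRY_SIZE 0x10u

/* Decoded view of one handle table entry; fields follow the advisory's layout. */
typedef struct {
    uint32_t kernel_data;  /* +00h PTR  GDI object data (kernel data) pointer */
    uint16_t process_id;   /* +04h WORD owning process ID */
    uint16_t flags;        /* +06h WORD some flags */
    uint16_t handle_high;  /* +08h WORD high word of the GDI handle */
    uint8_t  type;         /* +0Ah BYTE object type */
    uint8_t  more_flags;   /* +0Bh BYTE more flags */
    uint32_t user_data;    /* +0Ch PTR  user data pointer */
} gdi_entry_t;

/* Type codes as listed in the advisory ('?' keeps the advisory's own uncertain names). */
const char *gdi_type_name(uint8_t type) {
    switch (type) {
    case 0x01: return "DC";             case 0x0A: return "Font";
    case 0x02: return "Surface?";       case 0x0C: return "Font Chunk?";
    case 0x03: return "3D Surface?";    case 0x0E: return "Color Transform Object";
    case 0x04: return "Region";         case 0x10: return "Brush";
    case 0x05: return "Bitmap";         case 0x15: return "Metafile?";
    case 0x06: return "Client Object?"; case 0x16: return "EnumFontStyle?";
    case 0x07: return "Path";           case 0x1C: return "Driver Object";
    case 0x08: return "Palette";        case 0x1E: return "Spool Object";
    case 0x09: return "Color Space";
    default:   return "unknown";
    }
}

/* Little-endian field readers (the table is x86 data). */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Resolve a GDI handle against a raw copy of the table. Returns 0 on success,
   -1 if the index runs past the buffer, -2 if the handle's high word does not
   match the entry (a stale or forged handle). */
int gdi_lookup(const uint8_t *table, size_t table_len, uint32_t handle, gdi_entry_t *out) {
    size_t index = handle & 0xFFFFu;              /* low word: index into the table */
    uint16_t high = (uint16_t)(handle >> 16);     /* high word: must match entry +08h */
    if ((index + 1) * GDI_ENTRY_SIZE > table_len) return -1;
    const uint8_t *p = table + index * GDI_ENTRY_SIZE;
    out->kernel_data = rd32(p + 0x00);
    out->process_id  = rd16(p + 0x04);
    out->flags       = rd16(p + 0x06);
    out->handle_high = rd16(p + 0x08);
    out->type        = p[0x0A];
    out->more_flags  = p[0x0B];
    out->user_data   = rd32(p + 0x0C);
    return (out->handle_high == high) ? 0 : -2;
}

/* Illustrative validation (an assumption, not WIN32K.SYS's real logic): the kernel
   data pointer must lie in the kernel half of a 32-bit address space (default 2 GB
   split) and the entry must be owned by the calling process. Returns 1 if plausible. */
int gdi_entry_plausible(const gdi_entry_t *e, uint16_t caller_pid) {
    if (e->kernel_data < 0x80000000u) return 0;   /* redirected into user memory */
    if (e->process_id != caller_pid) return 0;    /* cross-process tampering */
    return 1;
}

/* Constructed sample table with three entries; values are made up for the demo. */
static uint8_t sample_table[3 * GDI_ENTRY_SIZE];

static void put_entry(uint8_t *p, uint32_t kdata, uint16_t pid, uint16_t high, uint8_t type) {
    memset(p, 0, GDI_ENTRY_SIZE);
    p[0x00] = (uint8_t)kdata;        p[0x01] = (uint8_t)(kdata >> 8);
    p[0x02] = (uint8_t)(kdata >> 16); p[0x03] = (uint8_t)(kdata >> 24);
    p[0x04] = (uint8_t)pid;          p[0x05] = (uint8_t)(pid >> 8);
    p[0x08] = (uint8_t)high;         p[0x09] = (uint8_t)(high >> 8);
    p[0x0A] = type;
}

const uint8_t *gdi_sample_table(size_t *len) {
    put_entry(sample_table + 0x00, 0xE1000000u, 0x0ABC, 0x0001, 0x01); /* healthy DC     */
    put_entry(sample_table + 0x10, 0xE1A0B000u, 0x0ABC, 0x0102, 0x04); /* healthy Region */
    put_entry(sample_table + 0x20, 0x00400000u, 0x0ABC, 0x0203, 0x04); /* Region whose kernel pointer was redirected into user space */
    *len = sizeof sample_table;
    return sample_table;
}

int main(void) {
    size_t len;
    const uint8_t *t = gdi_sample_table(&len);
    uint32_t handles[] = { 0x00010000u, 0x01020001u, 0x02030002u, 0x02030005u };
    for (size_t i = 0; i < sizeof handles / sizeof handles[0]; i++) {
        gdi_entry_t e;
        int rc = gdi_lookup(t, len, handles[i], &e);
        if (rc != 0) { printf("%08X: lookup failed (%d)\n", (unsigned)handles[i], rc); continue; }
        printf("%08X: %-7s owner=%04X kdata=%08X plausible=%d\n", (unsigned)handles[i],
               gdi_type_name(e.type), e.process_id, (unsigned)e.kernel_data,
               gdi_entry_plausible(&e, 0x0ABC));
    }
    return 0;
}
```

The third entry models the attack pattern described above: the handle still resolves, its type is still "Region", but the kernel data pointer now points into user memory, which is exactly the condition the OBJ_KERNEL_HANDLE fix in Windows 2003 prevents an unprivileged process from creating in the first place.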
Severity:
Medium
Code Execution:
Yes (Local Privilege Escalation)
Impact:
Arbitrary kernel code execution
Although this vulnerability requires an attacker to already be logged in or executing other code on a host, it allows the attacker to gain kernel privileges and therefore completely compromise the system, regardless of the credentials used to launch the attack.
Mitigation:
Currently there is no mitigation available.
Protection:
- eEye's Retina® Network Security Scanner scans devices to detect this vulnerability.
Patch:
Microsoft Security Bulletin (925902)
Links:
CVE-2006-5758
Original Advisory
Status:
11/6/2006: Vulnerability Reported
4/3/2007: MS07-017 Patch Released
