Information

  • This UAF depends on the ETW provider with GUID {487D6E37-1B9D-46D3-A8FD-54CE8BDF8A53} having a specific keyword value set.
  • For that provider, MatchAnyKeyword & 0x400000000000 must be set. If it is not, it can be set with the following command: Set-EtwTraceProvider -GUID "{487d6e37-1b9d-46d3-a8fd-54ce8bdf8a53}" -MatchAnyKeyword 0xC00000000000
  • The crash occurs at win32kfull!_OpenClipboard+0xd7439 while it accesses memory that has already been freed.
  • The bug is caused by a race condition that involves process termination.

BugCheck:

DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Memory was referenced after it was freed.
This cannot be protected by try-except.
When possible, the guilty driver's name (Unicode string) is printed on
the bugcheck screen and saved in KiBugCheckDriver.
Arguments:
Arg1: fffffb934bed4bd0, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffffbc948f89a09, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)

Stack at crash:

nt!DbgBreakPointWithStatus
nt!KiBugCheckDebugBreak+0x12
nt!KeBugCheck2+0x957
nt!KeBugCheckEx+0x107
nt!MiSystemFault+0x1ac22a
nt!MmAccessFault+0x327
nt!KiPageFault+0x343
win32kfull!_OpenClipboard+0xd7439
win32kfull!NtUserOpenClipboard+0x14a
nt!KiSystemServiceCopyEnd+0x25
win32u!NtUserOpenClipboard+0x14
USER32!OpenClipboard+0x11
test!main+0xa1 [r:\test\test\main.cpp @ 20]

Registers:

Some register values may be zeroed or incorrect.
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000000
rdx=fffffb934bed4a30 rsi=0000000000000000 rdi=0000000000000000
rip=fffffbc948f89a09 rsp=ffff9d0bb7632520 rbp=ffff9d0bb7632579
r8=0000000000000001  r9=ffff9d0bb7632520 r10=0000000000000004
r11=ffff9d0bb76325c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
iopl=0         nv up ei pl nz na pe nc
win32kfull!_OpenClipboard+0xd7439:
fffffbc9`48f89a09 488b82a0010000  mov     rax,qword ptr [rdx+1A0h] ds:fffffb93`4bed4bd0=????????????????
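
As an added triage example (not part of the original report or its attached PoC), the following Python cross-checks the bugcheck arguments above against the register dump and the faulting instruction: it confirms that Arg3 equals rip, that the operand [rdx+1A0h] evaluates to the address in Arg1, that Arg2 marks a read, and that both addresses lie in kernel space. The bugcheck header, register dump and instruction line are embedded as constructed copies of what the report shows; the function names are this example's own.

```python
import json
import re

# Constructed copies of the bugcheck header, register dump and faulting
# instruction exactly as they appear in this report (bugcheck 0xD5).
BUGCHECK_TEXT = """\
DRIVER_PAGE_FAULT_IN_FREED_SPECIAL_POOL (d5)
Arguments:
Arg1: fffffb934bed4bd0, memory referenced
Arg2: 0000000000000000, value 0 = read operation, 1 = write operation
Arg3: fffffbc948f89a09, if non-zero, the address which referenced memory.
Arg4: 0000000000000000, (reserved)
"""

REGISTER_TEXT = """\
rax=0000000000000001 rbx=0000000000000000 rcx=0000000000000000
rdx=fffffb934bed4a30 rsi=0000000000000000 rdi=0000000000000000
rip=fffffbc948f89a09 rsp=ffff9d0bb7632520 rbp=ffff9d0bb7632579
r8=0000000000000001  r9=ffff9d0bb7632520 r10=0000000000000004
r11=ffff9d0bb76325c0 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=0000000000000000
"""

FAULT_INSN = ("fffffbc9`48f89a09 488b82a0010000  mov     rax,qword ptr [rdx+1A0h] "
              "ds:fffffb93`4bed4bd0=????????????????")

# On x64 Windows, canonical kernel-mode addresses have the top bits set.
KERNEL_SPACE_START = 0xFFFF800000000000
MASK64 = 0xFFFFFFFFFFFFFFFF


def parse_bugcheck(text):
    """Return (name, code, {arg_number: value}) from a WinDbg bugcheck header."""
    header = re.search(r"^([A-Z_]+) \(([0-9a-fA-F]+)\)", text, re.M)
    args = {int(n): int(v, 16)
            for n, v in re.findall(r"^Arg(\d): ([0-9a-fA-F]{16})", text, re.M)}
    return header.group(1), int(header.group(2), 16), args


def parse_registers(text):
    """Return {register_name: value} from a WinDbg 'r' style dump."""
    return {name: int(val, 16)
            for name, val in re.findall(r"\b(r[a-z0-9]+)=([0-9a-fA-F]{16})", text)}


def parse_memory_operand(insn):
    """Return (base register, displacement, address WinDbg resolved) for a
    '[reg+disp]' operand such as 'qword ptr [rdx+1A0h] ds:fffffb93`4bed4bd0'."""
    operand = re.search(r"\[(r[a-z0-9]+)\+([0-9A-Fa-f]+)h?\]", insn)
    resolved = re.search(r"ds:([0-9a-fA-F]{8})`([0-9a-fA-F]{8})", insn)
    return (operand.group(1),
            int(operand.group(2), 16),
            int(resolved.group(1) + resolved.group(2), 16))


def triage(bugcheck_text, register_text, insn):
    """Cross-check the bugcheck arguments against registers and instruction."""
    name, code, args = parse_bugcheck(bugcheck_text)
    regs = parse_registers(register_text)
    base, disp, resolved_ea = parse_memory_operand(insn)
    computed_ea = (regs[base] + disp) & MASK64
    return {
        "bugcheck": name,
        "code": code,
        # 0xD5 means a driver touched special-pool memory after it was freed.
        "is_freed_special_pool_fault": code == 0xD5,
        "access": "read" if args[2] == 0 else "write",
        "operand": f"[{base}+{disp:#x}]",
        # The faulting instruction's effective address should be Arg1.
        "effective_address_matches_arg1": computed_ea == args[1] == resolved_ea,
        # Arg3 is the faulting instruction address; it should equal rip.
        "fault_ip_matches_rip": args[3] == regs["rip"],
        # Both a kernel-mode instruction and a kernel-mode target: a driver
        # (here win32kfull) dereferencing freed kernel pool.
        "fault_ip_in_kernel_space": args[3] >= KERNEL_SPACE_START,
        "target_in_kernel_space": args[1] >= KERNEL_SPACE_START,
    }


if __name__ == "__main__":
    print(json.dumps(triage(BUGCHECK_TEXT, REGISTER_TEXT, FAULT_INSN), indent=2))
```

The useful property is the consistency check: if rdx+0x1A0 did not equal Arg1, the register dump would not belong to the faulting instruction (WinDbg warns that values may be zeroed or incorrect), and the crash site should be re-read from the raw context record before drawing conclusions about which freed object was touched.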

Reproduce:

  1. Make sure that MatchAnyKeyword & 0x400000000000 is set for the provider with GUID {487D6E37-1B9D-46D3-A8FD-54CE8BDF8A53}
  2. Make sure Special Pool is enabled on win32kfull.sys using Driver Verifier
  3. Compile the attached PoC and copy it to the target machine
  4. Run the compiled PoC; the machine will crash with a BSOD

PoC:

attached


Attachments:
main.c

References:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2019-1014
https://research.checkpoint.com/2020/bugs-on-the-windshield-fuzzing-the-windows-kernel/