微软Windows FastFAT.sys FAT分区拒绝服务漏洞重现
还记得去年的MS14-063 FAT32驱动内核溢出漏洞么?今天出续集了,但是这一次是在FAT12分区。
演示视频
分析
- 受影响系统
从Windows NT到Windows 7 SP1
- 我测试的机型
* Windows XP SP3 x86 * Windows 7 SP1 x86/x64
BUG重现:创建FAT12分区并在0×16(Sectors per FAT)设置一个WORD,例如0×3000
注意:值不要超过0x3FFF
查阅Loopback Device资料建议,并且建议设置参数bs=512 count=32067
镜像可为空
细节:在FAT12引导扇区中“Sectors per FAT”字段中的值发生错误,导致在FAT1分区映射到缓存期间尝试读取未分配的内存区域。
错误的分区显示如下:
崩溃
Windows 7 SP1 x86
kd> !analyze -v ******************************************************************************* * * * Bugcheck Analysis * * * ******************************************************************************* PAGE_FAULT_IN_NONPAGED_AREA (50) Invalid system memory was referenced. This cannot be protected by try-except, it must be protected by a Probe. Typically the address is just plain bad or it is pointing at freed memory. Arguments: Arg1: a3f00000, memory referenced. Arg2: 00000000, value 0 = read operation, 1 = write operation. Arg3: 82a6a05e, If non-zero, the instruction address which referenced the bad memory address. Arg4: 00000000, (reserved) Debugging Details: ------------------ READ_ADDRESS: a3f00000 FAULTING_IP: nt!CcMapData+ae 82a6a05e 8a0e mov cl,byte ptr [esi] MM_INTERNAL_CODE: 0 DEFAULT_BUCKET_ID: WIN7_DRIVER_FAULT BUGCHECK_STR: 0x50 PROCESS_NAME: explorer.exe CURRENT_IRQL: 2 TRAP_FRAME: a2447414 -- (.trap 0xffffffffa2447414) ErrCode = 00000000 eax=000006e2 ebx=86eb8b98 ecx=a2447400 edx=00000011 esi=a3f00000 edi=0000000f eip=82a6a05e esp=a2447488 ebp=a24474c8 iopl=0 nv up ei pl nz ac po nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010212 nt!CcMapData+0xae: 82a6a05e 8a0e mov cl,byte ptr [esi] ds:0023:a3f00000=?? Resetting default scope LAST_CONTROL_TRANSFER: from 82916d5f to 828b27b8 STACK_TEXT: a2446f64 82916d5f 00000003 6641e18b 00000065 nt!RtlpBreakWithStatusInstruction a2446fb4 8291785d 00000003 00000000 00082982 nt!KiBugCheckDebugBreak+0x1c a2447378 828c5879 00000050 a3f00000 00000000 nt!KeBugCheck2+0x68b a24473fc 82878aa8 00000000 a3f00000 00000000 nt!MmAccessFault+0x104 a24473fc 82a6a05e 00000000 a3f00000 00000000 nt!KiTrap0E+0xdc a24474c8 975dbb32 86e819c0 004474ec 00721e00 nt!CcMapData+0xae a24474f4 975d9e1d a2b52fb8 85dad920 00001000 fastfat!FatReadVolumeFile+0x3a a2447580 975da534 a2b52fb8 a2447524 00000002 fastfat!FatExamineFatEntries+0x11f a24475e8 975ecd64 a2b52fb8 85dad920 3519a638 fastfat!FatSetupAllocationSupport+0x38a a2447774 975ee3cf a2b52fb8 8a9b0da8 a3392fa8 fastfat!FatMountVolume+0x418 a2447794 975ee478 a2b52fb8 93528e90 3519a6ac fastfat!FatCommonFileSystemControl+0x3f a24477e0 82b696c3 82275620 93528e90 93528e90 fastfat!FatFsdFileSystemControl+0x82 a2447804 8286ebd5 00000001 93528ff4 82275620 nt!IovCallDriver+0x258 a2447818 85499a56 270d61d5 8229bde8 93528e90 nt!IofCallDriver+0x1b a2447878 85499c5b 8229bde8 93528e90 86f2c678 fltmgr!FltpFsControlMountVolume+0x180 a24478a8 82b696c3 8229bde8 93528e90 93528e90 fltmgr!FltpFsControl+0x5b a24478cc 8286ebd5 00000001 8296fb88 8229bde8 nt!IovCallDriver+0x258 a24478e0 829d1dd9 82804870 8a9b0da8 82804900 nt!IofCallDriver+0x1b a2447944 828df92e 8a9b0da8 85dac000 00000000 nt!IopMountVolume+0x1d8 a244797c 82a7ddfb 85dac008 a2447aa8 a2447a40 nt!IopCheckVpbMounted+0x64 a2447a60 82a5dd1e 8a9b0da8 851cfde8 85d66750 nt!IopParseDevice+0x7db a2447adc 82a6e147 00000000 a2447b30 00000040 nt!ObpLookupObjectName+0x4fa a2447b38 82a64c25 02effc44 851cfde8 828b1d01 nt!ObOpenObjectByName+0x165 a2447bb4 82a884a4 02effca0 00100081 02effc44 nt!IopCreateFile+0x673 a2447c00 828758c6 02effca0 00100081 02effc44 nt!NtCreateFile+0x34 a2447c00 776170f4 02effca0 00100081 02effc44 nt!KiSystemServicePostCall 02effc00 77615614 7573a9d9 02effca0 00100081 ntdll!KiFastSystemCallRet 02effc04 7573a9d9 02effca0 00100081 02effc44 ntdll!ZwCreateFile+0xc 02effca8 772ce99f 00004000 00100081 00000007 KERNELBASE!CreateFileW+0x35e 02effcd4 761a2fc5 03cc0038 00000001 00000007 kernel32!CreateFileWImplementation+0x69 02effd38 761a2bc9 03cc0038 00000001 00000000 SHELL32!CLocalInterruptSource::v_CreateEvent+0x41 02effd5c 761aac0f 0368f598 00000000 02effd94 SHELL32!CFSInterruptSource::GetEvent+0x7b 02effd9c 761aa92a 02effdc0 00000000 006e7a90 SHELL32!CChangeNotify::_GetInterruptEvents+0x93 02effdc8 7611561b 00000000 00000000 00000067 SHELL32!CChangeNotify::_MessagePump+0x67 02effde0 75fd43c0 006e7a90 00000000 00000000 SHELL32!CChangeNotify::s_ThreadProc+0x4f 02effe68 772cee1c 0201ed74 02effeb4 776337eb SHLWAPI!WrapperThreadProc+0x1b5 02effe74 776337eb 0201ed74 758640f9 00000000 kernel32!BaseThreadInitThunk+0xe 02effeb4 776337be 75fd42ed 0201ed74 00000000 ntdll!__RtlUserThreadStart+0x70 02effecc 00000000 75fd42ed 0201ed74 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: kb FOLLOWUP_IP: nt!CcMapData+ae 82a6a05e 8a0e mov cl,byte ptr [esi] SYMBOL_STACK_INDEX: 5 SYMBOL_NAME: nt!CcMapData+ae FOLLOWUP_NAME: MachineOwner MODULE_NAME: nt IMAGE_NAME: ntkrpamp.exe DEBUG_FLR_IMAGE_TIMESTAMP: 521e9cb6 FAILURE_BUCKET_ID: 0x50_VRF_nt!CcMapData+ae BUCKET_ID: 0x50_VRF_nt!CcMapData+ae Followup: MachineOwner ---------
漏洞代码:
\wrk-v1.2\base\ntos\cache\pinsup.c
Line 72:
BOOLEAN
CcMapData (
__in PFILE_OBJECT FileObject,
__in PLARGE_INTEGER FileOffset,
__in ULONG Length,
__in ULONG Flags,
__out PVOID *Bcb,
__deref_out_bcount(Length) PVOID *Buffer
)
...
Line 155:
ULONG PageCount = ADDRESS_AND_SIZE_TO_SPAN_PAGES((ULongToPtr(FileOffset->LowPart)), Length);
PETHREAD Thread = PsGetCurrentThread();
BOOLEAN ReturnStatus;
DebugTrace(+1, me, "CcMapData\n", 0 );
MmSavePageFaultReadAhead( Thread, &SavedState );
ReturnStatus = CcMapDataCommon( FileObject,
FileOffset,
Length,
Flags,
&TempBcb,
Buffer );
...
Line 193
//
// Loop to touch each page
//
BaseAddress = *Buffer;
while (PageCount != 0) {
MmSetPageFaultReadAhead( Thread, PageCount - 1 );
ch = *((volatile UCHAR *)(BaseAddress)); // <---------- CRASH!!!!
BaseAddress = (PCHAR) BaseAddress + PAGE_SIZE;
PageCount -= 1;
}
PageCount基于控制长度值进行计算,在这种情况下(读取FATx)包括:
Sectors per FAT * Bytes per sector
kd> . frame /c 5 kd> dd ebp+10 L1 //get Length value f53e1510 00721e00 kd> ?00721e00 / 0x200(= Bytes per sector) Evaluate expression: 14607 = 0000390f (= Sectors per FAT)
FileOffset也就等于:
kd> dt _LARGE_INTEGER poi(ebp+c) nt!_LARGE_INTEGER 0x200 +0x000 LowPart : 0x200 +0x004 HighPart : 0 +0x000 u : __unnamed +0x000 QuadPart : 512
调用PageCount计算的这些值:
Evaluate expression: 1826 = 00000722
while迭代循环,通过PAGE_SIZE增加BaseAddress指针。所以在这种情况下内存区域会被“覆盖”:
kd> ?(0x722 * 0x1000) / 0x400 ------------^-----------^----------^---- PageCount PAGE_SIZE 1KB Evaluate expression: 7304 = 00001c88 kd> ?00001c88 / 0x400 Evaluate expression: 7 = 00000007 ~ 7MB
接下来检测一下我们能够缓存多少字节:
\wrk-v1.2\base\ntos\cache\pinsup.c
Line 241:
BOOLEAN
CcMapDataCommon (
IN PFILE_OBJECT FileObject,
IN PLARGE_INTEGER FileOffset,
IN ULONG Length,
IN ULONG Flags,
OUT PVOID *Bcb,
OUT PVOID *Buffer
)
...
Line 350:
//
// Get pointer to SharedCacheMap.
//
SharedCacheMap = FileObject->SectionObjectPointer->SharedCacheMap;
//
// Call local routine to Map or Access the file data. If we cannot map
// the data because of a Wait condition, return FALSE.
//
if (FlagOn(Flags, MAP_WAIT)) {
*Buffer = CcGetVirtualAddress( SharedCacheMap,
*FileOffset,
(PVACB *)&TempBcb,
&ReceivedLength );
ASSERT( ReceivedLength >= Length ); // maybe convert it to IF ?
}
在CcGetVirtualAddress中检测ReceiveLength:
\wrk-v1.2\base\ntos\cache\vacbsup.c
Line 388: ULONG VacbOffset = FileOffset.LowPart & (VACB_MAPPING_GRANULARITY - 1); ... Line 449: *ReceivedLength = VACB_MAPPING_GRANULARITY - VacbOffset;
VACB_MAPPING_GRANULARITY的值是多少?
\wrk-v1.2\base\ntos\inc\cache.h
Line 31: #define VACB_MAPPING_GRANULARITY (0x40000)
从上面的代码片段中获知ReceiveLength应该是大于等于0×40000 bytes也就是256KB.
MSDN CcMapData
微软官方CcMapData文档[点我]
在缓存管理器中CcMapData无法通过视图边界映射数据,系统缓存管理器中的文件标准大小为256 KB(缓存管理器的视图的大小是通过系统定义常数VACB_MAPPING_GRANULARITY指定的,其大小在ntifs.h中设置为256 KB),映射区域不能超越256 KB。因此最大映射区域为256 KB,从文件中的偏移量从256 KB开始。
代码和文档都清晰的指出映射文件数据不能超过256 KB,在我们这个例子中内核大于有7M可用空间,迭代这个超过256 KB
会导致崩溃。
为何存在这个BUG
长度值缺少验证,会导致这个迭代无限循环
\wrk-v1.2\base\ntos\cache\pinsup.c
Line 198
while (PageCount != 0) {
MmSetPageFaultReadAhead( Thread, PageCount - 1 );
ch = *((volatile UCHAR *)(BaseAddress)); // <---------- CRASH!!!!
BaseAddress = (PCHAR) BaseAddress + PAGE_SIZE;
PageCount -= 1;
}
超过可用映射/分配区域
并非每次都触发
在实验中我发现不是每一个Sectors per FAT的值都会超过0×0200从而导致崩溃,例如Sectors per FAT设置为0×4000就是一个例外!FatCommonRead:
堆栈跟踪:Sectors per FAT == 40 00
Windows XP SP3 ChildEBP RetAddr Args to Child bad46fc0 b7e0d505 86a69e50 bad46fec 804e24f1 Fastfat!FatExceptionFilter+0x5 bad46fcc 804e24f1 bad46ff4 00000000 bad46ff4 Fastfat!FatFsdRead+0x12b bad46ff4 804db49a bad470d8 bad47518 bad47128 nt!_except_handler3+0x61 bad47018 804db46b bad470d8 bad47518 bad47128 nt!ExecuteHandler2+0x26 bad470c8 804dc6a1 bad470d8 bad47128 c000000d nt!ExecuteHandler+0x24 bad473fc b7e12fc4 c000000d 86a69e50 8667b888 nt!ExRaiseStatus+0xb5 bad474b8 b7e0d69a 86a69e50 8667b888 86a501e8 Fastfat!FatCommonRead+0x66b bad47528 804e37f7 8686ba98 8667b888 00000000 Fastfat!FatFsdRead+0x13d bad47538 804f95d8 00000000 86b01ad0 86b01ae0 nt!IopfCallDriver+0x31 bad4754c 804f95ff 8686ba98 86b01b08 86b01ae8 nt!IopPageReadInternal+0xf4 bad4756c 804f9264 86a501e8 86b01b08 86b01ae8 nt!IoPageRead+0x1b bad475e0 804eba6a 0dead8c0 c7fc0000 c031ff00 nt!MiDispatchFault+0x274 bad47630 804e1718 00000000 c7fc0000 00000000 nt!MmAccessFault+0x5bc bad47630 8056d716 00000000 c7fc0000 00000000 nt!KiTrap0E+0xcc bad47708 b7e15b25 86a501e8 bad47734 00001000 nt!CcMapData+0xef bad4773c b7e1e8b6 86a84e28 8698b3a8 00000000 Fastfat!FatReadDirectoryFile+0x92 bad47770 b7e137b7 86a84e28 8686bb90 bad47880 Fastfat!FatLocateVolumeLabel+0x7f bad4790c b7e10a93 86a84e28 86b6a718 86bd3af0 Fastfat!FatMountVolume+0x49b bad4792c b7e10a38 86a84e28 8690eaf0 8690ec78 Fastfat!FatCommonFileSystemControl+0x49 bad47978 804e37f7 86a2d928 8690eaf0 8690ec9c Fastfat!FatFsdFileSystemControl+0x85 EXCEPTION: Fastfat!FatExceptionFilter+0x5: b7e0d485 53 push ebx kd> .exr poi(poi(ebp+c)) ExceptionAddress: b7e12fc4 (Fastfat!FatCommonRead+0x0000066b) ExceptionCode: c000000d // STATUS_INVALID_PARAMETER ExceptionFlags: 00000001 NumberParameters: 0
我并没有深入下去,当然也就无法指出在代码中哪个地方导致的这个例外。所以我猜测可能是已经存在一个长度验证,但是精准度还不够!
* 参考来源:Icewall,编译/ 鸢尾,转载请注明来自FreeBuf黑客与极客(FreeBuf.COM)