PDF《请谨慎编码,哪怕它只是一句错误处理》

请谨慎编码,哪怕它只是一句错误处理 wang yu Hacks in Taiwan,

2013 ― 来自 win32k ! EPATHOBJ::pprFlattenRec 漏洞的启示 议题简介 第一部分 议题简介 ・关于作者 ( wangyu@360.

cn ) ・议题背景

2013 年3月Tavis Ormandy 前辈披露了一个微 软win32k 模块的问题 ―― 在内存压力测试的情况 下,例程 win32k!EPATHOBJ::bFlatten 发生了蓝屏. 接下来,关于该蓝屏的利用可谓是一波三折.5 月,随着对链表关系的深度分析,蓝屏问题终于上升 为本地提权问题,exploit-db 对此问题的关注度激 增. 本议题将聚焦于 win32k!EPATHOBJ 子系统数据 结构的设计与实现,以白盒的视角审视上述提权漏洞 的原理及利用细节. 议题简介 ・议题涵盖 - win32k!EPATHOBJ 子系统相关数据结构的背景、设计 与实现 - win32k!EPATHOBJ::pprFlattenRec 漏洞 ( CVE-2013-

3660 ) 的产生原因及几种可行的修复方案 - CVE-2013-3660 任意地址写入漏洞的利用思路及演进 过程 - 漏洞给我们带来的思考与启示 - 更多测试与审计 ・责任声明 PATH 子系统设计背景与数据结构 第二部分 让我们从这里开始 ...... EPATHOBJ::pprFlattenRec() is an internal routine for applying this process to a linked list of PATHRECORD objects. If you follow the logic, you can see that the PATHRECORD object retrieved from newpathrec() is mostly initialized, but with one obvious error: EPATHOBJ::pprFlattenRec(_PATHRECORD *)+33: .text:BFA122CD mov eax, [esi+PATHRECORD.prev] ;

load old prev .text:BFA122D0 push edi .text:BFA122D1 mov edi, [ebp+new] ;

get the new PATHRECORD .text:BFA122D4 mov [edi+PATHRECORD.prev], eax (1) ;

copy prev pointer over .text:BFA122D7 lea eax, [edi+PATHRECORD.count] ;

save address of count member .text:BFA122DA xor edx, edx ;

set count to zero .text:BFA122DC mov [eax], edx (2) .text:BFA122DE mov ecx, [esi+PATHRECORD.flags] ;

load flags .text:BFA122E1 and ecx, 0FFFFFFEFh ;

clear bezier flag .text:BFA122E4 mov [edi+PATHRECORD.flags], ecx (3) ;

copy old flags over The next pointer is never initialized!Tavis Ormandy 上下文中 next 指针是什么?未初始化意味着什么? (4) 吾将上下而求索 ― PATH 子系统 Windows 图形子系统绘制直线或曲线至少需要哪些要素?让 我们从面向对象的角度想想: 颜色?宽度?样式?(像素)点的坐标?点的类型? ...... Windows 图形子系统是怎么做的: ・The GDI pen objects manage pens. ・The device context objects manage other line and curve drawing attributes. ・Now we need something to manage geometric shapes. This brings us to the GDI path objects. ―― Feng Yuan GDI path objects ―― 坐标点与属性集合的管理者 吾将上下而求索 ― PATH 子系统 The Win32 API does not provide any functions to create PATH_TYPE objects directly, although you may have always suspected that some object must be created. GDI objects need to be selected into a Device Context to be used in GDI drawing calls. A path, unlike other GDI objects, does not have an explicit selection function. It'

s selected implicitly when it'

s created. ――《Windows Graphics Programming Win32 GDI and DirectDraw》 这一切让我充满好奇 ・静态逆向 ・动态跟踪 ・GDI Debugger Extension ・当然,理论上我还可以... 白盒分析 吾将上下而求索 ― GDI Debugger Extension 吾将上下而求索 ― PATH 数据结构 Ring-3 Ring-0 NtGdiBeginPath() BeginPath() DCOBJ::DCOBJ DHPDEV PDEV …….. …….. DCLEVEL …….. …….. hpath flPath win32k!PATH …….. …….. …….. DC object gcMaxHmgr PATH object XEPATHOBJ::XEPATHOBJ gpentHmgr +00 +10 +04 +08 +0C hHmgr Tid ExclusiveLock / Flag ShareCount object header WangYu, All Rights Reserved. +14 +18 ppachain pprfirst pprlast rcfxBoundBox +1C …….. PATHALLOC struct