For the past few months, Google has been making a habit of publicly revealing flaws in other companies’ software, especially Microsoft’s. Last month, it discovered a “crazy bad” vulnerability in Windows, and in November 2016 it disclosed a potential exploit in the operating system just 10 days after telling Microsoft, for which it received a lot of backlash. There have been numerous similar incidents.
Now, the company has disclosed yet another security flaw in Windows, one which allows user-mode code to read kernel memory.
The bug was reported back in March 2017 as part of Google’s Project Zero program – which discloses bugs not only in other companies’ software but in Google’s own as well – and, according to Microsoft, was fixed in June’s Patch Tuesday. That fix was delivered after Microsoft requested an extension past Google’s standard 90-day disclosure deadline. However, Google now states that the issue wasn’t fixed correctly, and as such the bug has been made public again. According to the company, Microsoft has confirmed this as well.
The vulnerability lets a local user-mode program read kernel memory. The nt!NtNotifyChangeDirectoryFile system call reportedly copies uninitialized pool memory back to user mode because of alignment holes in its output structures. Google’s report demonstrates this with the following shadow-byte map:
--- cut ---
00000000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff ................
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ?? ?? ................
--- cut ---
Where 00 denote bytes which are properly initialized, while ff indicate uninitialized values copied back to user-mode. The output data is returned in a list of FILE_NOTIFY_INFORMATION structures. If we map the above shadow bytes to the structure definition, it turns out that the uninitialized bytes correspond to the alignment hole between the end of the FileName string and the beginning of the adjacent FILE_NOTIFY_INFORMATION structure, if that string is of an odd length (and therefore not 4-byte aligned).
The issue can be reproduced by running the attached proof-of-concept program on a system with the Special Pools mechanism enabled for ntoskrnl.exe. Then, it is clearly visible that bytes at the aforementioned offsets are equal to the markers inserted by Special Pools, and would otherwise contain leftover data that was previously stored in that memory region […]
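To make the layout described above concrete, here is an added C example (not code from Google’s report or from Windows) that serializes FILE_NOTIFY_INFORMATION entries into a buffer pre-filled with a marker byte standing in for the Special Pools pattern, then counts how many marker bytes survive in the alignment holes. The structure layout is the public one; the entry names, the POISON marker and the function names are constructed for the example, and the zero_pad flag contrasts the buggy behaviour with the obvious fix of clearing the padding before it is copied to user mode.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* FILE_NOTIFY_INFORMATION: NextEntryOffset, Action, FileNameLength (32-bit each),
   then WCHAR FileName[]. Entries are DWORD-aligned, so an odd-length name leaves a
   2-byte hole between the end of FileName and the next entry. */
#define FNI_HEADER 12u
#define POISON 0xff /* constructed stand-in for the Special Pools marker byte */

/* Little-endian store, as on x86 Windows. */
static void put32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Writes n entries whose names are name_chars[i] WCHARs long into buf, which is
   first filled with POISON to mimic an uninitialised pool allocation. zero_pad == 0
   leaves the alignment hole untouched (the bug); zero_pad != 0 clears it before the
   buffer would be copied to user mode (the fix). Returns bytes produced, 0 if cap is too small. */
size_t fni_serialize(const uint16_t *name_chars, size_t n,
                     uint8_t *buf, size_t cap, int zero_pad)
{
    size_t off = 0;
    memset(buf, POISON, cap);
    for (size_t i = 0; i < n; i++) {
        uint32_t name_len = (uint32_t)name_chars[i] * 2u;          /* in bytes */
        size_t rec = FNI_HEADER + name_len;
        int has_next = (i + 1 < n);
        size_t padded = has_next ? ((rec + 3) & ~(size_t)3) : rec; /* last entry: no pad */
        if (off + padded > cap) return 0;
        put32(buf + off, has_next ? (uint32_t)padded : 0);        /* NextEntryOffset */
        put32(buf + off + 4, 1);                                   /* FILE_ACTION_ADDED */
        put32(buf + off + 8, name_len);                            /* FileNameLength */
        for (uint32_t c = 0; c < name_chars[i]; c++) {             /* FileName = L"AA..." */
            buf[off + FNI_HEADER + 2 * c] = 'A';
            buf[off + FNI_HEADER + 2 * c + 1] = 0;
        }
        if (zero_pad) memset(buf + off + rec, 0, padded - rec);   /* clear the hole */
        off += padded;
    }
    return off;
}

/* Counts bytes in [0, len) still carrying POISON: uninitialised data that would
   be returned to user mode. */
size_t fni_count_leaked(const uint8_t *buf, size_t len)
{
    size_t leaked = 0;
    for (size_t i = 0; i < len; i++) leaked += (buf[i] == POISON);
    return leaked;
}
```

With two one-character names, as in the dump above, the only surviving marker bytes are at offsets 14 and 15, exactly the ff ff pair in the first row; an even-length name or the final entry produces no hole at all.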
Google claims that repeatedly triggering the vulnerability allows locally authenticated attackers to “defeat certain exploit mitigations (kernel ASLR)” and to read other portions of the kernel address space.
Google says that Microsoft has informed it that the vulnerability can be reproduced on machines running Windows 7 through Windows 10. A fix is expected in next month’s Patch Tuesday or in August. Until then, the severity of the issue has been marked as “Medium”.