Monday, July 11, 2016

Vulnerability Spotlight: Local Code Execution via the Intel HD Graphics Windows Kernel Driver

This vulnerability was discovered by Piotr Bania.

Talos, in coordination with Intel, is disclosing the discovery of TALOS-2016-0087, a local arbitrary code execution vulnerability within the Intel HD Graphics Windows Kernel Driver. This vulnerability exists in the communication functionality of the driver and can be exploited if a specially crafted message is sent to the driver, resulting in a denial of service or arbitrary code execution. Note that exploitation of this vulnerability is only achievable in local contexts. This vulnerability has been responsibly disclosed to Intel in accordance with our Vulnerability Reporting and Disclosure guidelines. 

Details on TALOS-2016-0087


TALOS-2016-0087 (CVE-2016-5647) is an arbitrary code execution vulnerability in the Intel HD Graphics Kernel Mode Driver for Windows. This vulnerability can be triggered by sending a specially crafted D3DKMTEscape request to the Intel HD Graphics driver, resulting in a NULL dereference. An attacker could leverage this vulnerability to achieve a denial of service attack or execute arbitrary code on an affected system. Exploitation of this flaw is limited to local contexts, such as a user executing a binary designed to exploit a system affected by TALOS-2016-0087.

The severity of this flaw varies depending on the system an adversary would be trying to exploit. On systems running Windows 7 or earlier, exploiting this vulnerability results in arbitrary code execution in the context of SYSTEM while on systems running Windows 8 or later, exploiting this vulnerability would likely just result in a system crash (denial of service).

To achieve arbitrary code execution, an adversary would need the ability to allocate or map the NULL page in Windows. When a NULL dereference occurs in kernel space, the user-mode application that caused a context switch is still mapped in lower memory. An attacker can take advantage of this and map the NULL page before triggering the vulnerability to control the contents of the dereference. In this case, the user-controlled value could be a function pointer and lead to arbitrary code execution. 

On systems running Windows 7 and earlier, it is possible to allocate or map the NULL page through the use of the NTVDM (NT Virtual DOS Machine) subsystem. However as of Windows 8 and newer, this functionality was removed as a mitigation against these very types of attacks. In addition, systems running a 32-bit version of Windows 8 or later have the NTVDM is disabled by default and must re-enabled manually in Control Panel. Systems running a 64-bit version of Windows do not have the NTVDM subsystem present in the operating system. Note that these mitigations are not foolproof. For example, another driver could possibly be manipulated into placing user controlled data at the NULL page, but this is not a generic case like the usermode mapping.

For the full technical details regarding this vulnerability, please refer to the vulnerability advisory which can be found on our website here.

Conclusion


While backwards compatibility is a huge benefit to users and organizations who can't upgrade immediately, it also poses a potential security risk. Adversaries are well aware many organizations cannot upgrade to newer operating systems due to legacy application requirements. Thus, preventing attacks that leverage legacy functionality will require other ways of mitigating attacks. Ensuring the latest security updates for your operating system and its drivers are installed and using anti-malware software is one way to help mitigate this risk. 

Talos will continue to investigate and identify zero-day vulnerabilities in third-party libraries and packages in a programmatic fashion to help secure our customers and the entire internet community.

The following Snort Rules can help detect and mitigate attempts to exploit TALOS-2016-0087:

37519-37520

1 comment:

  1. "On systems running Windows 7 and earlier, it is possible to allocate or map the NULL page through the use of the NTVDM (NT Virtual DOS Machine) subsystem."

    ...you just need to call ZwAllocateVirtualMemory with the right parameters. :)

    ReplyDelete

Post a Comment