BUGTRAQ ID: 31651, 31652, 31653
CVE(CAN) ID: CVE-2008-2250, CVE-2008-2252, CVE-2008-2251
Microsoft Windows is a very popular operating system published by Microsoft.
The Windows kernel does not properly validate the window properties passed during creation of a new window, does not properly validate certain user-mode output, or may enter a double-free state. An attacker who successfully exploits these vulnerabilities could run arbitrary kernel-mode code. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Below is the code fragment for the double-free vulnerability:
<pre>
// Attacker controls lParam
void win32k_entry_point(…) {
[…]
// lParam has already passed ProbeForRead successfully
my_struct = (PMY_STRUCT)lParam;
if (my_struct->lpData) {
    cbCapture = sizeof(MY_STRUCT) + my_struct->cbData; // [1] first fetch
    […]
    // my_struct->lpData has already passed ProbeForRead successfully
    […]
    if ((my_allocation = UserAllocPoolWithQuota(cbCapture, TAG_SMS_CAPTURE)) != NULL) {
        RtlCopyMemory(my_allocation, my_struct->lpData, my_struct->cbData); // [2] second fetch
    }
}
[…]
}
</pre>
In the code above, the same user-mode data is fetched twice ([1] and [2]). Because the kernel cannot guarantee that both fetches return the same value, a small allocation may be made at [1] while the kernel later copies a larger amount of data at [2], resulting in a pool overflow.
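The following user-mode C program is an added illustration of the double-fetch pattern described above and of the capture-once fix; it is not code from the advisory or from Microsoft. The MY_STRUCT layout, the MAX_CBDATA bound, the race_hook_t callback that stands in for a concurrent user-mode thread, and the use of malloc in place of UserAllocPoolWithQuota are all constructed for the demonstration. Instead of letting the second fetch actually overrun the allocation, the vulnerable routine checks the copy length against the allocation and reports a status code, so the effect of the race can be observed safely.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for MY_STRUCT: a byte count followed by a pointer
 * to user-mode data. This is not the real win32k layout. */
typedef struct {
    uint32_t cbData;
    const uint8_t *lpData;
} MY_STRUCT, *PMY_STRUCT;

/* Hypothetical upper bound on cbData; a real capture routine would use
 * whatever limit the message type allows. */
#define MAX_CBDATA 65536u

/* Hypothetical hook standing in for the race window between the two
 * fetches: a second user-mode thread could rewrite the structure here. */
typedef void (*race_hook_t)(PMY_STRUCT user_struct);

enum { COPY_OK = 0, COPY_OVERFLOW = 1, COPY_INVALID = 2 };

/* Vulnerable pattern from the advisory: cbData is read once to size the
 * allocation and again to size the copy. malloc stands in for
 * UserAllocPoolWithQuota. */
int vulnerable_copy(PMY_STRUCT user_struct, race_hook_t race)
{
    size_t cbCapture = sizeof(MY_STRUCT) + user_struct->cbData;  /* [1] first fetch */
    if (race)
        race(user_struct);                                      /* simulated race window */
    uint8_t *alloc = malloc(cbCapture);
    if (alloc == NULL)
        return COPY_INVALID;
    size_t to_copy = user_struct->cbData;                        /* [2] second fetch */
    int rc;
    /* The kernel code copies blindly; this demo checks first so that a
     * mismatch is reported instead of corrupting the heap. */
    if (to_copy > cbCapture) {
        rc = COPY_OVERFLOW;
    } else {
        memcpy(alloc, user_struct->lpData, to_copy);
        rc = COPY_OK;
    }
    free(alloc);
    return rc;
}

/* Hardened pattern: fetch the user-mode structure exactly once into
 * kernel-owned storage, validate the captured copy, and never read the
 * user-mode structure again. */
int hardened_copy(PMY_STRUCT user_struct, race_hook_t race)
{
    MY_STRUCT captured = *user_struct;                           /* single fetch */
    if (race)
        race(user_struct);                                      /* race now only changes the stale user copy */
    if (captured.lpData == NULL || captured.cbData > MAX_CBDATA)
        return COPY_INVALID;                                    /* bound also prevents size wraparound */
    size_t cbCapture = sizeof(MY_STRUCT) + captured.cbData;
    uint8_t *alloc = malloc(cbCapture);
    if (alloc == NULL)
        return COPY_INVALID;
    memcpy(alloc, captured.lpData, captured.cbData);             /* length and pointer come from the capture */
    free(alloc);
    return COPY_OK;
}

/* Constructed race: the "other thread" enlarges cbData after the first fetch. */
static void grow_cbdata(PMY_STRUCT user_struct)
{
    user_struct->cbData = 4096;
}

/* Runs one scenario on a constructed 8-byte user buffer and returns the
 * status code, so the outcome can be checked rather than only printed. */
int run_scenario(int hardened, int with_race)
{
    static const uint8_t sample[8] = { 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H' };  /* constructed user data */
    MY_STRUCT user = { (uint32_t)sizeof sample, sample };
    race_hook_t race = with_race ? grow_cbdata : NULL;
    return hardened ? hardened_copy(&user, race) : vulnerable_copy(&user, race);
}

int main(void)
{
    printf("vulnerable, no race : %d\n", run_scenario(0, 0));   /* 0 = COPY_OK */
    printf("vulnerable, raced   : %d\n", run_scenario(0, 1));   /* 1 = COPY_OVERFLOW */
    printf("hardened,   raced   : %d\n", run_scenario(1, 1));   /* 0 = COPY_OK */
    return 0;
}
```

The defensive point is the shape of hardened_copy: every value that drives an allocation size or a copy length is taken from a single captured copy that user mode cannot modify, and that copy is bounds-checked before use. The same capture-once discipline is what a reviewer should look for wherever kernel code dereferences a user-supplied pointer more than once.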
Microsoft has released a security bulletin (MS08-061) and the corresponding patches for these issues:
MS08-061: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211)
Link: http://www.microsoft.com/technet/security/Bulletin/MS08-061.mspx?pf=true