The patch source code.
Source: 0patch Blog
;Micropatch for wer.dll version 10.17134.471
;
;How it works:
; The vulnerable CreateFileW call that creates a temporary report XML file, which
; inherits the loose C:\ProgramData\Microsoft\Windows\WER\Temp\ permissions, is replaced by
; a call to ConvertStringSecurityDescriptorToSecurityDescriptor, which builds a new security
; descriptor from an ACE string; that descriptor is then supplied to a new CreateFileW call.
; The new security descriptor grants no DELETE permission to the Authenticated Users group
; on the report XML, so a regular user can no longer replace it with a hard link.
MODULE_PATH "..\AffectedModules\wer.dll_10.17134.471_64bit\wer.dll"
PATCH_ID 344
PATCH_FORMAT_VER 2
VULN_ID 4657
PLATFORM win64
patchlet_start
PATCHLET_ID 1
PATCHLET_TYPE 2
; Imported functions; each is referenced in the code below as PIT_<name>.
PIT kernel32.dll!CreateFileW,advapi32.dll!ConvertStringSecurityDescriptorToSecurityDescriptorA,kernel32.dll!LocalFree
PATCHLET_OFFSET 0x00059bd7
; Bytes of original code at PATCHLET_OFFSET skipped once the patchlet finishes
; (presumably the replaced CreateFileW call sequence — not visible here).
JUMPOVERBYTES 11
N_ORIGINALBYTES 2
code_start
;-----------------------------------------------------------------------
; Replacement for the original CreateFileW call (Microsoft x64 ABI).
; Entry state (S = rsp on entry; 16-byte aligned, as at any call site):
;   rcx = lpFileName, rdx = dwDesiredAccess, r8 = dwShareMode,
;   r9  = original lpSecurityAttributes (discarded, replaced by &sa below),
;   [S+20h] = dwCreationDisposition, [S+28h] = dwFlagsAndAttributes,
;   [S+30h] = hTemplateFile.
;   [S..S+1fh] is the callee home space of the replaced call and is reused
;   as scratch for the three values saved first.
; Exit state: rax = CreateFileW result, rdi restored, rsp = S.
; Clobbers: flags and, via the three Win32 calls, whatever the ABI treats
;   as volatile (rcx, rdx, r8-r11, xmm0-xmm5); rdi is explicitly preserved.
; Stack layout after the three `sub rsp, 20h` below:
;   [S-20h] sa.nLength, [S-18h] sa.lpSecurityDescriptor, [S-10h] sa.bInheritHandle,
;   [S-40h..S-30h] stack args 5-7 of the new CreateFileW call,
;   [S-60h..S-41h] home space for that call.
;-----------------------------------------------------------------------
mov qword [rsp+10h], r8 ; dwShareMode -> [S+10h] (home-space slot, unused until the new call)
mov qword [rsp+8h], rdi ; storing a global variable -> [S+8h]; restored before code_end
mov qword [rsp], rcx ; lpFileName -> [S]
; Address-of-data trick: `call` pushes the address of the db that follows as
; the return address; the `pop rcx` at the label retrieves it (rsp back to S).
call arg0_StringSecurityDescriptor
; args for ConvertStringSecurityDescriptorToSecurityDescriptorA
; SDDL DACL string, NUL-terminated (",0") because the ANSI (...A) API is called.
; The AuthenticatedUsers (AU) ACE is (A;;GRGW;;;AU): generic read + generic write,
; no DELETE — replacing the original (A;;0x13019f;;;AU), whose mask includes
; DELETE (0x10000), so a regular user can no longer replace the file with a hard link.
; NOTE(review): the SU, LS, NS, WR, AC and S-1-15-2-2 ACEs keep 0x13019f and
; therefore still carry DELETE — confirm that is intended for those principals.
db "D:(A;;FA;;;BA)(A;;GRGW;;;AU)(A;;0x13019f;;;SU)(A;;0x13019f;;;LS)(A;;0x13019f;;;NS)(A;;0x13019f;;;WR)(A;;0x13019f;;;AC)(A;;0x13019f;;;S-1-15-2-2)",0
arg0_StringSecurityDescriptor:
pop rcx ; rcx=arg0_StringSecurityDescriptor (arg0: StringSecurityDescriptor); rsp = S again
mov rdx, 01h ; arg1: StringSDRevision=SDDL_REVISION_1 (clobbers the original dwDesiredAccess; re-supplied as a constant below)
;arg2: this arg is part of SECURITY_ATTRIBUTES struct so we have to create this first
; sa requires 18h of space (nLength @0, lpSecurityDescriptor @8, bInheritHandle @10h)
sub rsp, 20h ; but we're allocating 8 more than required nLength to keep stack alignment (rsp = S-20h)
lea r8, [rsp+8h] ;arg2: SecurityDescriptor=&sa.lpSecurityDescriptor ([S-18h]); the callee writes it on success
;init sa:
mov dword [rsp],18h ;sa.nLength = sizeof(SECURITY_ATTRIBUTES);
; NOTE(review): 1 is TRUE, i.e. the new handle is inheritable. The patch's stated
; intent is only to tighten the DACL; if a non-inheritable handle is wanted this
; should be 0 (FALSE) — confirm which is intended.
mov dword [rsp+10h],1h ;sa.bInheritHandle = 1 (TRUE)
; sa.lpSecurityDescriptor ([rsp+8h]) is left for the callee to fill in and is
; NOT zero-initialised here (see the note after the call).
xor r9d,r9d ; arg3: SecurityDescriptorSize=NULL (size not needed)
sub rsp, 20h ; allocate homespace for the call (rsp = S-40h, still 16-byte aligned)
call PIT_ConvertStringSecurityDescriptorToSecurityDescriptorA
; NOTE(review): the BOOL result in rax is not checked. If the conversion fails,
; [S-18h] (sa.lpSecurityDescriptor) still holds whatever was on the stack, and that
; indeterminate pointer is handed to CreateFileW and then to LocalFree below.
; Zero-initialising sa.lpSecurityDescriptor when sa is set up, or testing eax and
; failing the open (rax = INVALID_HANDLE_VALUE with rdi and rsp restored), would
; close that gap.
;copy CreateFileW args 5,6 and 7 to a new stack frame
; rsp = S-40h here: the original stack args are at [rsp+60h..rsp+70h] (= [S+20h..S+30h]);
; the copies at [rsp..rsp+10h] (= [S-40h..S-30h]) become [rsp+20h..rsp+30h] after
; the next `sub rsp, 20h`, i.e. stack-argument slots 5-7 of the new call.
mov rax, [rsp+60h] ; dwCreationDisposition
mov qword [rsp],rax
mov rax, [rsp+68h] ; dwFlagsAndAttributes
mov qword [rsp+8h],rax
mov rax, [rsp+70h] ; hTemplateFile
mov qword [rsp+10h],rax
;obtain CreateFileW args 1,2,3,4
mov rcx, [rsp+40h] ; lpFileName (saved at [S] above)
; dwDesiredAccess = GENERIC_READ|GENERIC_WRITE; rdx was clobbered by the revision
; argument above. NOTE(review): assumes the original call passed exactly this
; mask — confirm against the replaced bytes.
mov edx, 0C0000000h ; dwDesiredAccess
mov r8, [rsp+50h] ; dwShareMode (saved at [S+10h] above)
lea r9,[rsp+20h] ;lpSecurityAttributes = &sa ([S-20h]); replaces the original r9
sub rsp, 20h ; alloc homespace for the call (rsp = S-60h, 16-byte aligned)
call PIT_CreateFileW
mov [rsp+28h],rax ; store result in the already-consumed dwFlagsAndAttributes slot ([S-38h]); LocalFree overwrites rax
;free the security descriptor:
mov rcx,[rsp+48h] ; sa.lpSecurityDescriptor ([S-18h]), allocated by the convert call
call PIT_LocalFree ;LocalFree(sa.lpSecurityDescriptor)
; NOTE(review): LocalFree runs between CreateFileW and whatever error check
; follows in the original code; if that code reads GetLastError, confirm the
; last-error value survives this call.
mov rax,[rsp+28h] ;restore result
mov rdi,[rsp+68h] ;restore the global variable (saved at [S+8h])
add rsp, 60h ;restore stack: undo the three 20h allocations, rsp = S
code_end
patchlet_end