ntoskrnl.exe中的ApphelpCacheLookupEntry在处理位于user-mode下的内存对象时存在竞争条件错误,允许本地攻击者利用漏洞以RING0权限执行任意代码。
PAGE:0063073E mov eax, [esi+18h]
PAGE:0063073E mov [edi], eax
PAGE:00630740 mov eax, [esi+1Ch]
PAGE:00630743 mov [edi+4], eax
PAGE:00630746 test byte ptr [esi+18h], 1
PAGE:0063074A jz short loc_63078E
PAGE:0063074C test byte ptr [esi+1Ch], 1
PAGE:00630750 jz short loc_63078E
PAGE:00630752 cmp dword ptr [esi+24h], 0
PAGE:00630756 jz short loc_63078E
PAGE:00630758 mov ecx, [edi+18h]
PAGE:0063075B test ecx, ecx
PAGE:0063075D jz short loc_63078E
PAGE:0063075F mov eax, [esi+20h]
PAGE:00630762 cmp [edi+14h], eax
PAGE:00630765 jnb short loc_630774
PAGE:00630767 mov [edi+14h], eax
PAGE:0063076A mov esi, 0C0000023h
PAGE:0063076F jmp loc_6307FB
PAGE:00630774 ; ---------------------------------------------------------------------------
PAGE:00630774
PAGE:00630774 loc_630774: ; CODE XREF: ApphelpCacheLookupEntry(x,x,x)+BCj
PAGE:00630774 push 4 ; Alignment
PAGE:00630776 push eax ; Length
PAGE:00630777 push ecx ; Address 这里检查的是 ecx(即上面一次性读取的 [edi+18h] 副本)是否为user-land的地址
PAGE:00630778 call _ProbeForWrite@12 ; ProbeForWrite(x,x,x)
PAGE:0063077D push dword ptr [esi+20h] ; size_t
PAGE:00630780 push dword ptr [esi+24h] ; void *
PAGE:00630783 push dword ptr [edi+18h] ; 这里从用户内存重新读取 [edi+18h],而 ProbeForWrite 校验的只是 ecx 中的旧副本;如果 [edi+18h] 在两次读取之间被另一个线程修改为kernel-land地址,memcpy 将造成写内核地址漏洞(TOCTOU 竞争)
PAGE:00630786 call _memcpy
PAGE:0063078B add esp, 0Ch
PAGE:0063078E