Fortinet Inc.

06/14/2018 | Press release | Distributed by Public on 06/14/2018 11:12

Microsoft Windows Remote Kernel Crash Vulnerability

PAGE:85D15618 [email protected] proc near ; CODE XREF:


PAGE:85D1571F mov edx, edi

PAGE:85D15721 mov ecx, [ebp+arg_4]

PAGE:85D15724 call [email protected] ; HashpHashBytes(x,x,x)

PAGE:85D15729 lea edx, [esi+0A0h]


PAGE:85D1572F loc_85D1572F: ; CODE XREF: CipImageGetImageHash(x,x,x,x,x,x,x,x,x)+CF↑j

PAGE:85D1572F mov edi, [ebp+arg_10]

PAGE:85D15732 mov eax, [edi+54h] ; -----> here [edi+54h] is read from poc.dll at offset 0x104; its value is 0x06.

PAGE:85D15735 sub eax, edx ; -----> here edx=83560150

PAGE:85D15737 add eax, [ebp+BaseAddress] ; ----> here [ebp+BaseAddress]=83560000

PAGE:85D1573A push eax ; ---------> So after the above calculation the subtraction overflows (wraps around), leaving eax=fffffeb6

PAGE:85D1573B mov ecx, [ebp+arg_4]

PAGE:85D1573E call [email protected] ; ------> this function call chain eventually results in a kernel crash

PAGE:85D15743 mov esi, [edi+54h] ;

PAGE:85D15746 mov [ebp+var_30], esi

In the following function, an insufficient bounds check is performed:

.text:85D0368C @[email protected] proc near

.text:85D0368C ; CODE XREF: SymCryptSha1Append(x,x,x)+10↑p

.text:85D0368C ; SymCryptMd5Append(x,x,x)+10↑p


.text:85D0368C var_18 = dword ptr -18h

.text:85D0368C var_14 = dword ptr -14h

.text:85D0368C var_10 = dword ptr -10h

.text:85D0368C var_C = dword ptr -0Ch

.text:85D0368C var_8 = dword ptr -8

.text:85D0368C var_4 = dword ptr -4

.text:85D0368C Src = dword ptr 8

.text:85D0368C MaxCount = dword ptr 0Ch


.text:85D0368C mov edi, edi

.text:85D0368E push ebp

.text:85D0368F mov ebp, esp


.text:85D0372D mov ecx, [ebp+var_8]

.text:85D03730 mov edx, [ebp+var_18]

.text:85D03733 jmp short loc_85D0373B

.text:85D03735 ; ---------------------------------------------------------------------------


.text:85D03735 loc_85D03735: ; CODE XREF: SymCryptHashAppendInternal(x,x,x,x)+46↑j

.text:85D03735 ; SymCryptHashAppendInternal(x,x,x,x)+52↑j

.text:85D03735 mov ecx, [ebp+Src]

.text:85D03738 mov [ebp+var_8], ecx


.text:85D0373B loc_85D0373B: ; CODE XREF: SymCryptHashAppendInternal(x,x,x,x)+A7↑j

.text:85D0373B cmp esi, [edx+18h] ; ----> here [edx+18h] equals 40h and esi equals fffffe7a; because the comparison is unsigned, the crafted block size is not rejected

.text:85D0373E jb short loc_85D03769

.text:85D03740 mov edi, [edx+1Ch]

.text:85D03743 lea eax, [ebp+var_C]

.text:85D03746 push eax

.text:85D03747 push esi

.text:85D03748 mov esi, [edx+0Ch]

.text:85D0374B add edi, ebx

.text:85D0374D mov ecx, esi

.text:85D0374F call ds:___guard_check_icall_fptr ; _guard_check_icall_nop(x)

.text:85D03755 mov edx, [ebp+var_8]

.text:85D03758 mov ecx, edi

.text:85D0375A call esi