CVE-2020-17087 Windows内核驱动cng.sys整数溢出漏洞分析<\/h1>

漏洞概述<\/h2>
CVE-2020-17087是Windows内核驱动模块cng.sys中存在的一个整数溢出漏洞，攻击者可以利用此漏洞进行越界读写，最终实现本地提权。该漏洞曾被黑客用于Chrome沙箱逃逸(CVE-2020-15999)。<\/p>
受影响版本<\/strong>：Windows 10 2004及之前版本<\/p>

漏洞分析环境<\/h2>

Windows版本：Windows 10 1903 (10.0.18362.836)<\/li>
分析对象：cng.sys驱动模块<\/li> <\/ul>
漏洞原理<\/h2>
漏洞位于cng!CfgAdtpFormatPropertyBlock<\/code>函数中，关键问题在于对用户可控的size<\/code>参数进行6 * size<\/code>运算时，结果被强制转换为有符号16位整数，导致整数溢出。<\/p>
关键代码分析<\/h3> __int64<\/span> __fastcall<\/span> CfgAdtpFormatPropertyBlock<\/span>(char<\/span> *<\/span>a1, unsigned<\/span> __int16<\/span> size, __int64<\/span> a3) <\/span><\/span>{ <\/span><\/span> unsigned<\/span> int<\/span> v3; \/\/ ebx <\/span><\/span><\/span><\/span> char<\/span> *<\/span>v6; \/\/ r14 <\/span><\/span><\/span><\/span> __int16<\/span> v7; \/\/ di <\/span><\/span><\/span><\/span> _WORD *<\/span>pool_ptr; \/\/ rax <\/span><\/span><\/span><\/span> _WORD *<\/span>v9; \/\/ rdx <\/span><\/span><\/span><\/span> _WORD *<\/span>pool_ptr_w; \/\/ rcx <\/span><\/span><\/span><\/span> __int64<\/span> count; \/\/ r8 <\/span><\/span><\/span><\/span> _WORD *<\/span>v12; \/\/ rcx <\/span><\/span><\/span><\/span> char<\/span> v13; \/\/ al <\/span><\/span><\/span><\/span> <\/span><\/span> v3 =<\/span> 0<\/span>; <\/span><\/span> v6 =<\/span> a1; <\/span><\/span> if<\/span> (a1 &&<\/span> size &&<\/span> a3) <\/span><\/span> { <\/span><\/span> v7 =<\/span> 6<\/span> *<\/span> size; \/\/ 整数溢出点：6 * 0x2aab = 2 <\/span><\/span><\/span><\/span> pool_ptr =<\/span> BCryptAlloc((unsigned<\/span> __int16<\/span>)(6<\/span> *<\/span> size)); \/\/ 申请过小的内存池 <\/span><\/span><\/span><\/span> v9 =<\/span> pool_ptr; <\/span><\/span> if<\/span> (pool_ptr) <\/span><\/span> { <\/span><\/span> pool_ptr_w =<\/span> pool_ptr; <\/span><\/span> if<\/span> (size) <\/span><\/span> { <\/span><\/span> count =<\/span> size; <\/span><\/span> do<\/span> { <\/span><\/span> \/\/ 每次写入6字节 <\/span><\/span><\/span><\/span> *<\/span>pool_ptr_w =<\/span> (unsigned<\/span> __int8<\/span>)a0123456789abcd[(unsigned<\/span> __int64<\/span>)(unsigned<\/span> __int8<\/span>)*<\/span>v6 >><\/span> 4<\/span>]; <\/span><\/span> v12 =<\/span> pool_ptr_w +<\/span> 1<\/span>; <\/span><\/span> v13 =<\/span> *<\/span>v6++<\/span>; <\/span><\/span> *<\/span>v12++<\/span> =<\/span> (unsigned<\/span> __int8<\/span>)a0123456789abcd[v13 &<\/span> 0xF<\/span>]; <\/span><\/span> *<\/span>v12 =<\/span> 0x20<\/span>; <\/span><\/span> pool_ptr_w =<\/span> v12 +<\/span> 1<\/span>; <\/span><\/span> --<\/span>count; <\/span><\/span> } while<\/span> (count); \/\/ 循环次数为size(0x2ab)次 <\/span><\/span><\/span><\/span> } <\/span><\/span> *<\/span>(_QWORD *<\/span>)(a3 +<\/span> 8<\/span>) =<\/span> v9; <\/span><\/span> *<\/span>(_WORD *<\/span>)(a3 +<\/span> 2<\/span>) =<\/span> v7; <\/span><\/span> *<\/span>(_WORD *<\/span>)a3 =<\/span> v7 -<\/span> 2<\/span>; <\/span><\/span> } <\/span><\/span> else<\/span> <\/span><\/span> { <\/span><\/span> return<\/span> 0xC000009A<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> else<\/span> <\/span><\/span> { <\/span><\/span> return<\/span> 0xC000000D<\/span>; <\/span><\/span> } <\/span><\/span> return<\/span> v3; <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞触发流程<\/h3> 当size<\/code>被控制为0x2ab<\/code>时，6 * 0x2ab = 0x1002<\/code>，但强制转换为16位有符号整数后结果为2<\/code><\/li> BCryptAlloc<\/code>函数根据这个过小的NumberOfBytes<\/code>(2)申请内存池空间<\/li> 但后续的do-while循环次数仍为原始的size<\/code>值(0x2ab)，每次写入6字节<\/li> 最终导致越界写入，触发蓝屏(BSOD)<\/li> <\/ol> 漏洞触发路径分析<\/h2> 1. 用户态调用路径<\/h3> 用户态通过DeviceIoControl<\/code>API发起IOCTL请求：<\/p> IO控制码(IoCode)：0x390400<\/code><\/li> 该请求最终会调用内核驱动模块中的DriverObject->MajorFunction[IRP_MJ_DEVICE_CONTROL]<\/code><\/li> <\/ul> 2. 内核态调用链<\/h3> 完整的调用链如下：<\/p> cng!CngDispatch cng!CngDeviceControl cng!ConfigIoHandler_Safeguarded cng!IoUnpack_SG_ParamBlock_Header cng!ConfigFunctionIoHandler cng!ConfigurationFunctionIoHandler cng!IoUnpack_SG_Configuration_ParamBlock cng!IoUnpack_SG_SzString cng!IoUnpack_SG_ContextFunctionConfig cng!IoUnpack_SG_Buffer cng!BCryptSetContextFunctionProperty cng!CfgReg_Acquire cng!CfgAdtReportFunctionPropertyModification cng!CfgAdtpFormatPropertyBlock (漏洞函数) <\/code><\/pre> 3. 关键函数分析<\/h3> cng!ConfigIoHandler_Safeguarded<\/h4> 该函数根据输入缓冲区的长度申请两个大小相同的池块(pool1和pool2)：<\/p> 将输入缓冲区内容拷贝至pool1<\/li> pool2初始化为0<\/li> 调用cng!IoUnpack_SG_ParamBlock_Header<\/code>进行初步处理<\/li> <\/ol> cng!IoUnpack_SG_ParamBlock_Header<\/h4> 该函数进行以下操作：<\/p> 检查pool1的前4字节必须为0x1A2B3C4D<\/code><\/li> 第3个参数保存pool1的第二个4字节(0x10400)<\/li> for循环内将pool2的前8字节置为0xFFFFFFFFFFFFFFFF<\/code><\/li> <\/ol> cng!ConfigurationFunctionIoHandler<\/h4> 根据输入缓冲区的第二个四字节(0x10400被截断为0x400)，进入分支：<\/p> if<\/span> (a1 ==<\/span> 0x400<\/span>) <\/span><\/span> return<\/span> BCryptSetContextFunctionProperty(...); <\/span><\/span><\/code><\/pre>cng!BCryptSetContextFunctionProperty<\/h4> 该函数：<\/p> 使用cbValue<\/code>和pbValue<\/code>初始化DestinationString<\/code><\/li> 调用cng!CfgReg_Acquire<\/code>尝试访问注册表项<\/li> 初始化三个UnicodeString(使用pool1+0x100、pool1+0x200、pool1+0x400处的字符)<\/li> 调用cng!CfgAdtReportFunctionPropertyModification<\/code><\/li> <\/ol> cng!CfgAdtReportFunctionPropertyModification<\/h4> 该函数最终调用漏洞函数cng!CfgAdtpFormatPropertyBlock<\/code>，传入的关键参数：<\/p> 第二个参数(size)来自pool_ptr1 + 0x50<\/code>处的值(0x2aab)<\/li> <\/ul> 漏洞利用关键点<\/h2> 可控的size参数<\/strong>：通过精心构造的输入缓冲区，可以控制pool_ptr1 + 0x50<\/code>处的值<\/li> 整数溢出<\/strong>：6 * size<\/code>的结果强制转换为16位有符号整数导致溢出<\/li> 内存分配与写入不匹配<\/strong>：分配小内存但进行大量写入<\/li> 越界写入<\/strong>：最终导致相邻内存被破坏，可能实现任意代码执行<\/li> <\/ol> 补丁分析<\/h2> 微软通过以下方式修复了该漏洞：<\/p> 在cng!CfgAdtpFormatPropertyBlock<\/code>函数中增加了cng!RtlUShortMult<\/code>函数调用<\/li> RtlUShortMult<\/code>函数对size * 6<\/code>的结果进行溢出检查<\/li> <\/ol> 补丁后的关键代码：<\/p> __int64<\/span> __fastcall<\/span> RtlUShortMult<\/span>(unsigned<\/span> __int16<\/span> a1, __int64<\/span> a2, unsigned<\/span> __int16<\/span> *<\/span>a3) <\/span><\/span>{ <\/span><\/span> unsigned<\/span> int<\/span> v3; \/\/ ecx <\/span><\/span><\/span><\/span> unsigned<\/span> __int16<\/span> v4; \/\/ dx <\/span><\/span><\/span><\/span> <\/span><\/span> v3 =<\/span> 6<\/span> *<\/span> a1; <\/span><\/span> if<\/span> (v3 ><\/span> 0xFFFF<\/span>) <\/span><\/span> v4 =<\/span> 0xFFFF<\/span>; <\/span><\/span> else<\/span> <\/span><\/span> v4 =<\/span> v3; <\/span><\/span> *<\/span>a3 =<\/span> v4; <\/span><\/span> return<\/span> v3 ><\/span> 0xFFFF<\/span> ?<\/span> 0xC0000095<\/span> :<\/span> 0<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>参考链接<\/h2> Google Project Zero分析报告<\/a><\/li> 微软官方漏洞指南<\/a><\/li> <\/ol>

CVE-2020-17087 Windows内核驱动cng.sys整数溢出漏洞分析<\/h1>

漏洞原理<\/h2> 漏洞位于cng!CfgAdtpFormatPropertyBlock<\/code>函数中，关键问题在于对用户可控的size<\/code>参数进行6 * size<\/code>运算时，结果被强制转换为有符号16位整数，导致整数溢出。<\/p>

漏洞触发路径分析<\/h2>

3. 关键函数分析<\/h3>

参考链接<\/h2> Google Project Zero分析报告<\/a><\/li> 微软官方漏洞指南<\/a><\/li> <\/ol>

漏洞原理<\/h2>
漏洞位于`cng!CfgAdtpFormatPropertyBlock<\/code>函数中，关键问题在于对用户可控的size<\/code>参数进行6 * size<\/code>运算时，结果被强制转换为有符号16位整数，导致整数溢出。<\/p>`

参考链接<\/h2>

Google Project Zero分析报告<\/a><\/li>
微软官方漏洞指南<\/a><\/li> <\/ol>