Windows Kernel ReadLayoutFile Heap Overflow
1. Advisory Information
Title: Windows Kernel ReadLayoutFile Heap Overflow
Advisory ID: CORE-2011-1123
Advisory URL: http://www.coresecurity.com/content/windows-kernel-readlayoutfile
Date published: 2012-05-08
Date of last update: 2012-07-11
Vendors contacted: Microsoft
Release mode: Coordinated release
2. Vulnerability Information
3. Vulnerability Description
There is a bug in the ReadLayoutFile Windows Kernel function that can be leveraged into a local privilege escalation exploit, potentially usable in a client-side attack scenario or after a remote intrusion by other means.
This bug is similar to another bug used by a client-side exploit in Stuxnet.
4. Vulnerable packages
- Windows XP SP3.
- Windows Vista SP2.
- Windows 7
- Windows 7 SP1.
- Windows Server 2003 SP2.
- Windows Server 2008 SP2.
- Other Windows versions might be vulnerable but were not tested.
5. Vendor Information, Solutions and Workarounds
Apply security patch MS12-047 
This vulnerability was discovered and researched by NicolÃ¡s Economou from Core Security Technologies. The publication of this advisory was coordinated by Fernando Russ.
7. Technical Description / Proof of Concept Code
There is a bug in the
ReadLayoutFile Windows Kernel (
win32k.sys) function that can be leveraged into a local privilege escalation exploit, potentially usable in a client-side attack scenario, or after a remote intrusion by other means.
Custom keyboard layouts are implemented using a .dll file exporting the
KbdLayerDescriptor function which, in theory, returns a pointer to a structure of type
KBDTABLES that is stored in the
.DATA sections of the PE file. The
NtUserLoadKeyboardLayoutEx is a private function used by
LoadKeyboardLayout  to load a custom keyboard layout, as arguments
NtUserLoadKeyboardLayoutEx uses an open file handle pointing to a keyboard layout library. When the function
NtUserLoadKeyboardLayoutEx is correctly called the PE file referenced by its arguments is mapped in kernel space.
The bug is due to a memory corruption: a double word can be overwritten in a position relative to the base of the allocated memory in kernel space. We have to distinguish the following constraints for exploiting this vulnerability:
- There is no bound check for the value used to index the
.DATAsection of the keyboard layout .dll where the actual where the actual layout descriptor table is stored. (So, we can reference spurious memory address)
- The file handle used to load the keyboard layout must refer to a file located in \Windows\System32.
- The value used to index the
.DATAsection of the keyboard layout is incorrectly bound checked.
We can confirm reliable exploitation for the following Microsoft Windows versions:
- Windows XP SP3,
- Windows Server 2003 SP2,
- Windows Server 2008 SP2.
8. Report Timeline
- 2011-11-23: Core Security Technologies notifies MSRC of the vulnerability, including technical details and a PoC that crashes Windows XP SP3.
- 2011-11-23: Vendor acknowledges the receipt of the information. Vendor warns Core Security Technologies that it may take longer than normal for a technical review of the bug because of the Thanksgiving holiday.
- 2011-11-24: Core acknowledges the aforementioned possible delay and wishes MSRC a happy Thanksgiving.
- 2011-11-25: MSRC opens case number "MSRC 12000gd" for report tracking.
- 2011-11-28: MSRC mentions over an unencrypted communication channel that they are currently investigating the issue, and that they'll let Core Security Technologies know of their findings when the investigation is complete.
- 2011-11-29: Core Security Technologies acknowledges the previous e-mail.
- 2011-12-08: MSRC contacts Core Security Technologies for a quick update, informing that they were able to reproduce the crash and that it is indeed very similar to bug publicly exploited at . MSRC informs that they are currently discussing the next steps they will take with Windows Product Team.
- 2012-01-09: Ivan Arce, current CTO and founder of the Core Advisories Team, leaves Core after 15 years. Thanks Wari!
- 2012-01-17: MSRC notifies that the release of a fix was scheduled for March 2012.
- 2012-01-18: Core acknowledges the previous update and notifies that Nicolas Economou has further analyzed the crash (publicly available in exploit-db) and concluded it is indeed a different issue. Core offers to compile Nicolas' findings into a private technical report.
- 2012-01-18: MSRC validates Nicolas' findings stating the two issues are separate, even though they share a same code area.
- 2012-03-09: Core asks if the March publication date still stands.
- 2012-03-12: MSRC notifies that, due to some late findings about app-compat concerns, they will need more time to issue the patch. MSRC asks to re-schedule the advisory publication to May 8th.
- 2012-03-09: Core re-schedules the advisory publication to May 8th.
- 2012-04-01: Pedro Varangot leaves the Core Advisories Team. Thanks Peter and good luck with your new challenges.
- 2012-04-02: Core asks for additional information regarding the actual vulnerable Windows' versions and specific workarounds for this vulnerability.
- 2012-04-03: MSRC notifies that the actual vulnerable systems are Windows XP/2003 as Elevation of Privileges and Windows Vista/2008 as Denial of Service. MSRC also notifies that no workaround has been identified for this vulnerability.
- 2012-05-08: The advisory CORE-2011-1123 is published.
- 2012-05-08: MSRC publishes the Security Bulletin MS12-034  for addressing this issue.
- 2012-05-11: Core notifies MSRC that the vulnerability was not correctly patched in  and re-sends a PoC to reproduce the issue.
- 2012-05-14: Based on the blog post , MSRC asks for a PoC which triggers the issue in a Vista/Windows 7 platform.
- 2012-05-14: Core clarifies that this issue seems to be not exploitable in Windows 7 (as it was noted in the blog post ), but it is still exploitable in Windows Vista and 2008. Core also notifies that the exploit for this vulnerability was sent to the Core Impact clients on May 8th, 2012.
- 2012-05-16: MSRC notifies that a new patch will be released and a new CVE number will be assigned to it.
- 2012-05-17: Core acknowledges the update and asks a publication date for this update.
- 2012-05-18: MSRC asks for a conference call to discuss this issue and asks Core to make no change on the advisory or the blog post until the publication day.
- 2012-05-18: Core requests to keep all the communication process via email in order to track all interactions and involve all people interested in it. Core also notifies that the advisory update will be released after the new patch is published.
- 2012-06-14: Core asks MSRC for additional information regarding this issue.
- 2012-06-18: MSRC notifies that they are targeting July as publication timeframe for this issue.
- 2012-06-21: Core acknowledges the publication date and asks for the new CVE number and any additional information that can be added in the advisory amendment.
- 2012-07-05: MSRC informs that the new bulletin will be published on July 10th, and the new CVE number is CVE-2012-1890.
- 2012-07-10: MSRC publishes the Security Bulletin Summary for July 2012 .
- 2012-07-11: The advisory CORE-2011-1123 is updated.
10. About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.
11. About Core Security Technologies
Core Security Technologies enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations.
Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security Technologies can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.
The contents of this advisory are copyright (c) 2012 Core Security Technologies and (c) 2012 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/
13. PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at /legacy/files/attachments/core_security_advisories.asc.