100 - DDR4 Rowhammer, Azure Bugs, "Essential 0days", and Backdoored IDA
Multiple bugs within the Microsoft RDP Client (Server being the attacker) found through fuzzing. None covered at this time are very impactful but there is some background in Virtual Channels within RDP and experieince getting a fuzzing envrionment setup that might be of value.
Out-of-Bounds Read in RDPSND
This vulnerabilities was found in the virtual channel for transporting audio data from server to client. A wFormatNo
controlled by an attacker is used to calculate the offset to for the targetFormat
targetFormat = *(AudioFormat **)(savedAudioFormats + 8 * wFormatNo);
The challenge with this one is that while there is not always length checking, if the lastFormatNo
is not equal to the current wFormatNo
then a call to CRdpAudioController::OnNewFormat(this, wFormatNo)
will be made. This function does do some input validation to ensure the value is not out of bounds.
To get around this one could change out the number of supported audio formats between messages. Sending an inital list of supported formats with n
entries, sending a message using wFormatNo
set to n
, then sending another list of supported formats with less than n
entries. Resulting in an out-of-bounds read when calculating the targetFormat
pointer.
Exploiting this bug may be a challenge though, as the targetFormat
is only used to read the wFormatTag
field, and check if it is equal to 1, leaking limited information.
Arbitrary Malloc
This issue was found twice, one in CLIPDR
the virtual channel for clipboard synchronization, and once in RDPDR
a virtual channel for redirecting file-system access.
For the clipboard case, the clipDataId
field would be used in a calculation (8 x (32+clipDataId)
) going into malloc. So a large value could lead to a malloc of up to around 32GB.
With RDPDR
the issue was a little less powerful, OutputBufferLength
being used in a malloc call directly, but since its a 32bit value, only able to allocate about 4GB, and only once per session.
Leaving out many of the specifics about how Azure Sphere devices work. Under normal circumstances it appears that you shoudl neither be able to downgrade a devices firmware, nor install any firmware without providing the Microsoft-signed manifest beforehand.
The issue Talos Found was that it was posisble to install the “Trusted Keystore” image wihtout any manifest or version restriction. So by installing a different version will result in the Pluton processor (root of trust on Azure Sphere) using a bad key when checking the firmware image, leading to a failed verification and rebooting the device (repeating the process).
Out of bounds access in the GPIO_SET_PIN_CONFIG_IOCTL
leading to information disclosure. When parsing the lineoffsets
field from the gpiopin_request
object, there’s no bounds checking on it before it’s used as an index into an array of descriptions to get a desc
pointer. This is only useful for information disclosure though, because the only useful avenue they found for exploiting the issue was a permission check that would use the desc->allowed_user
field and compare it against the current UID. By using this permission check as an oracle, they could scan memory for sequences of bytes that match the process UID. They use this to find and leak the address of the cred
structure in the heap.