5. Direct Composition Overview
• High-performance bitmap composition graphics engine with transforms, effects and animations
• Introduced in Windows 8
• Works on top of DWM (Desktop Window Manager)
7. Significant Changes since Win10 RS1
• Kernel implementation changed
• Interface changed:
  - Lots of interfaces removed (10+?)
  - Lots of functions have been rewritten, but not to fix vulnerabilities
  - Some interfaces added, e.g.:
10. Why attack DirectComposition?
• Reachable from an AppContainer and outside the win32k filter
• This part is implemented in C++ in the kernel
• Introduced in Windows 8, but has not been a focus of other researchers (as far as we know)
13. Resource Object
• Known as a "visual" in the user interface
• Similar to a win32k surface
• It has a lot of types, e.g.:
  CScaleTransformMarshaler, CTranslateTransformMarshaler,
  CRectangleClipMarshaler, CBaseClipMarshaler,
  CSharedSectionMarshaler, CMatrixTransformMarshaler,
  CMatrixTransform3DMarshaler, CShadowEffectMarshaler, ...
14. Batch Buffer
• Associated with a channel
• Returned from NtDCompositionCreateChannel
• Parsed by NtDCompositionProcessChannelBatchBuffer
• This function supports a lot of commands
22. Root Cause
Freeing the resource (visual)'s property buffer forgets to clear resource->DataBuffer, so the same buffer is freed again when the resource itself is freed.
(Figure: the property buffer's first free)
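The bug class on this slide, as an added toy model rather than DirectComposition's own code: a resource owns a property buffer, one path releases it without clearing resource->DataBuffer, and the resource teardown then frees the same pointer again. The instrumented free counts the second release instead of handing it to the real heap, and the fixed release path clears the pointer. Every name in the block is hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not DirectComposition's own code): a toy model of the root
 * cause above. A resource owns a property buffer; one path releases that
 * buffer without clearing resource->DataBuffer, so resource teardown frees
 * the same pointer a second time. All names here are hypothetical. */

typedef struct Resource {
    void  *DataBuffer;   /* property buffer owned by the resource */
    size_t DataSize;
} Resource;

/* Instrumented free: remembers every address released so that a second
 * release of the same address is counted rather than handed to the real
 * heap (a genuine double free would be undefined behaviour). */
#define MAX_FREED 16
static uintptr_t freed_addrs[MAX_FREED];
static int       freed_count;
static int       double_free_count;

static void reset_tracker(void) {
    memset(freed_addrs, 0, sizeof freed_addrs);
    freed_count = 0;
    double_free_count = 0;
}

static void tracked_free(void *p) {
    if (p == NULL) return;                      /* free(NULL) is a no-op */
    uintptr_t a = (uintptr_t)p;
    for (int i = 0; i < freed_count; i++) {
        if (freed_addrs[i] == a) {              /* already released */
            double_free_count++;
            return;
        }
    }
    if (freed_count < MAX_FREED) freed_addrs[freed_count++] = a;
    free(p);
}

static void set_buffer_property(Resource *r, size_t n) {
    r->DataBuffer = malloc(n);
    r->DataSize = n;
}

/* Vulnerable: releases the property buffer but leaves the dangling pointer. */
static void free_property_buffer_vuln(Resource *r) {
    tracked_free(r->DataBuffer);
}

/* Fixed: release and clear, so teardown sees NULL and skips the free. */
static void free_property_buffer_fixed(Resource *r) {
    tracked_free(r->DataBuffer);
    r->DataBuffer = NULL;
    r->DataSize = 0;
}

/* Resource teardown frees whatever DataBuffer still points to. */
static void destroy_resource(Resource *r) {
    tracked_free(r->DataBuffer);
    r->DataBuffer = NULL;
}

/* Runs "free the property buffer, then destroy the resource" and returns how
 * many double frees the tracker observed: 1 on the vulnerable path, 0 fixed. */
int count_double_frees(int use_fixed) {
    Resource r = { NULL, 0 };
    reset_tracker();
    set_buffer_property(&r, 0x40);
    if (use_fixed) free_property_buffer_fixed(&r);
    else           free_property_buffer_vuln(&r);
    destroy_resource(&r);
    return double_free_count;
}

int main(void) {
    printf("vulnerable path: %d double free(s)\n", count_double_frees(0));
    printf("fixed path:      %d double free(s)\n", count_double_frees(1));
    return 0;
}
```

The design point is the one the slide makes: an owner field that outlives the allocation it names must be cleared in the same place the allocation is released, otherwise every later teardown path has to know the buffer is already gone.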
25. Exploitation
(Figure: a slot diagram of resources Res1, Res2, Res3, Res4 ... showing the sequence: ResY's buffer is freed the first time; the freed slot is occupied with a palette; the second free releases the palette's buffer; the slot is then occupied with ResX.)
26. Modify palette->pEntries to what you want when occupying the palette with a ResourceBuffer
(Figure: ResX->DataBuffer overlaps the palette, so content written through the data buffer replaces palette->pEntries; on the second occupation pEntries is pointed at a bitmap's pScan0.)
Usually, palette->pEntries is overwritten with a bitmap address.
28. Fix BSOD
• We finished the privilege escalation, but got a BSOD when the process exits
• There is still a double free of either the palette or ResX's DataBuffer, because they share the same kernel buffer
• The double free happens while the process handle table is cleared at process exit
• The palette handle is closed first, the resource handle next
• So we must clear ResX->DataBuffer or remove the ResX handle from the handle table before process exit
29. Clear ResX->DataBuffer
• The channel handle table is a binary tree structure; search the tree to find the channel that the resource belongs to
• The channel handle table is located at _EPROCESS->Win32Process->GenericTable
(Figure: GenericTable as a tree: channel1 at the root, channel2 and channel3 below it, channel4 and channel5 below those)
1. Locate the ResX address
2. Locate the channel address
   The resource address is stored in the channel's resource table
30. The resource table in the channel is implemented as an array
    void* ptrNull = 0;
    // write a NULL pointer over ResX->DataBuffer so it is not freed again at process exit
    AddressWrite(&ResX->DataBuffer, sizeof(void*), &ptrNull);
33. Root cause
Integer overflow in the check "dataOffset < DataSize - 0xc": if DataSize < 0xc the unsigned subtraction wraps.
    if (dwOffset < (DWORD)(0x1 - 0xc)) {      // e.g. DataSize == 1 wraps to 0xFFFFFFF5
        if (DataBuffer[dwOffset] == 0x66) {
            DataBuffer[dwOffset + 0xc] = xxxx;
        }
    }
• By default, this->DataBuffer == NULL && this->DataSize == 0
• Write anywhere on an x86 system
• Not so easy on an x64 system
Exploitation requires:
1. this->DataBuffer must not be NULL
2. this->DataSize < 0xC && this->DataSize != 0
3. *(this->DataBuffer + inbuf->offset) == 0x45 or 0x66
34. 1. this->DataBuffer must not be NULL
We could call CPropertyBagMarshaler::SetBufferProperty(...) with property == 2 to allocate a buffer, which is then stored in this->DataBuffer
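The wrapping bounds check from slide 33, as an added example (not DirectComposition's own code): the vulnerable form next to an overflow-safe form with the same intent, plus a guarded write that shows which offsets each form lets through. Function and variable names are hypothetical; the 0x20-byte buffer is constructed for the demo.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not DirectComposition's own code): the unsigned bounds
 * check from the slide, "dataOffset < DataSize - 0xc", next to an
 * overflow-safe form. Function and variable names are hypothetical. */

#define PATCH_DISTANCE 0xcu   /* the guarded write lands at DataBuffer[offset + 0xc] */

/* Vulnerable form: with DataSize < 0xc the subtraction wraps to a huge
 * DWORD (DataSize == 1 gives 0xFFFFFFF5) and every offset passes. With the
 * defaults from the slide (DataSize == 0, DataBuffer == NULL) it also passes
 * and the write would dereference NULL. */
bool offset_in_bounds_vuln(uint32_t data_size, uint32_t offset) {
    return offset < (uint32_t)(data_size - PATCH_DISTANCE);
}

/* Fixed form: same intent (offset + 0xc must index inside the buffer), but
 * written so no intermediate value can wrap. */
bool offset_in_bounds_fixed(uint32_t data_size, uint32_t offset) {
    return offset < data_size && (data_size - offset) > PATCH_DISTANCE;
}

/* The guarded write, parameterised on which check to use. Returns the index
 * written, or -1 when the check rejects the offset or there is no buffer. */
long guarded_write(uint8_t *buf, uint32_t data_size, uint32_t offset,
                   uint8_t value, bool use_fixed) {
    bool ok = use_fixed ? offset_in_bounds_fixed(data_size, offset)
                        : offset_in_bounds_vuln(data_size, offset);
    if (!ok || buf == NULL) return -1;
    buf[offset + PATCH_DISTANCE] = value;
    return (long)(offset + PATCH_DISTANCE);
}

/* Drives guarded_write with the fixed check against a constructed 0x20-byte
 * buffer; returns the written index or -1. */
long demo_fixed_write(uint32_t offset) {
    uint8_t buf[0x20];
    memset(buf, 0, sizeof buf);
    return guarded_write(buf, sizeof buf, offset, 0x41, true);
}

int main(void) {
    printf("vuln  (size=1,    off=0x1000): %d\n", offset_in_bounds_vuln(1, 0x1000));
    printf("fixed (size=1,    off=0x1000): %d\n", offset_in_bounds_fixed(1, 0x1000));
    printf("fixed (size=0x20, off=0x10) : index %ld\n", demo_fixed_write(0x10));
    printf("fixed (size=0x20, off=0x14) : index %ld\n", demo_fixed_write(0x14));
    return 0;
}
```

For in-range sizes the two checks agree (both reject offset 0x14 in a 0x20-byte buffer, since 0x14 + 0xc is not inside it); they diverge only when DataSize is smaller than the patch distance, which is exactly the case the fixed form refuses instead of wrapping.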
41. 1. tagWND abuse
Write what? tagWND.strName? (UNICODE_STRING)
GetWindowText?
NtUserDefSetText?
Unfortunately, the destination address is modified when written to; only the desktop heap range is legal.
42. Maybe
(Figure: timeline of kernel write-primitive abuse; the extraction does not preserve which event sits at which date)
Dates: 2014, 2015.3, 2016.3, 2016.8, 2016.10
Events:
• Pwn2Own: KeenTeam used it once.
• HackingTeam leaked 0day.
• Someone wrote it up in a public paper.
• Pwn2Own: We used it twice.
• Pwn2Own: KeenTeam used it once.
2. BITMAP ABUSED
• We used the Accelerator object to guess the bitmap object address, then we used it twice again at PwnFest.
• The Core Security guys released a paper to talk about it.