Posts

Showing posts from September, 2017
Image
Another day, another Windows kernel information disclosure discovered by Project Zero :)

In CVE-2017-8564 Google Security discloses yet another Windows kernel information disclosure bug that can be triggered through an undocumented WinAPI function.  They've really been grinding away at these lately, it seems like you can't even turn around without a new information disclosure bug being published.

This time, the bug has to do with an IOCTL handled by nsiproxy.sys (which eventually calls into netio.sys) originally dispatched by NsiGetParameter from Nsi.dll.  NsiGetParameter is an undocumented WinAPI call and isn't included in any of the Windows SDK Header files, but instead has to be resolved through a GetProcAddress call on Nsi.dll.

After all the checking and sanitizing that happens to any user to kernel mode call in the Windows environment, our little ioctl eventually makes its way to NsiGetparameterEx in netio.sys.  This is where our bug is.  Diffing the pre and post pat…