楼主: 朦胧的风

[系统相关] Windows 10又现诡异Bug 使用Chrome访问特定路径立即蓝屏

不是一只耳
发表于 2021-1-20 09:22:29 | 显示全部楼层
嗯,昨天又把办公室电脑装回7了
tbyoml
发表于 2021-1-20 09:25:15 | 显示全部楼层
不乱折腾,就没啥事
wowocock
发表于 2021-1-20 10:07:51 | 显示全部楼层

的确可以,直接创建快捷方式为\\.\GLOBALROOT\Device\ConDrv\KernelConnect,即可触发蓝屏。
rax=ffff8509c116f9b8 rbx=ffff8509b3cc2e80 rcx=0000000000000000
rdx=ffff8509c116f8a0 rsi=0000000000000000 rdi=ffff8509c116f8a0
rip=fffff8038023b04f rsp=ffffbd8c527db2d0 rbp=0000000000000000
r8=ffff8509c116f8a0  r9=ffff8509c14dce10 r10=fffff8038023b030
r11=0000000000000000 r12=0000000000000000 r13=0000000000000000
r14=0000000000000000 r15=ffff8509c14dce10
iopl=0         nv up ei ng nz na pe nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00050282
condrv!CdpDispatchCleanup+0x1f:
fffff803`8023b04f 488b01          mov     rax,qword ptr [rcx] ds:002b:00000000`00000000=????????????????
Resetting default scope

PROCESS_NAME:  explorer.exe

STACK_TEXT:  
ffffbd8c`527db2d0 fffff803`7a431f79 : 00000000`00000000 fffff803`7a431e5d 00000000`00000000 00000000`00000000 : condrv!CdpDispatchCleanup+0x1f
ffffbd8c`527db300 fffff803`7a9e42b8 : 00000000`00000000 ffff8509`b3cc2e80 00000000`00000000 ffff8509`c116f8a0 : nt!IofCallDriver+0x59
ffffbd8c`527db340 fffff803`7a9e6939 : ffffbd8c`527db890 00000000`00000001 ffff8509`c116f8a0 fffff803`7a9e5b00 : nt!IopCloseFile+0x188
ffffbd8c`527db3d0 fffff803`7a9ed1bf : ffff8509`c14dce10 00000000`00000000 ffff8509`c13c09a0 00000000`00000001 : nt!IopParseDevice+0xd79
ffffbd8c`527db540 fffff803`7a9eb621 : ffff8509`c13c0900 ffffbd8c`527db788 00000000`00000040 ffff8509`b32f7e80 : nt!ObpLookupObjectName+0x78f
ffffbd8c`527db700 fffff803`7aaafc06 : ffff8509`00000001 00000000`0991d280 00000000`0991db28 00000000`0991e43c : nt!ObOpenObjectByNameEx+0x201
ffffbd8c`527db840 fffff803`7a5d2d15 : ffff8509`c02d8080 00000000`00000000 ffff8509`c02d8080 00000000`0991e43c : nt!NtQueryAttributesFile+0x1e6
ffffbd8c`527dbb00 00007fff`1ae1c864 : 00007fff`17f36345 00000000`00000000 00007fff`19004632 00000000`40000000 : nt!KiSystemServiceCopyEnd+0x25
00000000`0991d218 00007fff`17f36345 : 00000000`00000000 00007fff`19004632 00000000`40000000 00007fff`1ada4e00 : ntdll!NtQueryAttributesFile+0x14
00000000`0991d220 00007fff`17f1c57b : 00000000`00000000 00000000`00000001 00000000`0991e43c 00000000`00d750d0 : KERNELBASE!GetFileAttributesW+0x85
00000000`0991d2c0 00007fff`0c5c7e52 : 00000000`00000000 00000000`0991e43c 00000000`0991e43c 00000000`00000000 : KERNELBASE!PathFileExistsW+0x2b
00000000`0991d2f0 00007fff`0c5c8a2c : 00000000`00000001 00000000`0991e430 00000000`00000000 00000000`0002019c : appwiz!NextPushed+0x9a
00000000`0991d390 00007fff`1900879e : 00000000`00000001 00000000`0991d548 00000000`00000000 00000000`00000001 : appwiz!BrowseDlgProc+0x16c
00000000`0991d3c0 00007fff`19007f62 : 00000000`00000000 00007fff`0c5c88c0 00000000`0000004e 00007fff`1ada5013 : USER32!UserCallDlgProcCheckWow+0x18a
00000000`0991d4d0 00007fff`19007e6f : 00000000`0991db28 00000000`00000000 00000000`0000004e 00000000`00000000 : USER32!DefDlgProcWorker+0xd2
00000000`0991d590 00007fff`190063ed : 00000000`00000001 00000000`00000000 00000000`00000001 00000000`00000000 : USER32!DefDlgProcW+0x4f
00000000`0991d5d0 00007fff`190060be : 00000000`0002019c 00007fff`1ae1be50 00000000`0002019c 00000000`0000004e : USER32!UserCallWinProcCheckWow+0x2bd
00000000`0991d760 00007fff`0c4fdf35 : 00000000`0dc15e20 00000000`0991db28 00000000`00000000 00000000`0000004e : USER32!CallWindowProcW+0x8e
00000000`0991d7b0 00007ffe`f4d211d8 : 00000000`00000007 00000000`00000000 00000000`0000004e 00000000`0002019c : DUser!WndBridge::RawWndProc+0xa5
00000000`0991d830 00007fff`190063ed : 00000000`06a9fcf0 00000000`05d8e401 00000000`00000001 00000000`00000000 : atlthunk!AtlThunk_0x09+0x18
00000000`0991d870 00007fff`190059fc : 00000000`00d54e40 00007ffe`f4d211c0 00000000`0002019c 00007ffe`f4d211c0 : USER32!UserCallWinProcCheckWow+0x2bd
00000000`0991da00 00007fff`19005768 : 00000000`00000000 00000000`0dc72700 00000000`00000000 00000000`00d54e40 : USER32!SendMessageWorker+0x22c
00000000`0991daa0 00007fff`05e95ebc : 00000000`00000000 00000000`0002019c 00000000`ffffff31 00007fff`0c4fd7ad : USER32!SendMessageW+0xf8
00000000`0991db00 00007fff`05e94b0e : 00000000`00040000 00000000`00000004 00000000`0e9fa2f8 00000000`00040000 : comctl32!DuiWizardMarkupHost::SendWMNotifyToPage+0x7c
00000000`0991db90 00007fff`05e94f02 : 00000000`069e5e80 00000000`067fcae0 00000000`0000c065 00000000`0e967ac0 : comctl32!DuiWizardMarkupHost::NextOrBackPressed+0x4e
00000000`0991dbe0 00007fff`05e972cd : 00000000`00000000 00000000`00d69ec0 00000000`067fcae0 00007fff`1900387e : comctl32!DuiWizardMarkupHost::OnFrameButtonClicked+0xbe
00000000`0991dc10 00007fff`05d98d41 : 00000000`00000000 00000000`000402da 00000000`0000c065 00000000`0e93ca70 : comctl32!DuiWizardMarkupHost::WndProc+0x7d
00000000`0991dc70 00007fff`190063ed : 00000000`00000001 00000000`00000000 00000000`00000000 00000000`00000000 : comctl32!DirectUI::HWNDElement::StaticWndProc+0x51
00000000`0991dcb0 00007fff`190060be : 00000000`000402da 00007fff`05d98cf0 00000000`000402da 00000000`0000c065 : USER32!UserCallWinProcCheckWow+0x2bd
00000000`0991de40 00007fff`0c4f813e : 00000000`0000c065 00000000`00000000 00000000`06a9fcf0 00000000`00000000 : USER32!CallWindowProcW+0x8e
00000000`0991de90 00007fff`190063ed : 00000000`00006011 00000000`00000001 00000000`ffffffff 00000000`00000000 : DUser!ExtraInfoWndProc+0x8e
00000000`0991dee0 00007fff`19005de2 : 00000000`00d69ec0 00007fff`0c4f80b0 00000000`000402da 00000000`0991e118 : USER32!UserCallWinProcCheckWow+0x2bd
00000000`0991e070 00007fff`05e68c14 : 00007fff`0c4f80b0 00000000`0dc17860 00000000`00000000 000001cc`00000264 : USER32!DispatchMessageWorker+0x1e2
00000000`0991e0f0 00007fff`05e68fda : 00000000`0991e230 00000000`00000000 00000000`00000000 00000000`00000000 : comctl32!DuiWizardFrame::Run+0x4c
00000000`0991e160 00007fff`05e37ecf : 00000000`0dc17860 00000000`0991e230 00000000`0991e300 00000000`00000080 : comctl32!_AeroPropertySheet+0xf6
00000000`0991e1a0 00007fff`0c5e7045 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : comctl32!_PropertySheet+0x1b
00000000`0991e1d0 00007fff`0c5e355f : 00000000`00000000 10017450`00000005 00000000`0991e300 00000000`00000000 : appwiz!PropertySheetW+0x5d
00000000`0991e200 00007fff`0c5e36d9 : 00000000`0991e430 00000000`0991e430 00007fff`0c5ec898 00000000`80000022 : appwiz!DoWizard+0x14f
00000000`0991e3b0 00007fff`0c5d9bcd : 00000000`ffffffff 00007fff`0c5ec898 00000000`0e931388 00000000`00000000 : appwiz!LinkWizard+0x25
00000000`0991e3f0 00007fff`199cdce5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000018 : appwiz!CNewShortcutHandler::s_NewShortcutThreadProc+0xfd
00000000`0991f8c0 00007fff`19627bd4 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : shcore!_WrapperThreadProc+0xf5
00000000`0991f9a0 00007fff`1adeced1 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : KERNEL32!BaseThreadInitThunk+0x14
00000000`0991f9d0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x21


SYMBOL_NAME:  condrv!CdpDispatchCleanup+1f

MODULE_NAME: condrv

IMAGE_NAME:  condrv.sys

STACK_COMMAND:  .cxr 0xffffbd8c527da8e0 ; kb

BUCKET_ID_FUNC_OFFSET:  1f

FAILURE_BUCKET_ID:  0x3B_c0000005_condrv!CdpDispatchCleanup

OS_VERSION:  10.0.18362.1

BUILDLAB_STR:  19h1_release

OSPLATFORM_TYPE:  x64

OSNAME:  Windows 10

FAILURE_ID_HASH:  {4713cd15-5baf-96a2-7e8b-3fec2da6a08d}

Followup:     MachineOwner
PAGE:00000001C000AF50 ; condrv.sys cleanup dispatch routine (IDA listing, MASM syntax, Win64 ABI).
PAGE:00000001C000AF50 ; Presumably a DRIVER_DISPATCH: rcx = DeviceObject (never read here), rdx = Irp.
PAGE:00000001C000AF50 ; It loads IRPSP->FileObject, null-checks it, then dereferences
PAGE:00000001C000AF50 ; FileObject->FsContext with NO null check -- that is the instruction at +1Fh
PAGE:00000001C000AF50 ; where the bugcheck above faults (rcx == 0). The NULL-FileObject path lives in
PAGE:00000001C000AF50 ; the function chunk at PAGE:1C000BDF0, which is not part of this listing.
PAGE:00000001C000AF50 ; Stack: 28h = 20h shadow space for the IofCompleteRequest call + 8 for alignment.
PAGE:00000001C000AF50 CdpDispatchCleanup proc near            ; DATA XREF: .rdata:00000001C0002EE8↑o
PAGE:00000001C000AF50                                         ; .pdata:00000001C000548C↑o ...
PAGE:00000001C000AF50
PAGE:00000001C000AF50 ; FUNCTION CHUNK AT PAGE:00000001C000BDF0 SIZE 00000028 BYTES
PAGE:00000001C000AF50
PAGE:00000001C000AF50                 sub     rsp, 28h        ; shadow space + 8 -> rsp is 16-aligned at the call below
PAGE:00000001C000AF54                 mov     rax, [rdx+0B8h] ; rax = Irp->Tail.Overlay.CurrentStackLocation (IRPSP); x64 _IRP +0B8h -- confirm with dt nt!_IRP
PAGE:00000001C000AF5B                 mov     r8, rdx         ; r8 = Irp, kept live while rcx/rdx are reused below
PAGE:00000001C000AF5E                 mov     rcx, [rax+30h]  ; rcx = IRPSP->FileObject (_IO_STACK_LOCATION +30h on x64)
PAGE:00000001C000AF62                 test    rcx, rcx        ; the only validity check performed
PAGE:00000001C000AF65                 jz      loc_1C000BDF0   ; FileObject == NULL -> function chunk (not shown)
PAGE:00000001C000AF6B                 mov     rcx, [rcx+18h]  ; rcx = FileObject->FsContext (+18h; NULL in the dt nt!_FILE_OBJECT dump below)
PAGE:00000001C000AF6F                 mov     rax, [rcx]      ; +1Fh: *FsContext with no null check -- faulting instruction of the bugcheck
PAGE:00000001C000AF72                 mov     r9, [rax+20h]   ; r9 = field +20h of the object FsContext points to; its type is not visible here
PAGE:00000001C000AF76                 test    r9, r9
PAGE:00000001C000AF79                 jnz     short loc_1C000AF9D ; non-NULL -> code after the epilogue (outside this listing)
PAGE:00000001C000AF7B                 xor     ecx, ecx        ; rcx = 0 (zeroing idiom), used for both stores below
PAGE:00000001C000AF7D                 mov     [rdx+30h], ecx  ; Irp->IoStatus.Status = 0 (STATUS_SUCCESS); x64 _IRP IoStatus at +30h
PAGE:00000001C000AF80                 mov     [rdx+38h], rcx  ; Irp->IoStatus.Information = 0
PAGE:00000001C000AF84                 xor     edx, edx        ; PriorityBoost = IO_NO_INCREMENT
PAGE:00000001C000AF86                 mov     rcx, r8         ; Irp
PAGE:00000001C000AF89                 call    cs:__imp_IofCompleteRequest ; IofCompleteRequest(Irp, IO_NO_INCREMENT)
PAGE:00000001C000AF90                 nop     dword ptr [rax+rax+00h] ; multi-byte NOP, no effect
PAGE:00000001C000AF95                 xor     eax, eax        ; return STATUS_SUCCESS
PAGE:00000001C000AF97
PAGE:00000001C000AF97 loc_1C000AF97:                          ; CODE XREF: CdpDispatchCleanup+5E↓j
PAGE:00000001C000AF97                                         ; CdpDispatchCleanup+EC3↓j
PAGE:00000001C000AF97 ; shared epilogue; also the join point for the +5E and +EC3 paths (not shown)
PAGE:00000001C000AF97                 add     rsp, 28h
PAGE:00000001C000AF9B                 retn

问题出在 condrv.sys:应该是打开失败后触发了关闭操作,而关闭回调只检测了 IRPSP->FileObject 的有效性,没有检测 IRPSP->FileObject->FsContext 的有效性,就直接去操作这个 FsContext,导致了访问空指针的蓝屏 BUG。
1: kd> dt nt!_FILE_OBJECT  ffff8509`b3cc2e80
   +0x000 Type             : 0n5
   +0x002 Size             : 0n216
   +0x008 DeviceObject     : 0xffff8509`c14dce10 _DEVICE_OBJECT
   +0x010 Vpb              : (null)
   +0x018 FsContext        : (null)
   +0x020 FsContext2       : (null)
   +0x028 SectionObjectPointer : (null)
   +0x030 PrivateCacheMap  : (null)
   +0x038 FinalStatus      : 0n0
   +0x040 RelatedFileObject : (null)
   +0x048 LockOperation    : 0 ''
   +0x049 DeletePending    : 0 ''
   +0x04a ReadAccess       : 0 ''
   +0x04b WriteAccess      : 0 ''
   +0x04c DeleteAccess     : 0 ''
   +0x04d SharedRead       : 0 ''
   +0x04e SharedWrite      : 0 ''
   +0x04f SharedDelete     : 0 ''
   +0x050 Flags            : 0x40000
   +0x058 FileName         : _UNICODE_STRING "\KernelConnect"
   +0x068 CurrentByteOffset : _LARGE_INTEGER 0x0
   +0x070 Waiters          : 0
   +0x074 Busy             : 0
   +0x078 LastLock         : (null)
   +0x080 Lock             : _KEVENT
   +0x098 Event            : _KEVENT
   +0x0b0 CompletionContext : (null)
   +0x0b8 IrpListLock      : 0
   +0x0c0 IrpList          : _LIST_ENTRY [ 0xffff8509`b3cc2f40 - 0xffff8509`b3cc2f40 ]
   +0x0d0 FileObjectExtension : (null)




360主动防御
发表于 2021-1-20 10:08:49 | 显示全部楼层
360安全卫士已经支持此漏洞的免疫,可前往360安全卫士官网下载最新版本,已经安装的用户将会自动更新防护引擎,自动免疫该漏洞的风险。https://mp.weixin.qq.com/s/tTWOcQGLbaxBiKJbAoHsUw


wowocock
发表于 2021-1-20 10:27:00 | 显示全部楼层
执行这个操作会触发  CdCreateKernelConnection
1: kd> kv
# Child-SP          RetAddr           : Args to Child                                                           : Call Site
00 ffffad8e`6f6d12b0 fffff805`3ebaafb5 : 00000000`00000000 00000000`00000001 00000000`00000000 ffffad8e`6f6d1340 : condrv!CdCreateKernelConnection+0x2f
01 ffffad8e`6f6d1310 fffff805`3d831f79 : fffff805`3dde5b45 ffffad8e`6f6d1640 ffffad8e`6f6d15b0 ffffad8e`6f6d1890 : condrv!CdpDispatchCreate+0x85
02 ffffad8e`6f6d1340 fffff805`3d831024 : 00000000`00000000 00000000`00000000 ffffd004`850e5170 ffffd004`850e5010 : nt!IofCallDriver+0x59
03 ffffad8e`6f6d1380 fffff805`3dde61eb : ffffad8e`6f6d1640 fffff805`3dde5b45 ffffad8e`6f6d15b0 ffffad8e`6f6d1890 : nt!IoCallDriverWithTracing+0x34
04 ffffad8e`6f6d13d0 fffff805`3dded1bf : ffffd004`78877df0 ffffd004`78877d45 ffffd004`77046010 00000000`00000001 : nt!IopParseDevice+0x62b
05 ffffad8e`6f6d1540 fffff805`3ddeb621 : ffffd004`77046000 ffffad8e`6f6d1788 00000000`00000040 ffffd004`6ecf5900 : nt!ObpLookupObjectName+0x78f
06 ffffad8e`6f6d1700 fffff805`3deafc06 : ffffd004`00000001 00000000`0e86d4a0 00000000`0e86dd48 00000000`0e86e65c : nt!ObOpenObjectByNameEx+0x201
07 ffffad8e`6f6d1840 fffff805`3d9d2d15 : ffffd004`8640f080 00000000`00000000 ffffd004`8640f080 00000000`0e86e65c : nt!NtQueryAttributesFile+0x1e6
08 ffffad8e`6f6d1b00 00007ffb`335fc864 : 00007ffb`31026345 00000000`00000000 00007ffb`32d34632 00000000`40000000 : nt!KiSystemServiceCopyEnd+0x25 (TrapFrame @ ffffad8e`6f6d1b00)
09 00000000`0e86d438 00007ffb`31026345 : 00000000`00000000 00007ffb`32d34632 00000000`40000000 00007ffb`33584e00 : ntdll!NtQueryAttributesFile+0x14
0a 00000000`0e86d440 00000000`00000000 : 00007ffb`32d34632 00000000`40000000 00007ffb`33584e00 00000000`00560054 : 0x00007ffb`31026345
这里会判断当前的请求模式,也就是说这个请求只允许内核模式打开,不允许应用模式打开,否则会返回拒绝访问(STATUS_ACCESS_DENIED,即下面的 0xC0000022):
if ( Irp->RequestorMode )
    return 0xC0000022;
而触发蓝屏的操作是由应用模式发起的,所以会被禁止并返回失败,因此不会有 FsContext;但关闭回调里却没有判断就去使用它,所以触发了这个蓝屏。
condrv!CdCreateKernelConnection:
fffff805`3ebacc40 48895c2410      mov     qword ptr [rsp+10h],rbx
1: kd> p
condrv!CdCreateKernelConnection+0x5:
fffff805`3ebacc45 55              push    rbp
1: kd> p
condrv!CdCreateKernelConnection+0x6:
fffff805`3ebacc46 56              push    rsi
1: kd> p
condrv!CdCreateKernelConnection+0x7:
fffff805`3ebacc47 57              push    rdi
1: kd> p
condrv!CdCreateKernelConnection+0x8:
fffff805`3ebacc48 4154            push    r12
1: kd> p
condrv!CdCreateKernelConnection+0xa:
fffff805`3ebacc4a 4155            push    r13
1: kd> p
condrv!CdCreateKernelConnection+0xc:
fffff805`3ebacc4c 4156            push    r14
1: kd> p
condrv!CdCreateKernelConnection+0xe:
fffff805`3ebacc4e 4157            push    r15
1: kd> p
condrv!CdCreateKernelConnection+0x10:
fffff805`3ebacc50 4883ec20        sub     rsp,20h
1: kd> p
condrv!CdCreateKernelConnection+0x14:
fffff805`3ebacc54 33ed            xor     ebp,ebp
1: kd> p
condrv!CdCreateKernelConnection+0x16:
fffff805`3ebacc56 4532e4          xor     r12b,r12b
1: kd> p
condrv!CdCreateKernelConnection+0x19:
fffff805`3ebacc59 488bd9          mov     rbx,rcx
1: kd> p
condrv!CdCreateKernelConnection+0x1c:
fffff805`3ebacc5c 448bf5          mov     r14d,ebp
1: kd> p
condrv!CdCreateKernelConnection+0x1f:
fffff805`3ebacc5f 48896c2460      mov     qword ptr [rsp+60h],rbp
1: kd> p
condrv!CdCreateKernelConnection+0x24:
fffff805`3ebacc64 48896c2470      mov     qword ptr [rsp+70h],rbp
1: kd> p
condrv!CdCreateKernelConnection+0x29:
fffff805`3ebacc69 40386940        cmp     byte ptr [rcx+40h],bpl
1: kd> r
rax=fffff8053ebacc40 rbx=ffffd004850e5010 rcx=ffffd004850e5010
rdx=0000000000000000 rsi=ffffd0048668a110 rdi=0000000000000020
rip=fffff8053ebacc69 rsp=ffffad8e6f6d12b0 rbp=0000000000000000
r8=0000000000000001  r9=ffff800b6830264c r10=0000000000000074
r11=000077f9d68a1030 r12=ffffd00478877d00 r13=0000000000000000
r14=0000000000000000 r15=ffffd004850e5170
iopl=0         nv up ei pl zr na po nc
cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00040246
condrv!CdCreateKernelConnection+0x29:
fffff805`3ebacc69 40386940        cmp     byte ptr [rcx+40h],bpl ds:002b:ffffd004`850e5050=01
1: kd> db ffffd004850e5010
ffffd004`850e5010  06 00 38 02 01 00 00 00-00 00 00 00 00 00 00 00  ..8.............
ffffd004`850e5020  84 08 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
ffffd004`850e5030  00 f7 40 86 04 d0 ff ff-00 f7 40 86 04 d0 ff ff  ..@.......@.....
ffffd004`850e5040  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
ffffd004`850e5050  01 00 02 02 00 00 00 04-a0 14 6d 6f 8e ad ff ff  ..........mo....
ffffd004`850e5060  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
ffffd004`850e5070  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
ffffd004`850e5080  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00  ................
1: kd> p
condrv!CdCreateKernelConnection+0x2d:
fffff805`3ebacc6d 740a            je      condrv!CdCreateKernelConnection+0x39 (fffff805`3ebacc79)
1: kd> p
condrv!CdCreateKernelConnection+0x2f:
fffff805`3ebacc6f be220000c0      mov     esi,0C0000022h
当然微软会狡辩说本来就不应该那么去访问,但是原则是不管怎么样,都不应该蓝。


天天哈
发表于 2021-1-20 12:56:42 | 显示全部楼层
用wint7就好了
nmyh
发表于 2021-1-20 13:11:28 来自手机 | 显示全部楼层
win7打了2016年之后的补丁,用一些软件也会蓝屏。
3c89
发表于 2021-1-20 19:53:26 | 显示全部楼层
??   那我台机危险了

    等有时间  我测测看