Remote Windows Kernel Exploitation - Step Into the Ring 0

From: Marc Maiffret (mmaiffret_at_EEYE.COM)
Date: 02/17/05

    Date:         Thu, 17 Feb 2005 01:00:05 -0800

    Remote Windows Kernel Exploitation - Step Into the Ring 0

    Over 5 years ago my friend and colleague Barnaby Jack wrote a seminal
    paper that brought a new level of awareness and understanding to Windows
    based buffer overflow exploitation. What was once a topic considered to
    be something to be spoken in dark corners is now a critical area of
    research by software firms wishing to write secure applications. Times
    have changed though and so has the vulnerability landscape. The demand
    for host based security solutions and improved application performance
    has caused many new software solutions to move more and more of their
    application code into the kernel. After reviewing various products it is
    apparent that the same security minded principles being applied to
    writing secure userland code are not being enforced or thought out for
    kernel based code. There has been a large increase in vulnerabilities
    discovered over the last year that affect kernel drivers. There has not
    however been an increase in awareness around the exploitability and the
    criticality of these vulnerabilities. Just as it was five years ago Mr.
    Jack has written a paper that embarks on a journey into demystifying
    remote Windows kernel exploitation and settling the debate once and for
    all. We hope that writers of kernel code take note and think about how
    these types of attacks can affect their products. Does the same sort of
    peer-review, and source code analysis take place for your kernel code?
    And as researchers are we pushing ourselves hard enough to advance the
    science of security? Security can be an arms race and we need to be
    creating this technical awareness, instead of the next worm doing it for

    Marc Maiffret
    Chief Hacking Officer
    eEye Digital Security
    F.949.349.9538 - Network Security Scanner - Network Traffic Analyzer - Stop known and unknown IIS vulnerabilities

    Important Notice: This email is confidential, may be legally privileged,
    and is for the intended recipient only. Access, disclosure, copying,
    distribution, or reliance on any of it by anyone else is prohibited and
    may be a criminal offense. Please delete if obtained in error and email
    confirmation to the sender.

    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.

