Re: Remote Windows Kernel Exploitation - Step Into the Ring 0

From: Eirik Schwenke (eirik.schwenke_at_STUDENT.UIB.NO)
Date: 03/09/05

    Date:         Wed, 9 Mar 2005 10:20:46 +0100
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    On 02/17/05 10:00, Marc Maiffret wrote:
    > Remote Windows Kernel Exploitation - Step Into the Ring 0
    > http://www.eeye.com/html/resources/whitepapers/research/index.html

    Ah, I love the smell of assembler in the morning ;-p But one thing that struck
    me is: (how well) do these exploits work on EM64T/AMD64 Windows machines with
    the no-exec bit enabled?

    Does anyone on this list know if all kernel code is excepted from NX
    restrictions by default? Because surely a utility function like the keyboard
    buffer or ICMP handler should be read-execute only (i.e. trying to patch it
    should throw an exception of some kind)?

    And if the pages are marked read-only, is it possible to patch the error handler
    for that?

    As the NX handling is toggleable, it is obvious that some part of the kernel must
    be allowed to change it -- and it sounds reasonable that this would mean all
    kernel code can change it, due to the NT memory model.

    Does anyone have more information on this?

    [OFFTOPIC - PLEASE PUT ON ASBESTOS GEAR BEFORE READING]

    > Important Notice: This email is confidential, may be legally privileged,
    > and is for the intended recipient only. Access, disclosure, copying,
    > distribution, or reliance on any of it by anyone else is prohibited and
    > may be a criminal offense. Please delete if obtained in error and email
    > confirmation to the sender.

    Surely such a signature goes against the spirit of bugtraq? I am, in effect,
    not allowed to quote your message in my reply to this list? I realize of course
    that this is a standard signature, but it strikes me as somewhat comical that a
    message to a list with a publicly searchable web archive should be marked
    "confidential" and "... distribution ... on any of it by anyone else is
    prohibited". And "may be a criminal offense"? Where? What court would hold
    forwarding of this message a criminal offense? Even if I got access to it
    because I'm sniffing my local LAN, or reviewing my squid cache?

    --
    Eirik Schwenke<eirik.schwenke@student.uib.no>
    http://www.student.uib.no/~st05861
    "I can't identify the software needed to play [DVDs] in Linux, but you can
    probably google for it. You may have to learn Norwegian, though."
    --Tom Brown in http://linuxgazette.net/issue97/defectors2.html
    --
    NTBugtraq Editor's Note:
    Most viruses these days use spoofed email addresses. As such, using an Anti-Virus product which automatically notifies the perceived sender of a message it believes is infected may well cause more harm than good. Someone who did not actually send you a virus may receive the notification and scramble their support staff to find an infection which never existed in the first place. Suggest such notifications be disabled by whomever is responsible for your AV, or at least that the idea is considered.
    --