[REVS] Remote Windows Kernel Exploitation - Step Into the Ring 0

From: SecuriTeam (support_at_securiteam.com)
Date: 02/21/05

    To: list@securiteam.com
    Date: 21 Feb 2005 10:52:43 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Remote Windows Kernel Exploitation - Step Into the Ring 0
    ------------------------------------------------------------------------

    SUMMARY

    Over eight years have passed and almost every possible method and
    technique regarding Windows exploitation has been discussed in depth.
    Surprisingly, a topic that has yet to be touched on publicly is the remote
    exploitation of Win32 kernel vulnerabilities; a number of kernel
    vulnerabilities have been published, yet no exploit code has surfaced in
    the public arena.

    DETAILS

    Introduction:
    It was almost a decade ago when Solar Designer posted a message to the
    Bugtraq mailing list providing exploit code and detailing a remote buffer
    overflow in the product Website v1.1e for Windows NT.

    This was probably the first published buffer overflow exploit for Windows.
    Over eight years have passed and almost every possible method and
    technique regarding Windows exploitation has been discussed in depth.
    Surprisingly, a topic that has yet to be touched on publicly is the remote
    exploitation of Win32 kernel vulnerabilities; a number of kernel
    vulnerabilities have been published, yet no exploit code has surfaced in
    the public arena.

    It is predicted that we will see more kernel vulnerabilities in the
    future, since more and more networking services are being implemented at
    the driver level. One good example is Internet Information Services,
    which now ships a kernel-mode driver (HTTP.sys, introduced with IIS 6.0)
    that parses HTTP requests. With the release of XP SP2 and the wide use of
    personal firewalls, many software and security companies are claiming to
    deliver secure systems, and anyone wishing to test that claim will have
    to adapt to new methods of exploitation. A firewall is a security
    product, so it must be secure, right? After all, it was designed to
    protect against exactly the type of threat proposed here.

    Don't be discouraged, though: if the last two years have shown us
    anything, it is that security solutions have the same bugs and
    vulnerabilities as every other piece of software out there.
    Certainly, the developers of kernel code are of a very high caliber, and
    they are few and far between; for that very reason, their code may not
    undergo the same level of peer scrutiny as a user-mode application. It
    only takes one mistake. In the article that follows, we walk through the
    remote exploitation of a kernel-based vulnerability. The example used is
    a flaw in the Symantec line of personal firewalls, caused by incorrect
    handling of DNS responses in the firewall's kernel-mode code. This issue
    was patched long ago, but it was chosen because it demonstrates certain
    obstacles relating to the communication layers that must be overcome
    when exploiting a host-based firewall.
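    To make the DNS-parsing point concrete, below is an added illustration,
    written for this page, of the checks a DNS response parser running inside
    a kernel-mode network driver has to get right. It is not code from the
    eEye paper and it is not a reconstruction of the Symantec flaw, whose
    details the advisory does not give; the function dns_decode_name, the
    sample response and the hostile inputs are all constructed here. In ring 0
    the consequences of skipping one of these checks differ only in kind: a
    missing length check is an out-of-bounds read or write in kernel memory,
    and a missing pointer-loop check is an unbounded loop in the driver,
    neither of which ends in a crashed process that can simply be restarted.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define DNS_MAX_NAME 255   /* RFC 1035 2.3.4: a wire-format name is at most 255 octets */

/* Decode the (possibly compressed) name at byte offset `off` of message `pkt`
 * into dotted text in `out` (RFC 1035 4.1.4).  Returns the number of bytes the
 * name occupies at `off`, so the caller can step over it, or -1 if malformed.
 * Each rejection below is a check a kernel-resident parser cannot skip. */
int dns_decode_name(const uint8_t *pkt, size_t pkt_len, size_t off,
                    char *out, size_t out_len)
{
    size_t pos = off, out_pos = 0;
    size_t limit = pkt_len;  /* every pointer must target an offset below this */
    size_t total = 0;        /* wire octets of the decoded name so far */
    int consumed = -1;       /* fixed at the first pointer or at the root label */

    if (out_len == 0 || off >= pkt_len)
        return -1;
    for (;;) {
        if (pos >= pkt_len)                     /* length octet outside the packet */
            return -1;
        uint8_t len = pkt[pos];
        if ((len & 0xC0) == 0xC0) {             /* compression pointer 11xxxxxx yyyyyyyy */
            if (pos + 1 >= pkt_len)             /* second pointer octet missing */
                return -1;
            size_t target = ((size_t)(len & 0x3F) << 8) | pkt[pos + 1];
            if (consumed < 0)
                consumed = (int)(pos + 2 - off);
            /* Pointers may only reach strictly backwards, and each further pointer
             * strictly before the previous target: self-references and cycles are
             * rejected, so the loop terminates without a hop counter. */
            if (target >= pos || target >= limit)
                return -1;
            limit = pos = target;
            continue;
        }
        if (len & 0xC0)                         /* 01xxxxxx / 10xxxxxx are reserved */
            return -1;
        if (len == 0) {                         /* root label ends the name */
            if (consumed < 0)
                consumed = (int)(pos + 1 - off);
            out[out_pos] = '\0';
            return consumed;
        }
        /* 1 <= len <= 63 here (the RFC label maximum) by the 0xC0 test above. */
        if (len > pkt_len - pos - 1)            /* label body runs past packet end */
            return -1;
        total += (size_t)len + 1;
        if (total + 1 > DNS_MAX_NAME)           /* +1 for the terminating root octet */
            return -1;
        if (out_pos + (out_pos ? 1 : 0) + len + 1 > out_len)  /* '.' + label + NUL */
            return -1;
        if (out_pos)
            out[out_pos++] = '.';
        memcpy(out + out_pos, pkt + pos + 1, len);
        out_pos += len;
        pos += 1 + (size_t)len;
    }
}

/* Constructed sample (not a capture from any product): a one-answer A-record
 * response for www.example.com; the answer's owner name at offset 33 is a
 * pointer back to the question name at offset 12. */
static const uint8_t sample_response[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,1, 0,0, 0,0,                          /* header */
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,    /* qname @12 */
    0,1, 0,1,                                                          /* QTYPE A, IN */
    0xC0,0x0C,                                                         /* name @33 -> 12 */
    0,1, 0,1, 0,0,0,60, 0,4, 192,0,2,1,                                /* A IN 60s 192.0.2.1 */
};
static char scratch[256];

/* Constructed hostile names, one per check above; returns 1 if all are
 * rejected and both well-formed names decode, else 0. */
int dns_parser_self_test(void)
{
    static const uint8_t self_ptr[]  = { 0xC0, 0x00 };               /* points at itself */
    static const uint8_t cycle[]     = { 3,'a','b','c', 0xC0,0x00 }; /* label, then pointer back */
    static const uint8_t truncated[] = { 5,'a','b' };                /* claims 5 octets, has 2 */
    static const uint8_t no_root[]   = { 3,'a','b','c' };            /* ends before terminator */
    uint8_t big[257];                                                /* 4 x 63-byte labels: legal labels, illegal name */
    int i;
    for (i = 0; i < 4; i++) { big[i * 64] = 63; memset(big + i * 64 + 1, 'x', 63); }
    big[256] = 0;
    if (dns_decode_name(sample_response, sizeof sample_response, 12, scratch, sizeof scratch) != 17
        || strcmp(scratch, "www.example.com") != 0) return 0;
    if (dns_decode_name(sample_response, sizeof sample_response, 33, scratch, sizeof scratch) != 2
        || strcmp(scratch, "www.example.com") != 0) return 0;
    if (dns_decode_name(self_ptr,  sizeof self_ptr,  0, scratch, sizeof scratch) != -1) return 0;
    if (dns_decode_name(cycle,     sizeof cycle,     0, scratch, sizeof scratch) != -1) return 0;
    if (dns_decode_name(truncated, sizeof truncated, 0, scratch, sizeof scratch) != -1) return 0;
    if (dns_decode_name(no_root,   sizeof no_root,   0, scratch, sizeof scratch) != -1) return 0;
    if (dns_decode_name(big,       sizeof big,       0, scratch, sizeof scratch) != -1) return 0;
    if (dns_decode_name(sample_response, sizeof sample_response, 12, scratch, 8) != -1) return 0;
    return 1;
}

int main(void)
{
    int n = dns_decode_name(sample_response, sizeof sample_response, 33, scratch, sizeof scratch);
    printf("answer owner: %s (%d bytes at offset 33)\n", scratch, n);
    printf("hostile inputs: %s\n", dns_parser_self_test() ? "all rejected" : "CHECK FAILED");
    return 0;
}
```

    The pointer rule is the one most often got wrong: checking only that a
    pointer goes backwards is not enough, because a label followed by a
    pointer to that same label still cycles; requiring each target to lie
    strictly before the previous target makes the walk strictly decreasing
    and so guarantees termination on any input.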

    The document provides two shellcode examples. The first is a kernel
    loader, which lets you plug in and execute any user-land code you wish;
    the second operates entirely at the kernel level: it installs a keystroke
    logger whose keystroke buffer can then be retrieved from a remote system.
    The second example is closer to an old-school software crack than to
    network shellcode. This article assumes the reader knows x86 assembly
    language and has previous experience with Win32 exploitation.

    ADDITIONAL INFORMATION

    The original article can be found at:
    http://www.eeye.com/~data/publish/whitepapers/research/OT20050205.FILE.pdf

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

