[REVS] Remote Windows Kernel Exploitation - Step Into the Ring 0

From: SecuriTeam (support_at_securiteam.com)
Date: 02/21/05

  • Next message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in glFTPd's Plugins" 
    To: list@securiteam.com
Date: 21 Feb 2005 10:52:43 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Remote Windows Kernel Exploitation - Step Into the Ring 0
    ------------------------------------------------------------------------

    SUMMARY

    Over eight years have passed and almost every possible method and
    technique regarding Windows exploitation has been discussed in depth.
    Surprisingly, a topic that has yet to be touched on publicly is the remote
    exploitation of Win32 kernel vulnerabilities; a number of kernel
    vulnerabilities have been published, yet no exploit code has surfaced in
    the public arena.

    DETAILS

    Introduction:
    It was almost a decade ago when Solar Designer posted a message to the
    Bugtraq mailing list providing exploit code and detailing a remote buffer
    overflow in the product Website v1.1e for Windows NT.

    This was probably the first published buffer overflow exploit for Windows.
    Over eight years have passed and almost every possible method and
    technique regarding Windows exploitation has been discussed in depth.
    Surprisingly, a topic that has yet to be touched on publicly is the remote
    exploitation of Win32 kernel vulnerabilities; a number of kernel
    vulnerabilities have been published, yet no exploit code has surfaced in
    the public arena.

    It is predicted we will see more kernel vulnerabilities in the future,
    since more and more networking services are being implemented at the
    driver level. One good example of this is Internet Information Services,
    which now contains a network driver that performs processing of HTTP
    requests. With the release of XP SP2 and wide use of personal firewalls,
    many software and security companies are making claims of secure systems.
    Those wishing to disprove this claim are going to have to adapt to new
    methods of exploitation. But a firewall is a security product; therefore
    it must be secure, right? After all, it has been designed to protect
    against the very type of threats that are proposed here.

    Don't be discouraged though, if the last two years have shown us anything,
    it is that security solutions have the same bugs and vulnerabilities as
    every other piece of software out there.
    Certainly, the developers of kernel code are of a very high caliber, and
    are few and far between. For this exact same reason, the code may not
    undergo the same level of peer scrutiny as that of a user based
    application. It only takes one mistake. In the article that follows, we
    will walk through the remote exploitation of a kernel-based vulnerability.
    The example used here was a flaw in the Symantec line of personal
    firewalls. The flaw existed due to incorrect handling of DNS responses.
    This issue was patched long ago, but it was chosen as it demonstrates
    certain obstacles relating to the communication layers that must be
    overcome when exploiting a host-based firewall.

    Provided in the document are two shell code examples: the first is a
    kernel loader , which will allow you to plug in and execute any user-land
    code you wish; the second operates entirely at the kernel level. A
    keystroke logger is installed and the keystroke buffer may be retrieved
    from a remote system. This example demonstrates more of an old school
    software crack than that of network shell code. This article assumes the
    reader has knowledge of x86 assembler language, and previous experience
    with Win32 exploitation.

    ADDITIONAL INFORMATION

    The original article can be found at:
    <http://www.eeye.com/~data/publish/whitepapers/research/OT20050205.FILE.pdf> http://www.eeye.com/~data/publish/whitepapers/research/OT20050205.FILE.pdf

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in glFTPd's Plugins"

    Relevant Pages