Re: EEYE: Windows VDM #UD Local Privilege Escalation
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Wed, 13 Oct 2004 09:48:11 -0400
Derek Soeder wrote:
Windows VDM #UD Local Privilege Escalation
Release Date: October 12, 2004
Date Reported: March 18, 2004
Severity: Medium (Local Privilege Escalation to Kernel)
[NOTE: This vulnerability was silently fixed by Microsoft in June,
approximately 90 days after it was reported, with the release of Windows
XP SP2 Release Candidate 2. All other versions of Windows remained
unpatched for over 120 additional days.]
120 days, people...
Roll that around for a few. 120 days. Granted, 4 months is better
than some other bugs that MS has taken greater than 10 months to fix...
But, it's still almost 4 months.
Think about this issue, and then think about the fact that it took them
4 months to fix it. Why are people using Microsoft-based systems, again?
Also, at least in MS Windows, it's my personal feeling that local
privilege escalation issues (particularly escalation to kernel or system
status) should be critical issues. Whether people can run arbitrary
code on MS Windows systems these days isn't an exercise for the mind
anymore, it's an exercise of "go look at your neighbor's computer and see
that it's done regularly".
Adware, spyware, and trojans are bad enough without kernel-level
privileges. If properly crafted, an exploit like this could, with the
right conditions, take over an entire domain. Local system kernel
access is the keys to the city if the processes are structured to take
it over, as such. Granted, it's not as bad as a remote execution vuln,
but it can still be very useful to attackers.
Since this advisory is really dry and jargony, we have to throw in
something a little off-beat. We leave you with this:
T: Hey man, what're you reading?
N: Listen to this -- it's an advisory written by eEye in the
first-person. I am Jack's LDT; without me, Jack could not emulate his
legacy DOS applications like Doom on NT.
N: There's a whole series of these: I am Jill's null pointer. I am
T: Yeah, I get exploited, I completely compromise Jack in such a way
that necessitates a total system reinstallation.
Hope that clears things up. (With apologies to Chuck Palahniuk.)
That rocks. :)
Full-Disclosure - We believe in it.