Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: EEYE: Windows VDM #UD Local Privilege Escalation
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Wed, 13 Oct 2004 09:48:11 -0400

Derek Soeder wrote:

Windows VDM #UD Local Privilege Escalation

Release Date:
October 12, 2004

Date Reported:
March 18, 2004

Medium (Local Privilege Escalation to Kernel)

[NOTE: This vulnerability was silently fixed by Microsoft in June,
approximately 90 days after it was reported, with the release of Windows
XP SP2 Release Candidate 2.  All other versions of Windows remained
unpatched for over 120 additional days.]

120 days, people...

Roll that around for a few. 120 days. Granted, 4 months is better than some other bugs that MS has taken greater than 10 months to fix... But, it's still almost 4 months.

Think about this issue, and then think about the fact that it took them 4 months to fix it. Why are people using Microsoft-based systems, again?

Also, at least in MS Windows, it's my personal feeling that local privilege escalation issues (particularly escalation to kernel or system status) should be critical issues. Whether people can run arbitrary code on MS Windows systems these days isn't an exercise for the mind anymore, it's an exercise of "go look at your neighbors computer and see that it's done regularly".

Adware, spyware, and trojans are bad enough without kernel-level privileges. If properly crafted, an exploit like this could, with the right conditions, take over an entire domain. Local system kernel access is the keys to the city if the processes are structured to take it over, as such. Granted, it's not as bad as a remote execution vuln, but it can still be very useful to attackers.

Since this advisory is really dry and jargony, we have to throw in
something a little off-beat.  We leave you with this:

T: Hey man, what're you reading?

N: Listen to this -- it's an advisory written by eEye in the
first-person.  I am Jack's LDT; without me, Jack could not emulate his
legacy DOS applications like Doom on NT.

N: There's a whole series of these:  I am Jill's null pointer.  I am
Jack's kernel--

T: Yeah, I get exploited, I completely compromise Jack in such a way
that necessitates a total system reinstallation.

Hope that clears things up.  (With apologies to Chuck Palahniuk.)

That rocks.  :)


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]