lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: bkfsec at sdf.lonestar.org (Barry Fitzgerald)
Subject: EEYE: Windows VDM #UD Local Privilege Escalation

Derek Soeder wrote:

>Windows VDM #UD Local Privilege Escalation
>
>Release Date:
>October 12, 2004
>
>Date Reported:
>March 18, 2004
>
>Severity:
>Medium (Local Privilege Escalation to Kernel)
>
>
>[NOTE: This vulnerability was silently fixed by Microsoft in June,
>approximately 90 days after it was reported, with the release of Windows
>XP SP2 Release Candidate 2.  All other versions of Windows remained
>unpatched for over 120 additional days.]
>
>
>  
>

120 days, people...

Roll that around for a few.  120 days.   Granted, 4 months is better 
than some other bugs that MS has taken greater than 10 months to fix... 
But, it's still almost 4 months.

Think about this issue, and then think about the fact that it took them 
4 months to fix it.   Why are people using Microsoft-based systems, again?

Also, at least in MS Windows, it's my personal feeling that local 
privilege escalation issues (particularly escalation to kernel or system 
status) should be critical issues.  Whether people can run arbitrary 
code on MS Windows systems these days isn't an exercise for the mind 
anymore, it's an exercise of "go look at your neighbors computer and see 
that it's done regularly".

Adware, spyware, and trojans are bad enough without kernel-level 
privileges.   If properly crafted, an exploit like this could, with the 
right conditions, take over an entire domain.  Local system kernel 
access is the keys to the city if the processes are structured to take 
it over, as such.  Granted, it's not as bad as a remote execution vuln, 
but it can still be very useful to attackers.


>Since this advisory is really dry and jargony, we have to throw in
>something a little off-beat.  We leave you with this:
>
>T: Hey man, what're you reading?
>
>N: Listen to this -- it's an advisory written by eEye in the
>first-person.  I am Jack's LDT; without me, Jack could not emulate his
>legacy DOS applications like Doom on NT.
>
>N: There's a whole series of these:  I am Jill's null pointer.  I am
>Jack's kernel--
>
>T: Yeah, I get exploited, I completely compromise Jack in such a way
>that necessitates a total system reinstallation.
>
>Hope that clears things up.  (With apologies to Chuck Palahniuk.)
>
>  
>
That rocks.  :)

       -Barry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ