| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <201209171600.q8HG0UBP003047@sf01web2.securityfocus.com> Date: Mon, 17 Sep 2012 16:00:30 GMT From: noreply@...ecurity.ru To: bugtraq@...urityfocus.com Subject: [Positive Research] Intel SMEP overview and partial bypass on Windows 8 (whitepaper) Intel SMEP overview and partial bypass on Windows 8 (whitepaper). " <...> It is natural to conclude that if you can’t store your shellcode in the user-mode, you have to find a way to store it somewhere in the kernel space. The most obvious solution is using windows objects such as WinAPI (Events, Timers, Sections etc) or GDI (Brushes, DCs etc). They are accessed indirectly from the user-mode via WinAPI that uses system calls. The point is that the object body is kept in the kernel and somehow some object fields can be modified from the user-mode, so an attacker can transfer the needed shellcode bytes from the user-mode memory to the kernel-mode. <...> " -----[ Full details ] ---[ Blog http://blog.ptsecurity.com/2012/09/intel-smep-overview-and-partial-bypass.html ---[ Whitepapers English version (PDF): http://www.ptsecurity.com/download/SMEP_overview_and_partial_bypass_on_Windows_8.pdf Russian version (PDF): http://www.ptsecurity.ru/download/Technology_Overview_Intel_SMEP_and_partial_bypass_on_Windows_8.pdf Thx! --------------------------------- AShishkin[at]ptsecurity[dot]ru http://www.ptsecurity.com http://blog.ptsecurity.com http://www.phdays.com
Powered by blists - more mailing lists