lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 17 Sep 2012 16:00:30 GMT
From: noreply@...ecurity.ru
To: bugtraq@...urityfocus.com
Subject: [Positive Research] Intel SMEP overview and partial bypass on
 Windows 8 (whitepaper)

Intel SMEP overview and partial bypass on Windows 8 (whitepaper).

"
<...>
It is natural to conclude that if you canít store your shellcode in the user-mode, you have to find a way to store it somewhere in the kernel space. The most obvious solution is using windows objects such as WinAPI (Events, Timers, Sections etc) or GDI (Brushes, DCs etc). They are accessed indirectly from the user-mode via WinAPI that uses system calls. The point is that the object body is kept in the kernel and somehow some object fields can be modified from the user-mode, so an attacker can transfer the needed shellcode bytes from the user-mode memory to the kernel-mode.
<...>
"

-----[ Full details ]
---[ Blog

http://blog.ptsecurity.com/2012/09/intel-smep-overview-and-partial-bypass.html

---[ Whitepapers

English version (PDF):
http://www.ptsecurity.com/download/SMEP_overview_and_partial_bypass_on_Windows_8.pdf

Russian version (PDF):
http://www.ptsecurity.ru/download/Technology_Overview_Intel_SMEP_and_partial_bypass_on_Windows_8.pdf

Thx!

---------------------------------
AShishkin[at]ptsecurity[dot]ru

http://www.ptsecurity.com
http://blog.ptsecurity.com
http://www.phdays.com

Powered by blists - more mailing lists