Dailydave mailing list archives
Re: We hold these axioms to be self evident
From: Shane Macaulay <shane () security-objectives com>
Date: Tue, 19 Jan 2010 17:30:51 -0800
Very cool/deeply technical stuff from Tavis as expected. It also does a good job at taking out VirtualBox when running under a 64-bit Windows guest (was testing in a VM since there is no x86 in 64-bit Windows 7 any more :\). I didn't look at any other VM but am guessing it would be a DoS also, probably a VM escape. I would have thought he tested VMs?

I forget what VMware version (circa 2002-3), but this reminds me of a bug that you could trigger along the lines of:

echo "THIS IS NOT A VALID EXECUTABLE FILE!!!!" > invalid.com

(might have been invalid .exe) inside of VMware on Windows 2000; then from command.com (or cmd.exe, long time ago) you try to run it. You'd get to see your system go critical via crashing out the VM guest/VMware/host OS, resulting in a blue screen. Even thinking of where to begin to debug that mess seemed too insane. I guess Tavis has a few good analysis tricks; his post on full-disc and the code regarding the forged trap frame are very interesting.

I also was reminded of a post I had read, http://x86asm.net/articles/calling-bios-from-driver-in-windows-xp-x64/index.html. I wonder if there are any exposed VDM facilities under 64-bit versions which would allow you to exploit this hole on those platforms. Also makes me think when (maybe has happened already) somebody will exploit those CPU errata flaws Theo was talking about.

--
Shane

On 1/19/2010 12:51 PM, dave wrote:
> Code running in userspace can always run as Ring0. This is an axiom of information security that is often forgotten, but Tavis Ormandy has chosen to remind us of.
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html
>
> Immunity's version of this exploit is available here:
> http://www.immunityinc.com/ceu-index.shtml
>
> We haven't tested it on Windows 3.1, but we have tested it on all the others. :>
>
> Thanks,
> Dave Aitel
> Immunity, Inc.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave