Dailydave mailing list archives
Re: We hold these axioms to be self evident
From: twiz <twiz () email it>
Date: Wed, 20 Jan 2010 08:17:15 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Shane Macaulay wrote:

> echo "THIS IS NOT A VALID EXECUTABLE FILE!!!!" > invalid.com (might have been invalid.exe)
>
> Inside of a VMware on Windows 2000, then from command.com (or cmd.exe, a long time ago), you try to run it. You'd get to see your system go critical via crashing out the VM guest/VMware/host OS, resulting in a blue screen.

Uhm, to start, an integer overflow in the executable header? (well, you should first recall about .exe or .com :-)). Just a guess.

> Even thinking of where to begin to debug that mess seemed too insane. I guess Tavis has a few good analysis tricks; from his post on full-disc, the code regarding the forged trap frame is very interesting. I also was reminded of a post I had read, http://x86asm.net/articles/calling-bios-from-driver-in-windows-xp-x64/index.html, and I wonder if there are any exposed VDM facilities under 64-bit versions which would allow you to exploit this hole on those platforms.

No. That's an emulator, along the lines of what x86emu does for X or uvesafb on Linux (similar things exist on other UNIXes). Basically, the main use (as in the example there) is to call Video BIOS routines even in protected mode: you map the VBIOS, which a diligent OS has left in its place (C0000-C7FFFh), and emulate what the code does. All you really need (besides full memory access) is enough IO privileges (IOPL) to touch the right ports. I'm not saying that these emulators are immune to vulnerabilities, just that one that relies on a hw feature (the v86 mode) can't really apply there that much.

> Also makes me think about when (maybe it has happened already) somebody will exploit those CPU errata flaws Theo was talking about.

If you trust what Kaspersky said in 2008 (and why you shouldn't)...

- twiz

> --
> Shane
>
> On 1/19/2010 12:51 PM, dave wrote:
>
>> Code running in userspace can always run as Ring0. This is an axiom of information security that is often forgotten, but Tavis Ormandy has chosen to remind us of.
>> http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html
>>
>> Immunity's version of this exploit is available here: http://www.immunityinc.com/ceu-index.shtml
>>
>> We haven't tested it on Windows 3.1, but we have tested it on all the others. :>
>>
>> Thanks,
>> Dave Aitel
>> Immunity, Inc.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.11 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktXLIsACgkQWLb7DjnXQ4i3/QCghGBdVXYlWVTrwM/OekSKtOeg
8xAAmwWfrj/zkDjp4FPxAuwzVTV0TQDg
=Thls
-----END PGP SIGNATURE-----
Current thread:
- We hold these axioms to be self evident dave (Jan 19)
- Re: We hold these axioms to be self evident Shane Macaulay (Jan 20)
- Re: We hold these axioms to be self evident twiz (Jan 20)
- Message not available
- Re: We hold these axioms to be self evident Shane Macaulay (Jan 24)
- Re: We hold these axioms to be self evident twiz (Jan 20)
- Re: We hold these axioms to be self evident Shane Macaulay (Jan 20)