Full Disclosure mailing list archives

Re: EEYE: Windows VDM #UD Local Privilege Escalation

From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Wed, 13 Oct 2004 09:48:11 -0400

Derek Soeder wrote:

Windows VDM #UD Local Privilege Escalation

Release Date:
October 12, 2004

Date Reported:
March 18, 2004

Severity:
Medium (Local Privilege Escalation to Kernel)


[NOTE: This vulnerability was silently fixed by Microsoft in June,
approximately 90 days after it was reported, with the release of Windows
XP SP2 Release Candidate 2.  All other versions of Windows remained
unpatched for over 120 additional days.]


120 days, people...

Roll that around for a few. 120 days. Granted, 4 months is betterthan some other bugs that MS has taken greater than 10 months to fix...But, it's still almost 4 months.

Think about this issue, and then think about the fact that it took them4 months to fix it. Why are people using Microsoft-based systems, again?

Also, at least in MS Windows, it's my personal feeling that localprivilege escalation issues (particularly escalation to kernel or systemstatus) should be critical issues. Whether people can run arbitrarycode on MS Windows systems these days isn't an exercise for the mindanymore, it's an exercise of "go look at your neighbors computer and seethat it's done regularly".

Adware, spyware, and trojans are bad enough without kernel-levelprivileges. If properly crafted, an exploit like this could, with theright conditions, take over an entire domain. Local system kernelaccess is the keys to the city if the processes are structured to takeit over, as such. Granted, it's not as bad as a remote execution vuln,but it can still be very useful to attackers.

Since this advisory is really dry and jargony, we have to throw in
something a little off-beat.  We leave you with this:

T: Hey man, what're you reading?

N: Listen to this -- it's an advisory written by eEye in the
first-person.  I am Jack's LDT; without me, Jack could not emulate his
legacy DOS applications like Doom on NT.

N: There's a whole series of these:  I am Jill's null pointer.  I am
Jack's kernel--

T: Yeah, I get exploited, I completely compromise Jack in such a way
that necessitates a total system reinstallation.

Hope that clears things up.  (With apologies to Chuck Palahniuk.)

That rocks.  :)

      -Barry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Current thread:

EEYE: Windows VDM #UD Local Privilege Escalation Derek Soeder (Oct 12)
- Re: EEYE: Windows VDM #UD Local Privilege Escalation Pablo (Oct 13)
  - Re: EEYE: Windows VDM #UD Local Privilege Escalation Brent J. Nordquist (Oct 13)
- Re: EEYE: Windows VDM #UD Local Privilege Escalation Barry Fitzgerald (Oct 13)
  - Re: EEYE: Windows VDM #UD Local Privilege Escalation KF_lists (Oct 13)
    - Re: EEYE: Windows VDM #UD Local Privilege Escalation Barry Fitzgerald (Oct 13)
    - Re: EEYE: Windows VDM #UD Local Privilege Escalation David Maynor (Oct 14)
    - Re: EEYE: Windows VDM #UD Local Privilege Escalation kf_lists (Oct 14)