Full Disclosure mailing list archives
Re: EEYE: Windows VDM #UD Local Privilege Escalation
From: Barry Fitzgerald <bkfsec () sdf lonestar org>
Date: Wed, 13 Oct 2004 09:48:11 -0400
Derek Soeder wrote:
Windows VDM #UD Local Privilege Escalation
Release Date: October 12, 2004
Date Reported: March 18, 2004
Severity: Medium (Local Privilege Escalation to Kernel)
[NOTE: This vulnerability was silently fixed by Microsoft in June, approximately 90 days after it was reported, with the release of Windows XP SP2 Release Candidate 2. All other versions of Windows remained unpatched for over 120 additional days.]
120 days, people... Roll that around for a few. 120 days. Granted, 4 months is better than some other bugs that MS has taken greater than 10 months to fix... But, it's still almost 4 months.
Think about this issue, and then think about the fact that it took them 4 months to fix it. Why are people using Microsoft-based systems, again?
Also, at least in MS Windows, it's my personal feeling that local privilege escalation issues (particularly escalation to kernel or system status) should be critical issues. Whether people can run arbitrary code on MS Windows systems these days isn't an exercise for the mind anymore, it's an exercise of "go look at your neighbor's computer and see that it's done regularly".
Adware, spyware, and trojans are bad enough without kernel-level privileges. If properly crafted, an exploit like this could, with the right conditions, take over an entire domain. Local system kernel access is the keys to the city if the processes are structured to take it over, as such. Granted, it's not as bad as a remote execution vuln, but it can still be very useful to attackers.
Since this advisory is really dry and jargony, we have to throw in something a little off-beat. We leave you with this:
T: Hey man, what're you reading?
N: Listen to this -- it's an advisory written by eEye in the first-person. I am Jack's LDT; without me, Jack could not emulate his legacy DOS applications like Doom on NT.
N: There's a whole series of these: I am Jill's null pointer. I am Jack's kernel--
T: Yeah, I get exploited, I completely compromise Jack in such a way that necessitates a total system reinstallation.
Hope that clears things up. (With apologies to Chuck Palahniuk.)
That rocks. :)
-Barry
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html