funsec mailing list archives
Re: From Tavis Ormandy: Windows NT #GP Trap handler allows users to switch kernel stack
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 19 Jan 2010 19:45:41 -0500
Maybe it doesn't require SeTcbPrivilege, but what privileges does it require? Will this exploit work as a standard user?

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer () ziffdavis com
http://blogs.pcmag.com/securitywatch/

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Juha-Matti Laurio
Sent: Tuesday, January 19, 2010 5:11 PM
To: funsec () linuxbox org
Subject: [funsec] From Tavis Ormandy: Windows NT #GP Trap handler allows users to switch kernel stack
From his advisory
( http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html )

"In order to support BIOS service routines in legacy 16bit applications, the Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode monitor code. These are implemented in two stages, the kernel transitions to the second stage when the #GP trap handler (nt!KiTrap0D) detects that the faulting cs:eip matches specific magic values.

Transitioning to the second stage involves restoring execution context and call stack (which had been previously saved) from the faulting trap frame once authenticity has been verified. This verification relies on the following incorrect assumptions:

- Setting up a VDM context requires SeTcbPrivilege.
- ring3 code cannot install arbitrary code segment selectors.
- ring3 code cannot forge a trap frame.

This is believed to affect every release of the Windows NT kernel, from Windows NT 3.1 (1993) up to and including Windows 7 (2009)."

Juha-Matti

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
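An added example, not part of the thread above: a PowerShell audit for the workaround Microsoft published for this issue, which disables the NTVDM subsystem (the Virtual-8086 path the advisory describes) through the VDMDisallowed policy value from Microsoft Security Advisory 979682. Neither the advisory number nor the registry value appears in the messages above; the path and value name are as Microsoft documented them, and the function names are my own.

```powershell
# Added example (not from the original thread). Audits, and optionally enforces,
# the NTVDM-disable workaround from Microsoft Security Advisory 979682.
# Assumption: the policy location below is the one Microsoft documented;
# Disable-Ntvdm must run from an elevated session.
$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName  = 'VDMDisallowed'

function Get-NtvdmDisabled {
    # Returns $true when 16-bit (NTVDM) support is blocked by policy.
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$ValueName -eq 1)
}

function Disable-Ntvdm {
    # Sets VDMDisallowed=1 so 16-bit applications, and with them the
    # VDM BIOS-call path handled by nt!KiTrap0D, can no longer be started.
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
}

# NTVDM exists only on 32-bit Windows; on x64 hosts the check is moot.
$is32bit = -not [Environment]::Is64BitOperatingSystem
if (-not $is32bit) {
    'x64 Windows: no NTVDM subsystem present, workaround not applicable'
} elseif (Get-NtvdmDisabled) {
    'NTVDM already disabled by policy'
} else {
    'NTVDM enabled: run Disable-Ntvdm from an elevated session to apply the workaround'
}
```

The same setting is reachable through Group Policy as "Prevent access to 16-bit applications" under Application Compatibility; the script only makes the state visible so it can be checked across a fleet before and after the vendor patch is deployed.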
Current thread:
- From Tavis Ormandy: Windows NT #GP Trap handler allows users to switch kernel stack Juha-Matti Laurio (Jan 19)
- Re: From Tavis Ormandy: Windows NT #GP Trap handler allows users to switch kernel stack Larry Seltzer (Jan 19)
- <Possible follow-ups>
- Re: From Tavis Ormandy: Windows NT #GP Trap handler allows users to switch kernel stack Juha-Matti Laurio (Jan 20)
- Re: From Tavis Ormandy: Windows NT #GP Trap handler allows users to switch kernel stack Juha-Matti Laurio (Jan 20)