Dailydave mailing list archives

Locals, axioms, etc.


From: Dave Aitel <dave () immunityinc com>
Date: Wed, 13 Jul 2011 11:56:46 -0400

<http://www.boingboing.net/2011/07/13/scientist-proposes-r.html?dlvrit=36761>

Movies are great. Yesterday we spent a couple hours helping one of our CANVAS
customers with a gig he was on where he needed to get local/SYSTEM. In
his case, he used MS11_032, but for those of you with CANVAS Early
Updates, http://partners.immunityinc.com/movies/canvas-ms11_054.mov may
provide some illustrated amusement. I don't want to make Tarjei's head
big, but what a great find.

That wasn't the only local released: http://j00ru.vexillium.org/
demonstrates the one in csrss, and talks through the interesting
exploitation paths (although currently only for XP).

But the story you should see is this: It is an axiom that an attacker
will be running Ring0 code on your computer if they are running userland
code on your computer. Microsoft has added a lot of complexity to their
security model (restricted tokens, UAC, etc.), but these are almost
certainly a large waste of time.

If I understand properly Immunity's MS11_054 exploit also turns off Code
Integrity, so you can load 64 bit rootkits, etc. How cool is that?

-dave


_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave
