kernel mode
VULNERABILITY DETAILS
---------------------
This document describes two x64 instruction emulation flaws,
discovered by the author in the aforementioned versions of VMware
products, which allow user-mode code to cause an illegitimate
kernel-mode exception inside the virtual machine. If the guest
operating system kernel is not written to safely handle such an
exception, it may be possible for user-mode code to interfere with
kernel execution in a way that allows elevation of privileges.
Currently, the only scenario which the author knows to be exploitable
VULNERABILITY DETAILS
---------------------
This document describes the first of two x64 instruction emulation
flaws, discovered by the author in the aforementioned versions of
VMware products, which allow user-mode code to cause an illegitimate
kernel-mode exception inside the virtual machine. If the guest
operating system kernel is not written to safely handle such an
exception, it may be possible for user-mode code to interfere with
kernel execution in a way that allows elevation of privileges.
Currently, the only scenario which the author knows to be exploitable
The vulnerability explained above was fixed by adding
ProbeForRead()/ProbeForWrite() calls in order to catch malformed
requests.
However, every affected driver uses METHOD_BUFFERED for all IOCTL
calls. The buffer passed from user mode is first copied to kernel mode,
and will therefore always have a kernel-mode address when accessed by
the above function. Calling ProbeForRead()/ProbeForWrite() on a
kernel-mode address raises an exception, which is appropriately handled,
and the ZwQueryObject() call is never performed.
Because of the added "fixes", even a legitimate request cannot be
could lead to a Denial of Service (DoS) and possibly to code execution
attacks. An attacker utilizing these flaws may be able to locally
reboot the whole system, shutting down the firewall or anti-virus
protection. However, in some cases it may be possible to extend the
impact of these bugs, and they could lead to the execution of arbitrary
code in the privileged kernel mode.
*Vulnerable Packages*
. BitDefender Antivirus 2008 Build 11.0.11
Qihoo 360 Security Guard is very famous in China.
Some vulnerabilities have been reported in Qihoo 360 Security Guard, which can be exploited by malicious local users to gain escalated privileges.
An error in the kernel-mode driver (bregdrv.sys) when handling input passed through the user-mode dynamic link library (bregdll.dll) can be exploited to
read, write or modify the registry in kernel mode.
An attacker can exploit this issue to read, write or modify the registry with kernel-level privileges. Successful exploits will result in the complete
- Exploitation Technology: Getting out of Jail: Escaping Internet
Explorer Protected Mode
Author: Skywing
- Exploitation Technology: OS X Kernel-mode Exploitation in a Weekend
Author: David Maynor
- Rootkits: A Catalog of Local Windows Kernel-mode Backdoor Techniques
Authors: skape & Skywing
untrusted user mode code to pass arbitrary kernel addresses as arguments
to the driver.
With specially constructed input, a malicious user can use functionality
within the driver to patch kernel addresses and execute arbitrary code
in kernel mode. When handling IOCTLs, a communication method must be
pre-defined between the user-mode application and the driver module. The
selected method determines how the I/O Manager manipulates the memory
buffers used in the communication.
'METHOD_NEITHER' is a very dangerous method because the pointer
Kingsoft WebShield KAVSafe.sys <= 2010.4.14.609(2010.5.23) Kernel Mode Local Privilege Escalation Vulnerability
VULNERABLE PRODUCTS
Kingsoft WebShield <= 3.5.1.2 (2010.5.23)
Signature Date: 2010-5-23 2:33:54
And
KAVSafe.sys <= 2010.4.14.609
DETAILS:
mp110013.sys handles a DeviceIoControl request which tells the driver the offset of PspCreateProcessNotifyRoutine/PspCreateProcessNotifyRoutineCount; an attacker can use this interface to write kernel memory.
EXPLOIT CODE
//write ntdll.dll base + 0x8 with "6543" in kernel mode
#include "stdafx.h"
#include "windows.h"
#include "shlwapi.h"
#pragma comment(lib , "shlwapi.lib")
The crash dump looks like the following.
Jan 28 11:33:07 r00tme kernel:
Jan 28 11:33:07 r00tme kernel:
Jan 28 11:33:07 r00tme kernel: Fatal trap 12: page fault while in kernel mode
Jan 28 11:33:07 r00tme kernel: cpuid = 0; apic id = 00
Jan 28 11:33:07 r00tme kernel: fault virtual address = 0xc
Jan 28 11:33:07 r00tme kernel: fault code = supervisor write, page not present
Jan 28 11:33:07 r00tme kernel: instruction pointer = 0x20:0xc06143ba
Some Ralinktech wireless card drivers suffer from an integer overflow. Sending a
malformed 802.11 Probe Request packet, with no need to know the victim's MAC/BSS/SSID, can cause
remote code execution in kernel mode.
In order to exploit this issue, the attacker should send a Probe
Request packet with an SSID length bigger than 128 bytes (but less than 256) when the victim's card is in ad hoc mode.
The attacker need not be on the same network, nor even know the MAC/BSS/SSID; the packet can simply be sent as a broadcast.
Tested on a Ralink USB wireless adapter (RT73) V3.08 on Windows 2000 with the latest driver version.
Status: Unpatched, vulnerability reported to vendor.
Two vulnerabilities were discovered in the client part of OpenAFS, a
distributed file system.
An attacker with control of a file server or the ability to forge RX
packets may be able to execute arbitrary code in kernel mode on an
OpenAFS client, due to a vulnerability in XDR array decoding.
(CVE-2009-1251)
An attacker with control of a file server or the ability to forge RX
packets may crash OpenAFS clients because of wrongly handled error
FreeBSD <= 6.1 suffers from a classical check/use race condition on SMP
systems in the kevent() syscall, leading to a kernel-mode NULL pointer
dereference. It can be triggered by spawning two threads: the
1st thread looping on open() and close() syscalls, and the 2nd thread
looping on kevent(), trying to add a possibly invalid file descriptor.
The bug was fixed in 6.1-STABLE, just before release of 6.2-RELEASE, but
Hello,
We have found a number of vulnerabilities in the implementations of kernel hooks in many different security products.
The argument-switch attack (or KHOBE attack) affects user-mode and kernel-mode hooks that are used to implement security features. The hook
may be vulnerable if it performs security checks on pointer or handle arguments that come from user mode. Using multiple threads, the
attacker is able to change the meaning of the arguments in the middle of the hooked system call and thus bypass the security checks
implemented by the hook. The common implementations of kernel-mode hooks, especially so-called SSDT hooks, are vulnerable to the argument-switch
attack. No product that we investigated during our research implemented the hooks correctly.
These bugs could be locally exploited by a malicious user in order
to gain unlimited access to the system.
The Nvcoaft51 driver creates a device named NvcOa without a restrictive
security descriptor, so any user can open it and send control codes
directly to the device driver. Arbitrary code execution in kernel mode
is possible because the code that handles IOCTLs is not bug free.
Detailed information and proof of concept exploit code of a tricky
kernel pool overflow can be downloaded here :
---------------------
VUPEN Vulnerability Research Team discovered a vulnerability affecting
Microsoft Windows.
The vulnerability is caused by a memory corruption within the kernel-mode
device driver "Win32k.sys" when handling Device Contexts (DC) via the
"GetDCEx()" function, which could be exploited by local attackers to gain
ring0 privileges via a specially crafted application.
Description
-----------
A vulnerability has been discovered in one of the Data Encryption Systems
DESLock+ kernel drivers. An attacker exploiting this vulnerability may
execute arbitrary code with kernel-mode privileges, or cause a Denial
of Service via a page fault caused by an invalid pointer
dereference.
Data Encryption Systems Ltd received the best "Encryption Solution of
the Year" at "The Computing Security Awards 2010",
# Kingsoft AntiVirus 2011 SP5.2 KisKrnl.sys <= 2011.1.13.89 Local Kernel Mode D.O.S Exploit
# Date: 2011-1-16
# Author: MJ0011
# Version: KingSoft AntiVirus 2011 SP5.2 with KisKrnl.sys <=2011.1.13.89
# Tested on: Windows XP SP3
DETAILS:
KisKrnl.sys hooks the kernel function KiFastCallEntry, but does not correctly handle the user stack pointer.