ring 0
pnp_bios_fault_eip and pnp_bios_fault_esp are both .bss objects, and
will be initialised to NULL. Thus, line 22 will transfer execution to
the first page.
Therefore, incorrectly reporting the supervisor bit can lead to a local
ring3->ring0 privilege escalation in guests.
/* ... */
// Setup registers
vm.regs.eflags = EFLAGS_TF_MASK;
vm.regs.esp = 0xDEADBEEF;
-----------------------
Greetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,
ScaryBeasts, spender and all my other elite colleagues.
Check out some photography while at ring0 @ http://flickr.com/meder.
-------------------
References
-----------------------
Administrator lives in Ring 3 while this crash happens in Ring 0.
Nobody, not even Admin, should be able to corrupt kernel space. It's
not a security issue per se - it's just a bug.
dale@wisefaq.com wrote:
> So, let me try and understand this.
>
> According to what you have written, and the MSDN documentation on this CreateIpForwardEntry2 call, you need to be (at least) a member of the Administrators group.
>
it can be designed to look like an OS. However, comparing the currently
existing browsers to an operating system is ludicrous at best.
SMC> Since they are very closely attached to their underlying
SMC> operating system,
Since when are browsers running Ring 0 ?
SMC> But if you think of the infinite number of algorithms you could write in
SMC> Javascript, then it becomes a recipe for the death of a thousand cuts.
An infinite number of possibilities does not necessarily equal an infinite number of
"defenses". - Browser detects loop or script that doesn't exit, asks user if he
eCryptfs mount. (CVE-2009-2908)
The kvm_emulate_hypercall function in arch/x86/kvm/x86.c in KVM in
the Linux kernel 2.6.25-rc1, and other versions before 2.6.31, when
running on x86 systems, does not prevent access to MMU hypercalls
from ring 0, which allows local guest OS users to cause a denial of
service (guest kernel crash) and read or write guest kernel memory
via unspecified random addresses. (CVE-2009-3290)
Additionally, it includes the fixes from the stable kernel version
2.6.27.37. It also fixes IBM x3650 M2 hanging when using
registry value with malicious content (x86 code).
Checks added in new version do not prevent this attack in any way.
PoC for this vulnerability was not created since privilege escalation
(most probable outcome/goal of arbitrary ring0 code execution) can be
achieved much more easily with techniques described below.
--- 6. Issue: Information leakage/privilege escalation by using
registry/file functions ---
privileges to other local users.
CVE-2009-3290
Jan Kiszka noticed that the kvm_emulate_hypercall function in KVM
does not prevent access to MMU hypercalls from ring 0, which
allows local guest OS users to cause a denial of service (guest
kernel crash) and read or write guest kernel memory.
CVE-2009-3613
The specific flaw exists in the handling of the system call
NtQueryAttributesFile by the filter driver savonaccessfilter.sys. Due to
improper handling of parameters to the function pool corruption can
occur in kernel space. A local attacker can leverage this to execute
arbitrary code in ring 0.
-- Vendor Response:
Sophos has issued an update to correct this vulnerability. More
details can be found at:
password, which is limited to seven characters where eight was intended.
CVE-2009-3290
It was discovered that the kvm_emulate_hypercall function in KVM does not
prevent access to MMU hypercalls from ring 0, which allows local guest OS users
to cause a denial of service (guest kernel crash) and read or write guest kernel
memory.
For the stable distribution (lenny), these problems have been fixed in version
even a valid one.
In this scenario, it is possible to feed the IOCTL with kernel addresses
to write the value returned by 'supdrvIOCtlFast()' to ANY address in kernel
space memory as many times as necessary to modify kernel code or kernel
pointers to subsequently get code execution in ring 0 context (that
means, with system privileges).
This is the Proof of Concept I have made to trigger and show the
vulnerability. This will generate a Blue Screen of Death (BSOD) trying
to write to an unpaged kernel mode address (0x80808080) but any other
II. DESCRIPTION
Local exploitation of multiple input validation vulnerabilities within
multiple Check Point Zone Alarm products could allow an attacker to
execute arbitrary code in kernel (ring0) context.
The problems specifically exist within the IOCTL handling code in the
vsdatant.sys device driver. The device driver fails to validate
user-land supplied addresses passed to IOCTL 0x8400000F and IOCTL
0x84000013.
Microsoft Windows.
The vulnerability is caused by a memory corruption within the kernel-mode
device driver "Win32k.sys" when handling Device Contexts (DC) via the
"GetDCEx()" function, which could be exploited by local attackers to gain
ring0 privileges via a specially crafted application.
III. AFFECTED PRODUCTS
---------------------------