user/mode
IMPACT
------
By exploiting either of the VMware flaws described in this document,
user-mode code executing in a virtual machine may gain kernel
privileges within the virtual machine, dependent upon the guest
operating system. The flaws have been proven exploitable on x64
versions of Windows, and they have produced potentially exploitable
crashes on x64 versions of *BSD. The Linux kernel does not allow
exploitation of these flaws on x64 versions of Linux.
VMware Workstation 6.5
IMPACT
------
By exploiting the VMware flaw described in this document, user-mode
code executing in a virtual machine may gain kernel privileges within
the virtual machine, dependent upon the guest operating system. The
flaw has been proven exploitable on x64 versions of Windows, and it
has produced potentially exploitable crashes on x64 versions of *BSD.
The Linux kernel does not allow exploitation of the flaws on x64
---------------
SUPERAntiSpyware and Super Ad Blocker have almost identical device
drivers in order to set up hooks and perform other duties from kernel
space. These device drivers suffer from lack of validation of
parameters passed from user mode. Additionally, some of the functions
accessible from user mode are inherently insecure and lead to easy
privilege escalation. All vulnerabilities are applicable to both
applications.
Analysis and code were developed for SUPERAntiSpyware v4.33.1000, but
flat 32-bit virtual address space that describes 4 gigabytes of virtual
memory to 32-bit processes. This address space is used by the process to
map its executable code and the data that it uses during its runtime.
For performance and efficiency reasons the process address space is
usually split so that 2 GB of address space are directly accessible by
the user-mode application process and the other 2 GB are used to map the
code and data of the operating system and only accessible to kernel code
[4]. Any attempts from a user-space process to dereference and use
memory contents mapped at addresses above the 2GB boundary will trigger
an exception and terminate the offending process.
When the VirtualBox package is installed on a host, the 'VBoxDrv.sys'
driver is loaded on the machine. This driver allows any unprivileged
user to open the device '\\.\VBoxDrv' and issue IOCTLs that use the
METHOD_NEITHER buffering mode, which hands the driver the caller's raw
pointers, and it performs no validation of those pointers. This allows
untrusted user-mode code to pass arbitrary kernel addresses as arguments
to the driver.
With specially constructed input, a malicious user can use functionality
within the driver to patch kernel addresses and execute arbitrary code
in kernel mode. When handling IOCTLs a communication method must be
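The pointer check that the text says VBoxDrv lacked, as an added example that is not VirtualBox's code: a user-space model of a METHOD_NEITHER handler that writes a result to a caller-supplied address. It assumes the 2 GB / 2 GB split described above as the address layout; the probe address constant, the status values and the function names are hypothetical stand-ins for MmUserProbeAddress, NTSTATUS codes and ProbeForWrite, and addresses are plain integers so nothing here touches real memory.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical 32-bit layout with the 2 GB / 2 GB split (assumption):
 * a user range must end at or below this probe address. */
#define USER_PROBE_ADDRESS 0x7FFF0000u

/* Model status values; these are not the real NTSTATUS codes. */
enum status {
    STATUS_SUCCESS          = 0,
    STATUS_ACCESS_VIOLATION = 1
};

/* Models ProbeForWrite(): the range [addr, addr+len) must lie entirely in
 * user space and must not wrap. A zero-length probe passes, as the real
 * routine does; alignment checks are omitted. */
static enum status probe_for_write(uint32_t addr, uint32_t len)
{
    if (len == 0)
        return STATUS_SUCCESS;
    if (addr > UINT32_MAX - len)            /* addr + len wraps past 4 GB */
        return STATUS_ACCESS_VIOLATION;
    if (addr + len > USER_PROBE_ADDRESS)    /* reaches into the kernel half */
        return STATUS_ACCESS_VIOLATION;
    return STATUS_SUCCESS;
}

/* A METHOD_NEITHER handler that writes a result to a caller-supplied
 * pointer. With probe == 0 it behaves as the text describes VBoxDrv:
 * whatever address the caller passed is used as-is, so a kernel address
 * turns the IOCTL into a kernel write primitive. With probe == 1 the
 * pointer is checked first (a real driver must also wrap the access in
 * __try/__except, since the page can be unmapped between probe and use). */
static enum status ioctl_write_result(uint32_t out_ptr, uint32_t out_len, int probe)
{
    if (probe) {
        enum status st = probe_for_write(out_ptr, out_len);
        if (st != STATUS_SUCCESS)
            return st;
    }
    /* ... the kernel would now write out_len bytes at out_ptr ... */
    return STATUS_SUCCESS;
}

int main(void)
{
    /* Constructed inputs: a user-mode buffer and a kernel-mode address. */
    printf("user ptr, probed:     %d\n", ioctl_write_result(0x00401000u, 0x100u, 1));
    printf("kernel ptr, no probe: %d\n", ioctl_write_result(0x80501000u, 0x100u, 0));
    printf("kernel ptr, probed:   %d\n", ioctl_write_result(0x80501000u, 0x100u, 1));
    return 0;
}
```

The model covers only the output-buffer direction. The I2OExc and klim5.sys snippets further down this page describe the complementary failure, a user-supplied value taken as a kernel object pointer or callback address; the remedy there is not a probe but refusing to accept raw pointers from user mode at all.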
00127f6c 6be37f7b MSPTLS!FsDestroyMemory+0x4080
00128078 6be4e8ca MSPTLS!FsDestroyMemory+0x52ae
!exploitable output:
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at wwlib!DllGetClassObject+0x000000000007fead (Hash=0x43317a27.0x44020844)
User mode write access violations that are not near NULL are exploitable.
This vulnerability can be remotely triggered if a user chooses to open a .doc file from IE or any other browser (in
IE, winword.exe is hosted inside the browser window, but it still runs as a separate new process).
this DSA.
CVE-2007-5093
Alex Smith discovered an issue with the pwc driver for certain webcam
devices. If the device is removed while a userspace application has it
open, the driver will wait for userspace to close the device, resulting
in a blocked USB subsystem. This issue is of low security impact as
it requires the attacker to either have physical access to the system
or to convince a user with local access to remove the device on their
behalf.
When the processor raises a #PF (page fault) exception, an exception code is
pushed onto the stack containing flags used by the operating system to
determine the correct course of action. One of those flags is called U/S
(user/supervisor), which is set if the fault was caused while the processor
was in user mode.
In Virtual-8086 mode, when VMware emulates a far call or far jmp instruction,
it incorrectly pushes the return cs and ip on the stack using supervisory
access, causing an incorrect exception code to be delivered to the guest
kernel.
compatibility with or to take advantage of this update:
Debian 4.0 (etch)
fai-kernels 1.17+etch.13etch4
kernel-patch-openvz 028.18.1etch5
user-mode-linux 2.6.18-1um-2etch.13etch4
We recommend that you upgrade your kernel package immediately and reboot
the machine. If you have built a custom kernel from the kernel source
package, you will need to rebuild to take advantage of these fixes.
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
IML32!Ordinal2064+0x7254:
69081264 894c31fc mov dword ptr [ecx+esi-4],ecx ds:0023:3aaee3dc=????????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IML32!Ordinal2064+0x0000000000007254 (Hash=0x3e3c3a38.0x484c154e)
User mode write access violations that are not near NULL are exploitable.
Disassembly:
reseeding code leads to a reduction in entropy.
Qihoo 360 Security Guard is very widely used in China.
Some vulnerabilities have been reported in Qihoo 360 Security Guard, which can be exploited by malicious local users to gain escalated privileges.
An error in the kernel-mode driver (bregdrv.sys) when handling input passed through the user-mode dynamic link library (bregdll.dll) can be exploited to
read, write, or modify the registry in kernel mode.
An attacker can exploit this issue to read, write, or modify the registry with kernel-level privileges. Successful exploits will result in the complete
be available to a user-space process, which allows local users to
obtain sensitive information by reading these pages. (CVE-2009-1192)
The ABI in the Linux kernel 2.6.28 and earlier on s390, powerpc,
sparc64, and mips 64-bit platforms requires that a 32-bit argument in a
64-bit register was properly sign extended when sent from a user-mode
application, but cannot verify this, which allows local users to
cause a denial of service (crash) or possibly gain privileges via a
crafted system call. (CVE-2009-0029)
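The sign-extension problem behind CVE-2009-0029, as an added example that is not kernel code: a hypothetical syscall with a signed 32-bit length argument, the register contents a 32-bit caller can leave on an ABI that trusts the caller to sign-extend, and a wrapper in the spirit of the SYSCALL_DEFINEx fix that truncates each argument to its declared type before the body sees it. The syscall itself and the function names are inventions for illustration.

```c
#include <stdint.h>
#include <errno.h>
#include <stdio.h>

/* Hypothetical syscall body: takes a signed 32-bit length and rejects
 * negative values before using it as a size. */
static int64_t sys_example(int fd, int len)
{
    if (fd < 0 || len < 0)
        return -EINVAL;
    return len;          /* would go on to be used as a buffer size */
}

/* What a 32-bit caller can leave in a 64-bit argument register when the
 * ABI expects, but cannot verify, sign extension: only the low half holds
 * the value, the upper half is zero. */
static uint64_t reg_from_32bit_caller(int32_t v)
{
    return (uint32_t)v;
}

/* Broken path: the argument is interpreted at full register width, as a
 * compiler that relies on the ABI's sign-extension promise may do. A
 * caller's -1 arrives as 4294967295 and sails past the sign check. */
static int64_t sys_example_unwrapped(uint64_t r_fd, uint64_t r_len)
{
    int64_t fd = (int64_t)r_fd, len = (int64_t)r_len;
    if (fd < 0 || len < 0)
        return -EINVAL;
    return len;
}

/* Fixed path: truncate each argument to its declared 32-bit type before
 * calling the body, which restores the sign regardless of what the caller
 * left in the upper half of the register. */
static int64_t sys_example_wrapped(uint64_t r_fd, uint64_t r_len)
{
    return sys_example((int)r_fd, (int)r_len);
}

int main(void)
{
    uint64_t fd = reg_from_32bit_caller(3), len = reg_from_32bit_caller(-1);
    printf("unwrapped: %lld\n", (long long)sys_example_unwrapped(fd, len));
    printf("wrapped:   %lld\n", (long long)sys_example_wrapped(fd, len));
    return 0;
}
```

The unwrapped variant returns the bogus length, which a real syscall would then pass to a copy routine; the wrapped variant returns -EINVAL, which is why the fix lived in the wrappers rather than in each syscall body.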
The __inet6_check_established function in net/ipv6/inet6_hashtables.c
Venus. The arguments to a Coda ioctl are encapsulated in a PioctlData struct,
which in turn contains a ViceIoctl struct. The ViceIoctl struct contains
"in_size" and "out_size" fields, dictating the expected size of the input and
output data corresponding to a particular ioctl request. The "in_size" field
is validated to prevent memory corruption via copying an unexpected amount of
data from userspace into a kernel buffer.
However, the "out_size" field was missing this validation. When copying the
output data of an ioctl request back to userspace, the "out_size" field was
used to determine the amount of data to copy, without restricting it to a
maximum possible size. By specifying a large value for this field, the
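The asymmetric validation described above, as an added example that is not the Coda code: a user-space model of the pioctl reply path in which in_size is bounded but out_size drives the copy back to the caller unchecked, beside the same path with the missing check in place. The VC_MAXDATASIZE value, the buffer and the wrapper functions are assumptions for illustration; the struct field names follow the description on the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <errno.h>

/* Assumed upper bound on a pioctl payload, the limit the in_size check
 * on the page is described as enforcing. */
#define VC_MAXDATASIZE 8192

struct ViceIoctl {
    const void *in;        /* data the caller sends */
    void       *out;       /* where the reply is written back */
    uint16_t    in_size;
    uint16_t    out_size;
};

struct PioctlData {
    const char      *path;
    struct ViceIoctl vi;
};

/* Kernel-side reply buffer; a request's genuine answer occupies only the
 * first few bytes, the rest is whatever the kernel left there. */
static unsigned char reply_buf[VC_MAXDATASIZE];

/* Models the reply path of a Coda pioctl. Returns the byte count that
 * would be handed to copy_to_user(), or a negative errno. check_out == 0
 * reproduces the missing validation. */
static long coda_pioctl_copy_out(const struct PioctlData *data, int check_out)
{
    const struct ViceIoctl *vi = &data->vi;

    if (vi->in_size > VC_MAXDATASIZE)                /* this check was present */
        return -EINVAL;
    if (check_out && vi->out_size > VC_MAXDATASIZE)  /* this one was missing */
        return -EINVAL;

    size_t n = vi->out_size;
    /* The kernel would copy n bytes from reply_buf: n larger than the real
     * reply discloses stale buffer contents, and n larger than the buffer
     * reads past it. The model clamps the actual copy so it stays memory-
     * safe here while still reporting the count the kernel would use. */
    memcpy(vi->out, reply_buf, n < sizeof reply_buf ? n : sizeof reply_buf);
    return (long)n;
}

/* Builds a constructed request so the model can be driven with just the
 * requested out_size and the flag. */
static long demo(uint16_t out_size, int check_out)
{
    static unsigned char user_out[VC_MAXDATASIZE];
    struct PioctlData req = {
        .path = "/coda/example",
        .vi = { .in = NULL, .out = user_out, .in_size = 16, .out_size = out_size },
    };
    return coda_pioctl_copy_out(&req, check_out);
}

/* Bytes beyond the genuine reply that a given copy would expose. */
static long bytes_leaked(long copied, size_t reply_len)
{
    return copied > (long)reply_len ? copied - (long)reply_len : 0;
}
```

With out_size at its 16-bit maximum the unchecked path reports 65535 bytes to copy against a genuine reply of a few dozen, which is the disclosure; the checked path refuses the request outright.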
> * -------------
> * This is the interesting one, and the reason I wrote this exploit. If a
> * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
> * word will be written to a user-specified pointer when that thread exits.
> * This write is done using put_user(), which ensures the provided destination
> * resides in valid userspace by invoking access_ok(). However, Nelson
> * discovered that when the kernel performs an address limit override via
> * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
> * etc.), this override is not reverted before calling put_user() in the exit
> * path, allowing a user to write a NULL word to an arbitrary kernel address.
> * Note that this issue requires an additional vulnerability to trigger.
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010292
DIRAPI!Ordinal21+0x6f8:
044b2498 6681600c1f7f and word ptr [eax+0Ch],offset <Unloaded_dui.DLL>+0x7f0e (00007f1f) ds:0023:05215684=????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at DIRAPI!Ordinal21+0x00000000000006f8 (Hash=0x53080807.0x53080814)
User mode write access violations that are not near NULL are exploitable.
Disassembly:
0:008> !exploitable
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\VideoLAN\VLC\libvlccore.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at libavcodec_plugin!vlc_entry__1_1_0g+0x33cef2 (Hash=0x64744c60.0x724a4f4e)
User mode write access violations that are not near NULL are exploitable.
diff --git a/libavcodec/sp5xdec.c b/libavcodec/sp5xdec.c index 8bcdbe4..dd31eda 100644 (file)
. 2010-06-23:
Update from the vendor (email sent previously bounced). The issue has
been determined to be a variant of CVE-2010-0485. It will be addressed
as a new bug and assigned a different CVE ID. Although the crash comes
from the same vector (a window handle returned by a user mode windows
hook callback) the bug is in a different function than the original
issue and occurs due to a different, previously unknown, issue with
the window handle that the original fix does not address. A solid
timeline for general availability of patches is not yet available. The
July 2010 Patch Tuesday is mentioned as tentative but the patch
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010283
ntdll!RtlAbsoluteToSelfRelativeSD+0x5cd:
7c83e790 8901 mov dword ptr [ecx],eax ds:0023:41414141=????????
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlAbsoluteToSelfRelativeSD+0x00000000000005cd (Hash=0x7d7e510d.0x116d301c)
User mode write access violations that are not near NULL are exploitable.
code:
...
third-party application is, so far, the unique possible attack vector
to exploit this issue.
This advisory covers the attack vector found in a widely licensed
component, the GearSoftware Recording SDK, which was exposing the
kernel flaw to user-mode attackers through one of its filter drivers:
GEARAspiWDM.sys
Since this driver is a licensed solution, it is bundled with several
well-known products. To clarify as much as possible this vulnerability,
privileges from Guest account to SYSTEM.
3. Technical Description.
This driver is in charge of intercepting packets as they arrive or are
sent. (Un)fortunately, a simple user-mode program can modify some
callbacks in klim5.sys to point to a user-mode controlled address, just
by sending a specially crafted IOCTL request. So... we face a local
privilege escalation. Again.
.text:00011774 cmp ecx, 80052110h ; IOCTL
QuickTime!DllMain+0x2d068:
6682ead8 668907 mov word ptr [edi],ax ds:0023:088a5000=????
0:000> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at QuickTime!DllMain+0x000000000002d068 (Hash=0x0e483076.0x0e507376)
User mode write access violations that are not near NULL are exploitable.
* trivially allows you to get root. However, I found another way to get root
* from CAP_SYS_ADMIN...the hard way.
*
* This exploit leverages a signedness error in the Phonet protocol. By
* specifying a negative protocol index, I can craft a series of fake
* structures in userspace and cause the incrementing of an arbitrary kernel
* address, which I then leverage to execute arbitrary kernel code.
*
* Greets to spender, cloud, jono, kees, pipacs, redpig, taviso, twiz, stealth,
* and bla.
*
the \\.\I2OExc device interface. The permissions on this device allow
"Everyone" write access. This could allow a locally logged-in user to
access functionality designed for privileged use only.
Additionally, the IOCTL handlers for this device interface do not
properly validate the user-mode buffer passed to them, so an attacker can
supply a fake DeviceObject pointer that points to a user-mode address. As
such, it is possible to overwrite arbitrary memory or execute
attacker-supplied code in the context of the kernel.
III. ANALYSIS
Mandriva Linux Security Advisory MDVA-2009:057
http://www.mandriva.com/security/
_______________________________________________________________________
Package : usermode
Date : April 28, 2009
Affected: 2009.0
_______________________________________________________________________
Problem Description:
the amd64 linux-image flavour.