
View Full Version : Windows Kernel Vulnerabilities release (Hispasec research)


j00ru vx tech blog
April 13th, 2010, 16:21
Today, on Patch Tuesday, Microsoft released bits of information regarding security vulnerabilities present in the Windows kernel – found and exploited (in Proof of Concept form) by me and Gynvael Coldwind ("http://gynvael.coldwind.pl/") – which are directly connected with a well-known Windows Registry functionality. Five bugs have been described (there are six in fact – one of them was dropped because a single patch in the source code fixes two separate vulns at the same time) – two of them allow Local Elevation of Privilege to be achieved, while the other three make it possible to perform a Denial of Service attack.

What should be noted is that the entire research was done in cooperation with Hispasec ("http://hispasec.com/") / VirusTotal ("http://virustotal.com/").

Let's take a look at what the Microsoft report ("http://www.microsoft.com/technet/security/Bulletin/MS10-021.mspx") (MS10-021 to be exact) says about the vulnerabilities under consideration:



Windows Kernel Null Pointer Vulnerability – CVE-2010-0234

A denial of service vulnerability exists in the Windows kernel due to the insufficient validation of registry keys passed to a Windows kernel system call. An attacker could exploit the vulnerability by running a specially crafted application, causing the system to become unresponsive and automatically restart.

Windows Kernel Symbolic Link Value Vulnerability – CVE-2010-0235

A denial of service vulnerability exists in the Windows kernel due to the manner in which the kernel processes the values of symbolic links. An attacker could exploit the vulnerability by running a specially crafted application causing the system to become unresponsive and automatically restart.

Windows Kernel Memory Allocation Vulnerability – CVE-2010-0236

An elevation of privilege vulnerability exists in the Windows kernel due to the manner in which memory is allocated when extracting a symbolic link from a registry key. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Windows Kernel Symbolic Link Creation Vulnerability – CVE-2010-0237

An elevation of privilege vulnerability exists when the Windows kernel does not properly restrict symbolic link creation between untrusted and trusted registry hives. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Windows Kernel Registry Key Vulnerability – CVE-2010-0238

A denial of service vulnerability exists in the way that the Windows kernel validates registry keys. An attacker could exploit the vulnerability by running a specially crafted application causing the system to become unresponsive and automatically restart.

A more detailed description of how the vulnerabilities work, as well as the process of finding and exploiting them (together with the bug presented in the MS10-011 ("http://www.microsoft.com/technet/security/Bulletin/MS10-011.mspx") report), is going to be presented at two security conferences. The first of them is Hack In The Box (Dubai edition) ("http://conference.hackinthebox.org/hitbsecconf2010dxb/"), held on the 22nd of April this year – which I cannot attend for reasons beyond my control – Gynvael is going to give the talk for both of us. The second one is the Polish CONFidence ("http://2010.confidence.org.pl/") event, which takes place on the 25th-26th of May in Cracow, where the full team (that is, me and Gyn) will explain the technical details of this operation :) I highly encourage you to take part in the latter one, as it is one of the best Polish conferences dedicated to security.

A few lines have been dropped by Nick Finco (MSRC Engineering) on the Microsoft Security & Research ("http://blogs.technet.com/srd/archive/2010/04/12/registry-vulnerabilities-addressed-by-ms10-021.aspx") blog. In case there are some more interesting notes, I will update this post and put more links here.

Greets! Leave some comments, please ;)

Update 1: As it seems to be a very convenient moment to create a Twitter account, I have just done so – HERE ("http://twitter.com/j00ru") you can find my profile.



http://j00ru.vexillium.org/?p=307&lang=en

Silkut
April 14th, 2010, 06:07
Congrats! That's impressive !

j00ru
April 14th, 2010, 23:56
@Silkut: haha, thank you! ;-)

GEEK
April 15th, 2010, 14:04
yes it is