10-15-2008, 07:34 AM   #1
Vertabreaker (SOT N3rd Mod +1)
Join Date: Aug 2007
Location: The phone booth across the street
Posts: 10,357
Two rootkit-like kernel level vulnerabilities discovered in Windows x86 and Itanium

Go Windows! lulz

Quote:
San Jose (CA) - A security company called SkyRecon Systems has uncovered two kernel-level vulnerabilities present in multiple versions of the Windows operating system, including server versions. These flaws occur not only on x86-based PCs in both 32-bit and 64-bit mode, but also on 64-bit Itanium machines. As is common with this kind of exploit, the vulnerabilities are the result of a flaw in the Windows design and are not the result of hardware features. SkyRecon is working with Microsoft to release patches for the vulnerabilities later this month.


CVE-2008-2252 and CVE-2008-3464

Affected operating systems include all versions of Windows XP Professional, Windows 2000 Server, and Windows 2003 Server. CVE-2008-2252 also affects Vista.

These vulnerabilities leave the system open to a type of attack which allows invading code (a virus or worm) to achieve kernel-level access. This is a common exploit used by something called a rootkit, which is a way to achieve kernel-level access by normal user programs. Basically, the results of this exploit mean nothing inside the core operating system is left secure, and nothing would be potentially out of bounds for access if such an exploit were used.

To explain this further, consider the architecture of the x86 CPU.


RING0 - RING3

In the Windows operating system there are several levels of code execution. On the x86, these logical barriers exist in hardware via something called RING0, RING1, RING2 and RING3. A newer level called RING-1 (negative one or minus one) was created for the hypervisor layer.

They're called rings because of the way hardware designers visualize security. The most secure portions are on the outside. In this context, being more secure means being able to do less. The further away from the core an application is, the less it can do.

The concentric rings end up at the RING0 layer, which looks like a bull's eye on a target. From inside RING0 nothing is truly secure. The only way security is maintained in RING0 code is by adhering to strict software protocols. That means a program doesn't do what a program's not supposed to do. It is literally the only defense there is against RING0 code.

A RING0 program, for example, can access all of memory - even memory running in other programs. It can also, of course, access all of the hardware on the machine. It is for these reasons that only the most trusted core algorithms operate in this ring. Everything else operates in RING1 or higher, which provides increasing levels of insulation against faulty programs taking the machine down.

Typical user applications run in RING3.


RING3 becomes RING0

These newly discovered vulnerabilities allow a RING3 application to achieve RING0 execution. As such, what begins initially as a normal user application running in Windows ultimately takes complete control over the machine. It is unlikely that such an exploit would be useful for any purpose other than taking the machine down or extracting information from it, both of which would be quite negative to the user.

One possible useful side-effect of this vulnerability would be for debugging code during software development. By introducing a high-level program into Windows, and then safely and without purposeful malice, achieving RING0 access, all of the system would be exposed and could be visualized by a regular user application. If someone were developing an application and needed access to inner-parts of the core OS that aren't normally present, then that information might be extremely useful. It's actually quite ironic because this week I am literally working on a problem that could benefit from using this exploit.


Security bulletins

Microsoft has issued security bulletins for these exploits: MS08-003. They have identified them as "important." Microsoft has four categories used for security issues, with important being a significant designation:

Critical
A vulnerability whose exploitation could allow the propagation of an Internet worm without user action.

Important
A vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or of the integrity or availability of processing resources.

Moderate
Exploitability is mitigated to a significant degree by factors such as default configuration, auditing, or difficulty of exploitation.

Low
A vulnerability whose exploitation is extremely difficult, or whose impact is minimal.
__________________

Every man dies, not every man really lives.
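The ring model the quoted article describes is visible from user mode: on x86 and x86-64 the low two bits of the CS segment selector hold the current privilege level (CPL), 0 for the kernel and 3 for ordinary applications. The program below is an added example for this thread, not code from the article, SkyRecon or Microsoft. It decodes a selector into its GDT/LDT index, table indicator and privilege bits, then reads the live CS register with GCC/Clang inline assembly so a reader can confirm that a normal process really does run in RING3. The selector values in the comments (0x33, 0x10) are illustrative constructed inputs; on a non-x86 CPU the ring query returns -1 because the concept does not apply there.

```c
#include <stdint.h>
#include <stdio.h>

/* An x86 segment selector, as loaded into CS/DS/etc.:
 *   bits 0-1  RPL (for CS this equals the CPL, the ring code is running in)
 *   bit  2    table indicator: 0 = GDT, 1 = LDT
 *   bits 3-15 index into that descriptor table */
typedef struct {
    unsigned index;
    unsigned table_indicator;
    unsigned rpl;
} selector_fields;

/* Pure decoding of a selector value; works on any CPU (constructed inputs
 * such as 0x33 -> index 6, GDT, RPL 3 or 0x10 -> index 2, GDT, RPL 0). */
selector_fields decode_selector(uint16_t sel) {
    selector_fields f;
    f.rpl = sel & 0x3u;
    f.table_indicator = (sel >> 2) & 0x1u;
    f.index = sel >> 3;
    return f;
}

/* Read the live CS selector. Only meaningful on x86/x86-64 with GCC/Clang
 * inline asm (assumption); returns 0 on other architectures. */
uint16_t read_cs(void) {
#if defined(__x86_64__) || defined(__i386__)
    uint16_t cs;
    __asm__ volatile ("mov %%cs, %0" : "=r"(cs));
    return cs;
#else
    return 0;
#endif
}

/* Ring the calling code executes in (0..3), or -1 when not on x86. A user
 * process should always see 3; anything lower would mean the ring boundary
 * the article describes has already been crossed. */
int current_ring(void) {
#if defined(__x86_64__) || defined(__i386__)
    return (int)decode_selector(read_cs()).rpl;
#else
    return -1;
#endif
}

int main(void) {
    uint16_t cs = read_cs();
    selector_fields f = decode_selector(cs);
    printf("CS = 0x%04x: %s index %u, RPL/CPL %u\n", cs,
           f.table_indicator ? "LDT" : "GDT", f.index, f.rpl);

    int ring = current_ring();
    if (ring < 0)
        puts("not an x86 CPU; x86 ring levels do not apply here");
    else
        printf("this process is executing in RING%d\n", ring);
    return 0;
}
```

Build with `cc -O2 ring.c -o ring && ./ring`. The point of the exercise is the contrast: a RING3 process can inspect its own selector but cannot change the privilege bits, load a kernel descriptor or touch kernel memory; the vulnerabilities in the article matter precisely because they let code that starts with CPL 3 end up running with CPL 0.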
10-15-2008, 08:10 AM   #2
Cr@xH3aDMcg33 (SOT Administrator)
Join Date: Jun 2006
Location: Miami
Posts: 25,121
Thanks.
__________________
PUT THE FUCKING LOTION IN THE BASKET!!!!!!!!!!!
10-15-2008, 02:42 PM   #3
Jaymzx (SOT Member)
Join Date: Sep 2008
Location: Seattle
Posts: 149
If you can hit RING0 then I'm thinking you can drop something like Redpill. Interesting to see how this plays out.

So, it's spread by malware, not remote execution. Unpatched systems would be fun since you can execute the exploit through some other hole.
__________________
' DROP TABLE "signatureparsed"