Kernel exploitation – r0 to r3 transitions via KeUserModeCallback
Hey there!
I have recently came across (well, not entirely by myself... cheers Nahuel!) a fairly (un)common problem related to performing ring0-to-ring3 transitions, after a successful kernel vulnerability exploitation. As I have managed to come up with a bunch of possible solutions, and even write exemplary code for some of these, today I would like to present my thoughts, together with some brief explanation.
Windows CSRSS Write Up: Inter-process Communication (part 2/3)
A quick beginning note: My friend d0c_s4vage has created a technical blog and posted his first text just a few days ago. The post entry covers a recent, critical libpng vulnerability discovered by this guy; the interesting thing is that, among others, the latest Firefox and Chrome versions were vulnerable. Feel free to take a minute and read the article here.
Additionally, the video and mp3 recordings from the presentation performed by me and Gynvael on the CONFidence 2010 conference, are now publicly available on the official website: link (Case study of recent Windows vulnerabilities).
Windows CSRSS Write Up: Inter-process Communication (part 1/3)
In the second post of the Windows CSRSS Write Up series, I would like to explain how the practical communication between the Windows Subsystem and user's process takes place under the hood. Due to the fact that some major improvements have been introduced in Windows Vista and later, the entire article is split into two parts - the first one giving an insight at what the communication channel really is, as well as how is it taken advantage of by both CSRSS and a user processes. The second one, on the other hand, is going to talk through the modifications and new features shipped with the Windows systems starting from Vista, as most of the basic ideas remain the same for decades. As you already know what to expect, proceed to the next section 
Windows CSRSS Write Up: the basics (part 1/1)
NOTE: The following post entry opens a series of CSRSS-oriented articles, aiming at describing the uncovered CSRSS mechanism internals, present in the Windows OS for more than fifteen years now. Although some great research has already been carried out by a few curious guys (check out the references), no thorough case study is available until now. In this series, I am going to cover both the very basic ideas and their implementations, as well as the recent CSRSS changes applied in modern operating systems (i.e. Windows 7). And so, just have a good read! 
CONFidence 2010 is over
One of the biggest (best ) IT security-oriented conferences in Poland finished three days ago, in the wednesday evening. In the very first place, I would like to congratulate all the organisers, for their decision on where the event should be held, as well as how it should look like - during these two days, I had plenty of real fun!
Windows CSRSS cross-version API Table
Hello!
It seems like half a year has passed since I published the Win32k.SYS system call table list on the net. During this time (well, it didn't take so long ) I managed to gather enough information to release yet another API list - this time, concerning an user-mode application - CSRSS (Client/Server Runtime SubSystem). As a relatively common research subject, I think a table of this kind can make things easier for lots of people.
Windows Kernel Vulnerabilities continued – details
And so it happened ;> As I've written in this post, Gynvael Coldwind has just finished speaking about recent Windows Kernel Vulnerabilities on the Hack In The Box Dubai conference, taking place today. Unfortunately, because of the European air communication being disabled these days, the presentation was held remotely - one way or another, it can be considered very successful, imho.
Thanks to the organisers, who publish the materials right after the speeches are over, all of the slides are now available at http://conference.hitb.org/hitbsecconf2010dxb/materials/.
Our presentation, containing the details of how the aforementioned kernel / CSRSS vulns work and can be exploited, can be found here (1.27MB).
I am not going to spoil anything more here - if you were not lucky to attend the Dubai conference, I strongly recommend the polish CONFidence 2010 held in May (which I also mentioned already).
Have fun!
CTcpFwd – cross-platform stdin/out to socket forwarding class
Hello,
A few weeks ago, I had the pleasure to take part in a local 24-hour long, programming marathon (greets to my team: Pawel and Wojtek!). Due to the nature of the competition, I was obliged to create a simple class, making it possible to redirect sockets to standard i/o (stdin / stdout), which would greatly facilitate the communication process with the contest server. Because of the fact that we were going to work on different system platforms - both Microsoft Windows and GNU/Linux, the class had to be as cross-platform compatible as it was only possible. And so the CTcpFwd class, presented today, came into existence.
Windows Kernel Vulnerabilities release (Hispasec research)
Today, during the Patch Tuesday, Microsoft has released bits of information regarding the security vulnerabilities present in the Windows kernel - found and exploited (in the Proof of Concept form) by me and Gynvael Coldwind - which are directly connected with a well-known Windows Registry functionality. Five bugs have been described (there is a total of six in fact - one of them was reduced due to the fact that one patch in the source code fixes two separate vulns at the same time) - two of them allow Local Elevation of Privileges to be achieved, while the other three make it possible to perform a Denial of Service attack.
“Descriptor tables in kernel exploitation” – a new article
Hi there!
Not so long (a few weeks, actually) ago, me together with Gynvael Coldwind had a chance to carry out a research regarding the Global and Local Descriptor Tables being used as a write-what-where target, while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article, describing the actual steps taken in order to escalate the privileges through GDT/LDT. As usual, exemplary source code snippets are available (attached to the document), so that the reader can check their effectiveness on his own.
Pages
Projects
Recent Posts
- Kernel exploitation – r0 to r3 transitions via KeUserModeCallback
- Windows CSRSS Write Up: Inter-process Communication (part 2/3)
- Blog customization, old PHP advisories
- Windows CSRSS Write Up: Inter-process Communication (part 1/3)
- Windows CSRSS Write Up: the basics (part 1/1)
Recent Comments
- j00ru: @NCR: Mmm… you should know it, already?;D
- NCR: @j00ru: what could it be?
- j00ru: @frank boldewin: thanks mate @NCR: Ahaha, yeah ;D I’ve got something for ya btw.
- NCR: Hey!, you did it!, you wrote it! thanks!
- frank boldewin: excellent writeup dude!