Comments on: “Descriptor tables in kernel exploitation” – a new article http://j00ru.vexillium.org/?p=290 Coding, reverse engineering, OS internals covered one more time Mon, 06 Sep 2010 22:12:35 +0000 hourly 1 http://wordpress.org/?v=3.0.1 By: j00ru http://j00ru.vexillium.org/?p=290&cpage=1#comment-755 j00ru Tue, 19 Jan 2010 16:52:55 +0000 http://j00ru.vexillium.org/?p=290#comment-755 Hi Jeff, thanks for your opinion! > Doesn’t seem worth the read. Nothing new here. Of course call-gates allow ring0 access from ring3 if > setup properly, and of course a driver with a bug allows you to muck around in kernel space. To be honest, I think that pretty much every ring-0 exploitation technique is <em>obvious</em> from a specific point of view. However, does it mean that no methods regarding this subject should either be described in papers or generally mentioned anywhere, just because of their "obviousness"? As written in the abstract, there's really no revolutionary information included - the point is to make the coders reconsider their w-w-w exploitation targets or maybe just cause some interesting discussion to arise. Moreover, our paper covers "extreme" situations, where the attacker is able to overwrite only 1 byte of the protected memory; the PoC code aims to prove that it is still possible to perform a stable priv. escal. attack with just this. > I will give credit for putting together those two things with a process only LDT to create call-gates. Nicely > done, but still, all you need to do is read the Intel manuals to know this is possible. Again, you're right up to a point. We can observe the very same situation when it comes to VM detection methods; once more, everything one needs to do is to read the Intel (or any other processor's) manuals and perform his own tests. No secret knowledge here, but still a number of blog entries / articles / other publications are commited, covering this subject. Why? because it is interesting! > The title is very misleading, this has nothing to do with Windows itself being vulnerable. Well, does the title really state that Windows is vulnerable, in any point? As far as I am concerned, the "Windows kernel vulnerability exploitation" phrase makes it clear that the paper is about general ring-0 exploitation techniques... not about any Windows vulnerability. Hi Jeff, thanks for your opinion!

> Doesn’t seem worth the read. Nothing new here. Of course call-gates allow ring0 access from ring3 if
> setup properly, and of course a driver with a bug allows you to muck around in kernel space.

To be honest, I think that pretty much every ring-0 exploitation technique is obvious from a specific point of view. However, does it mean that no methods regarding this subject should either be described in papers or generally mentioned anywhere, just because of their “obviousness”? As written in the abstract, there’s really no revolutionary information included – the point is to make the coders reconsider their w-w-w exploitation targets or maybe just cause some interesting discussion to arise.

Moreover, our paper covers “extreme” situations, where the attacker is able to overwrite only 1 byte of the protected memory; the PoC code aims to prove that it is still possible to perform a stable priv. escal. attack with just this.

> I will give credit for putting together those two things with a process only LDT to create call-gates. Nicely
> done, but still, all you need to do is read the Intel manuals to know this is possible.

Again, you’re right up to a point. We can observe the very same situation when it comes to VM detection methods; once more, everything one needs to do is to read the Intel (or any other processor’s) manuals and perform his own tests. No secret knowledge here, but still a number of blog entries / articles / other publications are commited, covering this subject. Why? because it is interesting!

> The title is very misleading, this has nothing to do with Windows itself being vulnerable.

Well, does the title really state that Windows is vulnerable, in any point? As far as I am concerned, the “Windows kernel vulnerability exploitation” phrase makes it clear that the paper is about general ring-0 exploitation techniques… not about any Windows vulnerability.

]]> By: Jeff http://j00ru.vexillium.org/?p=290&cpage=1#comment-754 Jeff Tue, 19 Jan 2010 02:59:54 +0000 http://j00ru.vexillium.org/?p=290#comment-754 Doesn't seem worth the read. Nothing new here. Of course call-gates allow ring0 access from ring3 if setup properly, and of course a driver with a bug allows you to muck around in kernel space. I will give credit for putting together those two things with a process only LDT to create call-gates. Nicely done, but still, all you need to do is read the Intel manuals to know this is possible. The title is very misleading, this has nothing to do with Windows itself being vulnerable. Doesn’t seem worth the read. Nothing new here. Of course call-gates allow ring0 access from ring3 if setup properly, and of course a driver with a bug allows you to muck around in kernel space.

I will give credit for putting together those two things with a process only LDT to create call-gates. Nicely done, but still, all you need to do is read the Intel manuals to know this is possible.

The title is very misleading, this has nothing to do with Windows itself being vulnerable.

]]> By: Dreg http://j00ru.vexillium.org/?p=290&cpage=1#comment-748 Dreg Sun, 17 Jan 2010 03:33:30 +0000 http://j00ru.vexillium.org/?p=290#comment-748 Nice j00ru! :-) Nice j00ru! :-)

]]>