ZeroNights 2013 and NTVDM vulnerabilities

Just yesterday I had the pleasure to speak at a highly hacking-oriented Russian conference, ZeroNights, for the second time (see my “ZeroNights slides, Hack In The Box Magazine #9 and other news” post from last year). The conference itself has been great so far – several interesting and inspiring talks, lots of leet Russian hackers and the Moscow atmosphere makes it a truly unique event. The title of my talk was “Windows Kernel Trap Handler and NTVDM Vulnerabilities — Case Study”, and as the name suggests, it included coverage of four vulnerabilities in all 32-bit Windows kernels starting from Windows NT 3.1 through Windows 8/Server 2012, making them 20 year old issues now. Namely, the following problems were discussed:

  • CVE-2013-3196 (nt!PushInt write-what-where condition)
  • CVE-2013-3197 (nt!PushException write-what-where condition)
  • CVE-2013-3198 (nt!VdmCallStringIoHandler write-where condition)
  • 0-day (nt!PushPmInterrupt and nt!PushRmInterrupt Blue Screen of Death DoS)

All of the above security flaws were local problems (i.e. require the ability to execute arbitrary code on the victim machine); the first three have a maximum impact of elevation of privileges (ring-0 code execution) and thus were fixed by Microsoft in September this year by the MS13-063 security bulletin. While equally interesting, the fourth one only makes it possible to get the kernel to reference memory at addressess 0xfff80008 through 0xffffffff (top 128 pages of the kernel address space) which, given the memory layout used by the operating system, is believed to be non-exploitable at the time of this writing. The bugcheck triggered by the condition is as follows:

TRAP_FRAME:  88c37b90 -- (.trap 0xffffffff88c37b90)
ErrCode = 00000000
eax=00000000 ebx=00000002 ecx=7fff0000 edx=fffffeff esi=88c37d34 edi=fff80008
eip=82b31e51 esp=88c37c04 ebp=88c37c50 iopl=0         nv up ei ng nz na pe cy
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010287
nt!PushPmInterrupt+0x20c:
82b31e51 668b07          mov     ax,word ptr [edi]        ds:0023:fff80008=????
Resetting default scope

The slide deck can be downloaded here (zeronights.pdf, 6.9MB).

Enjoy!

10 thoughts on “ZeroNights 2013 and NTVDM vulnerabilities”

  1. Hi!Thanks for you work!I make a PoC of CVE-2013-3196 (nt!PushInt write-what-where condition),
    but met trouble:
    I can’t add to the LDT custom Expand Down SS segment.
    Inside PspIsDescriptorValid function this condition doesn’t pass:
    Base == 0x0 ActualLimit == 0xFFFFFFFF
    if (Base > Base + ActualLimit ||
    ((PVOID)(Base + ActualLimit) > MM_HIGHEST_USER_ADDRESS)) {
    return FALSE;
    }
    If we will use usual expand up data-segment we fail inside PushInt:
    cmp edi,[esi].RiSsLimit ; edi==0xDEADBEEF (esp must be below limit)
    jnb err_

    Can you give me a hint?)
    With regards!

  2. @0x16: which operating system are you targetting? On Windows 7, you can create a custom LDT data segment with Base=0x0 and Limit=0xffffffff without any problems.

  3. Excellent job. Again. Excellent work. Again. ;)
    Thanks. Again. Keep goin’ – again.

    Take a beer from me. Again. ;)

  4. Thanks for answer!Yes it was xp sp3,so now i see that in w7x86 PspIsDescriptorValid totaly different,and not exist all limit-conditions..So it looks like on old windows exploitation not possible…?

Comments are closed.