“Descriptor tables in kernel exploitation” – a new article

Not so long ago (a few weeks, actually), Gynvael Coldwind and I had a chance to carry out research on using the Global and Local Descriptor Tables as a write-what-where target while exploiting ring-0 vulnerabilities on 32-bit Microsoft Windows NT-family systems. The result of our work is a small article describing the actual steps taken in order to escalate privileges through the GDT/LDT. As usual, example source code snippets are available (attached to the document), so that readers can check their effectiveness on their own.

I would like to say thank you to Unavowed and Agnieszka Zerka for their comments and help in the process of assembling this publication.

A complete package, including the PDF file “GDT and LDT in Windows kernel vulnerability exploitation” (with the source.zip file enclosed with the paper), can be downloaded from here (682 kB).

Content:
1. Abstract
2. The need of a stable exploit path
3. Windows GDT and LDT
4. Creating a Call-Gate entry in LDT
4.1. 4-byte write-what-where exploitation
4.2. 1-byte write-what-where exploitation
4.3. Custom LDT goes User Mode
5. Summary
+ References
+ Attachments
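The table of contents above ends with the 4-byte and 1-byte write-what-where cases. As an added illustration (my own code here, not part of the paper or of its source.zip), the C program below encodes a 32-bit call-gate descriptor exactly as the Intel manuals lay it out and shows the encoding property that lets a single byte be enough: a ring-3 data segment descriptor can be chosen so that it matches the wanted call gate in every byte except byte 5 (the P/DPL/S/type byte), so overwriting that one byte with 0xEC turns it into a present, DPL-3 call gate. The selector 0x0008 and offset 0x80400000 are made-up values; whether and how a process can get such an entry into its LDT on Windows, and where that entry lives in kernel memory, is what the paper covers and what this snippet assumes rather than shows.

```c
#include <stdint.h>
#include <stdio.h>

/* One raw 8-byte x86 segment descriptor, exactly as it sits in the GDT or LDT. */
typedef struct { uint8_t b[8]; } descriptor_t;

/* Decoded fields of a 32-bit call gate (Intel SDM Vol. 3, "Call Gates"). */
typedef struct {
    uint16_t selector;    /* target code segment, e.g. a ring-0 code selector */
    uint32_t offset;      /* entry point inside that segment */
    uint8_t  dpl;         /* lowest privilege allowed to CALL FAR through the gate */
    uint8_t  present;
    uint8_t  type;        /* 0xC for a 32-bit call gate */
    uint8_t  param_count;
} callgate_t;

#define CALLGATE32_TYPE   0x0C
#define RING3_GATE_ACCESS 0xEC  /* byte 5: P=1 | DPL=3 | S=0 | type=0xC */
#define RING3_DATA_ACCESS 0xF2  /* byte 5: P=1 | DPL=3 | S=1 | type=2 (R/W data) */

descriptor_t make_callgate(uint16_t selector, uint32_t offset, uint8_t dpl)
{
    descriptor_t d = {{0}};
    d.b[0] = (uint8_t)offset;
    d.b[1] = (uint8_t)(offset >> 8);
    d.b[2] = (uint8_t)selector;
    d.b[3] = (uint8_t)(selector >> 8);
    d.b[4] = 0;                                   /* param count 0, reserved bits 0 */
    d.b[5] = (uint8_t)(0x80 | ((dpl & 3) << 5) | CALLGATE32_TYPE);
    d.b[6] = (uint8_t)(offset >> 16);
    d.b[7] = (uint8_t)(offset >> 24);
    return d;
}

callgate_t parse_callgate(const descriptor_t *d)
{
    callgate_t g;
    g.offset = (uint32_t)d->b[0] | ((uint32_t)d->b[1] << 8)
             | ((uint32_t)d->b[6] << 16) | ((uint32_t)d->b[7] << 24);
    g.selector    = (uint16_t)(d->b[2] | (d->b[3] << 8));
    g.param_count = d->b[4] & 0x1F;
    g.type        = d->b[5] & 0x0F;
    g.dpl         = (d->b[5] >> 5) & 3;
    g.present     = d->b[5] >> 7;
    return g;
}

int is_ring3_callgate(const descriptor_t *d) { return d->b[5] == RING3_GATE_ACCESS; }

int gate_roundtrip_ok(uint16_t selector, uint32_t offset, uint8_t dpl)
{
    descriptor_t d = make_callgate(selector, offset, dpl);
    callgate_t g = parse_callgate(&d);
    return g.selector == selector && g.offset == offset && g.dpl == dpl
        && g.present == 1 && g.type == CALLGATE32_TYPE && g.param_count == 0;
}

/* A 32-bit data segment uses the same 8 bytes as base/limit/flags:
 *   b[0..1] limit 15:0   b[2..3] base 15:0   b[4] base 23:16
 *   b[5] access byte     b[6] G|D/B|L|AVL|limit 19:16   b[7] base 31:24
 * so bytes 0-4, 6 and 7 of any call gate are also some base/limit/flag combination. */
descriptor_t make_dataseg(uint32_t base, uint32_t limit, uint8_t flags_hi_nibble)
{
    descriptor_t d = {{0}};
    d.b[0] = (uint8_t)limit;
    d.b[1] = (uint8_t)(limit >> 8);
    d.b[2] = (uint8_t)base;
    d.b[3] = (uint8_t)(base >> 8);
    d.b[4] = (uint8_t)(base >> 16);
    d.b[5] = RING3_DATA_ACCESS;
    d.b[6] = (uint8_t)((flags_hi_nibble & 0xF0) | ((limit >> 16) & 0x0F));
    d.b[7] = (uint8_t)(base >> 24);
    return d;
}

/* The data descriptor that equals make_callgate(selector, offset, 3) in all bytes but byte 5. */
descriptor_t data_twin_of_gate(uint16_t selector, uint32_t offset)
{
    uint32_t base  = (uint32_t)selector | (offset & 0xFF000000u); /* bits 23:16 stay 0 = param count */
    uint32_t limit = (offset & 0xFFFFu) | (offset & 0x000F0000u);
    uint8_t  flags = (uint8_t)((offset >> 16) & 0xF0);
    return make_dataseg(base, limit, flags);
}

int bytes_differing(const descriptor_t *x, const descriptor_t *y)
{
    int n = 0;
    for (int i = 0; i < 8; i++) n += (x->b[i] != y->b[i]);
    return n;
}

/* Simulate the 1-byte write: returns 1 if patching byte 5 of the twin yields the gate. */
int one_byte_patch_makes_gate(uint16_t selector, uint32_t offset)
{
    descriptor_t gate = make_callgate(selector, offset, 3);
    descriptor_t twin = data_twin_of_gate(selector, offset);
    if (is_ring3_callgate(&twin) || bytes_differing(&twin, &gate) != 1) return 0;
    twin.b[5] = RING3_GATE_ACCESS;                /* the one byte the w-w-w has to land */
    return is_ring3_callgate(&twin) && bytes_differing(&twin, &gate) == 0;
}

int main(void)
{
    /* Selector 0x0008 and offset 0x80400000 are made-up illustrative values. */
    descriptor_t gate = make_callgate(0x0008, 0x80400000u, 3);
    descriptor_t twin = data_twin_of_gate(0x0008, 0x80400000u);
    for (int i = 0; i < 8; i++)
        printf("byte %d: data twin %02x  call gate %02x%s\n", i, twin.b[i], gate.b[i],
               twin.b[i] != gate.b[i] ? "  <- differs" : "");
    printf("one-byte patch yields a ring-3 call gate: %d\n",
           one_byte_patch_makes_gate(0x0008, 0x80400000u));
    return 0;
}
```

Byte 5 is the only byte of a descriptor the CPU interprets the same way regardless of descriptor class (present, DPL, system/non-system, type), which is why it is the natural target for the 1-byte case; with a 4-byte write the whole upper dword (bytes 4 to 7, i.e. param count, access byte and offset 31:16) can be set in one go.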

Have fun && Leave your comments!

10 thoughts on ““Descriptor tables in kernel exploitation” – a new article”

  1. Doesn’t seem worth the read. Nothing new here. Of course call-gates allow ring0 access from ring3 if set up properly, and of course a driver with a bug allows you to muck around in kernel space.

    I will give credit for putting together those two things with a process-only LDT to create call-gates. Nicely done, but still, all you need to do is read the Intel manuals to know this is possible.

    The title is very misleading, this has nothing to do with Windows itself being vulnerable.

  2. Hi Jeff, thanks for your opinion!

    > Doesn’t seem worth the read. Nothing new here. Of course call-gates allow ring0 access from ring3 if
    > set up properly, and of course a driver with a bug allows you to muck around in kernel space.

    To be honest, I think that pretty much every ring-0 exploitation technique is obvious from a specific point of view. However, does it mean that no methods regarding this subject should either be described in papers or generally mentioned anywhere, just because of their “obviousness”? As written in the abstract, there’s really no revolutionary information included – the point is to make the coders reconsider their w-w-w exploitation targets or maybe just cause some interesting discussion to arise.

    Moreover, our paper covers “extreme” situations, where the attacker is able to overwrite only 1 byte of the protected memory; the PoC code aims to prove that it is still possible to perform a stable priv. escal. attack with just this.

    > I will give credit for putting together those two things with a process-only LDT to create call-gates. Nicely
    > done, but still, all you need to do is read the Intel manuals to know this is possible.

    Again, you’re right up to a point. We can observe the very same situation when it comes to VM detection methods; once more, everything one needs to do is to read the Intel (or any other processor’s) manuals and perform his own tests. No secret knowledge here, but still a number of blog entries / articles / other publications are committed, covering this subject. Why? Because it is interesting!

    > The title is very misleading, this has nothing to do with Windows itself being vulnerable.

    Well, does the title really state that Windows is vulnerable, at any point? As far as I am concerned, the “Windows kernel vulnerability exploitation” phrase makes it clear that the paper is about general ring-0 exploitation techniques… not about any Windows vulnerability.

  3. Pingback: IDELIT
  4. Can I get your email id? I need to discuss something related to the Windows x86-64 WIN32K.SYS System Call that you have created at http://j00ru.vexillium.org/win32k_x64/ . Thank You
