Skip to content

Windows Kernel Vulnerabilities release (Hispasec research)

Today, during the Patch Tuesday, Microsoft has released bits of information regarding the security vulnerabilities present in the Windows kernel – found and exploited (in the Proof of Concept form) by me and Gynvael Coldwind – which are directly connected with a well-known Windows Registry functionality. Five bugs have been described (there is a total of six in fact – one of them was reduced due to the fact that one patch in the source code fixes two separate vulns at the same time) – two of them allow Local Elevation of Privileges to be achieved, while the other three make it possible to perform a Denial of Service attack.

What should be noted is that the entire research was done within the cooperation with Hispasec VirusTotal.

Let’s take a look at what the Microsoft report (MS10-021 to be exact) says about the vulnerabilities in consideration:

Windows Kernel Null Pointer Vulnerability – CVE-2010-0234

A denial of service vulnerability exists in the Windows kernel due to the insufficient validation of registry keys passed to a Windows kernel system call. An attacker could exploit the vulnerability by running a specially crafted application, causing the system to become unresponsive and automatically restart.

Windows Kernel Symbolic Link Value Vulnerability – CVE-2010-0235

A denial of service vulnerability exists in the Windows kernel due to the manner in which the kernel processes the values of symbolic links. An attacker could exploit the vulnerability by running a specially crafted application causing the system to become unresponsive and automatically restart.

Windows Kernel Memory Allocation Vulnerability – CVE-2010-0236

An elevation of privilege vulnerability exists in the Windows kernel due to the manner in which memory is allocated when extracting a symbolic link from a registry key. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Windows Kernel Symbolic Link Creation Vulnerability – CVE-2010-0237

An elevation of privilege vulnerability exists when the Windows kernel does not properly restrict symbolic link creation between untrusted and trusted registry hives. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Windows Kernel Registry Key Vulnerability – CVE-2010-0238

A denial of service vulnerability exists in the way that the Windows kernel validates registry keys. An attacker could exploit the vulnerability by running a specially crafted application causing the system to become unresponsive and automatically restart.

A more detailed description of how the vulnerabilities work, as well as the process of finding and exploiting these (together with the bug presented in MS10-011 report) is going to be presented during two security conferences. The first of them is Hack In The Box (Dubai edition), held on 22th of April this year – which I cannot attend because of independent reasons – Gynvael is going to have a speech for both of us. The second one is a polish CONFidence event, which takes place on 25-26th of May in Cracow, where the full team (that is me and Gyn) will explain the technical details of this operation :-) I highly encourage you to take part in the latter one, as it is one of the best polish conferences dedicated to the security subject.

A few lines have been dropped by Nick Finco (MSRC Engineering) on the Microsoft Security & Research blog. In case there are some more interesting notes, I will update this post and put more links here

Greets! Leave some comments, please ;-)

Update 1: As it seems to be a very convenient moment to create a Twitter account, I have just done so – HERE you can find my profile.

{ 1 } Comments

  1. rage | 14-Apr-10 at 06:56:48 | Permalink

    Nice find!

Post a Comment

Your email is never published nor shared. Required fields are marked *