Windows Kernel Vulnerabilities continued – details

And so it happened ;> As I’ve written in this post, Gynvael Coldwind has just finished speaking about recent Windows Kernel Vulnerabilities at the Hack In The Box Dubai conference, taking place today. Unfortunately, because European air travel is grounded these days, the presentation was held remotely – one way or another, it can be considered very successful, imho.

Thanks to the organisers, who publish the materials right after the speeches are over, all of the slides are now available at http://conference.hitb.org/hitbsecconf2010dxb/materials/.

Our presentation, containing the details of how the aforementioned kernel / CSRSS vulns work and can be exploited, can be found here (1.27MB).

I am not going to spoil anything more here – if you were not lucky enough to attend the Dubai conference, I strongly recommend the Polish CONFidence 2010 held in May (which I also mentioned already).

Have fun! ;-)

CTcpFwd – cross-platform stdin/out to socket forwarding class

A few weeks ago, I had the pleasure of taking part in a local 24-hour-long programming marathon (greets to my team: Pawel and Wojtek!). Due to the nature of the competition, I needed a simple class that could redirect sockets to standard i/o (stdin / stdout), which would greatly simplify communication with the contest server. Because we were going to work on different platforms – both Microsoft Windows and GNU/Linux – the class had to be as cross-platform as possible. And so the CTcpFwd class, presented today, came into existence.

After the event was over, I decided to tidy up the code and apply some minor fixes – currently, it is supposed to be a fully functional module. What should be kept in mind, though, is that the code is released as a Proof of Concept project – its main purpose is to show exactly how the stdin / stdout file descriptors can be manipulated on Windows – as it turns out, it is not as simple as one might assume.

This tiny class lets the programmer create and close multiple named remote connections (the Connect and Disconnect methods), as well as switch the stream currently associated with stdin or stdout (the SwitchStdin and SwitchStdout routines), using the names declared previously. By default, the class turns off both Nagle’s algorithm for the sockets (the TCP_NODELAY socket option) and the standard i/o buffering. Some example usage of CTcpFwd follows:

Read more
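The stdin/stdout switch that the CTcpFwd post above describes, as a POSIX-only illustration added here (it is not the class's own code, nor the usage example the post itself shows). It assumes the dup2() plus setvbuf() approach, which covers the Linux side only and says nothing about the Windows handling the post calls harder; a socketpair stands in for a real TCP connection so it runs offline.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>

/* POSIX side only: point stdin or stdout at a connected socket and make the stream unbuffered. Illustrative helpers, not CTcpFwd's code. */
static int switch_stdin_to(int sock)
{
    if (dup2(sock, STDIN_FILENO) < 0)
        return -1;
    /* Must precede any read through stdin: setvbuf on a stream already used is undefined. */
    setvbuf(stdin, NULL, _IONBF, 0);
    return 0;
}

static int switch_stdout_to(int sock)
{
    if (fflush(stdout) != 0 || dup2(sock, STDOUT_FILENO) < 0)  /* flush the old stream before replacing fd 1 */
        return -1;
    setvbuf(stdout, NULL, _IONBF, 0);   /* every printf() now reaches the peer immediately */
    return 0;
}

/* Self-check: a socketpair stands in for the TCP connection, sv[1] acting as the remote peer. Returns 1 when the
 * peer's line arrives through fgets(stdin) and the printf() reply comes back out of the peer's end, 0 or -1 otherwise. */
int demo_roundtrip(void)
{
    int sv[2], saved_in, saved_out, ok = 0;
    char line[64], echo[64];
    size_t got = 0;
    const char *msg = "hello from peer\n";   /* constructed sample input */
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;
    saved_in = dup(STDIN_FILENO);
    saved_out = dup(STDOUT_FILENO);
    if (write(sv[1], msg, strlen(msg)) < 0 || switch_stdin_to(sv[0]) < 0 || switch_stdout_to(sv[0]) < 0) {
        ok = -1;
    } else if (fgets(line, sizeof line, stdin) && printf("ack: %s", line) > 0) {
        /* An unbuffered stream may deliver the reply in pieces: read until the newline shows up. */
        while (got < sizeof echo - 1 && !memchr(echo, '\n', got)) {
            ssize_t n = read(sv[1], echo + got, sizeof echo - 1 - got);
            if (n <= 0) break;
            got += (size_t)n;
        }
        echo[got] = '\0';
        ok = strcmp(line, msg) == 0 && strcmp(echo, "ack: hello from peer\n") == 0;
    }
    dup2(saved_in, STDIN_FILENO);    /* restore the original streams */
    dup2(saved_out, STDOUT_FILENO);
    close(saved_in); close(saved_out); close(sv[0]); close(sv[1]);
    return ok;
}
```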

Windows Kernel Vulnerabilities release (Hispasec research)

Today, on Patch Tuesday, Microsoft released bits of information regarding the security vulnerabilities present in the Windows kernel – found and exploited (in Proof of Concept form) by me and Gynvael Coldwind – all of which are directly related to well-known Windows Registry functionality. Five bugs have been described (there are in fact six in total – the count is lower because a single source-code patch fixes two separate vulns at once) – two of them allow Local Elevation of Privileges, while the other three make it possible to perform a Denial of Service attack.

What should be noted is that the entire research was done in cooperation with Hispasec VirusTotal.

Let’s take a look at what the Microsoft report (MS10-021 to be exact) says about the vulnerabilities under consideration:

Read more