Just yesterday I had the pleasure to speak at a highly hacking-oriented Russian conference, ZeroNights, for the second time (see my “ZeroNights slides, Hack In The Box Magazine #9 and other news” post from last year). The conference itself has been great so far – several interesting and inspiring talks, lots of leet Russian hackers and the Moscow atmosphere makes it a truly unique event. The title of my talk was “Windows Kernel Trap Handler and NTVDM Vulnerabilities — Case Study”, and as the name suggests, it included coverage of four vulnerabilities in all 32-bit Windows kernels starting from Windows NT 3.1 through Windows 8/Server 2012, making them 20 year old issues now. Namely, the following problems were discussed:
nt!PushRmInterruptBlue Screen of Death DoS)
All of the above security flaws were local problems (i.e. require the ability to execute arbitrary code on the victim machine); the first three have a maximum impact of elevation of privileges (ring-0 code execution) and thus were fixed by Microsoft in September this year by the MS13-063 security bulletin. While equally interesting, the fourth one only makes it possible to get the kernel to reference memory at addressess 0xfff80008 through 0xffffffff (top 128 pages of the kernel address space) which, given the memory layout used by the operating system, is believed to be non-exploitable at the time of this writing. The bugcheck triggered by the condition is as follows:
TRAP_FRAME: 88c37b90 -- (.trap 0xffffffff88c37b90) ErrCode = 00000000 eax=00000000 ebx=00000002 ecx=7fff0000 edx=fffffeff esi=88c37d34 edi=fff80008 eip=82b31e51 esp=88c37c04 ebp=88c37c50 iopl=0 nv up ei ng nz na pe cy cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010287 nt!PushPmInterrupt+0x20c: 82b31e51 668b07 mov ax,word ptr [edi] ds:0023:fff80008=???? Resetting default scope
The slide deck can be downloaded here (zeronights.pdf, 6.9MB).