
Disabling 16-bit processes in Windows (@glycotrainer wanted me to post this)

Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack


From: Tavis Ormandy <taviso () sdf lonestar org>
Date: Tue, 19 Jan 2010 20:11:17 +0100


Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
-------------------------------------------------------------------------

CVE-2010-0232

In order to support BIOS service routines in legacy 16-bit applications, the
Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode
monitor code. These are implemented in two stages, the kernel transitions to
the second stage when the #GP trap handler (nt!KiTrap0D) detects that the
faulting cs:eip matches specific magic values.

Transitioning to the second stage involves restoring execution context and
call stack (which had been previously saved) from the faulting trap frame once
authenticity has been verified.

This verification relies on the following incorrect assumptions:

  - Setting up a VDM context requires SeTcbPrivilege.
  - ring3 code cannot install arbitrary code segment selectors.
  - ring3 code cannot forge a trap frame.

This is believed to affect every release of the Windows NT kernel, from
Windows NT 3.1 (1993) up to and including Windows 7 (2009).

Working out the details of the attack is left as an exercise for the reader.

Just kidding, that was an homage to Derek Soeder :-) 

- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.

Creating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order
to access the authenticated system service, NtVdmControl(). VdmAllowed can
only be set using NtSetInformationProcess(), which verifies the caller has
SeTcbPrivilege. If this is true, the caller is very privileged and can
certainly be trusted.

This restriction can be subverted by requesting the NTVDM subsystem, and then
using CreateRemoteThread() to execute in the context of the subsystem process,
which will already have this flag set.

- Assumption 1: ring3 code cannot install arbitrary code segment selectors.

Cpl is usually equal to the two least significant bits of cs and ss, and is
a simple way to calculate the privilege of a task. However, there is an
exception, Virtual-8086 mode.

Real mode uses a segmented addressing scheme in order to allow 16-bit
addresses to access the 20-bit address space. This is achieved by forming
physical addresses from a calculation like (cs << 4) + (eip & 0xffff). The
same calculation is used to map the segmented real address space onto the
protected linear address space in Virtual-8086 mode. Therefore, I must be
permitted to set cs to any value, and checks for disallowed or privileged
selectors can be bypassed (PsSetLdtEntries will reject any selector where any
of the three lower bits are unset, as is the case with the required cs pair).

- Assumption 2: ring3 code cannot forge a trap frame.

Returning to usermode with iret is a complicated operation, the pseudocode for
the iret instruction alone spans several pages of Intel's Software Developers
Manual. The operation occurs in two stages, a pre-commit stage and a
post-commit stage. Using the VdmContext installed using NtVdmControl(), an
invalid context can be created that causes iret to fail pre-commit, thus
forging a trap frame.

The final requirement involves predicting the address of the second-stage BIOS
call handler. The address is static in Windows 2003, XP and earlier operating
systems, however, Microsoft introduced kernel base randomisation in Windows
Vista. Unfortunately, this potentially useful exploit mitigation is trivial
to defeat locally as unprivileged users can simply query the loaded module list
via NtQuerySystemInformation().

--------------------
Affected Software
--------------------

All 32-bit x86 versions of Windows NT released since 27-Jul-1993 are believed to
be affected, including but not limited to the following actively supported
versions:

    - Windows 2000
    - Windows XP
    - Windows Server 2003
    - Windows Vista
    - Windows Server 2008
    - Windows 7

--------------------
Consequences
--------------------

Upon successful exploitation, the kernel stack is switched to an attacker
specified address.

An attacker would trigger the vulnerability by setting up a specially
formed VDM_TIB in their TEB, using a code sequence like this:

/* ... */
    // Magic CS required for exploitation
    Tib.VdmContext.SegCs = 0x0B;
    // Pointer to fake kernel stack
    Tib.VdmContext.Esi = &KernelStack;
    // Magic IP required for exploitation
    Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;

    NtCurrentTeb()->Reserved4[0] = &Tib;
/* ... */

Followed by

/* ... */
    NtVdmControl(VdmStartExecution, NULL);
/* ... */

Which will reach the following code sequence via the #GP trap handler,
nt!KiTrap0D. Please note how the stack pointer is restored from the saved
(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition
described above.

/* ... */
.text:0043C3CE Ki386BiosCallReturnAddress proc near
.text:0043C3CE     mov     eax, large fs:KPCR.SelfPcr
.text:0043C3D4     mov     edi, [ebp+KTRAP_FRAME.Esi]
.text:0043C3D7     mov     edi, [edi]
.text:0043C3D9     mov     esi, [eax+KPCR.NtTib.StackBase]
.text:0043C3DC     mov     ecx, 84h
.text:0043C3E1     mov     [eax+KPCR.NtTib.StackBase], edi
.text:0043C3E4     rep movsd
.text:0043C3E6     mov     esp, [ebp+KTRAP_FRAME.Esi]
.text:0043C3E9     add     esp, 4
.text:0043C3EC     mov     ecx, [eax+KPCR.PrcbData.CurrentThread]
.text:0043C3F2     mov     [ecx+KTHREAD.InitialStack], edi
.text:0043C3F5     mov     eax, [eax+KPCR.TSS]
.text:0043C3F8     sub     edi, 220h
.text:0043C3FE     mov     [eax+KTSS.Esp0], edi
.text:0043C401     pop     edx
.text:0043C402     mov     [ecx+KTHREAD.Teb], edx
.text:0043C405     pop     edx
.text:0043C406     mov     large fs:KPCR.NtTib.Self, edx
.text:0043C40D     mov     ebx, large fs:KPCR.GDT
.text:0043C414     mov     [ebx+3Ah], dx
.text:0043C418     shr     edx, 10h
.text:0043C41B     mov     byte ptr [ebx+3Ch], dl
.text:0043C41E     mov     [ebx+3Fh], dh
.text:0043C421     sti
.text:0043C422     pop     edi
.text:0043C423     pop     esi
.text:0043C424     pop     ebx
.text:0043C425     pop     ebp
.text:0043C426     retn    4
/* ... */

Possibly naive example code for triggering this condition is available from the
link below.

http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip

The code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista
and Windows 7. Support for other affected operating systems is left as an
exercise for the interested reader.

--------------------
Mitigation
--------------------

If you believe you may be affected, you should consider applying the workaround
described below.

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack
from functioning, as without a process with VdmAllowed, it is not possible to
access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows Components\Application Compatibility\Prevent
access to 16-bit applications" may be used within the group policy editor to
prevent unprivileged users from executing 16-bit applications. I'm informed
this is an officially supported machine configuration.

Administrators unfamiliar with group policy may find the videos below
instructive. Further information is available from the Windows Server
Group Policy Home

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.

To watch a demonstration of this policy being applied to a Windows Server 2003
domain controller, see the link below.

http://www.youtube.com/watch?v=XRVI4iQ2Nug

To watch a demonstration of this policy being applied to a Windows Server 2008
domain controller, see the link below.

http://www.youtube.com/watch?v=u8pfXW7crEQ

To watch a demonstration of this policy being applied to a shared but
unjoined Windows XP Professional machine, see the link below.

http://www.youtube.com/watch?v=u7Y6d-BVwxk

On Windows NT4, the following knowledgebase article explains how to disable the
NTVDM and WOWEXEC subsystems.

http://support.microsoft.com/kb/220159

Applying these configuration changes will temporarily prevent users from
accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users
require this functionality.

If you do not require this feature and depend on NT security, consider
permanently disabling it in order to reduce kernel attack surface.
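The workaround above as a script, added here and not part of Tavis's advisory. It audits whether a machine is exposed (the NTVDM subsystem is only shipped on 32-bit x86 builds, so no ntvdm.exe means not affected) and then applies the "Prevent access to 16-bit applications" setting directly. The registry key path and the DWORD value name VDMDisallowed are my assumption about what that policy template writes; confirm them with rsop.msc or gpresult on your own build before relying on this.

```powershell
# Added example (not part of the advisory): audit and apply the
# "Prevent access to 16-bit applications" setting on a single machine.
# ASSUMPTION: the policy template writes the DWORD value VDMDisallowed=1
# under the AppCompat policy key below. Confirm with rsop.msc/gpresult.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

function Get-VdmExposure {
    # Is the NTVDM subsystem present (only 32-bit x86 builds ship ntvdm.exe),
    # is it running right now, and does the policy already block it?
    $ntvdmPath = Join-Path $env:SystemRoot 'System32\ntvdm.exe'
    $present   = Test-Path $ntvdmPath
    $running   = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue).Count
    $policy    = $null
    if (Test-Path $PolicyKey) {
        $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
        if ($item) { $policy = $item.$ValueName }
    }
    # Exposed means: the subsystem exists and nothing stops an unprivileged
    # user from starting it, which is all the attack in the advisory needs.
    New-Object PSObject -Property @{
        NtvdmPresent   = $present
        NtvdmProcesses = $running
        VdmDisallowed  = $policy
        Exposed        = ($present -and ($policy -ne 1))
    }
}

function Set-VdmDisallowed {
    # Writes the policy value directly; needs an administrative shell.
    # On a domain member prefer the GPO so the value is not overwritten at refresh.
    param([int]$Value = 1)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $Value -Type DWord
    if ($Value -eq 1) {
        # The policy only blocks new 16-bit launches. An ntvdm.exe that is
        # already running still has VdmAllowed set and remains a
        # CreateRemoteThread target, so terminate existing instances as well.
        Get-Process -Name ntvdm -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    Get-VdmExposure
}

# Audit first; run Set-VdmDisallowed (or Set-VdmDisallowed -Value 0 to revert)
# once you have confirmed nobody on the box needs 16-bit applications.
Get-VdmExposure | Format-List
```

The script only covers the computer-wide form of the policy; the template also exists under User Configuration, which I believe writes the same value under HKCU rather than HKLM, so check both hives when auditing a machine someone else configured. Killing the running ntvdm.exe instances matters: the advisory's bypass of Assumption 0 works by injecting into an NTVDM process that already has VdmAllowed set, and the policy alone does nothing to processes that are already up.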

--------------------
Solution
--------------------

Microsoft was informed about this vulnerability on 12-Jun-2009, and they
confirmed receipt of my report on 22-Jun-2009.

Regrettably, no official patch is currently available. As an effective and easy
to deploy workaround is available, I have concluded that it is in the best
interest of users to go ahead with the publication of this document without an
official patch. It should be noted that very few users rely on NT security, the
primary audience of this advisory is expected to be domain administrators and
security professionals.

--------------------
Credit
--------------------

This bug was discovered by Tavis Ormandy.

--------------------
Greetz
--------------------

Greetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,
ScaryBeasts, spender and all my other elite colleagues.

Check out some photography while at ring0 @ http://flickr.com/meder.

--------------------
References
--------------------

Derek Soeder has previously reported some legendary NT bugs, including multiple
vdm bugs that, while unrelated to this issue, make fascinating reading.

- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD LocalPrivilege Escalation
- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege Escalation
- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition Privilege Escalation

--------------------
Appendix
--------------------

SHA-1 checksum of KiTrap0D.zip follows.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

99a047427e9085d52aaddfc9214fd1a621534072  KiTrap0D.zip

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBS1W6+RvyfE4zaHEXAQK//QgAvo/VhPdeASGe7SSfC3jLwNzsfVfM+FMo
x7JZMMfVUh6b/+FxvokIpsCUf7QQkv+YcyCiatutVjUok5aw5BirFtPLHORIIKPX
B5gN2a4G8RIXh5yKE6FffKGQsPJNW1Ua5Jss8rf59TEj3EDky1vco+WVmmz7TsHn
TQdUreVcL8wFmCAgq5X0AKrdepYDBmYLF0AUFOdG3mKJ43dnP59p9R7+ckv0pfLW
XtvOgzZDNMew4z2Z53YQpE7dO+Y3H3rnhLN7jF7i9We9iiG4ATDke8byFAIDZQZx
ucq5EOcRsfAAWW3O8EbzQa0NiHHScJrKDjvg0gX1Y69MBBwCLNP6yg==
=LHU0
-----END PGP SIGNATURE-----

--
-------------------------------------
taviso () sdf lonestar org | finger me for my gpg key.
-------------------------------------------------------

_______________________________________________
Full-Disclosure - We believe in it.

Courtesy of http://seclists.org/fulldisclosure/2010/Jan/341


Posted by guru    Date: Friday, February 26, 2010


Skilled Computer Technician Wanted

Do you have what it takes to call yourself a Computer Guru?

Arizona Computer Guru is looking for an experienced technician with comprehensive hardware and software troubleshooting skills. We are seeking talented, motivated self-starters who are able to quickly and accurately diagnose and repair both laptop and desktop computers. In addition to the required technical skills, professionalism in work ethic, attitude, customer interaction and appearance is extremely important. The person we are looking for would be required to interact with customers and help them resolve their technical issues both in person and over the phone. They would need to maintain detailed records of all work performed while maintaining customer contact throughout the entire repair process.

This is a FULL time position and compensation (either hourly or salary based) will depend upon experience.

If you think you have what it takes we’d love to hear from you. You can also check out our website at www.azcomputerguru.com and catch our radio show Saturdays from Noon-2:00pm on Tucson’s #1 News/Talk Station 104.1FM!

http://tucson.craigslist.org/tch/1606018155.html


Posted by guru    Date: Friday, February 19, 2010


Latest MS update patch KB977165/MS10-015 may cause BSOD

As Mike Swanson stated in his recent radio show, updates are very important in defending against malware. Sometimes updates cause issues that are easily fixed by just uninstalling the update. Other times they require more in-depth fixes. This last one from Microsoft, KB977165/MS10-015, seems to be causing BSODs mostly on machines infected by some variant of the elusive TDL rootkit malware. This has been confirmed by Symantec here and here. If this is the case you find yourself in, you can either try to fix it yourself manually or bring your computer to Mike’s store to be fixed. Manually fixing this problem requires knowing how to boot from the Windows CD, locate the infected partition, replace atapi.sys, iastor.sys, idechndr.sys, ndis.sys, nvata.sys, vmscsi.sys (among others) in the system32\drivers directory with the clean backup copy from the boot CD, and reboot. Some affected machines are experiencing this problem because other kernel-mode software, good or bad, relied on the hard-coded addresses that MS10-015 changed, which likewise causes the BSOD.

For detecting and removing TDL rootkits you can try a program named Hitman Pro 3.5, which seems to be the only publicly available program that can remove all current TDL3 variants (up to TDL3.241). If your computer is already patched with MS10-015 and fails to boot, though, it can only be fixed with a boot CD.
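Before replacing drivers blind, it helps to know which of the files the post names actually differ from clean copies. The script below is an added example, not something from the post or from Hitman Pro: it hashes each suspect driver on the patient's volume and compares it with a reference copy. Everything about the reference location is an assumption (point -ReferenceDir at an expanded i386 folder from the install media or at the drivers folder of a clean machine at the same patch level); the driver list itself is the one from the post.

```powershell
# Added example, not from the post: report which of the drivers named above
# differ from known-good copies. ASSUMPTION: -ReferenceDir holds clean copies
# of the same file versions (expanded install media, or a clean machine at the
# same patch level). Uses .NET SHA1 directly because Get-FileHash does not
# exist in the PowerShell versions that ship with XP, Vista and 7.

$SuspectDrivers = 'atapi.sys','iastor.sys','idechndr.sys','ndis.sys','nvata.sys','vmscsi.sys'

function Get-Sha1Hex([string]$Path) {
    # Hex SHA-1 of a file, streamed so the file is not read into memory at once.
    $sha1   = [System.Security.Cryptography.SHA1]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { $bytes = $sha1.ComputeHash($stream) } finally { $stream.Close() }
    ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Compare-DriverHashes {
    param(
        [string]$ReferenceDir,
        # Default is the running system's volume. When run from an offline boot
        # or with the disk attached to a clean machine, point this at the
        # patient's volume, e.g. E:\Windows\System32\drivers.
        [string]$DriversDir = (Join-Path $env:SystemRoot 'System32\drivers'),
        [string[]]$Names = $SuspectDrivers
    )
    foreach ($name in $Names) {
        $live = Join-Path $DriversDir $name
        $ref  = Join-Path $ReferenceDir $name
        if (-not (Test-Path $live)) { continue }    # driver not installed here
        $liveHash = Get-Sha1Hex $live
        $refHash  = if (Test-Path $ref) { Get-Sha1Hex $ref } else { $null }
        $status   = if (-not $refHash) { 'NoReference' }
                    elseif ($refHash -eq $liveHash) { 'Match' }
                    else { 'MISMATCH' }
        New-Object PSObject -Property @{
            Driver = $name; Status = $status; Live = $liveHash; Reference = $refHash
        }
    }
}

# Example invocation; D:\i386 is a placeholder for wherever the clean copies are.
Compare-DriverHashes -ReferenceDir 'D:\i386' | Format-Table Driver, Status, Live, Reference -AutoSize
```

Two caveats a practitioner will want. A MISMATCH against install-media copies is normal on a patched system, because hotfixes replace these drivers, so compare against the same service pack and patch level or you will chase false alarms. More importantly, a kernel-mode rootkit that has hooked the disk stack can hand back the original bytes to anything reading the file on the running system, so the comparison is only trustworthy from an offline boot or with the disk attached to a clean machine; on the live patient, Match proves nothing.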


Posted by M1k3G    Date: Sunday, February 14, 2010


EA Games knew dat!

Happy Super Bowl Sunday. The Saints won the game 35-31 in their annual simulation. EA Games has been correct about every game for the last 6 years, except one, at least as far as who will win the game. This would have been more timely had I posted this yesterday, but I was busy. :)

Utilizing each team’s current roster and the latest player statistics, Madden NFL 10 was able to accurately predict the outcome of both the NFC and AFC Championship games within a margin of three points for each game. EA SPORTS utilized this same simulation formula to predict the outcome of Super Bowl XLIII (Pittsburgh Steelers vs. Arizona Cardinals) with unprecedented accuracy – down to the final score and individual player statistics. EA SPORTS has correctly predicted the Super Bowl winner for five out of the last six years, since the official Madden NFL Super Bowl simulation began in 2004.

Madden NFL has been pretty reliable in the past, predicting the winner every year except 2008, when the Giants took down the Patriots, 17 to 14. Still, the series recovered from that fumble the next year, predicting the Steelers over the Cardinals, with the final simulated score only one point away from the actual scores for both teams.

Here’s how EA Sports’ simulation played out:

“The first three quarters display the offensive fireworks that both teams have become known for, with the Colts leading 24-21. A nail biting fourth quarter begins with a big play, courtesy of the Saints’ special teams, when Reggie Bush returns a punt for a 42-yard touchdown. However, with minutes left in the game the duo of Joseph Addai and Peyton Manning put the Colts back on top with a go-ahead touchdown pass. With the game hanging in the balance, Drew Brees hits David Thomas for an 11-yard touchdown and the game winning score.”

Well, we know it didn’t happen quite like that, but the end result is the same. Those guys take their games seriously.


Posted by guru    Date: Monday, February 8, 2010


Articles..

Given the number of articles on this site, you would think I didn’t have anything to talk about. I assure you it’s not the case. The truth is, we’ve been terribly busy at the shop, and really have had no time to devote to the blog. I’m going to remedy this problem. I’m enlisting the help of a few techies I know who are willing to contribute to the site. Hopefully you’ll see some posts from them soon.

Now we’re finally getting caught up in the shop. We had been almost a month behind on most of the machines…. needless to say I’ve been under a bit of stress about this. I’ve added a few more techs, and refined the ranks a bit – which seems to make the chemistry in the office much better, and a bit smoother. We’re back to getting systems out in less than a week again. I expect we’ll be back into the 4 days or less range again very soon.


Posted by guru    Date: Saturday, February 6, 2010


IOS – It’s a Syndrome


Posted by guru    Date: Sunday, January 24, 2010


I’M ON A BOAT!

A customer asked me to look into a product they own, and I had not heard of it. I know, it’s shocking – I don’t know about everything tech out there. The Rovio is a spiffy product. It’s a security camera, a robot and a two-way video intercom all in one. Normally I would look at a product like this and dismiss it as a toy, but this week I’ve been especially open minded about stuff. I’m sure there is some scientific reason that I’m feeling this way, but I don’t have the time or energy to figure that out, so we’ll just leave it at that.

Back to this Rovio thing. You can program waypoints in your home and it will patrol the house. You can tell it to email you snapshots or you can remotely view/control/program the unit from just about anything that gets online. There are accessories for this thing too. You can get range extenders which they call “beacons” that allow you to extend the range of your primary wireless network, and a headlight for really scaring the life out of your spouse.

Destroyer of Worlds

You know how it goes, you’re out of town, or working late. You think it would be nice to tell your significant other that you have fond feelings for them. You pull out your laptop and activate your dog-sized robot, the robot creeps down the hall in the middle of the night, turns on some headlights and your voice comes through the speakers. Something sweet and tender, like “I’M ON A BOAT!” You’ll probably have to buy another $300 robot, but the HD video of the awakening makes it all worth it. And millions watched your shenanigans on YouTube. Did I mention it records in HD? Yeah, it does that too.

Have a suggestion for a topic on the show? Drop us a line!


Posted by guru    Date: Thursday, January 21, 2010


Acceptable use of Music Tech

This is one of the only acceptable uses of auto-tune that I’ve seen. I appreciate that they both tell the story. Nice work.


Posted by guru    Date: Tuesday, January 12, 2010


Call-Back Confetti

There were two people that I was supposed to call on Saturday.  I’ve seriously got to find a better method for tracking callers.  The current method is the producer will write down the numbers on little pieces of paper, and give them to me after the show.  More often than not, the little papers don’t actually get to me.  It’s pretty busy in there just after the show, and either I forget to ask for them, or the producer or phone screener doesn’t remember to hand them to me.

Last Saturday was a little different.  I had the little pieces of paper and placed them on the living room table when I got home.  When I came back to them I found a shredded pile of call-back confetti.  My new dog has developed an obsession with paper products.  So, for the first time ever, I can say my dog ate my homework.  If I was supposed to call you, please send me an email, or call me at the shop.  I’m sorry.


Posted by guru    Date: Wednesday, January 6, 2010


Printing Favorites / Bookmarks

A caller asked how to print a favorites list from IE and Firefox.  Here are the details :

IE6+ :

  • Open Internet Explorer, click File on the menu bar and then click ‘Import and Export’.
  • The Import/Export wizard opens; click Next, which brings up a list of things you can do.
  • Select ‘Export Favorites’ and click Next, which shows you a list of all the folders contained in Favorites.
  • To export every folder and web link contained in Favorites, select the folder labeled ‘Favorites’. To export just the contents of a single folder, select it.
  • Click Next and select the ‘Export to a File or Address’ option and give the file a name ending in the .htm extension. Save it to a folder of your choice. Click Next, Finish and then OK.
  • Open Windows Explorer and locate the file you just created. Double-click it to open it. You will see all the Favorites folders you selected. Each folder will be expanded to show all the web pages it contains.
  • Click File on the menu bar and then click Print from the menu that appears. The Print page opens.
  • Click the Print button and your Favorites are on their way to your printer!

Firefox :

Check this article that talks about managing the bookmarks file: http://kb.mozillazine.org/Backing_up_and_restoring_bookmarks_-_Firefox

Once you find the file on your machine, you can print bookmarks.html.
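For anyone who would rather not click through the wizard, here is the same export done from the Favorites folder itself. It is an added example, not part of the post: IE keeps each favorite as a .url file (an INI-style file whose [InternetShortcut] section carries a URL= line), so a short script can build the same printable page the wizard does. The output path on the Desktop is an assumption; change it as you like.

```powershell
# Added example, not from the post: build a printable HTML page from the IE
# Favorites folder without the Import/Export wizard. Each favorite is a .url
# file with a URL= line under [InternetShortcut]. Output path is an assumption.

function Get-FavoriteUrl([string]$Path) {
    # Return the URL= value from a .url file, or $null if it has none.
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*URL\s*=\s*(.+?)\s*$') { return $matches[1] }
    }
    return $null
}

function ConvertTo-EscapedHtml([string]$Text) {
    # Favorites titles and URLs come from untrusted pages; escape before emitting HTML.
    $Text -replace '&','&amp;' -replace '<','&lt;' -replace '>','&gt;' -replace '"','&quot;'
}

function Get-FavoritesFolderHtml([string]$Dir) {
    # One <ul> per folder, recursing into subfolders, mirroring the wizard's layout.
    $sb = New-Object System.Text.StringBuilder
    [void]$sb.Append('<ul>')
    foreach ($item in Get-ChildItem -Path $Dir | Sort-Object Name) {
        if ($item.PSIsContainer) {
            $inner = Get-FavoritesFolderHtml $item.FullName
            [void]$sb.Append('<li><b>' + (ConvertTo-EscapedHtml $item.Name) + '</b>' + $inner + '</li>')
        } elseif ($item.Extension -eq '.url') {
            $url = Get-FavoriteUrl $item.FullName
            if ($url) {
                $title = ConvertTo-EscapedHtml $item.BaseName
                $href  = ConvertTo-EscapedHtml $url
                [void]$sb.Append('<li><a href="' + $href + '">' + $title + '</a> ' + $href + '</li>')
            }
        }
    }
    [void]$sb.Append('</ul>')
    $sb.ToString()
}

function Export-FavoritesHtml {
    param(
        [string]$Root    = [Environment]::GetFolderPath('Favorites'),
        [string]$OutFile = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'favorites.htm')
    )
    $body = Get-FavoritesFolderHtml $Root
    $html = '<html><head><title>Favorites</title></head><body><h1>Favorites</h1>' + $body + '</body></html>'
    Set-Content -Path $OutFile -Value $html -Encoding UTF8
    $OutFile
}

# Write the page and open it in the default browser; print from there with File > Print.
Invoke-Item (Export-FavoritesHtml)
```

The page prints the URL next to each title on purpose, since a printed list of link text alone is not much use. Pass -Root to export a single subfolder instead of the whole tree.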

Posted by guru    Date: Saturday, December 12, 2009