2010-04-13:

[HISPASEC Research] Windows Kernel Vulnerabilities... x5 :)

windows:kernel:security:easy
I already wrote, in February, about the first vulnerability found by our team (that would be j00ru and me). Today Microsoft has published reports on 5 more (well, there were actually 6, but Microsoft decided to merge two of them into one, since both could be fixed by the same change in the code) :)

I would like to start by saying that we were able to do this research thanks to Hispasec VirusTotal (we both work with them, and our boss agreed to let us do the research we were both interested in doing ;> - THANKS ;>)

The vulnerabilities, as listed in the Microsoft MS10-021 bulletin, are:
* (CVE-2010-0234) Windows Kernel Null Pointer Vulnerability
A denial of service vulnerability exists in the Windows kernel due to the insufficient validation of registry keys passed to a Windows kernel system call. An attacker could exploit the vulnerability by running a specially crafted application, causing the system to become unresponsive and automatically restart.

* (CVE-2010-0235) Windows Kernel Symbolic Link Value Vulnerability
A denial of service vulnerability exists in the Windows kernel due to the manner in which the kernel processes the values of symbolic links. An attacker could exploit the vulnerability by running a specially crafted application causing the system to become unresponsive and automatically restart.

* (CVE-2010-0236) Windows Kernel Memory Allocation Vulnerability
An elevation of privilege vulnerability exists in the Windows kernel due to the manner in which memory is allocated when extracting a symbolic link from a registry key. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

* (CVE-2010-0237) Windows Kernel Symbolic Link Creation Vulnerability
An elevation of privilege vulnerability exists when the Windows kernel does not properly restrict symbolic link creation between untrusted and trusted registry hives. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

* (CVE-2010-0238) Windows Kernel Registry Key Vulnerability
A denial of service vulnerability exists in the way that the Windows kernel validates registry keys. An attacker could exploit the vulnerability by running a specially crafted application causing the system to become unresponsive and automatically restart.

Technical details of the above (and of the one from two months ago) will be presented at two conferences:

1. 22nd of April 2010 at Hack In The Box in Dubai
2. 25th or 26th of May 2010 at CONFidence in Krakow, Poland

In Dubai I'll give the lecture by myself; at CONFidence the details will be presented by both me and j00ru, who btw did a great job on most of the bugs, including a proof-of-concept exploit for one incredibly nasty bug ;)

The slides (and maybe also a video recording) from one of the above conferences will be published after the second one :)

For now, I'll only say that one bug was a classic buffer overflow, found in an interesting place. Another was related to missing validation of the owner of a key when using symbolic links in the registry. We think that these vulnerabilities, even though not critical (Microsoft has rated them as "Important", and we agree with that), are very interesting from a technical point of view, and researchers should enjoy the details :)

That would be it. I'd like to invite you to Hack In The Box Dubai to join me at my lecture, or to Krakow for imho the best Polish security-related conference - CONFidence!

UPDATE: Some more info about one of the bugs can be found on the Microsoft Security & Research blog (post by Nick Finco from MSRC Engineering)

UPDATE 2: j00ru has published a similar post on his blog

Comments:

2010-04-26 11:58:57 = argp
{
Excellent work!
}
2010-04-28 08:58:17 = Gynvael Coldwind
{
@argp
Thanks ;)
}