funsec mailing list archives

Re: From Tavis Ormandy: Windows NT #GP Trap handler allows users to switch kernel stack

From: "Larry Seltzer" <larry () larryseltzer com>
Date: Tue, 19 Jan 2010 19:45:41 -0500

Maybe it doesn't require SeTcbPrivilege, but what privileges does it
require?

Will this exploit work as a standard user?

Larry Seltzer
Contributing Editor, PC Magazine
larry_seltzer () ziffdavis com 
http://blogs.pcmag.com/securitywatch/

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org]
On Behalf Of Juha-Matti Laurio
Sent: Tuesday, January 19, 2010 5:11 PM
To: funsec () linuxbox org
Subject: [funsec] From Tavis Ormandy: Windows NT #GP Trap handler allows
users to switch kernel stack

From his advisory

(
http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.h
tml   )

"In order to support BIOS service routines in legacy 16bit applications,
the Windows NT Kernel supports the concept of BIOS calls
in the Virtual-8086 mode
monitor code.
These are implemented in two stages, the kernel transitions to the
second stage when the #GP trap handler (nt!KiTrap0D)
detects that the faulting cs:eip matches specific magic values.

Transitioning to the second stage involves restoring execution context
and call stack (which had been previously saved)
from the faulting trap frame once authenticity has been verified.

This verification relies on the following incorrect assumptions:

 - Setting up a VDM context requires SeTcbPrivilege.
 - ring3 code cannot install arbitrary code segment selectors.
 - ring3 code cannot forge a trap frame.

This is believed to affect every release of the Windows NT kernel, from
Windows NT 3.1 (1993) up to and including Windows 7 (2009)."

Juha-Matti
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

From Tavis Ormandy: Windows NT #GP Trap handler allows users to switch kernel stack Juha-Matti Laurio (Jan 19)
- Re: From Tavis Ormandy: Windows NT #GP Trap handler allows users to switch kernel stack Larry Seltzer (Jan 19)
- <Possible follow-ups>
- Re: From Tavis Ormandy: Windows NT #GP Trap handler allows users to switch kernel stack Juha-Matti Laurio (Jan 20)
- Re: From Tavis Ormandy: Windows NT #GP Trap handler allows users to switch kernel stack Juha-Matti Laurio (Jan 20)