Monday, January 29, 2007

Kernel Wars in Amsterdam!

This post is about our talk at BlackHat Europe 2007 in Amsterdam.

Kernel vulnerabilities are often deemed unexploitable, or at least unlikely to be exploited reliably. Although it's true that kernel-mode exploitation often presents some new challenges for exploit developers, it still all boils down to "creative debugging" and knowledge about the target in question.

During our talk we intend to demystify kernel-mode exploitation by demonstrating the analysis and reliable exploitation of three different kernel vulnerabilities without public exploits. From a defender's point of view this could hopefully serve as an eye-opener, as it demonstrates the ineffectiveness of HIDS, NX, ASLR and other protective measures when the kernel itself is being exploited.

The vulnerabilities that will be discussed are:

- FreeBSD 802.11 Management Frame Integer Overflow (Patched)
Found and exploited by Karl Janmar. Advisory

- NetBSD Local Kernel Heap Overflow (Unpatched, 0-day)
Found by Christer Öberg, exploited by Christer and Joel Eriksson.

- Windows (2000 & XP) Local GDI Memory Overwrite (Unpatched)
Found by Cesar Cerrudo, exploited by Joel Eriksson. Advisory

Unlike most of the 802.11-related bugs that have been found lately, the FreeBSD 802.11 vulnerability did not only affect a particular driver, but the 802.11 subsystem itself. Besides being discovered quite a while before the other WLAN-related bugs (summer 2005), it uses a pretty interesting payload, which injects a pure kernel-mode backdoor that communicates through spoofed management frames. The full exploit will be released after the talk.

The GDI bug for Windows 2000 and XP, which results in a local privilege escalation when successfully exploited, was found by Cesar Cerrudo from Argeniss and reported to Microsoft as early as 2004-10-22. It was made public during MoKB (Month of Kernel Bugs) on 2006-11-06, more than two years later.

Amazingly, it has still not been patched, perhaps due to Microsoft not taking the threat seriously until they've seen that it can be exploited reliably in practice. Reliable exploitation for Windows 2000 and XP with any and all service packs and patches applied will be demonstrated during the talk.

Since we intend to release the NetBSD bug during the talk, we will not disclose any details yet, but... The particularly interesting thing about this bug is that it has been around for almost two decades. It was present in both OpenBSD and FreeBSD until they got rid of the code in question altogether, and it most likely still exists in some of the other commercial Unix systems derived from BSD.

( Joel Eriksson | Karl Janmar | Christer Öberg @ Bitsec )

Picture of the 802.11 exploit GUI:

Picture of the NetBSD exploit:

Picture of the GDI exploit:
