Coffeehouse Thread

8 posts

Forum Read Only

This forum has been made read only by the site admins. No new threads or comments can be added.

Most serious Windows Exploit in recent memory...

  • ManipUni

    Microsoft released a patch for perhaps the most serious exploit in recent memory, remote code execution at kernel level, no mitigating factors, no workable defence except hardware firewalls.

    Worms incoming in 3, 2, ...   

    https://technet.microsoft.com/en-us/security/bulletin/ms11-083


  • davewill

    And against "closed" UDP ports of all things.

  • fanbaby

    HAHAHAHA, M$ again!


    Just kidding. Human-designed software has vulnerabilities, news at 10.

    As an open-source advocate I'll be the first to admit Linux has vulnerabilities. Unix had them. I'm sure given time, any piece of non-trivial software would succumb to hacking.


    My theory is that any self respecting intelligence agency has a few of them in the drawer.

  • evildictaitor

    ManipUni wrote:

    Microsoft released a patch for perhaps the most serious exploit in recent memory, remote code execution at kernel level, no mitigating factors, no workable defence except hardware firewalls.

    Well, apart from the fact that the word "exploitable" in Microsoft security advisories covers a whole bunch of bugs that are not practically exploitable in real life. For this particular bug the attacker would need to:

    a) Have access to the UDP port in question, which is not a normally allowed UDP port
    b) Have a different ASLR bypass bug in order to use the bug for anything other than a denial of service
    c) Also be subject to a race condition with anything else happening on that UDP port.

    This bug would take a pretty good exploit writer a small while to turn around, but if all three of those things did manage to happen, then perhaps an attacker would be able to run shellcode in kernel space (which is bad), but again if you have anti-virus software installed it'll pick up anything but the most bespoke rootkits.

    Also, kernel bugs aren't all that uncommon (in Microsoft or indeed any other OS - every iPhone jailbreak is a Linux kernel exploit for example), so I think you're overblowing this one a little bit.

  • RoyalSchrubber

    @evildictaitor:

    iPhone runs iOS which is derived from OS X which runs the Darwin kernel which is derived from BSD. No Linux involved.

  • evildictaitor

    RoyalSchrubber wrote:

    @evildictaitor:

    iPhone runs iOS which is derived from OS X which runs the Darwin kernel which is derived from BSD. No Linux involved.

    Fine. iPhone jailbreaks are (usually) an example of kernel bugs in BSD or iPhone drivers. Same difference. My point is that no practical real-world OS is entirely devoid of kernel bugs.

  • davewill

    evildictaitor wrote:

    *snip*

    Well, apart from the fact that the word "exploitable" in Microsoft security advisories covers a whole bunch of bugs that are not practically exploitable in real life. For this particular bug the attacker would need to:

    a) Have access to the UDP port in question, which is not a normally allowed UDP port
    b) Have a different ASLR bypass bug in order to use the bug for anything other than a denial of service
    c) Also be subject to a race condition with anything else happening on that UDP port.

    This bug would take a pretty good exploit writer a small while to turn around, but if all three of those things did manage to happen, then perhaps an attacker would be able to run shellcode in kernel space (which is bad), but again if you have anti-virus software installed it'll pick up anything but the most bespoke rootkits.

    Also, kernel bugs aren't all that uncommon (in Microsoft or indeed any other OS - every iPhone jailbreak is a Linux kernel exploit for example), so I think you're overblowing this one a little bit.

    Where did you find that level of detail (a, b, and c)?

  • evildictaitor

    davewill wrote:

    Where did you find that level of detail (a, b, and c)?

    (a) and (c) are obvious from the internal write-ups. Sadly Microsoft doesn't publish them externally because the write-up is the exploit, and putting that on the interwebs before the patch is available is putting customers at risk.

    (b) is because the bug is an attacker-controlled modification to a DWORD in memory, which is a dangerous bug on pre-Vista SP1. After that, ASLR is applied to almost everything in kernel space, meaning getting execution is distinctly non-trivial with this bug.


    For more stuff like this, a good blog to read is the Microsoft Security Research Team blog:

    http://blogs.technet.com/b/mmpc/archive/2011/10/13/sirv11-putting-vulnerability-exploitation-into-context.aspx
