|The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.|
Windows: privilege elevation via NtVdm
Synthesis of the vulnerability
A local attacker, on a x86 processor, can use the 16 bit compatibility system, in order to elevate his privileges.
Impacted products: Windows 2000, Windows 2003, Windows 2008 R0, Windows 7, Windows NT, Windows Vista, Windows XP.
Severity of this bulletin: 2/4.
Consequences of an intrusion: administrator access/rights.
Hacker's origin: user shell.
Creation date: 20/01/2010.
Références of this threat: 977165, 979682, BID-37864, CERTA-2010-AVI-073, CVE-2010-0232, MS10-015, VIGILANCE-VUL-9363.
Description of the vulnerability
Windows NT/2000/XP/2003/2008/Vista/7 can run 16 bit programs, created for MS-DOS and Windows 3.1, with NtVdm.exe (NT Virtual Dos Machine) and the Virtual-8086 mode of the processor.
When a 16 bit application calls a legacy BIOS service, the GP trap handler (nt!KiTrap0D) modifies the execution context (installed by NtVdmControl), and restores it later. However, a local attacker can modify this context, in order to execute code with kernel privileges.
A local attacker, on a x86 processor, can therefore use the 16 bit compatibility system, in order to elevate his privileges.
Full Vigil@nce bulletin... (Free trial)
Computer vulnerabilities tracking service
Vigil@nce provides applications vulnerabilities announces. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. The technology watch team tracks security threats targeting the computer system.