Vigil@nce: Windows, privilege elevation via NtVdm
January 2010 by Vigil@nce
A local attacker, on a x86 processor, can use the 16 bit
compatibility system, in order to elevate his privileges.
– Severity: 2/4
– Consequences: administrator access/rights
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 20/01/2010
IMPACTED PRODUCTS
– Microsoft Windows 2000
– Microsoft Windows 2003
– Microsoft Windows 2008
– Microsoft Windows 7
– Microsoft Windows NT
– Microsoft Windows Vista
– Microsoft Windows XP
DESCRIPTION OF THE VULNERABILITY
Windows NT/2000/XP/2003/2008/Vista/7 can run 16 bit programs,
created for MS-DOS and Windows 3.1, with NtVdm.exe (NT Virtual Dos
Machine) and the Virtual-8086 mode of the processor.
When a 16 bit application calls a legacy BIOS service, the GP trap
handler (nt!KiTrap0D) modifies the execution context (installed by
NtVdmControl), and restores it later. However, a local attacker
can modify this context, in order to execute code with kernel
privileges.
A local attacker, on a x86 processor, can therefore use the 16 bit
compatibility system, in order to elevate his privileges.
CHARACTERISTICS
– Identifiers: 979682, BID-37864, CVE-2010-0232, VIGILANCE-VUL-9363
– Url: http://vigilance.fr/vulnerability/Windows-privilege-elevation-via-NtVdm-9363