Another 3rd party flaw to step into Vista Kernel.
Written by Rubén

Monday, 01 October 2007
First off, if you haven't read skywing's quite brilliant paper about PatchGuard 3 in the latest Uninformed yet, check it out. Btw, his blog (http://www.nynaeve.net) is another jewel.
So talking about Vista, recently I came across a nice freeware program, called Speedfan, that allows controlling some thermal capabilities of your hardware. It contains a signed driver for Vista x64 so... well, you know ...
There is a big flaw, as you can see below (déjà vu; see Joanna's IsGameOver() - NVIDIA nTune Driver vulnerability):
IOCTL: 0x9c40243C
cmp dword ptr [rdx+8], 8        ; OutputBufferLength >= 8 (IO_STACK_LOCATION offsets on x64, inferred)
jb short loc_11171              ; too small -> bail out
cmp dword ptr [rdx+10h], 0Ch    ; InputBufferLength >= 0Ch, i.e. three DWORDs
jb short loc_11171
mov r8d, [rsi+4]                ; InputBuffer[1] -> high dword of the value
mov r9d, [rsi+8]                ; InputBuffer[2] -> low dword of the value
mov rax, r8
shl rax, 20h
or rax, r9                      ; rax = InputBuffer[1]:InputBuffer[2]
mov rdx, rax
shr rdx, 20h                    ; edx = high dword, eax = low dword
mov ecx, [rsi]                  ; InputBuffer[0] -> ecx = MSR index, fully caller-controlled
wrmsr                           ; MSR[ecx] = edx:eax; no check on which MSR is written
You can overwrite (or read) any MSR you want, so by hijacking the LSTAR we open the kingdom's door. Therefore, this flaw allows loading unsigned drivers on Vista x64 and doing whatever misdeed your broken mind had planned.
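To make the pattern in the listing concrete, here is an added example (not Speedfan's code and not from kartoffel): a user-mode C model of an IOCTL handler that validates only the buffer lengths, beside a hardened variant that also refuses any MSR index outside an allow-list. The function names, the allow-list contents and the simulated WRMSR are assumptions for illustration, and the two requests are constructed sample input, not captured traffic.

```c
/* Added example, not Speedfan's or kartoffel's code: a user-mode C model of
 * the IOCTL handler pattern in the listing above, next to a hardened variant.
 * Names such as vuln_wrmsr_ioctl, safe_wrmsr_ioctl and MSR_ALLOWLIST are
 * hypothetical, and WRMSR is simulated by recording the write, so the program
 * runs unprivileged on any platform. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS values used by the handlers (real Windows constants). */
#define STATUS_SUCCESS           0x00000000u
#define STATUS_ACCESS_DENIED     0xC0000022u
#define STATUS_BUFFER_TOO_SMALL  0xC0000023u

/* Simulated WRMSR: record what would have reached the hardware. */
static uint32_t g_last_msr;
static uint64_t g_last_value;
static int      g_wrmsr_count;

static void simulated_wrmsr(uint32_t msr, uint64_t value)
{
    g_last_msr = msr;
    g_last_value = value;
    g_wrmsr_count++;
}

uint32_t last_msr(void)    { return g_last_msr; }
uint64_t last_value(void)  { return g_last_value; }
int      wrmsr_count(void) { return g_wrmsr_count; }

/* Mirrors the disassembly: only the two buffer lengths are validated, then
 * ecx = in[0] (MSR index) and edx:eax = in[1]:in[2] (value) feed WRMSR. */
uint32_t vuln_wrmsr_ioctl(const uint32_t *in, size_t in_len, size_t out_len)
{
    if (out_len < 8 || in_len < 12)
        return STATUS_BUFFER_TOO_SMALL;
    uint64_t value = ((uint64_t)in[1] << 32) | in[2];
    simulated_wrmsr(in[0], value);   /* any MSR the caller names */
    return STATUS_SUCCESS;
}

/* Hardened variant: the same length checks, plus the MSR index must be on an
 * allow-list of registers the driver actually needs.  The two entries are
 * illustrative thermal-control MSRs; a real driver lists its own.  Restricting
 * who may open the device (ACL on the device object) is a separate, additional
 * control and is not modelled here. */
static const uint32_t MSR_ALLOWLIST[] = {
    0x19A,  /* IA32_CLOCK_MODULATION */
    0x19B,  /* IA32_THERM_INTERRUPT */
};

static bool msr_allowed(uint32_t msr)
{
    for (size_t i = 0; i < sizeof MSR_ALLOWLIST / sizeof MSR_ALLOWLIST[0]; i++)
        if (MSR_ALLOWLIST[i] == msr)
            return true;
    return false;
}

uint32_t safe_wrmsr_ioctl(const uint32_t *in, size_t in_len, size_t out_len)
{
    if (out_len < 8 || in_len < 12)
        return STATUS_BUFFER_TOO_SMALL;
    if (!msr_allowed(in[0]))
        return STATUS_ACCESS_DENIED;  /* refused before touching hardware */
    uint64_t value = ((uint64_t)in[1] << 32) | in[2];
    simulated_wrmsr(in[0], value);
    return STATUS_SUCCESS;
}

/* Constructed requests (sample input): in[0] = MSR index,
 * in[1] = high dword, in[2] = low dword of the value. */
const uint32_t REQ_ALLOWED[3]   = { 0x19A, 0x00000000u, 0x00000010u };
const uint32_t REQ_ARBITRARY[3] = { 0xC0000082u /* IA32_LSTAR, the MSR the post names */, 0, 0 };

int main(void)
{
    uint32_t s1 = vuln_wrmsr_ioctl(REQ_ARBITRARY, sizeof REQ_ARBITRARY, 8);
    int      c1 = wrmsr_count();
    uint32_t s2 = safe_wrmsr_ioctl(REQ_ARBITRARY, sizeof REQ_ARBITRARY, 8);
    int      c2 = wrmsr_count();
    uint32_t s3 = safe_wrmsr_ioctl(REQ_ALLOWED, sizeof REQ_ALLOWED, 8);
    int      c3 = wrmsr_count();
    printf("vulnerable handler, arbitrary MSR: status 0x%08X, writes so far %d\n", s1, c1);
    printf("hardened handler,   arbitrary MSR: status 0x%08X, writes so far %d\n", s2, c2);
    printf("hardened handler,   allowed MSR  : status 0x%08X, writes so far %d\n", s3, c3);
    return 0;
}
```

The length checks in the listing are correct as far as they go; the missing control is on the contents, and the allow-list is the smallest change that closes the "any MSR" path without taking the thermal functionality away.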
Afaik there is no public exploit that uses the method explained in Joanna's paper (I was unable to grab purplepill, so let me know if I am wrong), so I've prepared a K-plugin for kartoffel (64-bit) that exploits this issue. However, since MSR hooking is a widely known rootkit technique, don't expect to find anything really exciting. Look out! It's intended for study and/or research purposes only, so I'm not responsible in any manner for any illegal use. Download at http://kartoffel.reversemode.com/downloads.php
I guess that sooner or later Microsoft will revoke the certificate for this buggy driver; in any case, the driver is going to be fixed quickly, maybe even today according to its author, so it's not a major problem. You can check the status of this bug at any time, since it is publicly available through the bugtracker at http://www.bugtrack.almico.com/view.php?id=987.
Btw, once the patch is out, I'll release an advisory for this issue with more technical details, so stay tuned.
Last Updated ( Sunday, 07 October 2007 )

Reversemode Premium Disclosure
Written by Rubén

Monday, 17 September 2007

Corporate post this time. Reversemode launches the Premium Disclosure service for legal companies only.
Executive Overview
What does “Premium Disclosure” mean?
Reversemode follows a responsible disclosure policy whenever a new vulnerability is discovered. It basically means that the vendor is contacted prior to any public disclosure. Once the vendor has addressed the flaw according to its own policy, we release a public advisory with some technical details, with the aim of helping researchers understand the real impact of the vulnerability.
On the other hand, customers who are subscribed to our “Premium Disclosure” service receive full technical details, including comprehensive reports, private exploits and/or related tools, at the same time the vendor is notified.
Vulnerabilities
As a customer of the Premium Disclosure service you receive vulnerabilities affecting Microsoft Windows Vista/XP/2003/2K and other leading products as well.
The basic pack for a vulnerability comprises the following items:
+ Comprehensive paper explaining the flaw. Available in the following languages: English, Deutsch, Castellano.
+ Exploit/PoC and/or related tools.
+ Up-to-date information about the status of the vulnerability and how the vendor is planning to address the issue.
Advantages of Premium Disclosure
Your company gets informed months before the vulnerability is publicly disclosed, therefore you can:
+ Improve your IPS/IDS engine, signatures or security products.
+ Protect your corporate environment.
+ Study novel techniques.
+ Boost the success rate of your penetration tests.
Contact
If you are interested in this service and/or need further information, do not hesitate to contact us.
http://corporate.reversemode.com – http://www.reversemode.com
contact (at) reversemode (dot) com [email concealed]
Download Executive Overview "Reversemode Premium Disclosure"
Last Updated ( Monday, 01 October 2007 )

Attention, the warm kartoffel!