Threat Level: green Handler on Duty: Pasquale Stirparo

SANS ISC: InfoSec Handlers Diary Blog - Unpatched Microsoft Windows (all versions) Privilege Escalation Vulnerability Released InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Unpatched Microsoft Windows (all versions) Privilege Escalation Vulnerability Released

Published: 2010-01-19
Last Updated: 2010-01-19 21:47:39 UTC
by Johannes Ullrich (Version: 1)
3 comment(s)

In a posting to a public mailing list, Tavis Ormandy disclosed a zero day privilege escalation vulnerability in the Windows kernel. All versions of Windows, starting with Windows NT 3.1 up to including Windows 7, are affected.

The vulnerability affects support for 16 bit applications. In most cases, it is safe to turn off support for 16 bit applications.

Here are the mitigation instructions (copied from the advisory):

Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack  from functioning, as without a process with VdmAllowed, it is not possible to access NtVdmControl() (without SeTcbPrivilege, of course).

The policy template "Windows ComponentsApplication CompatibilityPrevent access to 16-bit applications" may be used within the group policy editor to prevent unprivileged users from executing 16-bit applications. I'm informed this is an officially supported machine configuration.

Administrators unfamiliar with group policy may find the videos below instructive. Further information is available from the Windows Server Group Policy Home

http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.

To watch a demonstration of this policy being applied to a Windows Server 2003 domain controller, see the link below.

http://www.youtube.com/watch?v=XRVI4iQ2Nug

To watch a demonstration of this policy being applied to a Windows Server 2008 domain controller, see the link below.

http://www.youtube.com/watch?v=u8pfXW7crEQ

To watch a demonstration of this policy being applied to a shared but unjoined Windows XP Professional machine, see the link below.

http://www.youtube.com/watch?v=u7Y6d-BVwxk

On Windows NT4, the following knowledgebase article explains how to disable the NTVDM and WOWEXEC subsystems.

http://support.microsoft.com/kb/220159

Applying these configuration changes will temporarily prevent users from accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users
require this functionality.

If you do not require this feature and depend on NT security, consider permanently disabling it in order to reduce kernel attack surface.

This is not a good month for Microsoft. Tavis disclosed the vulnerability to Microsoft about 6 months ago. Microsoft's monthly bulletin's credited Tavis numerous times in the past for disclosing vulnerabilities.

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: exploit Microsoft
3 comment(s)
Diary Archives