tag:blogger.com,1999:blog-8992811497323121233.post5243038755573783381..comments2010-11-18T01:07:27.544-08:00Julien Tinnesnoreply@blogger.comBlogger4125tag:blogger.com,1999:blog-8992811497323121233.post-77381866130829440742010-01-28T15:14:41.805-08:002010-01-28T15:14:41.805-08:00to Anonymous:<br />&gt;Code is never executed with the vdm context<br />&gt;specified, and that never happens with the exploit.<br />Yes, that would be correct. Our misunderstanding applies not to the exploit codepath, but to the nature of the checks performed in the VdmSwapContexts().<br /><br />to Pablo Sole:<br />&gt;test ebx, eax<br />&gt;jnz short loc_6F7936 ;ebx=EFLAGS.VM<br />&gt;or [esi+KTRAP_FRAME.SegCs], 3<br />Yup, for some bizzare reason we&#39;ve missed exactly that point. Thank you for the clarification – now we can appreciate all the awesomeness of this exploitation.MTUhttp://www.wasm.runoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-4440357390567225392010-01-28T09:00:16.652-08:002010-01-28T09:00:16.652-08:00I think you misunderstand the bug, of course setting up a context is impossible (if that was the case, you could just pass one to NtCreateThread() and get ring0). Code is never executed with the vdm context specified, and that never happens with the exploit.<br /><br />The bug is that the contents of the trap frame is trusted to be accurate. I would suggest you try it before claiming it&#39;s wrong :-(Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-13292838112295194102010-01-28T05:20:33.630-08:002010-01-28T05:20:33.630-08:00to MTU:<br /><br />If you check VdmSwapContexts, which is the function that switchs to monitor context, it has a checking that SS and CS need to be ring 3, unless it&#39;s V86:<br />PAGE:006F7919 mov eax, [edi+CONTEXT.EFlags]<br />PAGE:006F791F test ebx, eax<br />PAGE:006F7921 jnz short loc_6F7936 ;ebx=EFLAGS.VM<br />PAGE:006F7923 or [esi+KTRAP_FRAME.SegCs], 3<br />PAGE:006F7927 mov ecx, [esi+6Ch]<br />PAGE:006F792A or [esi+KTRAP_FRAME.HardwareSegSs], 3<br />PAGE:006F792E cmp ecx, 8<br />PAGE:006F7931 jnb short loc_6F7936<br />PAGE:006F7933 mov [esi+KTRAP_FRAME.SegCs], edx ; Force 0x1BPablo Solehttp://immunityinc.comnoreply@blogger.comtag:blogger.com,1999:blog-8992811497323121233.post-44332503252916403082010-01-28T00:57:27.738-08:002010-01-28T00:57:27.738-08:00Tavis, thank you for the intresting writeup. We were happy to know about this VDM bug. Now, we have some thoughts. Codepath was audited and it seems there&#39;s no real &#39;trap frame forging&#39; there, since involved part of KiTrap0D handler expects actual situation with hardware frame at the time of iret-fault (which happens since rpl &gt; cpl): error code, eip-cs, eflags – and no esp-ss. Moreover, it seems the exploitation can be greatly simplified – we see no reason not to just specify context with user-mode eip and KGDT_R0_CODE cs in the fake VDM context. Given the fact eflags in the fake VDM context is also controllable, it appears the part with &#39;Ki386BiosCallReturnAddress&#39; is not really required for the exploitation and can be skipped altogether – i.e. just set up fake VDM context with cs=8, eip=MyFunction, esi=param1, edi=param2, etc.<br /><br />Now, we didn&#39;t actually try to paste a few lines of code together to implement this because of lazyness, so if there&#39;s something missing in our resoning – please correct us.MTUhttp://www.wasm.runoreply@blogger.com