Cameron Kaiser wrote:
I'm not pointing this out to beat on poor Josh!
I'm not! I just think it's
an interesting angle that support for legacy 16-bit MS-DOS and Win3.1 apps has
apparently led to the unearthing of a 17-year-old Windows NT security flaw.
The really amusing thing would be if something similar existed in Classic
on OS X, or Rosetta.
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
Hey, I can handle it :). Interesting bug. I'm not a kernel hacker and
I don't know the details of how the NTVDM works all that well, but I'm
surprised that the CreateRemoteThread() call on the VDM subsystem
required for the exploit would actually work if you weren't already an
Administrator. (In which case an app running locally can already own
the box in any number of other ways).
NTVDM and 16-bit support in general have been removed from 64-bit SKUs
of Windows, starting with the 64-bit edition of XP. I miss it
sometimes, but there's always VirtualPC/VirtualBox/VMWare or the trusty
PS/2 model 80 I have sitting over here... ;)
(My favorite Windows bug has to be the csrss backspace bug (Fixed in
Vista!) :
http://www.juniper.net/security/auto/vulnerabilities/vuln3478.html)
- Josh
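As an added example (not part of the thread, and not code from either poster): since the exposure Josh discusses only exists where the NTVDM subsystem is present, a defender's first question on any 32-bit Windows host is whether 16-bit support is actually reachable. The script below reports whether the OS is 64-bit (no NTVDM at all), whether `ntvdm.exe` is on disk, and whether the Microsoft policy value that disables 16-bit application support (`VDMDisallowed` under the `AppCompat` policy key) has been set. The function name and output fields are my own choices for this illustration.

```powershell
# Added example (not from the original thread): report whether this Windows host
# can run 16-bit code via NTVDM and whether 16-bit support is disabled by policy.
# The policy key/value below is Microsoft's documented "prevent access to 16-bit
# applications" setting; the function and field names are assumptions for this demo.

function Get-NtvdmStatus {
    [CmdletBinding()]
    param()

    # 64-bit editions of Windows ship without NTVDM, as the thread notes.
    $is64 = [System.Environment]::Is64BitOperatingSystem

    # On 32-bit editions that still support 16-bit apps, ntvdm.exe lives in System32.
    $ntvdmPath    = Join-Path $env:SystemRoot 'System32\ntvdm.exe'
    $ntvdmPresent = Test-Path -LiteralPath $ntvdmPath

    # Policy key that disables 16-bit application support when VDMDisallowed = 1.
    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
    $disallowed = $false
    if (Test-Path -LiteralPath $policyKey) {
        $value = Get-ItemProperty -LiteralPath $policyKey -Name 'VDMDisallowed' -ErrorAction SilentlyContinue
        if ($null -ne $value -and $value.VDMDisallowed -eq 1) {
            $disallowed = $true
        }
    }

    # 16-bit code is only runnable on a 32-bit OS with NTVDM present and no blocking policy.
    [PSCustomObject]@{
        Is64BitOS          = $is64
        NtvdmPresent       = $ntvdmPresent
        DisabledByPolicy   = $disallowed
        SixteenBitRunnable = (-not $is64) -and $ntvdmPresent -and (-not $disallowed)
    }
}

# Usage: run from an elevated or normal PowerShell prompt; reading HKLM policy values
# does not require administrator rights.
Get-NtvdmStatus | Format-List
```

A host reporting `SixteenBitRunnable : True` still has the 16-bit code path live; setting the `VDMDisallowed` policy (or moving to a 64-bit SKU, where NTVDM is absent entirely) removes it for workloads that no longer need legacy DOS or Win3.1 applications.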