20 Jan
2010
20 Jan
'10
2:56 a.m.
I'm not pointing this out to beat on poor Josh! I'm not! I just think it's
an interesting angle that support for legacy 16-bit MS-DOS and Win3.1 apps has
apparently lead to the unearthing of a 17-year-old Windows NT security flaw.
The really amusing thing would be if something similar existed in Classic
on OS X, or Rosetta.
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
--
------------------------------------ personal: http://www.cameronkaiser.com/ --
Cameron Kaiser * Floodgap Systems * www.floodgap.com * ckaiser at floodgap.com
-- This message will self-destruct in five seconds. Good luck, Jim. -- M:I ----
20 Jan
20 Jan
3:39 a.m.
On Tue, Jan 19, 2010 at 9:56 PM, Cameron Kaiser <spectre at floodgap.com>wrote:
I'm not pointing this out to beat on poor Josh!
I'm not! I just think it's
an interesting angle that support for legacy 16-bit MS-DOS and Win3.1 apps
has
apparently lead to the unearthing of a 17-year-old Windows NT security flaw
I thought Microsoft nixed the old DOS routines, along with the OS/2
compatibility layer, in Windows XP? It's near-insanity to keep those low
level routines around this long - they should have been virtualized a long
time ago. Heck, DOSBox runs DOS software better than the console nowadays.
3:59 a.m.
Jason McBrien wrote:
On Tue, Jan 19, 2010 at 9:56 PM, Cameron Kaiser
<spectre at floodgap.com>wrote:
They are, and have been, virtualized since NT 3.1. (It's not called the
NT Virtual DOS Machine for nothing.) The bug here is in the thunking
layer for BIOS calls (translating a DOS disk read into an NT version,
etc...)
Josh
I'm not pointing this out to beat on poor
Josh! I'm not! I just think it's
an interesting angle that support for legacy 16-bit MS-DOS and Win3.1 apps
has
apparently lead to the unearthing of a 17-year-old Windows NT security flaw
I thought Microsoft nixed the old DOS routines, along with the OS/2
compatibility layer, in Windows XP? It's near-insanity to keep those low
level routines around this long - they should have been virtualized a long
time ago. Heck, DOSBox runs DOS software better than the console nowadays.
4 a.m.
Cameron Kaiser wrote:
I'm not pointing this out to beat on poor Josh!
I'm not! I just think it's
an interesting angle that support for legacy 16-bit MS-DOS and Win3.1 apps has
apparently lead to the unearthing of a 17-year-old Windows NT security flaw.
The really amusing thing would be if something similar existed in Classic
on OS X, or Rosetta.
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
Hey, I can handle it :). Interesting bug. I'm not a kernel hacker and
I don't know the details of how the NTVDM works all that well, but I'm
surprised that the CreateRemoteThread() call on the VDM subsystem
required for the exploit would actually work if you weren't already an
Administrator. (In which case an app running locally can already own
the box in any number of other ways).
NTVDM and 16-bit support in general have been removed from 64-bit SKUs
of Windows, starting with the 64-bit edition of XP. I miss it
sometimes, but there's always VirtualPC/VirtualBox/VMWare or the trusty
PS/2 model 80 I have sitting over here... ;)
(My favorite Windows bug has to be the csrss backspace bug (Fixed in
Vista!) :
http://www.juniper.net/security/auto/vulnerabilities/vuln3478.html)
- Josh
5466
days inactive
5466
days old
3 comments
3 participants
participants (3)
-
derschjo@mail.msu.edu -
jbmcb1@gmail.com -
spectre@floodgap.com