[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Positive Research] Intel SMEP overview and partial bypass on Windows 8 (whitepaper)

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [Positive Research] Intel SMEP overview and partial bypass on Windows 8 (whitepaper)
From: noreply@xxxxxxxxxxxxx
Date: Mon, 17 Sep 2012 16:00:30 GMT

Intel SMEP overview and partial bypass on Windows 8 (whitepaper).

"
<...>
It is natural to conclude that if you can?t store your shellcode in the 
user-mode, you have to find a way to store it somewhere in the kernel space. 
The most obvious solution is using windows objects such as WinAPI (Events, 
Timers, Sections etc) or GDI (Brushes, DCs etc). They are accessed indirectly 
from the user-mode via WinAPI that uses system calls. The point is that the 
object body is kept in the kernel and somehow some object fields can be 
modified from the user-mode, so an attacker can transfer the needed shellcode 
bytes from the user-mode memory to the kernel-mode.
<...>
"

-----[ Full details ]
---[ Blog

http://blog.ptsecurity.com/2012/09/intel-smep-overview-and-partial-bypass.html

---[ Whitepapers

English version (PDF):
http://www.ptsecurity.com/download/SMEP_overview_and_partial_bypass_on_Windows_8.pdf

Russian version (PDF):
http://www.ptsecurity.ru/download/Technology_Overview_Intel_SMEP_and_partial_bypass_on_Windows_8.pdf

Thx!

---------------------------------
AShishkin[at]ptsecurity[dot]ru

http://www.ptsecurity.com
http://blog.ptsecurity.com
http://www.phdays.com

Prev by Date: [waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08
Next by Date: Axis VoIP Manager v2.1.5.7 - Multiple Web Vulnerabilities
Previous by thread: [waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08
Next by thread: Axis VoIP Manager v2.1.5.7 - Multiple Web Vulnerabilities
Index(es):
- Date
- Thread