October 21, 2007

0+1 Day local privilage escalation exploit on XP/2003

While browsing my bookmarked feeds , I notices this new (actually replaced!) post on Symantec . First I though it`s another post about the case I`ve previously read on their blog but checking my history told me It was same old post, completely changed since my last visit !
I`m really confused about their action . This vulnerability is already well-known and I can say actively being used even BEFORE some companies (Eeye, Symantec , etc. ) report about it . Disclosing yet another toy from black-hats toy-box nor withhelding technical details of an already known (and in the wild )0day flaw is not something new.
What make me confused , is how a big security company like Symantec react . At early discloser time they put a clear screen-shot plus enough technical details on how to trigger/exploit the case like a surprised child getting his new toy , and few hours later (seems dad punished him!) they completely REWRITE (No I don`t mean update) their post , trying to keep safe the new case till Microsoft patch it. Hmm I call it Partial-Full Discloser .
here`s a snip of their silly rewrite :

"At this time, we will not disclose the details of the vulnerability; however, we'll just say that the affected component is a driver that is shipped in many Windows installations by default. It is also included in the \i386 folder. Under some circumstances, this driver can write into the kernel memory without proper restrictions."

Dude , you`ve already published anything a sharp mind needs to exploit the flaw before rewriting your post :>




I was thinking about revealing full technical details about the case , but seems Eeye updated related "Zero-Day Tracker" page and provided enough technical details among PoC and samples.
No need to say that you can reproduce Symantec 0day by help of Kartoffel a usefull tool built to fuzz/test/exploit driver bugs and vulnerabilities . feel free to fill the blanks with your custom shellcode from Metasploit . Checking Ruben`s post will give you cleaned-up technical details.

Hands up for first Milw0rm post !

Have fun.


No comments:

Post a Comment