Attacking the Vista Kernel


CNet reported not long ago on a new vulnerability found in the kernel of Vista[1]. The attack is a buffer overflow that corrupts memory and could therefore be used for denial of service attacks. The report from Phion, the security company that discovered the vulnerability, also states that the attack could be used to inject code[2].


The buffer overflow is triggered by adding a route whose subnet-bits (prefix length) value is out of range to the IPv4 routing table. For example, the following command will make Vista crash with a blue screen of death:

C:>route add 127.0.0.1/250 127.0.0.2

In the command above, we specified 254 as the number of subnet bits, which is an illegal value for an IPv4 destination (the maximum is 32). According to the vulnerability report by Thomas Unterleitner, the greater the value, the sooner the crash occurs[3].

The overflow lies in the CreateIpForwardEntry2 function, which is part of the IP Helper library (Iphlpapi.dll). The problem arises because the function does not validate the PrefixLength field of the DestinationPrefix member of the MIB_IPFORWARD_ROW2 structure passed to it. Therefore, the following code should crash the kernel[4]:

In order for this code to work you must be in the Administrators group or in the Network Operators group, so it is of limited use for most people, but you never know.
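The check the advisory says CreateIpForwardEntry2 omits, written from the caller's side as an added example (this is not Unterleitner's code and not part of the original post): a destination prefix such as the one typed into `route add` is parsed and its prefix length is bounded by the address family before anything is handed to a routing API. It uses POSIX inet_pton so it builds on any platform; on Windows the same gate would sit in front of filling MIB_IPFORWARD_ROW2.DestinationPrefix.

```c
/* Caller-side validation of a destination prefix before it reaches a
 * routing API such as CreateIpForwardEntry2. Added example, not the
 * advisory's code; it uses POSIX inet_pton so it builds anywhere, and the
 * same check would guard MIB_IPFORWARD_ROW2.DestinationPrefix on Windows. */
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <sys/socket.h>
/* Largest legal PrefixLength for an address family, or -1 if unknown. */
static int max_prefix_length(int family)
{
    if (family == AF_INET)  return 32;
    if (family == AF_INET6) return 128;
    return -1;
}
/* The check the vulnerable function omitted: 1 if legal, else 0. */
int prefix_length_is_valid(int family, long prefix_len)
{
    int max = max_prefix_length(family);
    return max >= 0 && prefix_len >= 0 && prefix_len <= max;
}

/* Parses "address/bits" as typed on a `route add` command line.
 * Returns 1 and sets *family and *prefix_len, or 0 if the text is rejected. */
int parse_destination_prefix(const char *text, int *family, long *prefix_len)
{
    char buf[64];
    unsigned char addr[16];          /* large enough for an IPv6 address */
    char *slash, *end;
    long bits;

    if (strlen(text) >= sizeof buf) return 0;
    strcpy(buf, text);
    slash = strchr(buf, '/');
    if (slash == NULL) return 0;
    *slash = '\0';

    if (inet_pton(AF_INET, buf, addr) == 1)       *family = AF_INET;
    else if (inet_pton(AF_INET6, buf, addr) == 1) *family = AF_INET6;
    else return 0;

    errno = 0;
    bits = strtol(slash + 1, &end, 10);
    if (errno != 0 || end == slash + 1 || *end != '\0') return 0;
    if (!prefix_length_is_valid(*family, bits)) return 0;   /* e.g. /250 */
    *prefix_len = bits;
    return 1;
}
```

With this gate in place, `127.0.0.1/250` is rejected before any routing call is made, while `10.0.0.0/8` and `2001:db8::/33` pass.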

Microsoft said it had no intention of patching this buffer overflow before the next Vista service pack[5]. This exploit doesn’t apply to Windows XP.


[1] “Kernel vulnerability found in Vista”, David Meyer, CNet Security, November 22, 2008, http://news.cnet.com/8301-1009_3-10106173-83.html?part=rss&subj=news&tag=2547-1_3-0-20 (accessed on November 25, 2008)

[2] “Microsoft VISTA TCP/IP stack buffer overflow”, Thomas Unterleitner, November 19, 2008, http://www.securityfocus.com/archive/1/498471 (accessed on November 25, 2008)

[3] Ibid.

[4] Ibid.; code by Thomas Unterleitner.

[5] “Vista kernel is vulnerable”, Egan Orion, The Inquirer, November 24, 2008, http://www.theinquirer.net/gb/inquirer/news/2008/11/24/vista-kernel-vulnerable (accessed on November 25, 2008)

Author: Jonathan Racicot
