Privilege escalation through flaw in Windows kernel
Following their attention-grabbing announcement of holes in Apple drivers, which launched the Month of the Kernel Bugs (MoKB), the project's initiators have now reported a security hole in the kernel of Windows 2000 and XP through which local users could execute programs with system rights. The flaw lies in the way Windows manages graphics resources for applications.
For each application that requests resources from the Graphics Device Interface (GDI), the kernel maps a portion of global shared memory into the process with read-only rights. Cesar Cerrudo, the discoverer of the hole, claims that any process can re-map that shared memory with read and write rights and then manipulate it, because within the kernel that memory is assigned read, write and execute permissions by default.
Hence any process can overwrite GDI kernel structures and thereby provoke at least a Blue Screen of Death (BSoD). With a little finesse, attackers could also overwrite the structures in such a way that the kernel executes code planted there with system rights, Cerrudo reports. The announcement links to a proof of concept intended to demonstrate the BSoD.
According to the MoKB report, Cerrudo informed Microsoft of this vulnerability on 22 October 2004; it has nevertheless not been closed to date in either Windows 2000 up to Service Pack 4 or Windows XP up to Service Pack 2.
- Microsoft Windows kernel GDI local privilege escalation, security advisory from MoKB