
Tech News Weekly: Edition 3-10

Ehtyar:
@4wd R.O.F.L!!! :greenclp:

Ehtyar.

f0dder:
Was the recent NTVDM local privilege escalation exploit used in the google attack?

That's a very interesting exploit, compared to your usual double-free/buffer-overrun/blablabla exploits, for a lot of reasons. Too bad MS didn't fix it long ago; they've been informed about it for a while. Also, while NTVDM is a very old component and you'd thus reason that "it's OK they haven't spent a lot of effort auditing NTVDM since it's a frozen target and unlikely to be exploited", there have been at least two privilege escalation attacks on NTVDM in the past...

Ehtyar:
The Google attack (and the rest of them) was the IE RCE (high reliability for IE6/XP only...makes you wonder).

I don't believe the NTVDM has been exploited in the wild yet (at least not to great effect). I'm not terribly excited about it TBH; if/when someone finds a creative way of *using* it, it might get interesting.

Ehtyar.

f0dder:
The Google attack (and the rest of them) was the IE RCE (high reliability for IE6/XP only...makes you wonder).-Ehtyar (January 24, 2010, 07:56 PM)
--- End quote ---
Yes, that's apparently how they got into the systems - I'm wondering if they used NTVDM to go LUA->Admin.

I don't believe the NTVDM has been exploited in the wild yet (at least not to great effect). I'm not terribly excited about it TBH; if/when someone finds a creative way of *using* it, it might get interesting.-Ehtyar (January 24, 2010, 07:56 PM)
--- End quote ---
Perhaps not used, but it's still one of the more interesting exploits for quite a while, even though it's "just" privilege escalation and not remote. Why? Partly because it's in such an unlikely target... and very much so because it affects all 32-bit NT versions. Want root? Got root! (Oh, and it's not just LUA->Admin... it's full kernel-mode privileges without loading a .sys).

Ehtyar:
AFAIK the NTVDM vuln was not used at all in the China hack.

I know why you found the NTVDM vuln interesting, I just don't particularly agree. I'd find it more interesting if they found something that impressive in a moving target, or something more readily exploitable. This was like taking candy from a baby.

Ehtyar.
