MS08-025: Microsoft Windows kernel vulnerable to local privilege escalation flaw

MS08-025: Microsoft Windows kernel vulnerable to local privilege escalation flaw

Summary: From Microsoft: A local attacker who successfully exploited this vulnerability could take complete control of an affected system.  An attacker could then install programs; view, change, or delete data; or create new accounts.

SHARE:

From Microsoft: 

A local attacker who successfully exploited this vulnerability could take complete control of an affected system.  An attacker could then install programs; view, change, or delete data; or create new accounts.  This is an important security update for all supported editions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista and Windows Server 2008.  This security update addresses the vulnerability by modifying the way that the Windows kernel validates inputs passed from user mode.  Updates are available for the affected software.

Mmmmm that's tasty.  Don't underestimate this one... getting user-level access to a system is either than one thinks... especially in a corporate environment.  A regular user might be able to gain legitimate access to a more important system as a user, through privileges provided by the domain controller, and then utilize this to gain admin privileges.  Perhaps dump the creds on that system, maybe get a cached domain admin credential, and now you own the entire network.

To make it worse, exploit code is publicly available already from a couple sources (listed on Security Focus):

The following exploit is available to members of the Immunity Partner's Program:

https://www.immunityinc.com/downloads/immpartners/ms08_025.tgz

The following proof-of-concept code and exploit are available:

Good thing Microsoft patched this one awhile back, but I would double check you are up to date now that the exploit code is public.

Topics: Microsoft, Operating Systems, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

48 comments
Log in or register to join the discussion
  • Crumbs

    The 10 year old mouse is out.

    Who'da thought?
    fr0thy2
    • RE: Crumbs

      Not following...

      -Nate
      nmcfeters
  • New news?

    Isn't this just rehashing news from three weeks ago? Not that it isn't a serious flaw, but it's old news. Can't we just wait for the next patch Tuesday, or is that just too long between MS vulnerability articles?
    KTLA
    • RE: New news?

      Sorry, I thought people would be interested in seeing a bug with public proof of concept code. If this isn't the case, it will flesh out and I'll avoid posting on the subject in the future.

      -Nate
      nmcfeters
      • No, this is very interesting, there is now proof of concept code, and we

        needed to know that. It is a lot more than a rehash. Thanks for the coverage.
        DonnieBoy
        • Thanks

          Yeah, that's what I was thinking too. A lot of people ignore local privilege escalation issues, and especially without proof of concept code.

          -Nate
          nmcfeters
      • Point made

        I see your point. I read the headline to read like the bulletin was something new you were reporting, and the proof of concept was another facet of the article.

        "Exploit created for MS..." I guess would have been more clear, but to be fair, the fact that exploit code is out is newsworthy.

        Guess my comment was really for the headline...
        KTLA
        • Upon re-read...

          Actually, I think the issue is that you're implying that a current version is vulnerable. If you include unpatched systems, isn't every system horribly exposed to vast numbers of attacks?

          So yes, there's a story, but the headline hides the fact that you're only referring to a system that has remained unpatched weeks after they were prompted to patch, a problem for any system.
          KTLA
          • Re; Upon re-read

            Well, perhaps the title is mis-leading. I didn't mean for it to be.

            I work with all types of clients... some of those don't just blindly patch critical systems when windows update comes out. In some cases, (these are the extreme) I've seen people who do individual patches based on the criteria they meet. So, a company may not care about local privilege escalation if there's no source code released to exploit it, it just doesn't hit home.

            That's why I re-released this to get all of the details out there.

            Going forward, I'll try to have more tech talk analysis of the vulnerability to make it more interesting to those who have already patched... does that help?

            I want my readers to enjoy reading the blog, not to think I'm just dropping patch Tuesday reports, so I welcome your critique.

            -Nate
            nmcfeters
  • Trustworthy Computing

    Didn't Vista go through the "Trustworthy" computing initiative? How did this flaw escape notice? Parameter validation is one of the first things you check for.
    rpmyers1
    • Trusyworthy computing does not guarantee there will be...

      ...no flaws. It was an effort to reduce them. I am constantly amazed how ABMers expect Windows to be 100% flawless yet excuse their OS of choice for not being so.
      ye
      • re: Trusyworthy computing does not guarantee there will be

        Sorry, it is late here. I meant to add this to message not
        parent.

        Err, because Microsoft have had billions of dollars more than
        the others that they could have spent getting their stuff
        right? Oh, and how long did we wait for Vista?
        Tim99
        • Billions of dollars will not assure error free code.

          The fact you think it does demonstrates your incompetence.
          ye
          • Ye - Incompetence?

            I see you are wrong again. You said "It was an effort to
            reduce them." Proper software can sometimes approach
            error free.

            If MS spent as much care as, say, IBM did on their NASA
            contract http://ieeexplore.ieee.org/xpl/freeabs_all.jsp?
            tp=&arnumber=17928&isnumber=655 you might not have
            to feel so defensive. Although if MS were capable of the .1
            errors per thousand lines of code quoted they would still
            have >5000 errors in Vista. Perhaps you should compare
            that with OpenBSB.

            As an aside, your hostile reply would seem to me to be a
            sign of immaturity, or a joyless life. Please, either be civil
            or, grow up.
            Tim99
          • Yeah, we're all getting fired up and a bit to personal

            Incompetence was not appropriate for Ye to mention.

            In any case, I will agree that all OS's have these types of
            issues, and I struggle Tim, with your analogy to IBM and
            their secure code for the NASA project. That's just one
            specific example of IBM doing well, where as I'm sure there
            are several examples of them doing poorly.

            I actually saw in one of IBM's help manuals on how to
            program for one of their server products, their code
            example was blatantly suggesting that a developer should
            code a cross-site scripting vulnerability.

            The point is, these are real issues for all out there.
            Security is everyone's problem.
            nmcfeters
          • Sorry my IBM analogy was not clear.

            What I was trying to say was that companies can code
            securely if they have the will and spend the time and
            money on it. Another IBM example would be MVS - z/OS
            this was secure because it had to be.

            A personal anecdote - I remember discussions in the
            1980s along the lines of "Why would we leave our secure
            stable VMS environment, and move to UNIX? Everyone
            knows that UNIX is not as secure!". Then this changed. VMS
            was essentially degraded when it was purchased by a PC
            company (Compaq) who did not have the experience of
            large systems. When that company was purchased by HP,
            who did have large (UNIX) system experience, it was too
            late for VMS - UNIX was secure enough.

            I suspect that biggest obstacle to making a secure
            environment is the attitude of management. VMS was
            pretty damn secure; and the stories are that when Dave
            Cutler led the development team for NT, the original
            project was also secure - apparantly 'management'
            persuaded him that this level of security was not necessary.

            Microsoft do not, in my opinion, have the historical mind-
            set of making secure, reliable, scalable software. Their
            attitude has always been "Tell the customer, we will fix all
            of this stuff in the next major release". I believe that this is
            still the way that they think - If their software was reliable,
            would we upgrade? If we don't upgrade, MS quickly
            becomes a backwater - I guess that may be a problem if
            you base your business on software instead of hardware,
            consultancy and support. Although against that idea, I
            decided years ago that MS are, in reality, a service
            company - Their customers don't actually own anything
            much...
            Tim99
      • Yes agreed

        I think we can all agree that the trustworty initiative has made Vista far more secure than its predecessors, even if we cling to a belief that the other OS's are still stronger.

        Nothing will ever be 100% free of flaws, there just like other code defects.

        -Nate
        nmcfeters
      • static code analysis

        Parameter validation can be verified with static code analysis. This implies they haven't run it, or haven't figured out the rules they need to use.
        rpmyers1
        • RE: Static Code Analysis

          Do you know how many lines of code are in the Windows Kernel? It's just not that simple. Plus, you're analyzing static kenrel code, which is not just regular stuff... kernel code is pretty intense.

          I'm glad you are on the side of they should've found it, they should've, but this stuff is going to slip through for sure. Kernel flaws are not unique to Windows and are very difficult to find and exploit.

          -Nate
          nmcfeters
          • Exactly, the OS is so complicated that we can not expect zero flaws. BUT,

            that is one of the security problems with Windows. Many would argue Windows (especially Vista) is way too complex, and thus more vulnerable because of the un-needed complexity.
            DonnieBoy