On October 22, 2004, Argentine hacker Cesar Cerrudo approached Microsoft with the discovery of a Windows Kernel GDI local privilege escalation vulnerability. At the time, Cerrudo said Redmond's security response team deemed it a "design problem" and filed it away as something "to be fixed in a future service pack."
Late last year, during LMH's Month of Kernel Bugs project, details on this bug surfaced again, along with debugger information and a note that it remained unpatched after more than two years.
Now comes word from Immunity Inc.'s Dave Aitel that his research team has written a reliable exploit that gives an attacker local root access on Windows 2000 and Windows XP systems. The exploit has been released to Immunity's partner program, which offers up-to-the-minute information on new vulnerabilities and exploits to IDS (intrusion detection system) companies and larger penetration testing firms. "Everyone now has local root, which is useful on pen tests," says Aitel.
Interestingly, the U.S. government's NVD (National Vulnerability Database) gives this flaw a high severity rating -- CVSS 7.0 -- and warns that it could be exploited to gain administrator access and compromise the confidentiality and integrity of data on Windows 2000 through 2000 SP4 and Windows XP through SP2.
Immunity's new exploit of a moldy old vulnerability underscores just how risky it is for Microsoft to delay pushing out fixes for bugs originally considered low-risk.
Microsoft prioritizes security fixes based on the severity of a vulnerability, but in some cases this can be quite dangerous: an external researcher (or malicious hacker) may discover an exploitable condition in an issue that was rated "low risk."
However, in December 2005, a security researcher issued an advisory (with exploit) to prove that the IE flaw could in fact be used in remote code execution attacks. This sent Microsoft scrambling to ship a critical IE bulletin with fixes for the same old flaw.
Any bets we'll see this happen again?
[UPDATE: March 12, 2007 at 6:13 PM Eastern] Joel Eriksson, CTO of Bitsec, wrote in to say that he created the exploit and sold it to Immunity. In 60 days, after Immunity's exclusivity expires, Bitsec will release the exploit to the public. He also mentioned an interesting blog post (with screenshots) discussing reliable kernel exploits.