
CERT-In Vulnerability Note CIVN-2010-04
Microsoft Windows #GP Trap Handler Local Privilege Escalation Vulnerability

Original Issue Date: January 22, 2010
Updated: February 11, 2010

Severity Rating: High

Software Affected

  • Microsoft Windows 2000 SP 4
  • Windows XP SP 2 and SP 3
  • Windows Server 2003 SP 2
  • Windows Vista, Windows Vista SP 1, and Windows Vista SP 2
  • Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems SP 2
  • Windows 7 for 32-bit Systems

Overview

A local privilege escalation vulnerability has been reported in the Microsoft Windows kernel that could allow a local attacker to execute arbitrary code with kernel privileges and completely compromise a vulnerable system.

Description

The Windows kernel is the core of the operating system. It provides system-level services such as device management, memory management, allocation of processor time to processes, and error handling.

The Windows Virtual DOS Machine (NTVDM) subsystem is a protected-environment subsystem that emulates MS-DOS and 16-bit Windows within Windows NT-based operating systems.

This vulnerability is due to the Windows kernel not properly handling certain exceptions when setting up a VDM (Virtual DOS Machine) context, which is used to support the BIOS calls made by 16-bit applications.

This can be exploited by a local attacker who sets up a specially crafted request to the kernel with a "VDM_TIB" structure in their thread's TEB (Thread Environment Block), reaching the "Ki386BiosCallReturnAddress()" function via the #GP trap handler (nt!KiTrap0D); this leads to modification of the kernel stack.

Workaround

Note:

  • Attackers with valid local logon credentials can exploit this vulnerability
  • Windows operating systems for x64-based and Itanium-based computers are not affected
  • Proof-of-concept code is publicly available on the Internet.

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS10-015.
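The following triage script is an added example and is not part of this note or of Microsoft's bulletin. It reports whether a host falls into the affected set described above (32-bit Windows, x64 and Itanium not affected), whether the NTVDM subsystem has been disabled by policy, and whether the MS10-015 update is installed. The VDMDisallowed policy value is taken from Microsoft Security Advisory 979682 linked below (the "disable NTVDM" workaround), not from this note; the hotfix KB number is a placeholder to be filled in from the MS10-015 bulletin.

```powershell
# Added triage script for CIVN-2010-04 / MS10-015 (not from the CERT-In note).
# Assumptions:
#  - Only 32-bit Windows is affected (stated in the note above).
#  - HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat\VDMDisallowed = 1 is the
#    "disable NTVDM subsystem" workaround from Microsoft advisory 979682.
#  - $HotfixId is a placeholder; replace it with the KB number given in MS10-015.

function Test-CIVN201004Exposure {
    param([string]$HotfixId = 'KB<MS10-015-hotfix-id>')   # placeholder, see note above

    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Determine native processor architecture. PROCESSOR_ARCHITEW6432 is set when a
    # 32-bit PowerShell runs on a 64-bit OS, so check it before PROCESSOR_ARCHITECTURE.
    $nativeArch = if ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 }
                  else { $env:PROCESSOR_ARCHITECTURE }
    $is32Bit = ($nativeArch -eq 'x86')        # AMD64 / IA64 hosts are not affected

    # Workaround check: NTVDM disabled via the AppCompat policy key.
    $policyPath    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
    $vdmDisallowed = (Get-ItemProperty -Path $policyPath -Name VDMDisallowed `
                        -ErrorAction SilentlyContinue).VDMDisallowed
    $ntvdmDisabled = ($vdmDisallowed -eq 1)

    # Patch check: look for the MS10-015 hotfix in the installed-updates list.
    $patched = [bool](Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue)

    # A host is exposed only if it is 32-bit AND NTVDM is still enabled AND unpatched.
    $exposed = $is32Bit -and (-not $ntvdmDisabled) -and (-not $patched)

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        OS             = $os.Caption
        Architecture   = $nativeArch
        NtvdmDisabled  = $ntvdmDisabled
        Patched        = $patched
        Exposed        = $exposed
    }
}

Test-CIVN201004Exposure | Format-List
```

Run it in an elevated Windows PowerShell session on each host; a result of Exposed = True means the note's solution (MS10-015) or the NTVDM workaround still needs to be applied there.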

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/advisory/979682.mspx
http://www.microsoft.com/technet/security/Bulletin/MS10-015.mspx

References

Secunia
http://secunia.com/advisories/38265/

ISS XFORCE
http://xforce.iss.net/xforce/xfdb/55742

SecurityFocus
http://www.securityfocus.com/bid/37864

VUPEN
http://www.vupen.com/english/advisories/2010/0179

Security Tracker
http://securitytracker.com/alerts/2010/Jan/1023471.html

CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=19754

SANS
http://isc.sans.org/diary.html?storyid=8050

CVE Name
CVE-2010-0232

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003