Tarjei Mandt, a security researcher at the Norwegian antivirus vendor Norman ASA, will demonstrate next week at Black Hat 2011 in Las Vegas how coding errors around user-mode callbacks can be used to attack the Windows kernel. A user-mode callback is the mechanism by which the kernel-mode window manager (win32k.sys) calls back into a user-mode process while it is still in the middle of handling a system call, for example to deliver a window message or run a hook procedure, so that the graphics subsystem can change windowing structures and move objects. User-mode callbacks have been part of Windows for more than a decade; the coding errors arise because, once a callback returns, the graphics subsystem and other components fail to sufficiently validate that the state they were working on has not been changed from user mode in the meantime.
Microsoft patched 30 privilege escalation vulnerabilities in April. Fifteen other kernel-level flaws were addressed in its July Patch Tuesday security updates. But Mandt said issues remain because many of the Windows components that use user-mode callbacks, especially the graphics subsystem, are very complex.
“There are a lot of things that could go wrong because of this design,” Mandt said in an interview with SearchSecurity.com. “Even though the number of flaws may seem high, the actual number is probably higher.”
In fact, the number of coding errors could run into the hundreds, Mandt said, and the flaws are present in all supported versions of Windows. In a real-world scenario, an attacker would first exploit a browser vulnerability or other application flaw to run code as an ordinary user and then attack the kernel through the user-mode callback mechanism to escalate privileges. The flaws are easy to exploit, Mandt said, because an application has great flexibility in manipulating the graphics APIs. Once a flaw is triggered, it is easy for the attacker to control the memory that the kernel still holds a reference to, he said.
Other operating systems use callbacks too, but those are typically asynchronous and do not interrupt execution in the kernel, Mandt said. Windows is different: its win32k.sys driver protects the windowing system's data structures with a single global lock, so before it can call back into user mode it has to release that lock. User-mode code is then free to destroy or alter the very objects the kernel was working with before the kernel re-acquires the lock and carries on. That is what creates the exploitable situations, Mandt said.
"Since it's a global locking mechanism, callbacks really break the design as I see it," he said.
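To make the hazard described in the two passages above concrete (a callback interrupting kernel execution, and a global lock that has to be dropped to enter user mode), here is an added, constructed user-space simulation in C. It is not win32k code, and every name in it (the Window struct, g_table, sys_set_title_vulnerable, sys_set_title_hardened, attacker_callback) is invented for illustration. A simulated kernel routine looks up a window by handle, drops the global lock to call back into user mode, and then keeps using the pointer it looked up. The constructed attacker callback destroys that window and allocates a new one that lands in the freed pool slot, so the vulnerable routine ends up writing into an object it never looked up. The hardened variant, loosely modelled on the hold-a-reference-and-recheck pattern, takes a reference before the callback and refuses to continue if the object was destroyed while the lock was released.

```c
/* Added example (not win32k code): user-space simulation of a kernel routine
 * that drops a global lock to call back into user mode and then keeps using
 * a pointer it looked up before the callback. All names are invented. */
#include <stdio.h>
#include <string.h>

#define MAX_WINDOWS 4
#define TITLE_LEN   32

typedef struct Window {
    int  in_use;           /* pool slot allocated */
    int  destroyed;        /* unlinked by user mode; freed once refs hit 0 */
    int  refs;             /* references held by in-flight kernel paths */
    int  handle;           /* index into g_table */
    char title[TITLE_LEN];
} Window;

typedef void (*user_callback_t)(void);

static Window  g_pool[MAX_WINDOWS];   /* stand-in for the kernel pool */
static Window *g_table[MAX_WINDOWS];  /* handle -> object, NULL if none */
static int     g_lock_held;           /* the single global lock */

static void acquire_lock(void) { g_lock_held = 1; }
static void release_lock(void) { g_lock_held = 0; }

static Window *pool_alloc(void) {
    for (int i = 0; i < MAX_WINDOWS; i++) {
        if (!g_pool[i].in_use) {
            memset(&g_pool[i], 0, sizeof g_pool[i]);   /* fresh object */
            g_pool[i].in_use = 1;
            return &g_pool[i];
        }
    }
    return NULL;
}

static void pool_free(Window *w) { w->in_use = 0; }

/* Handle lookup is only meaningful while the global lock is held. */
static Window *lookup(int handle) {
    if (!g_lock_held || handle < 0 || handle >= MAX_WINDOWS) return NULL;
    return g_table[handle];
}

/* "System call": create a window at a caller-chosen handle (simplification). */
int sys_create_window(int handle, const char *title) {
    acquire_lock();
    if (handle < 0 || handle >= MAX_WINDOWS || g_table[handle]) { release_lock(); return -1; }
    Window *w = pool_alloc();
    if (!w) { release_lock(); return -1; }
    w->handle = handle;
    strncpy(w->title, title, TITLE_LEN - 1);
    g_table[handle] = w;
    release_lock();
    return 0;
}

/* "System call": unlink a window; its memory is released as soon as no
 * kernel path holds a reference to it. */
int sys_destroy_window(int handle) {
    acquire_lock();
    Window *w = lookup(handle);
    if (!w) { release_lock(); return -1; }
    g_table[handle] = NULL;
    w->destroyed = 1;
    if (w->refs == 0) pool_free(w);
    release_lock();
    return 0;
}

/* Vulnerable pattern: a raw pointer survives the callback unvalidated. */
int sys_set_title_vulnerable(int handle, const char *title, user_callback_t cb) {
    acquire_lock();
    Window *w = lookup(handle);
    if (!w) { release_lock(); return -1; }
    release_lock();   /* the global lock must be dropped to enter user mode */
    cb();             /* user mode may destroy or reallocate anything here */
    acquire_lock();
    strncpy(w->title, title, TITLE_LEN - 1);   /* BUG: w may be stale */
    release_lock();
    return 0;
}

/* Hardened pattern: hold a reference across the callback, recheck after. */
int sys_set_title_hardened(int handle, const char *title, user_callback_t cb) {
    acquire_lock();
    Window *w = lookup(handle);
    if (!w) { release_lock(); return -1; }
    w->refs++;        /* the object cannot be freed underneath us now */
    release_lock();
    cb();
    acquire_lock();
    int rc = -1;
    if (!w->destroyed) {             /* user mode may still have unlinked it */
        strncpy(w->title, title, TITLE_LEN - 1);
        rc = 0;
    }
    if (--w->refs == 0 && w->destroyed) pool_free(w);   /* deferred free */
    release_lock();
    return rc;
}

/* Constructed attacker callback: destroy the window the kernel is using and
 * allocate a fresh window that is placed in the same pool slot. */
static void attacker_callback(void) {
    sys_destroy_window(0);
    sys_create_window(2, "attacker");
}
static void benign_callback(void) { }

/* Run one scenario from a clean state. Returns the handle whose title ended
 * up as "kernel", or -1 if the kernel routine wrote to no live window. */
int run_scenario(int hardened, int attack) {
    memset(g_pool, 0, sizeof g_pool);
    memset(g_table, 0, sizeof g_table);
    sys_create_window(0, "victim");
    user_callback_t cb = attack ? attacker_callback : benign_callback;
    if (hardened) sys_set_title_hardened(0, "kernel", cb);
    else          sys_set_title_vulnerable(0, "kernel", cb);
    for (int h = 0; h < MAX_WINDOWS; h++)
        if (g_table[h] && strcmp(g_table[h]->title, "kernel") == 0) return h;
    return -1;
}

int main(void) {
    printf("vulnerable, attacked: title landed on handle %d\n", run_scenario(0, 1));
    printf("hardened,   attacked: title landed on handle %d\n", run_scenario(1, 1));
    return 0;
}
```

With the attacker callback, the vulnerable routine reports success yet its write lands on handle 2, the object the attacker allocated into the slot that handle 0 used to occupy; in a real kernel that stale pointer would be dangling into freed or reallocated pool memory. The hardened routine fails cleanly because the reference it holds keeps the object alive long enough to notice the destroyed flag. The simulation is single-threaded and uses a static pool so the slot reuse is deterministic; a real exploit would have to win the reallocation with heap spraying.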
The bulk of Mandt's research has been on the Window Manager and the win32k.sys driver, which together manage and manipulate the windowing system in Windows. Not much effort has gone into securing kernel components, possibly because the majority of attacks have been at the application layer, Mandt said. There is also no address space layout randomization (ASLR) in the kernel.
“It doesn’t matter whether you’re on an XP box, Vista or Windows 7,” he said. “Since you’re able to retrieve the information you want from the kernel, this makes it really easy to exploit vulnerabilities despite being on newer systems.”
Other researchers have found kernel-level vulnerabilities in other subsystem components, such as font parsing. In 2009, once proof-of-concept code surfaced, Microsoft quickly addressed several serious kernel vulnerabilities, including an error in the way Windows handles Embedded OpenType (EOT) fonts. An attacker could set up a malicious website that exploited the flaw against Internet Explorer users through an embedded OpenType font.