Shortly after the recent 0-day in Internet Explorer (Réf Lexsi 12808) and Operation Aurora, a privilege escalation vulnerability has been disclosed in the 16-bit subsystem of Windows. All Windows versions are affected, from NT 3.1 (!) to Windows 7.

The vulnerability (Réf Lexsi 12828) affects the VDM (Virtual DOS Machine) component of Windows, whose role is to let 16-bit real-mode applications run inside a 32-bit protected-mode system, using the virtual 8086 mode provided by the processor. When the General Protection Fault handler (interrupt 0x0d) restores the context and the stack, it checks that both are valid, but that check relies on three assumptions which can be bypassed, allowing an attacker to supply his own context and stack. Tavis Ormandy (Google) has published the details on Full-Disclosure, together with exploit code.

Here is the scenario:

  1. a process is launched (for example cmd.exe)
  2. the base address of Ntoskrnl is determined
  3. a memory scan is performed to find the offset of Ki386BiosCallReturnAddress() from Ntoskrnl
  4. a 16-bit application is run (for example debug.exe) to initialize the NTVDM context
  5. a DLL is injected into the ntvdm.exe process

The DLL performs the following operations:

  1. the address of Ki386BiosCallReturnAddress() is retrieved from an environment variable passed by the previous binary
  2. a fake kernel stack frame is set up with a return address pointing to an arbitrary function (the payload)
  3. in the current TEB, VDM_TIB.VdmContext.Esi is set to point to the fake stack and VDM_TIB.VdmContext.Eip to Ki386BiosCallReturnAddress()
  4. NtVdmControl() is called to trigger the vulnerability and execute the payload in kernel context

Once the vulnerability has been successfully exploited, the payload grabs the security token of the SYSTEM process and overwrites the token of the target process (cmd.exe). In the screenshot below, taken on a Windows 7 system, the token of the initial process on the left maps to the Lexsi user, whereas the token of the newly created cmd.exe on the right has become SYSTEM:

Tavis Ormandy did contact Microsoft last June, but decided to publish the vulnerability without following responsible disclosure. However, a GPO can be deployed to disable the 16-bit subsystem and block the exploitation.
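The GPO in question is "Prevent access to 16-bit applications" (Computer Configuration > Administrative Templates > Windows Components > Application Compatibility), which writes the DWORD VDMDisallowed = 1 under the AppCompat policy key. The script below is an added example, not part of the original post: it audits that value on a single machine, optionally applies it with the -Apply switch (run elevated), and lists any ntvdm.exe instance already running.

```powershell
# Added example (not from the original post): audit the "Prevent access to
# 16-bit applications" setting that the GPO above deploys, and optionally
# apply it locally. Run from an elevated PowerShell prompt.
param([switch]$Apply)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$Name    = 'VDMDisallowed'

# Absent value or 0 means the 16-bit subsystem (NTVDM) can still be started.
$current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
if ($current -eq 1) {
    Write-Output "OK: 16-bit subsystem disabled by policy ($KeyPath\$Name = 1)"
} else {
    Write-Output "AT RISK: $KeyPath\$Name is '$current' (NTVDM can still be launched)"
    if ($Apply) {
        if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
        New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Output "Applied: $Name set to 1 (blocks new 16-bit application launches)"
    }
}

# Detection hint: any ntvdm.exe already running is a live 16-bit VDM instance.
# 64-bit Windows ships no NTVDM at all, so nothing is listed there.
Get-Process -Name ntvdm -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output ("Running VDM: PID {0} started {1}" -f $_.Id, $_.StartTime) }
```

Setting the value locally is only a stopgap; a domain GPO keeps the setting enforced across machines and survives a local reset.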