From his advisory (http://lists.grok.org.uk/pipermail/full-disclosure/2010-January/072549.html):

"In order to support BIOS service routines in legacy 16bit applications, the Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode monitor code. These are implemented in two stages, the kernel transitions to the second stage when the #GP trap handler (nt!KiTrap0D) detects that the faulting cs:eip matches specific magic values.

Transitioning to the second stage involves restoring execution context and call stack (which had been previously saved) from the faulting trap frame once authenticity has been verified.

This verification relies on the following incorrect assumptions:

 - Setting up a VDM context requires SeTcbPrivilege.
 - ring3 code cannot install arbitrary code segment selectors.
 - ring3 code cannot forge a trap frame.

This is believed to affect every release of the Windows NT kernel, from Windows NT 3.1 (1993) up to and including Windows 7 (2009)."

Juha-Matti
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.