March 25, 2013

Siemens Fixes Vulnerabilities Detected by Positive Technologies

Siemens has issued several patches for a series of critical vulnerabilities in its products. Security problems were detected in ICS components — development tools and HMI. More than ten vulnerabilities were eliminated. Insecure password storage, buffer overflow, and possibility of creating bookmarks in the SCADA project files were among them.

March 6, 2013

Stars aligner’s how-to: kernel pool spraying and VMware CVE-2013-1406

If you deal with Windows kernel vulnerabilities, it is likely that you’ll have to deal with a kernel pool in order to develop an exploit. I guess it is useful to learn how to keep the behavior of this kernel entity under your control.

In this article I will try to give a high level overview of kernel pool internals. This object has already been deeply researched several times, so if you need more technical information, please google it or use the references at the end of this article.

Kernel pool structure overview
Kernel pool is a common place for mining memory in the operating system kernel. Remember that there are very small stacks in the kernel environment. They are suitable only for a small bunch of local non-array variables. Once a driver needs to create a large data structure or a string, it will certainly use the pool memory.

There are different types of pools, but all of them have the same structure (except of the driver verifier’s special pool). Every pool has a special control structure called a pool descriptor. Among the other purposes, it maintains lists of free pool chunks, which represent a free pool space. A pool itself consists of memory pages. They can be standard 4 KB or large 1 MB in size. The number of pages used for the pool is dynamically adjusted.

Kernel pool pages are then split into chunks. These are the exact chunks that drivers are given when requesting memory from the pool.


Pool chunk on x86 systems