Pages

Wednesday, March 19, 2014

The Kernel is calling a zero(day) pointer – CVE-2013-5065 – Ring Ring


Here's my analysis of a PDF file which contained two different vulnerabilities, a remote-code-execution vulnerability in Adobe Reader and a new escalation-of-privileges zero-day vulnerability in Windows Kernel.

The full story:
http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html

A flaw in NDProxy driver while processing Telephony Application Programming Interface (TAPI) operations, was used to cause the Kernel to dispatch out-of-boundaries function. Therefore, one could exploit this vulnerability and gain SYSTEM privileges and bypass different sandbox protections.

The vulnerability allows index control of the following static function table, which get executed in the kernel context:


Dispatching the invalid PxTapi function results access to address 0x0 in memory and crash: