January 19, 2017

System privilege escalation vulnerability found in XEN on 64-bit Intel hardware

(LiveHacking.Com) – Rafal Wojtczuk of Bromium, Inc. has found a new vulnerability that could possibility be exploited for local privilege escalation. The bug in several different operating systems and Hypevisors, like the XEN virtualization software, affects systems using 64-bit Intel CPU hardware. To exploit the vulnerability an attacker needs to create a special stack frame which will be executed by the kernel of the host operating system after a general protection fault. The problem is that the general protection fault will be handled before the stack switch, which means the exception handler will be run in the kernel of the host operating system using the specially created stack frame, in short – a privilege escalation.

The error only exhibts itself on Intel 64-bit CPUs. AMD CPUs are not affected. Also the vulnerability seems to exist only in the XEN hypervisor (or its variants). VMware is not vulnerable. According to Xen Security Advisory 7, the result of a successful exploitation is that administrators of guest OSes can gain control of the host OS.

Modern operating systems implement a rings model of security, where privileged operations are performed in RING 0 (the kernel). Most applications run in RING 3 and request access to RING 0 by making system calls. The calls put the CPU into the required privilege level and passes control to the kernel. By using the combination of a special stack frame and a general protection fault the attackers force the system to run their code in RING 0 rather than RING 3.

Microsoft released a patch for Windows a few days ago as part of June’s Patch Tuesday. According to Microsoft the fix changes the way that the Windows User Mode Scheduler handles a particular system request and the way that Windows manages BIOS ROM.

Vendor specific information on this vulnerability have been published by XenFreeBSD and Microsoft. Linux vendor Red Hat has also published two security advisories: RHSA-2012:0720-1 and RHSA-2012:0721-1.

On some operating systems, like FreeBSD, running the 32-bit variant of the OS on a 64 bit capable CPUs means the operating systems is not vulnerable.