Windows GP Trap Handler Privilege Escalation – Meet CORE IMPACT Pro

January 22, 2010

It’s amazing to me how the 17-year-old Windows GP Trap Handler Privilege Escalation bug is back in the news making security n00bs across the land shake in their Florsheim zipper boots.

chp_lock_binaryTo me it’s just shocking to think that such an old vulnerability is still making waves, but, truthfully our initial efforts to gather testing trends information from CORE IMPACT Pro customers (voluntarily and anonymously) has shown us that many companies are still running exploits for such longstanding issues and more importantly, still  finding exploitable instances.     

That’s why on Wednesday afternoon IMPACT Pro customers should have noticed a very nice looking update sitting in their queue.  If you didn’t notice it, you’re late and missing out on all of the fun. The Microsoft Windows GP Trap Handler Privilege Escalation Exploit is now available to IMPACT Pro
customers as a pre-released version… w00t!

And before you roll your eyes and say “well then I’m glad that I don’t run any of those OS's anymore,” check again, because the affected list keeps growing. The involved issue is believed to be present in EVERY fully-patched version of Windows going all the way back to version 3.1 and stayed put up until Windows 7.

This vulnerability is specifically caused by an error within the GP Trap Handler, which can and will be exploited to execute arbitrary code with….dun dun dun…..KERNEL PRIVILEGES.

Now, we all know Vista is a much tougher platform to exploit to privilege escalation, however, myself and a few of our customers agree, with this type of flaw it makes getting privilege escalation trivial. You can easily give yourself kernel level privileges without setting off a single flag. I noticed that nothing caught it or its’ calls… and we’re talking about testing a pretty hardened system.

The ability to use the assumption of the operating system on how to interpret 16-bit apps is not only elegant, but also very simple. I find it amazing that Microsoft has known about this vulnerability since June of 2009, and has not released a patch as of yet. 

However, the same day Microsoft released their advisory we released our early release exploit.

Naturally, we think that using it and CORE IMPACT Pro to test the vulnerability is the best way to develop proper offensive, as well as defensive, techniques to protect against any related attacks.

Way to go. Way. To. Go.

Stay safe…stay secure…..PEN TEST!

-Caitlin Johanson, Technical Support Engineer

 

.

  • Penetration testing

Ready for a Demo?

Eliminate identity-related breaches with SecureAuth!