
Privilege Escalation Exploit In the Wild 

Oct 16, 2007 03:00 AM

During the weekend I found an interesting sample exploiting a possibly new and undocumented vulnerability for Windows XP and 2003. The exploit is a local privilege escalation that allows users with a restricted account to gain a SYSTEM shell with higher privileges. In my tests the exploit seems to work successfully against a fully patched Windows XP-SP2 and also Windows 2003-SP1. At this time, Vista does not seem to be affected by the problem.



We notified Microsoft and they were already aware of this specific issue. The mitigating factor is that the attacker has to be logged onto or have access to the compromised computer with a valid account, since the exploit only works locally. Home users are probably less exposed to this threat.

At this time, we will not disclose the details of the vulnerability; however, we'll just say that the affected component is a driver that is shipped in many Windows installations by default. It is also included in the \i386 folder. Under some circumstances, this driver can write into the kernel memory without proper restrictions.

At the moment, it’s still not clear how the driver is used by Windows because this file does not have the typical Microsoft file properties present in other Windows system files. Since this exploit was used in the wild, we are recommending system administrators be extremely careful at this time and restrict or disable access to unnecessary services for all accounts except for administrator-level users. While this workaround must be tested carefully, it may be a viable option once administrators have verified that their users do not need access to a particular service.
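
As an aid to the review recommended above, the following added example (not part of the original post, and not Symantec's or Microsoft's tooling) inventories the kernel drivers registered as services and lists those whose file carries no version-resource properties. It assumes a PowerShell version that provides `Get-CimInstance`, and it approximates "typical Microsoft file properties" with the `CompanyName` and `FileDescription` fields; it does not identify the undisclosed driver.

```powershell
# Added example: list driver services whose .sys file lacks version-resource
# properties, so an administrator can decide which ones are actually needed.
# Assumption: "typical Microsoft file properties" is approximated by the
# CompanyName and FileDescription fields of the file's version resource.

function Resolve-DriverPath {
    param([string]$PathName)
    # Driver image paths are stored in several forms; normalize to a Win32 path.
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                               # \??\C:\...
    $p = $p -replace '^\\SystemRoot\\', ($env:SystemRoot + '\')    # \SystemRoot\...
    if ($p -match '^system32\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

$report = Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
    $path = Resolve-DriverPath $_.PathName
    # Skip entries with no image path or whose file is not present on disk.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return }

    $vi = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path)
    [pscustomobject]@{
        Name              = $_.Name
        State             = $_.State       # Running / Stopped
        StartMode         = $_.StartMode   # Boot / System / Auto / Manual / Disabled
        Path              = $path
        CompanyName       = $vi.CompanyName
        Description       = $vi.FileDescription
        MissingProperties = [string]::IsNullOrWhiteSpace($vi.CompanyName) -or
                            [string]::IsNullOrWhiteSpace($vi.FileDescription)
    }
}

# Drivers without the usual properties are candidates for review.
$report |
    Where-Object { $_.MissingProperties } |
    Sort-Object Name |
    Format-Table Name, State, StartMode, Path -AutoSize
```

A driver appearing in this list is a candidate for review, not a finding: missing properties alone do not show that a driver is vulnerable or unneeded.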
