DOS ain't dead

no more EMS support in XP (Announce)

posted by Arjay, 10.10.2012, 20:47
(edited by Arjay on 10.10.2012, 21:20)

> > Where they wrote that it has anything to do with EMS?
> They don?t
Have you seen DOS code or EMS mentioned anywhere??? I haven't after lots of digging.

> but I assume it is hidden in this text:
>
> The vulnerability could allow elevation of privilege if an attacker logs on
> to the system and runs a specially crafted application. An attacker must
> have valid logon credentials and be able to log on locally to exploit this
> vulnerability.

Well according to securelist: 50862 and iss.net: 75934 Microsoft's KB2724197 is "related to the handling of String Atom Class Name by the kernel-mode driver (win32k.sys). By persuading a victim to browse a directory containing a specially-crafted application, a local attacker with valid login credentials could exploit this vulnerability to execute arbitrary code on the system with elevated privileges."

win32k.sys is a Kernel mode driver which officially provides GDI (graphics) support. The
long list of win32k.sys exports makes interesting reading though... (love destroyphysicalmonitor!)

The String Atom flaws apparently being further fixed by KB2724197 were reported (publically) back in June, see osvdb.org: Microsoft Windows win32k.sys String Atom Class Name Handling Local Privilege Escalation

This presentation has more info: (open at own risk!)
http://mista.nu/research/smashing_the_atom.pdf
(or http://www.azimuthsecurity.com/resources/recon2012_mandt.pptx )

Long story short yes 16bit stuff but scan reading through it all I can't see anything re EMS methods. Not that I care myself to be honest as I have always hated EMS and long ago (early 90's) learned to mostly live without it.


EDIT: I have seen 1 post in Japanese (which I translated) by Seiji Miyamoto which basically mentions having problems with being "unable to start a DOS EMS program due to lack of memory" after installing KB2724197 . I spotted that via a search "EMS KB2724197" - of the few results, most were to this forum! I have seen nothing official saying that EMS support has been dropped via KB2724197 which you'd expect to see if it actually had.

Complete thread:

• no more EMS support in XP - nidud, 10.10.2012, 14:53 (Announce)
  • no more EMS support in XP - RayeR, 10.10.2012, 19:21
    • no more EMS support in XP - nidud, 10.10.2012, 19:48
      • no more EMS support in XP - Arjay, 10.10.2012, 20:47
        • no more EMS support in XP - nidud, 10.10.2012, 22:35
          • no more EMS support in XP - marcov, 11.10.2012, 13:46
            • no more EMS support in XP - nidud, 11.10.2012, 15:17
        • no more EMS support in XP - RayeR, 11.10.2012, 00:46
          • no more EMS support in XP - nidud, 11.10.2012, 15:29
            • no more EMS support in XP - Arjay, 11.10.2012, 17:36
              • no more EMS support in XP - nidud, 11.10.2012, 19:05
                • no more EMS support in XP - Rugxulo, 11.10.2012, 21:51
                  • no more EMS support in XP - nidud, 11.10.2012, 23:26
                • no more EMS support in XP - RayeR, 12.10.2012, 00:51
  • no more EMS support in XP - nidud, 13.10.2012, 15:03
    • no more EMS support in XP - mvojvodic, 14.10.2012, 12:49
      • no more EMS support in XP - nidud, 14.10.2012, 18:17
    • no more EMS support in XP - RayeR, 16.10.2012, 02:07
      • no more EMS support in XP - nidud, 17.10.2012, 14:25
        • no more EMS support in XP - Tito, 13.12.2012, 20:26
          • no more EMS support in XP - RayeR, 14.12.2012, 01:19
            • no more EMS support in XP - Tito, 14.12.2012, 19:18
              • no more EMS support in XP - RayeR, 15.12.2012, 17:37
              • no more EMS support in XP - nidud, 16.12.2012, 01:04