Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack (affects Windows NT through 7)


"In order to support BIOS service routines in legacy 16-bit applications,
the Windows NT Kernel supports the concept of BIOS calls in the
Virtual-8086 mode monitor code."

"Upon successful exploitation, the kernel stack is switched to an attacker-specified
address." This would allow arbitrary code execution with
escalated (kernel) privileges.

"Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the
attack from functioning". Instructions for doing this are available at the link
provided above. This essentially prevents 16-bit applications from
running. At this time, few 16-bit applications are still in use, so this
may prove to be an effective mitigation for this issue.

Microsoft was notified of this issue in June but has not yet patched it.

It is recommended to investigate server by server whether this
workaround can be applied. This is a potentially dangerous vulnerability,
but it cannot be mitigated in this form on systems where 16-bit applications are still needed.
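The server-by-server check described above, as an added PowerShell example that is not part of the original advisory: it reports whether 16-bit (NTVDM) programs are actually running on the host and whether the "prevent access to 16-bit applications" workaround is already in place, and offers a function to apply it. It assumes the workaround is recorded as the DWORD `VDMDisallowed` under `HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat`, that 16-bit programs appear as `ntvdm.exe` processes, and that NTVDM is absent on 64-bit Windows.

```powershell
# Added example, not code from the advisory. Assumed policy location for the
# "disable MSDOS/WOWEXEC (NTVDM) subsystems" workaround:
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$valueName = 'VDMDisallowed'   # assumed: DWORD, 1 = 16-bit apps blocked

function Get-VdmStatus {
    # 64-bit Windows ships no NTVDM, so the affected code path is not present.
    $hasVdm = -not [Environment]::Is64BitOperatingSystem

    $workaround = $false
    if (Test-Path $policyKey) {
        $v = Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue
        if ($v -and $v.$valueName -eq 1) { $workaround = $true }
    }

    # Every running 16-bit program is hosted by an ntvdm.exe process (assumed).
    $vdmProcs = @(Get-Process -Name ntvdm -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        NtvdmPresent      = $hasVdm
        WorkaroundApplied = $workaround
        SixteenBitActive  = $vdmProcs.Count -gt 0
        NtvdmProcessCount = $vdmProcs.Count
    }
}

function Set-VdmDisabled {
    # Applies the workaround (elevated session required). Reversible by
    # setting the same value back to 0 once 16-bit support is needed again.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $valueName -PropertyType DWord `
        -Value 1 -Force | Out-Null
}

$status = Get-VdmStatus
$status | Format-List

if (-not $status.NtvdmPresent) {
    Write-Output 'No NTVDM on this host; the workaround does not apply.'
} elseif ($status.WorkaroundApplied) {
    Write-Output 'Workaround already in place.'
} elseif ($status.SixteenBitActive) {
    Write-Warning "16-bit applications are running ($($status.NtvdmProcessCount) ntvdm.exe); confirm they are still required before applying Set-VdmDisabled."
} else {
    Write-Output 'No 16-bit activity observed; Set-VdmDisabled can be applied here.'
}
```

A single snapshot of running processes can miss 16-bit programs that are only launched occasionally, so repeat the check over a normal business cycle before deciding a server does not need NTVDM.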