BugTraq
Microsoft Windows XP/2003/Vista memory corruption 0day Dec 21 2006 11:58AM
3APA3A (3APA3A SECURITY NNOV RU)
Dear full-disclosure (at) lists.grok.org (dot) uk [email concealed],

Since it's already wide spread on the public forums and exploit is
published on multiple sites and there is no way to stop it, I think
it's time to alert lists about this.

On the one of Russian forums:
http://www.kuban.ru/forum_new/forum2/files/19124.html
message was published by NULL about vulnerability in Windows on
processing MessageBox() with MB_SERVICE_NOTIFICATION flag and
message/caption beggining with \??\. Vulnerability seems to be memory
corruption in kernel and causes system crash or hang after few
attempts. It seems to happen because message is logged to event log
and may point to some problem with event logs processing.

Vulnerability details and code may be found here:
http://www.security.nnov.ru/Gnews944.html

There is potential remote exploitation vector if some service uses
user-supplied input for MessageBox() function. Messenger service is
not vulnerable in this way, because it prepends user-supplied input
with additional string.

I contacted Microsoft on this issue on December, 16.

--
http://www.security.nnov.ru
/\_/ { , . } |+--oQQo->{ ^ }<-----+ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus