Vuln Dev
Windows Vista winsat.exe Integer Overflow Mar 28 2008 08:08PM
jose eyeos org (1 replies)
There is a flaw in windows vista benchmarking tool, called winsat.exe, that runs withs administrative privileges.

The problem, is an integer overflow in -totalobj argument, example:

winsat d3d -texshader -totalobj 2147483648

this result in a overflow of the signed int that stores the totalobj argument, and turns it negative, and then, the program crashes.

I'm not sure if you can control some memory using other options in winsat.exe arguments to take advantage of this issue, and exploit it.

Even if the bug is exploitable, the User Access control present in vista, shows a message asking for privileges before execute it, the only advantage of this issue, I think that is the message asking for privileges, shows information about the process, and this is the information that the user have in mind to decide if accept or not, and if you execute a windows util, it asks for privileges, the information about WHO is asking for privileges, is a trusted windows util (winsat.exe, in system32) and then, if you can control the process, you can use this kind of bugs as way to trick the user to bypass the UAC and get admin.

[ reply ]
Re: Windows Vista winsat.exe Integer Overflow Mar 29 2008 03:03AM
Steve Shockley (steve shockley shockley net) (1 replies)
Re: Windows Vista winsat.exe Integer Overflow Mar 31 2008 03:52AM
Valdis Kletnieks vt edu (1 replies)
RE: Windows Vista winsat.exe Integer Overflow Apr 02 2008 08:39PM
Thor (Hammer of God) (thor hammerofgod com) (1 replies)
Re: Windows Vista winsat.exe Integer Overflow Apr 03 2008 02:33AM
Valdis Kletnieks vt edu


 

Privacy Statement
Copyright 2010, SecurityFocus