Back to list
Windows Vista winsat.exe Integer Overflow
Mar 28 2008 08:08PM
jose eyeos org
There is a flaw in windows vista benchmarking tool, called winsat.exe, that runs withs administrative privileges.
The problem, is an integer overflow in -totalobj argument, example:
winsat d3d -texshader -totalobj 2147483648
this result in a overflow of the signed int that stores the totalobj argument, and turns it negative, and then, the program crashes.
I'm not sure if you can control some memory using other options in winsat.exe arguments to take advantage of this issue, and exploit it.
Even if the bug is exploitable, the User Access control present in vista, shows a message asking for privileges before execute it, the only advantage of this issue, I think that is the message asking for privileges, shows information about the process, and this is the information that the user have in mind to decide if accept or not, and if you execute a windows util, it asks for privileges, the information about WHO is asking for privileges, is a trusted windows util (winsat.exe, in system32) and then, if you can control the process, you can use this kind of bugs as way to trick the user to bypass the UAC and get admin.
[ reply ]
Copyright 2010, SecurityFocus