BugTraq
Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day Dec 21 2006 01:41PM
3APA3A (3APA3A SECURITY NNOV RU) (1 replies)
Dear lists,

in another Russian forum, Killer{R} made an analysis of this issue using
the Windows 2000 sources:

http://bugtraq.ru/cgi-bin/forum.mcgi?type=sb&b=21&m=140672

The problem is in win32k.sys' function GetHardErrorText, which tries to
prepare EXCEPTION data for the event log, and seems to be some very old
debugging feature accidentally left in production code since Windows 2000.

In Windows 2000 there is a piece of code like:

} else if ((asLocal.Length > 4) && !_strnicmp(asLocal.Buffer, "\\??\\", 4)) {
strcpy( asLocal.Buffer, asLocal.Buffer+4 );

Killer{R} assumes the problem is in strcpy(), because it should not be
used for overlapping buffers, but at least the ANSI implementation of strcpy
from Visual C should be safe in this very situation (copying to lower
addresses). Maybe the code is different for Windows XP, or the vulnerability
is later in the code.

--Thursday, December 21, 2006, 2:58:17 PM, you wrote to full-disclosure (at) lists.grok.org (dot) uk:

3> Dear full-disclosure (at) lists.grok.org (dot) uk,

3> Since it's already widespread on the public forums and the exploit is
3> published on multiple sites and there is no way to stop it, I think
3> it's time to alert lists about this.

3> On one of the Russian forums:
3> http://www.kuban.ru/forum_new/forum2/files/19124.html
3> a message was published by NULL about a vulnerability in Windows on
3> processing MessageBox() with the MB_SERVICE_NOTIFICATION flag and a
3> message/caption beginning with \??\. The vulnerability seems to be memory
3> corruption in the kernel and causes a system crash or hang after a few
3> attempts. It seems to happen because the message is logged to the event log
3> and may point to some problem with event log processing.

3> Vulnerability details and code may be found here:
3> http://www.security.nnov.ru/Gnews944.html

3> There is a potential remote exploitation vector if some service uses
3> user-supplied input for the MessageBox() function. The Messenger service is
3> not vulnerable in this way, because it prepends user-supplied input
3> with an additional string.

3> I contacted Microsoft on this issue on December 16.

--
~/ZARAZA
http://www.security.nnov.ru/
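The fragment discussed in the mail above strips a leading "\??\" in place with strcpy() on overlapping buffers. The following is an added example (not code from the mail, from Killer{R}'s analysis, or from the Windows sources) that shows the same prefix removal written with memmove(), which the C standard defines for overlapping objects, whereas strcpy() on overlapping objects is undefined behaviour regardless of what one particular runtime happens to do. The function names strip_nt_prefix and strip_nt_prefix_cstr are hypothetical, and the buffer is modelled as a counted string like the ANSI_STRING-style asLocal in the fragment.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the mail's or Windows' code.
 * The Windows 2000 fragment removes a leading "\??\" with
 *   strcpy(asLocal.Buffer, asLocal.Buffer + 4);
 * strcpy() with overlapping source and destination is undefined
 * behaviour (C11 7.24.2.3), even when a given implementation copies
 * front-to-back and appears to work. memmove() is defined for overlap
 * and is the right primitive for deleting a prefix in place. */
static const char NT_PREFIX[] = "\\??\\";

/* Counted-buffer form (hypothetical name): strips the prefix from
 * buf[0..len) in place and returns the new length. */
size_t strip_nt_prefix(char *buf, size_t len)
{
    const size_t plen = sizeof(NT_PREFIX) - 1;   /* 4 bytes */
    /* Same guard as the fragment: only act when there is more than the
     * prefix itself. The original test is case-insensitive (_strnicmp);
     * "\??\" contains no letters, so a plain memcmp() is equivalent. */
    if (len > plen && memcmp(buf, NT_PREFIX, plen) == 0) {
        /* Overlapping regions: bytes [plen, len) move to [0, len - plen). */
        memmove(buf, buf + plen, len - plen);
        return len - plen;
    }
    return len;
}

/* NUL-terminated convenience form (hypothetical name): keeps the
 * terminator in place and returns the resulting strlen(). */
size_t strip_nt_prefix_cstr(char *s)
{
    size_t n = strip_nt_prefix(s, strlen(s));
    s[n] = '\0';
    return n;
}

int main(void)
{
    /* Constructed sample inputs. */
    char with_prefix[] = "\\??\\C:\\x.txt";
    char bare_prefix[] = "\\??\\";
    char no_prefix[]   = "C:\\x.txt";
    printf("%zu %s\n", strip_nt_prefix_cstr(with_prefix), with_prefix);
    printf("%zu %s\n", strip_nt_prefix_cstr(bare_prefix), bare_prefix);
    printf("%zu %s\n", strip_nt_prefix_cstr(no_prefix), no_prefix);
    return 0;
}
```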

Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memorycorruption 0day Dec 21 2006 08:11PM
Alexander Sotirov (asotirov determina com) (1 replies)
Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day Dec 21 2006 10:17PM
Pukhraj Singh (pukhraj singh gmail com)