Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day
Dear lists,
In another Russian forum, Killer{R} made an analysis of this issue using
Windows 2000 sources:
http://bugtraq.ru/cgi-bin/forum.mcgi?type=sb&b=21&m=140672
The problem is in win32k.sys' function GetHardErrorText, which tries to
prepare EXCEPTION data for the event log, and seems to be some very old
debugging feature accidentally left in production code since Windows 2000.
In Windows 2000 there is a piece of code like:
} else if ((asLocal.Length > 4) && !_strnicmp(asLocal.Buffer, "\\??\\", 4)) {
    strcpy( asLocal.Buffer, asLocal.Buffer+4 );
Killer{R} assumes the problem is in strcpy(), because it should not be
used for overlapping buffers, but at least the ANSI implementation of strcpy
from Visual C should be safe in this very situation (copying to lower
addresses). Maybe the code is different for Windows XP, or the vulnerability
is later in the code.
--Thursday, December 21, 2006, 2:58:17 PM, you wrote to
full-disclosure@xxxxxxxxxxxxxxxxx:
3> Dear full-disclosure@xxxxxxxxxxxxxxxxx,
3> Since it's already widespread on the public forums and the exploit is
3> published on multiple sites and there is no way to stop it, I think
3> it's time to alert the lists about this.
3> On one of the Russian forums:
3> http://www.kuban.ru/forum_new/forum2/files/19124.html
3> a message was published by NULL about a vulnerability in Windows on
3> processing MessageBox() with the MB_SERVICE_NOTIFICATION flag and a
3> message/caption beginning with \??\. The vulnerability seems to be memory
3> corruption in the kernel and causes a system crash or hang after a few
3> attempts. It seems to happen because the message is logged to the event
3> log and may point to some problem with event log processing.
3> Vulnerability details and code may be found here:
3> http://www.security.nnov.ru/Gnews944.html
3> There is a potential remote exploitation vector if some service uses
3> user-supplied input for the MessageBox() function. The Messenger service
3> is not vulnerable in this way, because it prepends user-supplied input
3> with an additional string.
3> I contacted Microsoft on this issue on December 16.
--
~/ZARAZA
http://www.security.nnov.ru/
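As an added illustration of the code path discussed above (not code from Windows or from either post): a minimal user-mode stand-in for the "\??\" prefix strip on an ANSI_STRING-style counted string, first the way the quoted Windows 2000 fragment does it with strcpy() over overlapping storage, then with memmove(), which the C standard defines for overlapping ranges, and with the Length field kept consistent with the buffer. The struct layout, function names and sample text are assumptions; strncasecmp() stands in for MSVC's _strnicmp().

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp: POSIX stand-in for the MSVC _strnicmp in the fragment */

/* Constructed stand-in for the kernel's counted ANSI_STRING: Length is the
 * byte count excluding the terminator, Buffer points at NUL-terminated text. */
typedef struct {
    unsigned short Length;
    unsigned short MaximumLength;
    char *Buffer;
} ansi_string_t;

#define NT_PREFIX     "\\??\\"
#define NT_PREFIX_LEN 4

/* Mirrors the quoted Windows 2000 fragment. strcpy() with overlapping source
 * and destination is undefined behaviour in C (7.21.2.3), even though a plain
 * forward byte-by-byte implementation happens to work when copying downward.
 * Note that the counted Length field is left untouched afterwards. */
void strip_prefix_strcpy(ansi_string_t *s)
{
    if (s->Length > NT_PREFIX_LEN && !strncasecmp(s->Buffer, NT_PREFIX, NT_PREFIX_LEN))
        strcpy(s->Buffer, s->Buffer + NT_PREFIX_LEN);
}

/* Defensive rewrite: memmove() is specified for overlapping ranges, the NUL
 * terminator is moved explicitly, and Length is updated so that later
 * consumers of the counted string see a consistent view. Returns 1 if a
 * prefix was removed, 0 otherwise. */
int strip_prefix_memmove(ansi_string_t *s)
{
    if (s->Length <= NT_PREFIX_LEN || strncasecmp(s->Buffer, NT_PREFIX, NT_PREFIX_LEN) != 0)
        return 0;
    size_t remaining = s->Length - NT_PREFIX_LEN;                 /* bytes after the prefix */
    memmove(s->Buffer, s->Buffer + NT_PREFIX_LEN, remaining + 1); /* +1 carries the NUL */
    s->Length = (unsigned short)remaining;
    return 1;
}

int main(void)
{
    char buf[] = "\\??\\C:\\logs\\app.txt";   /* constructed sample message text */
    ansi_string_t s = { (unsigned short)strlen(buf), (unsigned short)sizeof buf, buf };
    strip_prefix_memmove(&s);
    printf("%s (Length=%u)\n", s.Buffer, s.Length);   /* C:\logs\app.txt (Length=15) */
    return 0;
}
```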