Full Disclosure mailing list archives
Re: Microsoft Windows XP/2003/Vista memory corruption 0day
From: "Michele Cicciotti" <mc () khamsa net>
Date: Fri, 22 Dec 2006 01:58:19 +0100
Holy mackerel! Instances of this bug date back to 1999!
Different bug. That appears to be a trivial exhaustion of CSRSS worker threads through indiscriminate calls to MessageBox+MB_SERVICE_NOTIFICATION, which causes a DoS as no threads are available to serve kernel-mode requests from win32k, stalling GUI processes. I have done my fair share of CSRSS reversing in my better days, and I'm pretty sure that in Windows 2000 and later, a dedicated thread is used for such notifications, not just any thread, any time. Easily verifiable with local net sends and Spy++. It wasn't a "bug" either, more like a serious design flaw that ignored a very basic Win32 mantra ("don't do GUI in a worker thread") - not at all like this double-free _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A (Dec 21)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A (Dec 21)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day Alexander Sotirov (Dec 21)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day Pukhraj Singh (Dec 21)
- Message not available
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day Michele Cicciotti (Dec 21)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A (Dec 22)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day Alexander Sotirov (Dec 22)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day Alexander Sotirov (Dec 21)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A (Dec 21)