Full Disclosure mailing list archives
Re: Microsoft Windows XP/2003/Vista memory corruption 0day
From: 3APA3A <3APA3A () SECURITY NNOV RU>
Date: Fri, 22 Dec 2006 15:31:33 +0300
Dear Alexander Sotirov, AS> The HardError message is handled by the UserHardError function in AS> WINSRV.DLL. It calls GetHardErrorText to read the message parameters AS> from the address space of the sender. The GetHardErrorText function AS> returns pointers to the caption and text of the message box. If the AS> caption or text parameters start with the \??\ prefix, the function AS> inexplicably frees the buffer and returns a pointer to freed memory. AS> After the message box is closed by the user, the same buffer is AS> freed again in the FreePhi function, resulting in a double free AS> vulnerability. I may be wrong, but probably this fact doesn't explain the garbage on the screen in MessageBox. Even "use after free()" vulnerability doesn't explain it, because garbage is permanent. There should be some more bug before second free(). --Thursday, December 21, 2006, 11:11:29 PM, you wrote to 3APA3A () SECURITY NNOV RU: AS> 3APA3A wrote:
Killer{R} assumes the problem is in strcpy(), because it should not be used for overlapping buffers, but at least ANSI implementation of strcpy from Visual C should be safe in this very situation (copying to lower addresses). May be code is different for Windows XP or vulnerability is later in code.
AS> We discovered this bug some time ago and were preparing an advisory when it was AS> publicly disclosed. Since the exploit is already public, here's my analysis of AS> the vulnerability: AS> http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html AS> It's a double free bug that leads to arbitrary code execution in the CSRSS process. AS> Alex -- ~/ZARAZA Ïî÷òåííûå èñêîïàåìûå! Æäó îò âàñ äàëüíåéøèõ ïèñåì. (Òâåí) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A (Dec 21)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A (Dec 21)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day Alexander Sotirov (Dec 21)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day Pukhraj Singh (Dec 21)
- Message not available
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day Michele Cicciotti (Dec 21)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A (Dec 22)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day Alexander Sotirov (Dec 22)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day Alexander Sotirov (Dec 21)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A (Dec 21)