Windows Vista winsat.exe Integer Overflow

[jose () eyeos org]

There is a flaw in windows vista benchmarking tool, called winsat.exe, that runs withs administrative privileges.

The problem, is an integer overflow in -totalobj argument, example:

winsat d3d -texshader -totalobj 2147483648

this result in a overflow of the signed int that stores the totalobj argument, and turns it negative, and then, the 
program crashes.

I'm not sure if you can control some memory using other options in winsat.exe arguments to take advantage of this 
issue, and exploit it.

Even if the bug is exploitable, the User Access control present in vista, shows a message asking for privileges before 
execute it, the only advantage of this issue, I think that is the message asking for privileges, shows information 
about the process, and this is the information that the user have in mind to decide if accept or not, and if you 
execute a windows util, it asks for privileges, the information about WHO is asking for privileges, is a trusted 
windows util (winsat.exe, in system32) and then, if you can control the process, you can use this kind of bugs as way 
to trick the user to bypass the UAC and get admin.