lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 22 Dec 2006 15:31:33 +0300
From: 3APA3A <3APA3A@...URITY.NNOV.RU>
To: Alexander Sotirov <asotirov@...ermina.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Microsoft Windows XP/2003/Vista memory
	corruption 0day

Dear Alexander Sotirov,


AS> The  HardError  message  is handled by the UserHardError function in
AS> WINSRV.DLL. It calls GetHardErrorText to read the message parameters
AS> from  the address space of the sender. The GetHardErrorText function
AS> returns  pointers to the caption and text of the message box. If the
AS> caption  or text parameters start with the \??\ prefix, the function
AS> inexplicably frees the buffer and returns a pointer to freed memory.
AS> After  the  message  box  is  closed by the user, the same buffer is
AS> freed  again  in  the  FreePhi  function, resulting in a double free
AS> vulnerability.

I  may  be  wrong, but probably this fact doesn't explain the garbage on
the  screen in MessageBox. Even "use after free()" vulnerability doesn't
explain  it, because garbage is permanent. There should be some more bug
before second free().


--Thursday, December 21, 2006, 11:11:29 PM, you wrote to 3APA3A@...URITY.NNOV.RU:

AS> 3APA3A wrote:
>> Killer{R}  assumes  the problem is in strcpy(), because it should not be
>> used for overlapping buffers, but at least ANSI implementation of strcpy
>> from  Visual  C  should be safe in this very situation (copying to lower
>> addresses).  May be code is different for Windows XP or vulnerability is
>> later in code.

AS> We discovered this bug some time ago and were preparing an advisory when it was
AS> publicly disclosed. Since the exploit is already public, here's my analysis of
AS> the vulnerability:

AS> http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html

AS> It's a double free bug that leads to arbitrary code execution in the CSRSS process.

AS> Alex


-- 
~/ZARAZA
Ïî÷òåííûå èñêîïàåìûå! Æäó îò âàñ äàëüíåéøèõ ïèñåì.  (Òâåí)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists