| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <458C21E9.3080605@determina.com> Date: Fri, 22 Dec 2006 10:20:25 -0800 From: Alexander Sotirov <asotirov@...ermina.com> To: 3APA3A <3APA3A@...URITY.NNOV.RU> Cc: full-disclosure@...ts.grok.org.uk Subject: Re: Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A wrote: > AS> The HardError message is handled by the UserHardError function in > AS> WINSRV.DLL. It calls GetHardErrorText to read the message parameters > AS> from the address space of the sender. The GetHardErrorText function > AS> returns pointers to the caption and text of the message box. If the > AS> caption or text parameters start with the \??\ prefix, the function > AS> inexplicably frees the buffer and returns a pointer to freed memory. > AS> After the message box is closed by the user, the same buffer is > AS> freed again in the FreePhi function, resulting in a double free > AS> vulnerability. > > I may be wrong, but probably this fact doesn't explain the garbage on > the screen in MessageBox. Even "use after free()" vulnerability doesn't > explain it, because garbage is permanent. There should be some more bug > before second free(). The buffer that contains the caption and text of the message box is freed before the message box is displayed. The freed memory is allocated again and overwritten with other data. Displaying this other data as a unicode string results in garbage in the message box. Alex _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists