Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

3APA3A wrote:
AS> The HardError message is handled by the UserHardError function in
AS> WINSRV.DLL. It calls GetHardErrorText to read the message parameters
AS> from the address space of the sender. The GetHardErrorText function
AS> returns pointers to the caption and text of the message box. If the
AS> caption or text parameters start with the \??\ prefix, the function
AS> inexplicably frees the buffer and returns a pointer to freed memory.
AS> After the message box is closed by the user, the same buffer is
AS> freed again in the FreePhi function, resulting in a double free
AS> vulnerability.

I may be wrong, but probably this fact doesn't explain the garbage on
the screen in MessageBox. Even "use after free()" vulnerability doesn't
explain it, because garbage is permanent. There should be some more bug
before second free().

The buffer that contains the caption and text of the message box is freed before
the message box is displayed. The freed memory is allocated again and
overwritten with other data. Displaying this other data as a unicode string
results in garbage in the message box.


Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -