Microsoft Windows XP/2003/Vista memory corruption 0day
- From: 3APA3A <3APA3A@xxxxxxxxxxxxxxxx>
- Date: Thu, 21 Dec 2006 14:58:17 +0300
Dear full-disclosure@xxxxxxxxxxxxxxxxx,
Since it's already wide spread on the public forums and exploit is
published on multiple sites and there is no way to stop it, I think
it's time to alert lists about this.
On the one of Russian forums:
http://www.kuban.ru/forum_new/forum2/files/19124.html
message was published by NULL about vulnerability in Windows on
processing MessageBox() with MB_SERVICE_NOTIFICATION flag and
message/caption beggining with \??\. Vulnerability seems to be memory
corruption in kernel and causes system crash or hang after few
attempts. It seems to happen because message is logged to event log
and may point to some problem with event logs processing.
Vulnerability details and code may be found here:
http://www.security.nnov.ru/Gnews944.html
There is potential remote exploitation vector if some service uses
user-supplied input for MessageBox() function. Messenger service is
not vulnerable in this way, because it prepends user-supplied input
with additional string.
I contacted Microsoft on this issue on December, 16.
--
http://www.security.nnov.ru
/\_/\
{ , . } |\
+--oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A } You know my name - look up my number (The Beatles)
+-------------o66o--+ /
|/
- Follow-Ups:
- Prev by Date: Re: Oracle <= 9i / 10g File System Access via utl_file Exploit
- Next by Date: Re[2]: [Full-disclosure] Fun with event logs (semi-offtopic)
- Previous by thread: Fun with event logs (semi-offtopic)
- Next by thread: Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day
- Index(es):
Relevant Pages
|
