21 December 2006

Microsoft Windows XP/2003/Vista memory corruption0day

3APA3A just posted the following e-mail to the FD list, so if anyone is looking for details on the Vista 0-day mentioned earlier. Here's the mail that was sent: Dear full-disclosure@lists.grok.org.uk, Since it's already wide spread on the public forums and exploit is published on multiple sites and there is no way to stop it, I think it's time to alert lists about this. On the one of Russian forums: http://www.kuban.ru/forum_new/forum2/files/19124.html message was published by NULL about vulnerability in Windows on processing MessageBox() with MB_SERVICE_NOTIFICATION flag and message/caption beggining with \??\. Vulnerability seems to be memory corruption in kernel and causes system crash or hang after few attempts. It seems to happen because message is logged to event log and may point to some problem with event logs processing. Vulnerability details and code may be found here: http://www.security.nnov.ru/Gnews944.html There is potential remote exploitation vector if some service uses user-supplied input for MessageBox() function. Messenger service is not vulnerable in this way, because it prepends user-supplied input with additional string. I contacted Microsoft on this issue on December, 16.

No comments: