Network Security Focus-Microsoft
Compromising the Windows Service or Driver failure event sink

Subject: Compromising the Windows Service or Driver failure event sink
Date: Tue, 22 May 2007 22:10:55 +0100
Hey all

Back in December 2006 Harlan C, Thor HoG and I had an interesting
conversation about the possible use of a buffer overflow attack against the
explorer process that scans a new drive and processes the content of AutoRun
and .ICO files. I said at the time that I don't have the skills necessary to
write the exploit code, but I was pretty sure someone would.

For those interested, the subject line was "RE: U3 TEchnology was RE:
strange new virus"; for reasons that will become apparent to the reader :)

Sure enough, at the end of March 2007, someone thinking along the same lines
worked out "Microsoft Windows Cursor And Icon ANI Format Handling Remote
Code Execution Vulnerability", BugTraq ID: 23194. I'm hoping that the same
will happen again here...

If a Windows service or driver set to start at boot (i.e. "Automatic") fails
to start for whatever reason, a message is displayed at the console. The
message also appears on top of the logon prompt, and is therefore running in
the system context. The "service or driver failed to start" message is a
generic event sink for a variety of failures (including, oddly enough, "file
not found").

It occurs to me that this event sink could probably be compromised, such
that it would drop your exploit code out to executable RAM, and in the
system context. System context under Windows 2003 is even more dangerous
than it was under NT/2000, as under certain circumstances it allows access
to the Active Directory Domain as well.

Thoughts?

Incidentally, Ant F? If you're reading this, stop working and eat more lunch
:)

Cheers

James

James D. Stallard, MIoD
Infrastructure Technical Architect
Web: www.leafgrove.com
LinkedIn: www.linkedin.com/in/jamesdstallard
Mobile: +44 (0) 7979 49 8880
Skype: JamesDStallard