Dear Alexander Sotirov,
AS> The HardError message is handled by the UserHardError function in
AS> WINSRV.DLL. It calls GetHardErrorText to read the message parameters
AS> from the address space of the sender. The GetHardErrorText function
AS> returns pointers to the caption and text of the message box. If the
AS> caption or text parameters start with the \??\ prefix, the function
AS> inexplicably frees the buffer and returns a pointer to freed memory.
AS> After the message box is closed by the user, the same buffer is
AS> freed again in the FreePhi function, resulting in a double free
AS> vulnerability.
I may be wrong, but probably this fact doesn't explain the garbage on
the screen in MessageBox. Even "use after free()" vulnerability doesn't
explain it, because garbage is permanent. There should be some more bug
before second free().
--Thursday, December 21, 2006, 11:11:29 PM, you wrote to
3APA3A@SECURITY.NNOV.RU:
AS> 3APA3A wrote:
Killer{R} assumes the problem is in strcpy(), because it should not be
used for overlapping buffers, but at least ANSI implementation of strcpy
from Visual C should be safe in this very situation (copying to lower
addresses). May be code is different for Windows XP or vulnerability is
later in code.
AS> We discovered this bug some time ago and were preparing an advisory when it
was
AS> publicly disclosed. Since the exploit is already public, here's my analysis
of
AS> the vulnerability:
AS>
http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html
AS> It's a double free bug that leads to arbitrary code execution in the CSRSS
process.
AS> Alex
--
~/ZARAZA
Ïî÷òåííûå èñêîïàåìûå! Æäó îò âàñ äàëüíåéøèõ ïèñåì. (Òâåí)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
