Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption

from [Alexander Sotirov] Network Security [Permanent Link]
Subject: Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day
Date: Fri, 22 Dec 2006 10:20:25 -0800 
3APA3A wrote:

AS> The  HardError  message  is handled by the UserHardError function in
AS> WINSRV.DLL. It calls GetHardErrorText to read the message parameters
AS> from  the address space of the sender. The GetHardErrorText function
AS> returns  pointers to the caption and text of the message box. If the
AS> caption  or text parameters start with the \??\ prefix, the function
AS> inexplicably frees the buffer and returns a pointer to freed memory.
AS> After  the  message  box  is  closed by the user, the same buffer is
AS> freed  again  in  the  FreePhi  function, resulting in a double free
AS> vulnerability.

I  may  be  wrong, but probably this fact doesn't explain the garbage on
the  screen in MessageBox. Even "use after free()" vulnerability doesn't
explain  it, because garbage is permanent. There should be some more bug
before second free().


The buffer that contains the caption and text of the message box is freed before
the message box is displayed. The freed memory is allocated again and
overwritten with other data. Displaying this other data as a unicode string
results in garbage in the message box.

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [Full-disclosure] Test Posting, Aaron Gray
Next by Date:  Re: [Full-disclosure] [WEB SECURITY] Re: comparing information security to other industries, Dinis Cruz
Previous by Thread:  Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, 3APA3A
Next by Thread:  [Full-disclosure] SinFP 2.06, now works under big-endian architectures, GomoR
Indexes:  [Date] [Thread] [Top] [All Lists]