Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption

To:	3APA3A <3APA3A@SECURITY.NNOV.RU>
Subject:	Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day
From:	Alexander Sotirov <asotirov@determina.com>
Date:	Thu, 21 Dec 2006 12:11:29 -0800
Cc:	full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	bugtraq-list@securepoint.com
Delivered-to:	mailing list bugtraq@securityfocus.com
Delivered-to:	moderator for bugtraq@securityfocus.com
In-reply-to:	<978639475.20061221164141@SECURITY.NNOV.RU>
List-help:	<mailto:bugtraq-help@securityfocus.com>
List-id:	<bugtraq.list-id.securityfocus.com>
List-post:	<mailto:bugtraq@securityfocus.com>
List-subscribe:	<mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list:	contact bugtraq-help@securityfocus.com; run by ezmlm
References:	<1627317058.20061221145817@SECURITY.NNOV.RU> <978639475.20061221164141@SECURITY.NNOV.RU>
User-agent:	Thunderbird 1.5.0.9 (Windows/20061207)

3APA3A wrote:
> Killer{R}  assumes  the problem is in strcpy(), because it should not be
> used for overlapping buffers, but at least ANSI implementation of strcpy
> from  Visual  C  should be safe in this very situation (copying to lower
> addresses).  May be code is different for Windows XP or vulnerability is
> later in code.

We discovered this bug some time ago and were preparing an advisory when it was
publicly disclosed. Since the exploit is already public, here's my analysis of
the vulnerability:

http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html

It's a double free bug that leads to arbitrary code execution in the CSRSS 
process.

Alex

<Prev in Thread]	Current Thread	[Next in Thread>
Microsoft Windows XP/2003/Vista memory corruption 0day, 3APA3A Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, 3APA3A Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, Alexander Sotirov <= Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, Pukhraj Singh Message not available RE: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, Michele Cicciotti

Previous by Date:	RE: Re[2]: [Full-disclosure] Fun with event logs (semi-offtopic), Michele Cicciotti
Next by Date:	Re: critical Flaw in Firefox 2.0.0.1 allows to steal the user passwords with a videoclip, 3APA3A
Previous by Thread:	Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, 3APA3A
Next by Thread:	Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, Pukhraj Singh
Indexes:	[Date] [Thread] [Top] [All Lists]