RE: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption

To:	<full-disclosure@lists.grok.org.uk>
Subject:	RE: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day
From:	"Michele Cicciotti" <mc@khamsa.net>
Date:	Fri, 22 Dec 2006 01:58:19 +0100
Cc:	<bugtraq@securityfocus.com>
Delivered-to:	sp-com-lists@consult.net
Delivered-to:	bugtraq-list@securepoint.com
Delivered-to:	mailing list bugtraq@securityfocus.com
Delivered-to:	moderator for bugtraq@securityfocus.com
In-reply-to:	<20061221232230.AFFD21D8F89@supertolla.itapac.net>
List-help:	<mailto:bugtraq-help@securityfocus.com>
List-id:	<bugtraq.list-id.securityfocus.com>
List-post:	<mailto:bugtraq@securityfocus.com>
List-subscribe:	<mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe:	<mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list:	contact bugtraq-help@securityfocus.com; run by ezmlm
Organization:	Khamsa Italia Srl
References:	<1627317058.20061221145817@SECURITY.NNOV.RU> <978639475.20061221164141@SECURITY.NNOV.RU> <458AEA71.6060207@determina.com> <20061221232230.AFFD21D8F89@supertolla.itapac.net>
Thread-index:	AcclVt7gwCrbbgcmTiG3nKB9Pn4X4QACd0/w

> Holy mackerel! Instances of this bug date back to 1999!

Different bug. That appears to be a trivial exhaustion of CSRSS worker threads 
through indiscriminate calls to MessageBox+MB_SERVICE_NOTIFICATION, which 
causes a DoS as no threads are available to serve kernel-mode requests from 
win32k, stalling GUI processes. I have done my fair share of CSRSS reversing in 
my better days, and I'm pretty sure that in Windows 2000 and later, a dedicated 
thread is used for such notifications, not just any thread, any time. Easily 
verifiable with local net sends and Spy++. It wasn't a "bug" either, more like 
a serious design flaw that ignored a very basic Win32 mantra ("don't do GUI in 
a worker thread") - not at all like this double-free

<Prev in Thread]	Current Thread	[Next in Thread>
Microsoft Windows XP/2003/Vista memory corruption 0day, 3APA3A Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, 3APA3A Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, Alexander Sotirov Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, Pukhraj Singh Message not available RE: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, Michele Cicciotti <=

Previous by Date:	Re: critical Flaw in Firefox 2.0.0.1 allows to steal the user passwords with a videoclip, Juha-Matti Laurio
Next by Date:	Xt-News 0.1 : SQL Injection Vulnerability & XSS, mr_kaliman
Previous by Thread:	Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day, Pukhraj Singh
Next by Thread:	[SECURITY] [DSA-1240-1] New links2 packages fix arbitrary shell command execution, Steve Kemp
Indexes:	[Date] [Thread] [Top] [All Lists]