Source: https://code.google.com/p/google-security-research/issues/detail?id=293
Platform: Win7 32-bit.
trigger.cpp should fire the issue, with two caveats:
- PoC will NOT work if compiled as a debug build.
- PoC will trigger the condition every time but the subsequent corruption might not cause a crash every time. It may be necessary to run the PoC multiple times.
debug.txt is a sample crash log.
Analysis from Nils:
---
Using the series of calls we are able to free the bitmap object; a reference to this object still exists in the trigger process after killing the first notepad process.
At this time we are able to replace the freed object in memory. We are not able to reuse this object through the original handle; however, another free is triggered when quitting the trigger process, which will decrement the reference counter on the freed or replaced object, either modifying heap metadata or freeing the object which was allocated in the place of the original bitmap object.
---
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38275.zip