Analysis of the 9 lines of code that crash the system - vulnerability warning - the black bar safety net

ID MYHACK58:6220068393
Type myhack58
Reporter Anonymous
Modified 2006-03-29T00:00:00


At present many sites have reprinted the article about the 9 lines of code that crash Windows, but I have found no analysis of why they make Windows crash. I will first reproduce the original for everyone to see, then give the specific details.

Microsoft has claimed that Windows XP is stable and reliable, but recently a foreign programming enthusiast named Masaru Tsuchiyama published a small piece of C code. This program of only 9 lines, if run on Windows XP/2000, can make the system crash completely and restart. On other versions of Windows the program has no effect. The program, which simply outputs in an infinite loop, is as follows:


#include <stdio.h>

int main( void )
{
    for( ; ; )
    {
        printf( "hung up\t\t\b\b\b\b\b\b" );
        /* the circulated copy writes this second call as "print", which is not a C function;
           printf is used here so the program compiles */
        printf( "hung up\t\t\b\b\b\b\b\b" );
    }
    return 0;
}

If you remove the second print statement, the program instead causes a blue screen error on NT 4.0.

I hope Microsoft hurries up and patches this vulnerability. At the same time I remind everyone that this code may be used only for research, not for any illegal purpose.

The above is the original, which has been reprinted all over the Internet.

As for why it causes an error, see the analysis below.

\b is Backspace. The code uses the Backspace character to move the console cursor back past the start of the line, onto nothing, and then displays any character (except \t); that is what crashes. A \b on its own cannot leave the predetermined area, but when the character before the \b is a \t, it can (a bug?). When you double-click the program, the system creates a new console, so output starts in the console's upper-left corner, and from there only two \b are needed to leave the screen (the first one is eaten by the \t).

The reason the system crashes is that the Win32 subsystem terminates unexpectedly. smss is the first user-mode process Windows creates; its job is to create the csrss and winlogon processes and then wait on the handles of those two processes. If either of the two processes terminates unexpectedly, smss crashes the system. The csrss process is responsible for communication between all Win32 processes and the system. Originally every Win32 system call went through csrss, but the process switch this required made it too slow, so when Windows NT was upgraded from 3.51 to 4.0 many components were moved from user mode into kernel mode, and Win32 system calls now go directly to the kernel, reducing process-switch time. A small number of system calls still need csrss to complete them; as far as I know CreateProcess is one such function, and so is everything that displays on the console (there are others).

When we call printf("\t\b\ba") it eventually calls the WriteFile API: WriteFile((HANDLE)7, "\t\b\ba", NULL, NULL) is equivalent to printf("\t\b\ba"), where 7 is the console's standard input handle. WriteFile determines the handle type: for a file handle it calls NtWriteFile in ntdll.dll, and for a console handle it calls WriteConsoleA. WriteConsoleA calls CsrClientCallServer in ntdll.dll to notify the csrss process, and then calls NtRequestWaitReplyPort to wait for the result. My guess is that something goes wrong while csrss handles this request.

A few years ago, after teacher HOU Jie's analysis, I sorted this out. Because nobody has discussed it anywhere and there is not even a simple analysis available, I am simply posting it here. Attentive readers will notice that the details of the csrss error are not described here; who has time to supplement them?