MS09-001 analysis - vulnerability warning - the black bar safety net

2009-01-14T00:00:00
ID MYHACK58:62200921933
Type myhack58
Reporter Anonymous
Modified 2009-01-14T00:00:00

Description

HD Moore moves fast; his analysis is already out.

<http://www.breakingpointsystems.com/community/blog/2009_microsoft_tuesday_coverage>

The effect is only a DoS; it is not exploitable.

This update covers three vulnerabilities. The first came out nine months ago and is only a DoS. The other two are rather special: they are not exploitable, and the reason is more involved. He describes it as follows:

The next two bugs (CVE-2008-4834 and CVE-2008-4835) are a little different. These bugs are triggered when the service attempts to zero out a memory buffer that is smaller than a static value. If the attacker sends a request with certain fields set to values smaller than the static buffer size, the resulting operation overwrites the memory after the buffer with NULL bytes. Since we are dealing with driver code and the first buffer is allocated in a kernel pool, the subsequent overwrite usually corrupts the following pool header with a series of NULL bytes.

This is where things start to get interesting. The Microsoft bulletin rates this patch as Critical and these two flaws as Remote Code Execution, but in order to execute code, there needs to be a way to leverage a small NULL byte overwrite of a kernel pool header to somehow gain control of execution. While there has been some work in this area, it has focused on using controllable values to overwrite header entries. As far as I know, there is no easy way to leverage a NULL byte overwrite of a pool header into code execution. For this reason, I would agree that these bugs are Critical in the sense that they should be patched as soon as possible (to prevent an easy DoS if nothing else), but I do not believe they will result in code execution. Of course, I would love to be proven wrong :-)
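The bug class in the quoted passage, as an added illustration that is not part of the original post or of HD Moore's analysis: a request field decides how large a buffer is allocated, but the code then zeroes a fixed, larger size, so a field smaller than that size pushes NUL bytes over whatever follows the allocation. The pool layout, header format, `STATIC_SIZE` and all function names below are constructed assumptions used only to make the overwrite observable; they do not model the real Windows kernel pool or the SMB code the bulletin patched.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (assumption): chunk A = header + data, immediately
 * followed by chunk B's header, exactly like two adjacent pool chunks. */
#define STATIC_SIZE   32u          /* size the zeroing code assumes (assumed value) */
#define HEADER_MAGIC  0xA5A5A5A5u  /* marker so header corruption is easy to detect */
#define POOL_BYTES    128u

struct chunk_header {
    uint32_t magic;
    uint32_t size;
};

struct pool_model {
    uint8_t mem[POOL_BYTES];
    size_t  next_hdr_off;          /* offset of the "following pool header" */
};

static struct pool_model g_pool;   /* one shared model so the demo functions stay simple */

/* Lay out chunk A with data_len payload bytes, then chunk B's header right after it.
 * Returns 0 on success, -1 if the request does not fit the toy pool. */
static int pool_init(struct pool_model *p, uint32_t data_len)
{
    size_t off = sizeof(struct chunk_header) + data_len;
    if (off + sizeof(struct chunk_header) > POOL_BYTES)
        return -1;
    memset(p->mem, 0xCC, POOL_BYTES);                 /* recognisable filler */
    struct chunk_header h = { HEADER_MAGIC, data_len };
    memcpy(p->mem, &h, sizeof h);                     /* chunk A header */
    memcpy(p->mem + off, &h, sizeof h);               /* chunk B header */
    p->next_hdr_off = off;
    return 0;
}

/* 1 if chunk B's header still carries its magic, 0 if it was clobbered. */
static int next_header_intact(const struct pool_model *p)
{
    struct chunk_header h;
    memcpy(&h, p->mem + p->next_hdr_off, sizeof h);
    return h.magic == HEADER_MAGIC;
}

/* Vulnerable pattern: the allocation is req_len bytes, but the zeroing uses the
 * static size, so req_len < STATIC_SIZE writes NUL bytes past the buffer.
 * Returns 1 if the following header survived, 0 if it was corrupted, -1 if the
 * request did not fit the model. */
int demo_vulnerable(uint32_t req_len)
{
    if (pool_init(&g_pool, req_len) != 0)
        return -1;
    uint8_t *buf = g_pool.mem + sizeof(struct chunk_header);  /* req_len-byte allocation */
    memset(buf, 0, STATIC_SIZE);   /* BUG: length comes from a constant, not the allocation */
    return next_header_intact(&g_pool);
}

/* Hardened pattern: the request field is validated against the size the code
 * assumes, and the zeroing is bounded by the size actually allocated.
 * Returns -2 when the field is rejected, otherwise as demo_vulnerable. */
int demo_fixed(uint32_t req_len)
{
    if (req_len < STATIC_SIZE)
        return -2;                 /* field too small for what the code expects: reject */
    if (pool_init(&g_pool, req_len) != 0)
        return -1;
    uint8_t *buf = g_pool.mem + sizeof(struct chunk_header);
    memset(buf, 0, req_len);       /* bounded by the real allocation, never past it */
    return next_header_intact(&g_pool);
}

int main(void)
{
    printf("vulnerable, field=8  -> next header intact: %d\n", demo_vulnerable(8));
    printf("vulnerable, field=32 -> next header intact: %d\n", demo_vulnerable(32));
    printf("fixed,      field=8  -> result: %d (rejected)\n", demo_fixed(8));
    printf("fixed,      field=32 -> next header intact: %d\n", demo_fixed(32));
    return 0;
}
```

The point of the model is what the quoted text calls out: the attacker controls only *where* the NUL bytes land (through the field), not *what* is written, which is why the outcome is a clobbered neighbouring header and a crash rather than a controlled write. The mitigation is the ordinary one for this class: derive the zeroing length from the allocation, and reject request fields that are inconsistent with the size the handler assumes.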

Note that he cites an 80sec paper (the mirror of the SyScan HK conference talk); foreigners are also paying attention to 80sec. Props to them.

Of course, many vulnerabilities once thought to be unexploitable were later exploited by some wizard who worked out a method. The more famous examples are MS08-001 and Dowd's exploitation of the Flash vulnerability. Will this time be the same?