Full Disclosure: Re: Microsoft Windows XP/2003/Vista memory corruption 0day

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Full Disclosure mailing list archives

Re: Microsoft Windows XP/2003/Vista memory corruption 0day

From: Alexander Sotirov <asotirov () determina com>
Date: Thu, 21 Dec 2006 12:11:29 -0800

3APA3A wrote:

Killer{R}  assumes  the problem is in strcpy(), because it should not be
used for overlapping buffers, but at least ANSI implementation of strcpy
from  Visual  C  should be safe in this very situation (copying to lower
addresses).  May be code is different for Windows XP or vulnerability is
later in code.


We discovered this bug some time ago and were preparing an advisory when it was
publicly disclosed. Since the exploit is already public, here's my analysis of
the vulnerability:

http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html

It's a double free bug that leads to arbitrary code execution in the CSRSS process.

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A (Dec 21)
- Re: Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A (Dec 21)
  - Re: Microsoft Windows XP/2003/Vista memory corruption 0day Alexander Sotirov (Dec 21)
    - Re: Microsoft Windows XP/2003/Vista memory corruption 0day Pukhraj Singh (Dec 21)
    - Message not available
    - Re: Microsoft Windows XP/2003/Vista memory corruption 0day Michele Cicciotti (Dec 21)
    - Re: Microsoft Windows XP/2003/Vista memory corruption 0day 3APA3A (Dec 22)
    - Re: Microsoft Windows XP/2003/Vista memory corruption 0day Alexander Sotirov (Dec 22)