Full Disclosure: Re: Microsoft Windows XP/2003/Vista memory corruption 0day

[Alexander Sotirov <asotirov () determina com>]

3APA3A wrote:
> AS> The  HardError  message  is handled by the UserHardError function in
> AS> WINSRV.DLL. It calls GetHardErrorText to read the message parameters
> AS> from  the address space of the sender. The GetHardErrorText function
> AS> returns  pointers to the caption and text of the message box. If the
> AS> caption  or text parameters start with the \??\ prefix, the function
> AS> inexplicably frees the buffer and returns a pointer to freed memory.
> AS> After  the  message  box  is  closed by the user, the same buffer is
> AS> freed  again  in  the  FreePhi  function, resulting in a double free
> AS> vulnerability.
>
> I  may  be  wrong, but probably this fact doesn't explain the garbage on
> the  screen in MessageBox. Even "use after free()" vulnerability doesn't
> explain  it, because garbage is permanent. There should be some more bug
> before second free().
The buffer that contains the caption and text of the message box is freed before
the message box is displayed. The freed memory is allocated again and
overwritten with other data. Displaying this other data as a unicode string
results in garbage in the message box.

Alex

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/