[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day

To: <full-disclosure@xxxxxxxxxxxxxxxxx>
Subject: RE: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day
From: "Michele Cicciotti" <mc@xxxxxxxxxx>
Date: Fri, 22 Dec 2006 01:58:19 +0100

> Holy mackerel! Instances of this bug date back to 1999!

Different bug. That appears to be a trivial exhaustion of CSRSS worker threads 
through indiscriminate calls to MessageBox+MB_SERVICE_NOTIFICATION, which 
causes a DoS as no threads are available to serve kernel-mode requests from 
win32k, stalling GUI processes. I have done my fair share of CSRSS reversing in 
my better days, and I'm pretty sure that in Windows 2000 and later, a dedicated 
thread is used for such notifications, not just any thread, any time. Easily 
verifiable with local net sends and Spy++. It wasn't a "bug" either, more like 
a serious design flaw that ignored a very basic Win32 mantra ("don't do GUI in 
a worker thread") - not at all like this double-free

References:
- Microsoft Windows XP/2003/Vista memory corruption 0day
  - From: 3APA3A
- Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day
  - From: 3APA3A
- Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day
  - From: Alexander Sotirov

Prev by Date: Re: critical Flaw in Firefox 2.0.0.1 allows to steal the user passwords with a videoclip
Next by Date: Xt-News 0.1 : SQL Injection Vulnerability & XSS
Previous by thread: Re: [Full-disclosure] Microsoft Windows XP/2003/Vista memory corruption 0day
Next by thread: [SECURITY] [DSA-1240-1] New links2 packages fix arbitrary shell command execution
Index(es):
- Date
- Thread