[Code-Crunchers] [Full-disclosure] windows vulnerability? [was:Re: 137 bytes]
Carlos Pizano
carlos.pizano at greenborder.com
Thu Nov 9 12:16:20 CST 2006
It is true that the most phases of the loader are executed in usermode;
in fact in the context of the just-born process. However csrss.exe reads
parts of the PE (for example the manifest) and at that point a weird PE
can cause the crash of csrss and that will eventually crash the machine.
See for example:
http://support.microsoft.com/kb/921337
CPU
Ps <!first post!>
-----Original Message-----
From: Peter Ferrie [mailto:pferrie at symantec.com]
Sent: Wednesday, November 08, 2006 10:16 AM
To: full-disclosure at lists.grok.org.uk
Cc: code-crunchers at whitestar.linuxbox.org
Subject: Re: [Code-Crunchers] [Full-disclosure] windows vulnerability?
[was:Re: 137 bytes]
> Using the PE as a vector to attack the PE loader with
> (potential!) code execution for privilage esclation.
> Using the PE itself as a vector of attack.
I made a malformed PE file that caused a BSOD in all Windows
versions, including XP SP1. 99 bytes. :-)
I don't know if it was exploitable, and Microsoft said "it's
not a vulnerability", but then they silently fixed it.
_______________________________________________
Code-Crunchers mailing list
Code-Crunchers at whitestar.linuxbox.org
http://whitestar.linuxbox.org/mailman/listinfo/code-crunchers
More information about the Code-Crunchers
mailing list