
Vigil@nce - Windows XP: denial of service via SrvGetConsoleTitle

August 2011 by Vigil@nce

This bulletin was written by Vigil@nce: http://vigilance.fr/offer

SYNTHESIS OF THE VULNERABILITY

A local attacker can call the SrvGetConsoleTitle() function, in
order to stop the CSRSS service, and possibly to read a portion of
its memory.

Severity: 1/4

Creation date: 05/08/2011

IMPACTED PRODUCTS

 Microsoft Windows XP

DESCRIPTION OF THE VULNERABILITY

The CSRSS (Client/Server Run-time Subsystem) manages users’
consoles.

The winsrv!SrvGetConsoleTitle() function is used to obtain the
title of the console:

  DWORD GetConsoleTitle(LPTSTR lpConsoleTitle, DWORD nSize);

The nSize parameter indicates the size to copy into the
lpConsoleTitle array.

If the indicated size is greater than the size of the title,
Windows adjusts the size. However, this adjustment is decided by a
16-bit comparison. So, if the indicated size is 0x10002, Windows
compares 2 to the size of the title, decides that no adjustment is
needed, and then copies 0x10002 bytes of memory.
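
Added example (not part of the Vigil@nce bulletin and not Microsoft's code): a small C model of the size check described above, showing the 16-bit comparison beside a full-width comparison and a bounded copy built on the latter. The function names and the 20-byte title length are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Flawed pattern: the requested size is compared after truncation to
 * 16 bits, but the untruncated value is kept as the copy length. */
uint32_t copy_len_truncated_check(uint32_t n_size, uint32_t title_len)
{
    uint16_t compared = (uint16_t)n_size;   /* 0x10002 becomes 0x0002 */
    if (compared > title_len)
        n_size = title_len;                 /* adjustment */
    return n_size;
}

/* Corrected pattern: compare the same full-width value that is copied. */
uint32_t copy_len_full_check(uint32_t n_size, uint32_t title_len)
{
    return n_size > title_len ? title_len : n_size;
}

/* Bounded copy built on the corrected check; also clamps to the
 * destination capacity. Returns the number of bytes written. */
uint32_t bounded_title_copy(char *dst, uint32_t dst_cap, const char *title,
                            uint32_t title_len, uint32_t n_size)
{
    uint32_t n = copy_len_full_check(n_size, title_len);
    if (n > dst_cap)
        n = dst_cap;
    memcpy(dst, title, n);
    return n;
}

int main(void)
{
    const uint32_t title_len = 20;          /* constructed sample value */
    const uint32_t sizes[] = { 10, 0x10002, 0x10030 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("nSize=0x%05x  16-bit check -> 0x%05x  full check -> 0x%05x\n",
               (unsigned)sizes[i],
               (unsigned)copy_len_truncated_check(sizes[i], title_len),
               (unsigned)copy_len_full_check(sizes[i], title_len));
    return 0;
}
```

Only sizes whose low 16 bits do not exceed the title length slip past the truncated check, which is why 0x10002 passes unadjusted while 0x10030 is still clamped.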

CSRSS uses a memory section of 0x10000 bytes to store its
information. To exploit the vulnerability and read the content of
the memory without creating an exception, this section thus has to
be recreated with a larger size.

A local attacker can therefore call the CSRSS SrvGetConsoleTitle()
function, in order to stop the CSRSS service, and possibly to read
a portion of its memory.

ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN

http://vigilance.fr/vulnerability/Windows-XP-denial-of-service-via-SrvGetConsoleTitle-10892

