Vigil@nce - Windows: bypassing SafeSEH
January 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can bypass the SafeSEH protection, in order to execute code with the privileges of a vulnerable application.
Severity: 2/4
Creation date: 11/01/2012
IMPACTED PRODUCTS
Microsoft Visual Studio
Microsoft Windows 2003
Microsoft Windows 2008
Microsoft Windows 7
Microsoft Windows Vista
Microsoft Windows XP
DESCRIPTION OF THE VULNERABILITY
The SEH (Structured Exception Handler) mechanism designates the handler routines to execute when a hardware or software exception occurs.
One way to exploit a memory corruption is to overwrite these handler pointers. Microsoft therefore implemented the SafeSEH feature, which validates a handler against a table recorded in the executable before running it.
If an application was compiled with Microsoft Visual C++ .NET 2003, its PE "Load Configuration Directory" has a size of 0x48. However, when Windows loads such an executable, it does not recognize this size and does not enable SafeSEH. An attacker can thus use a vulnerability in this application to corrupt its SEH chain, in order to execute code.
A local attacker can therefore bypass the SafeSEH protection, in order to execute code with the privileges of a vulnerable application.
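The condition described above can be audited from the PE headers alone: the Load Configuration Directory starts with a Size field, and in the 32-bit layout the SafeSEH handler table pointer and count sit at offsets 64 and 68 of that structure. The following script is an added example written for this bulletin, not code from Vigil@nce; it parses a PE32 image, reports the Load Config Size field and the SafeSEH table, and flags the 0x48 size the bulletin identifies. The PE images it tests against are constructed in-line as fixtures (they are not real binaries), and the field offsets follow the public IMAGE_LOAD_CONFIG_DIRECTORY32 layout.

```python
"""Audit a PE32 image's Load Configuration Directory for the SafeSEH condition
in the bulletin: a Load Config Size of 0x48 (Visual C++ .NET 2003), which the
loader does not recognize, leaving SafeSEH disabled for that image."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG = 10   # index in the optional header's data directories
VC2003_LOAD_CONFIG_SIZE = 0x48           # Size value named in the bulletin
SEH_TABLE_OFFSET = 64                    # SEHandlerTable / SEHandlerCount in IMAGE_LOAD_CONFIG_DIRECTORY32


def rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + rptr
    raise ValueError("RVA 0x%x is not mapped by any section" % rva)


def audit_safeseh(image):
    """Return a dict describing the Load Config / SafeSEH state of a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", image, pe_off + 6)[0]
    size_opt = struct.unpack_from("<H", image, pe_off + 20)[0]
    opt_off = pe_off + 24
    if struct.unpack_from("<H", image, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 images carry a SafeSEH handler table")
    # Section headers follow the optional header; each is 40 bytes.
    sections = []
    for i in range(num_sections):
        base = opt_off + size_opt + 40 * i
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", image, base + 8)
        sections.append((vaddr, vsize, rptr, rsize))
    result = {"has_load_config": False, "load_config_size": 0,
              "seh_table_rva": 0, "seh_count": 0, "safeseh_enforced": False}
    num_dirs = struct.unpack_from("<I", image, opt_off + 92)[0]
    dir_rva = 0
    if num_dirs > IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG:
        dir_rva = struct.unpack_from("<I", image, opt_off + 96 + 8 * IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG)[0]
    if dir_rva == 0:
        result["finding"] = "no Load Config directory: image has no SafeSEH table"
        return result
    lc_off = rva_to_offset(dir_rva, sections)
    size = struct.unpack_from("<I", image, lc_off)[0]
    result.update(has_load_config=True, load_config_size=size)
    if lc_off + SEH_TABLE_OFFSET + 8 <= len(image):
        table, count = struct.unpack_from("<II", image, lc_off + SEH_TABLE_OFFSET)
        result.update(seh_table_rva=table, seh_count=count)
    if size == VC2003_LOAD_CONFIG_SIZE:
        result["finding"] = ("Load Config Size is 0x48 (VC++ .NET 2003): the loader does not "
                             "recognize it, so SafeSEH is not enabled for this image")
    elif result["seh_table_rva"] == 0 or result["seh_count"] == 0:
        result["finding"] = "Load Config present but no SafeSEH handler table"
    else:
        result["safeseh_enforced"] = True
        result["finding"] = "SafeSEH handler table present (%d handlers)" % result["seh_count"]
    return result


def build_test_pe(load_config_size):
    """Construct a minimal PE32 fixture (not a real binary) whose single .rdata
    section holds a Load Config structure with the given Size field and a
    3-entry SafeSEH table at RVA 0x2000."""
    section_rva, section_raw = 0x1000, 0x200
    load_cfg = struct.pack("<I", load_config_size) + b"\0" * 60 + struct.pack("<II", 0x2000, 3)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)        # PE32 magic, 16 dirs
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG] = (section_rva, load_config_size)
    opt += b"".join(struct.pack("<II", a, s) for a, s in dirs)
    sect = b".rdata\0\0" + struct.pack("<IIII", len(load_cfg), section_rva, 0x200, section_raw) + b"\0" * 16
    headers = dos + coff + opt + sect
    return headers.ljust(section_raw, b"\0") + load_cfg.ljust(0x200, b"\0")


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(path, audit_safeseh(f.read())["finding"])
    else:
        for size in (0x48, 0x40):
            print("fixture Size=0x%x:" % size, audit_safeseh(build_test_pe(size))["finding"])
```

Run without arguments it audits the two constructed fixtures; given file paths it audits real PE32 images, which is the check a defender would run over a software inventory to find modules still built with the 0x48 Load Config size.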
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN