Vigil@nce - Windows: denials of service of win32k.sys
April 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can call the PostMessage() function to trigger
an error in win32k.sys, which stops the system.
Severity: 1/4
Creation date: 23/04/2010
DESCRIPTION OF THE VULNERABILITY
The PostMessage() function is used to send a message to a window.
It relies on win32k.sys. Two vulnerabilities in win32k.sys can be
exploited via PostMessage().
The PostMessage() function does not check the memory address passed
as an argument when the message type is 0x4c (SfnLOGONNOTIFY).
[severity:1/4; BID-39630]
The PostMessage() function does not check the memory address passed
as an argument when the message type is 0x18d (SfnINSTRING).
[severity:1/4; BID-39631]
A local attacker can therefore call the PostMessage() function to
trigger an error in win32k.sys, which stops the system.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-denials-of-service-of-win32k-sys-9607