Holy mackerel! Instances of this bug date back to 1999! http://groups.google.ca/group/microsoft.public.win32.programmer.kernel/browse_thread/thread/c5946bf40f227058/7bd7b5d66a4e5aff
--Pukhraj On 12/21/06, Alexander Sotirov <[EMAIL PROTECTED]> wrote: > 3APA3A wrote: > > Killer{R} assumes the problem is in strcpy(), because it should not be > > used for overlapping buffers, but at least ANSI implementation of strcpy > > from Visual C should be safe in this very situation (copying to lower > > addresses). May be code is different for Windows XP or vulnerability is > > later in code. > > We discovered this bug some time ago and were preparing an advisory when it > was > publicly disclosed. Since the exploit is already public, here's my analysis of > the vulnerability: > > http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html > > It's a double free bug that leads to arbitrary code execution in the CSRSS > process. > > Alex > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/