There's really simple and useless bug in win32k!IsHandleEntrySecure(), which, nevertheless, allows unprivileged local user to cause bsod. I believe entire NT line is affected. What's intresting, is Microsoft reaction to it, because, apparently, nowadays local denial of service from unprivileged users is not considered vulnerability.
QUOTE START I looked through your report, and it appears to be a local DOS. Although this is an unfortunate bug, we don't consider it a security vulnerability according to our 10 immutable laws of security (http://technet.microsoft.com/library/cc722487.aspx). If you know how to exploit this bug without violating one of those laws, we would consider it a remote DOS which is considered a vulnerability. If you'd like to see this bug fixed, please contact Microsoft Product Support Services at http://support.microsoft.com/common/international.aspx. You may also want to try posting a message to our free support newsgroups. See Microsoft Product Support Newsgroups at http://support.microsoft.com/newsgroups/ for more information. QUOTE END Instead of spending time trying to contact other MS instances, it was decided to go full disclosure :) So, the bug core is in win32k!IsHandleEntrySecure() function which doesn't properly check if 'pW32Job' field of 'tagPROCESSINFO' for current process contains non-zero value. Client can reach that function through call to NtUserValidateHandleSecure(). // IsHandleEntrySecure: // ... // .text:00149042 eax: current process processInfo // .text:00149042 edx: handleEntry process processInfo // .text:00149042 // .text:00149042 checkHandleInJob: ; CODE XREF: IsHandleEntrySecure(x,x)+48j // .text:00149042 mov ecx, [eax+tagPROCESSINFO.pW32Job] ; ecx: pW32Job of current process processInfo // .text:00149048 cmp [edx+tagPROCESSINFO.pW32Job], ecx // .text:0014904E jz short ret_1 // .text:0014904E // .text:00149050 mov edx, [ecx+tagW32JOB.pgh] ; <<<<<<< let's bsod here // .text:00149053 xor eax, eax // .text:00149055 test edx, edx // .text:00149057 jz short ret_eax // Links to PoC source and binaries will be posted shortly here and on my twitter @sixtyvividtails. -- sixtyvividta...@yandex.com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/