This one deserves a closer look, given that it had been known since 2007:
http://social.msdn.microsoft.com/Forums/en-US/windowsgeneraldevelopmentissues/thread/57c3783b-dd38-4a57-9217-61a920541ad0
Returning the HWND_TOPMOST pseudo-handle in the hwndInsertAfter field of a WH_CBT hook leads to an access violation, exploitable if the NULL page is mapped (with difficulty, but Ronald produced something more or less stable).
Anyone likely to Google "windows bluescreen" will have had a local 0day for three and a half years. Unfortunately, Core Security killed it, and was credited instead of "JonnyDeep", who made the effort to report it but was not listened to by MS (they should read their own forums from time to time!).
It's crazy what you can find on the Windows Developer Center :)
Edit: Also, unlike the previous one, this vulnerability is not listed as having been publicly known. Lifetime: 1301 days (for those who want to make slides about 0days).
3 comments:
Hi Costia, I'm using Google Translate to understand your language :-)
"Unfortunately, Core Security has killed (r), and was credited in place of "JonnyDeep" who made the effort to see but has not been listened to by MS (they should read their own forums of time time!)."
"Unfortunately" ... why ?
I found this bug when I tried to trigger the previous bug (MS10-032).
If this bug was public and very exploitable, why didn't Immunity decide to warn the world about it?
I don't know who "JonnyDeep" is, and the people even less ...
You make it sound like Core read that forum post and "stole" the bug, but it's more likely that it was found independently, since it was so close to a recently published vulnerability.
Nonetheless, Core killed that bug. It's sad :(