ASafety - AntiSecurity: a project you will take to heart...

[0day] Critical or not: Opinions differ about Windows bug


Posted by x[@♥] » Tue 10 Aug 2010 07:55

Critical or not: Opinions differ about Windows bug

A new exploit has just come out. Well, at least, not publicly. However, I think it won't be long. A kernel-mode RCE, the cream of the crop among the exploits that hackers look for. Secunia and Vupen do not agree on how to classify the exploit. In any case, if a public version appears, it will wreak havoc.

On the 6th of August, under his pseudonym "Arkon", Gil Dabah released a segment of code which triggers a heap overflow in Windows. The affected function runs in kernel mode and, therefore, at the highest privilege level. Security firms Vupen and Secunia have determined that all versions of Windows from XP to Windows 7 including the server versions are affected, regardless of their update status.

Both advisories say that the hole can potentially be exploited to execute arbitrary code at kernel privilege level. Consequently, first responses to the disclosure were suitably agitated: There was talk about a "critical security hole in Windows" and a "new zero-day hole". However, so far, no exploits have been found. Commenting on his post, Arkon doubted that there will ever be any. The programmer thinks that exploiting the hole is "not trivial" because attackers can't submit arbitrary data to the affected function and have virtually no knowledge of the location and structure of the heap. Secunia also rates the flaw "less critical", and Vupen considers it a "moderate risk".

The issue is triggered in the CreateDIBPalette() function in the win32k.sys Windows file when copying the colour palette of a bitmap if the palette includes more colours than the current colour depth allows.

For instance, the sample code sets the colour depth to 8 bit (up to 256 colours), then enters 512 as the size of the colour palette and initiates copying by accessing the clipboard. Arkon points out that every fourth byte of the data to be copied needs to have the value of 4.


Src here!

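The quoted article describes a palette declared larger than the colour depth allows (512 entries at 8 bit). The check a DIB consumer would apply before copying a palette is sketched below as an added example; it is not part of the original post, not Arkon's sample code and not Microsoft's fix. It assumes the palette size is the `biClrUsed` field of a standard 40-byte BITMAPINFOHEADER; `dib_check_palette` and `check_sample` are hypothetical names, and the sample header is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_SIZE 40u      /* sizeof(BITMAPINFOHEADER) */
#define RGBQUAD_SIZE 4u   /* one palette entry */
enum { DIB_OK, DIB_TRUNCATED, DIB_BAD_DEPTH, DIB_PALETTE_TOO_LARGE };

static uint32_t rd32(const uint8_t *p) {             /* little-endian read */
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Validate a packed DIB's declared palette before anything copies it.
 * On DIB_OK, *entries is the number of palette entries safe to copy. */
int dib_check_palette(const uint8_t *buf, size_t len, uint32_t *entries) {
    if (len < HDR_SIZE) return DIB_TRUNCATED;
    uint32_t hdr = rd32(buf);                         /* biSize */
    if (hdr < HDR_SIZE || hdr > len) return DIB_TRUNCATED;
    uint32_t bits = buf[14] | (uint32_t)buf[15] << 8; /* biBitCount */
    uint32_t used = rd32(buf + 32);                   /* biClrUsed */
    if (bits != 1 && bits != 4 && bits != 8) return DIB_BAD_DEPTH;
    uint32_t max = 1u << bits;                        /* 8 bit -> 256 colours */
    if (used > max) return DIB_PALETTE_TOO_LARGE;     /* e.g. 512 at 8 bit */
    if (used == 0) used = max;                        /* 0 means full palette */
    if ((len - hdr) / RGBQUAD_SIZE < used) return DIB_TRUNCATED;
    *entries = used;
    return DIB_OK;
}

/* Constructed sample: zeroed header with only the fields the check reads.
 * Returns the entry count on success, or the negated status on rejection. */
int check_sample(uint16_t bits, uint32_t clr_used, size_t palette_bytes) {
    static uint8_t buf[HDR_SIZE + 4096];
    uint32_t entries = 0;
    if (palette_bytes > 4096) return -DIB_TRUNCATED;
    memset(buf, 0, sizeof buf);
    buf[0] = HDR_SIZE;
    buf[14] = (uint8_t)bits; buf[15] = (uint8_t)(bits >> 8);
    for (int i = 0; i < 4; i++) buf[32 + i] = (uint8_t)(clr_used >> (8 * i));
    int st = dib_check_palette(buf, HDR_SIZE + palette_bytes, &entries);
    return st == DIB_OK ? (int)entries : -st;
}

int main(void) {
    printf("8 bit, 512 colours: %d\n", check_sample(8, 512, 2048));
    printf("8 bit, 256 colours: %d\n", check_sample(8, 256, 1024));
    return 0;
}
```

The check only covers palettised depths (1, 4 and 8 bit); other depths are rejected here rather than validated.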
