Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
SecuriTeam™  Beyond Security®  SecuriTeam™ Home  Ask the Team  Mailing Lists  Advertising Info  Blogs SecuriTeam™ in Your Inbox   E-mail this CVE-2010-1897 to a friend New vulnerability? New tool? Tell us	CVE-2010-1897 Microsoft Windows CreateWindow function callback vulnerability     Credit: The information has been provided by Nicolas Economou. The original article can be found at: http://www.coresecurity.com/content/microsoft-windows-createwindow-function-callback-bug Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    CVE-2010-1897 Details Check for CVE-2010-1897 Vulnerability Assessment and Management. Automated Pen Testing for 50 to 50,000 nodes beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Windows 7  * Windows Vista  * Windows Server 2008 R2  * Windows Server 2008  * Microsoft Windows XP  * Microsoft Windows Server 2003 Immune Systems:  * Windows 7 with MS10-048  * Windows Vista with MS10-048  * Windows Server 2008 R2 with MS10-048  * Windows Server 2008 with MS10-048  * Microsoft Windows XP with MS10-048  * Microsoft Windows Server 2003 with MS10-048 There is a bug in the xxxCreateWindowEx Windows kernel function, located in win32k.sys. This function addresses memory with a user-supplied (via a callback) window pseudo-handle (the hParent parameter). This bug can be exploited by surreptitiously registering a callback or "hook" that will cleverly modify parameters passed by the kernel into userland that are then reused when returning to kernel from the callback. In normal execution when the CreateWindow is called from userspace, the NtUserCreateWindowEx kernel function is executed, the xxxCreateWindowEx is next in the kernel-side call stack. The later function then checks that the callback functions (or "hooks") where properly set and calls xxxCallHook which then starts the dispatch into userland of the registered callback functions. The problem resides in the mechanism used to pass parameters back to the process creating the window, like for example the aforementioned hParent parameter. These parameters are passed via the stack into userspace, and reused by the kernel after the callback function is executed. If the callback function resets the hParent parameter to pseudo-handle values like 0xffffffff or 0xfffffffe the kernel crashes (likely because validation of handle values was already done and was not being re-verified after executing untrusted userland code). Patch Availability: See Microsoft security bulletin at http://go.microsoft.com/fwlink/?LinkId=194552 CVE Information: CVE-2010-1897 Disclosure Timeline: Date published: 2010-08-10 Date of last update: 2010-08-09  Comments on CVE-2010-1897:  Add new comment:  Subject:  Name/Nick/Email:          Chars Left:	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Copyright © 1998-2010 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®