> From: q7x@xxxxxxxxxxxx [mailto:q7x@xxxxxxxxxxxx]
> Sent: Thursday, 01 December, 2005 05:02
>
> Description:
> When one process opens another with the OpenProcess function and
> uses CreateRemoteThread(Process,0,0,x,0,0,0), the process crashes.
> For example, hackers can use this method to kill firewalls
> and antiviruses.

If an attacker can successfully call OpenProcess() on a process with arbitrary access, then they can just request PROCESS_TERMINATE access and terminate the process with TerminateProcess(). Other attacks are obviously possible with other forms of access.

I don't see how this particular feature is a vulnerability unless an attacker can somehow perform a successful OpenProcess() but only with PROCESS_CREATE_THREAD access. And even then, why couldn't the attacker just do:

    CreateRemoteThread(Process, NULL, 0, (LPTHREAD_START_ROUTINE)_exit, NULL, 0, NULL);

or indeed create a remote thread with any other useful function the process has mapped?

This "exploit" boils down to "if I can make a process call address 0, I can cause an exception in it". Well, sure. If you can make a process execute arbitrary code, you can do all sorts of things.

An attacker who can successfully open a security-critical process has already won.

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus