*/me joining the bandwagon because... well, because it's fun and i'm an a-hole* *clears throat* Dear sapheal, "Unhandled exception at 0x01003468 in MC.EXE: 0xC0000005: shp> Access violation reading location 0x41414141." Unfortunately, every access violation you get does NOT mean it is exploitable and "critical security vulnerability ". This one just says "Access violation reading location...". Now you have to ask yourself: "How do I gain control of this program?" "Can I do it via this Access violation error?" "How can I use this to own my girlfriend's box so I can check her email?" "Do I look uber-cool by having the words "critical", "vulnerability" and "Windows" in one message?" <-- not if you have the words "might", "be" and "possible" with no supporting facts. 3APA3A said it best, "In order to call some bug "critical security vulnerability", you must show critical security impact from this vulnerability." just-joing-in-the-fun-even-though-not-everyone-appreciates-it, "Tao of Noodle Making: sweat means no need for salt" On 1/3/07, 3APA3A <3APA3A@xxxxxxxxxxxxxxxx> wrote:
Dear sapheal@xxxxxxx and all, In order to call some bug "critical security vulnerability", you must show critical security impact from this vulnerability. For local vulnerability security impact is usually privilege escalation. That is, local unprivileged user should be able to obtain privileges of another user or system account by exploiting this bug. Under Unix, local vulnerabilities are usually because of the bugs in some suid application. Under Windows there is no suid applications. To escalate privileges you must exploit vulnerability in some system component or service. mc.exe is not service and is not system component. I can't say there is no security impact from this bug at all. As an example, you can execute malware code in context of signed application and bypass some policy. But it's definitely not "critical security vulnerability". Sorry for this short lecture. --Tuesday, January 2, 2007, 10:06:30 PM, you wrote to bugtraq@xxxxxxxxxxxxxxxxx: shp> Synopsis: Windows NT Message Compiler 1.00.5239 arbitrary code execution shp> Product: Microsoft Windows XP shp> Issue: shp> ====== shp> A critical security vulnerability has been found in Windows NT Message Compiler. shp> Arbitrary code execution might be possible (local exploitation possible only). shp> Details: shp> ======== shp> MC (Windows NT Message Compiler) when provided a MC-filename longer than shp> requested crashed due to memory corruption. Memory corruption conditions shp> might allow the attacker to escalate privilleges. shp> When overwriting the buffer with "A" (0x41): shp> Unhandled exception at 0x01003468 in MC.EXE: 0xC0000005: shp> Access violation reading location 0x41414141. shp> First-chance exception at 0x01003468 in MC.EXE: 0xC0000005: shp> Access violation reading location 0x41414141. shp> Affected Versions shp> ================= shp> Microsoft (R) Message Compiler Version 1.00.5239 shp> Solution shp> ========= shp> Proper bounds-checking. shp> Kind regards, shp> Michal Bucko (sapheal) shp> hack.pl -- ~/ZARAZA http://www.security.nnov.ru/
