A couple of questions... One, there is no "TaskManager" key under HKCU\Software\Microsoft\Windows NT\CurrentVersion in either XP or Vista. And making one, and then adding a null-value "Preferences" REG_BINARY value didn't affect taskmanager at all... Is this specific to the German version of XP or something?

And you have to be an administrator to write to the HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DoReport value you reference in the "exploit" code... So, are you saying that if you get the administrator of a box to run your arbitrary code "virus," that you could then write a registry value that makes TaskManager crash, and thus (since TaskManager won't run) you've "hidden" your process from the user? Why not just load a kernel mode rootkit that hides itself? Or why not do a million other things since you've gotten them to first run code as admin? I mean, it's really kind of silly to make TaskManager crash and tip your hand like that, don't you think?

You see (and this must be 1 million and 12 times said here), if you get someone to run arbitrary code as administrator, then, well, it doesn't matter at all what comes after "then." Then, ANYTHING. If the admin runs arbitrary code, nothing matters at all, period.

If that's the response you got from MSFT that makes you think they are "totally ignorant," then I guess you can count me among them.

t

> -----Original Message-----
> From: SkyOut [mailto:skyout@xxxxxxx]
> Sent: Friday, March 14, 2008 12:48 PM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Local persistent DoS in Windows XP SP2 Taskmgr
>
> Dear list,
>
> after weeks of total ignorance by Microsoft I decided to finally release all information
> related to a bug that has to do with the Windows XP SP2 Taskmanager. Manipulating
> a Registry key makes it possible to disable the Taskmgr. On the next startup it will crash with
> an error message. It is possible to backup the key and repair the Registry doing so, but
> the attack scenario is clear: A virus uses this code, the user can't open the Taskmgr anymore
> and your process is somehow "hidden".
>
> The full information about this bug can be found here:
> http://core-security.net/archive/2008/march/index.php#14032008
>
> And the exploit is available here:
> http://core-security.net/releases/exploits/taskmgr_dos.c.txt
>
> Greets,
> SkyOut
>
> ---
> core-security.net
> ---
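An added, read-only audit script (not part of this thread and not the linked exploit) that checks the two registry locations the messages name from the defender's side: it reports whether each value exists, its type and size, and which identities hold write rights on the HKLM key, which is the reply's point that writing DoReport already requires administrator rights. Assumptions not stated in the thread: a zero-length Preferences blob is treated as the suspect state because the reply describes the trigger as a "null-value Preferences REG_BINARY value", and the expected value kinds (REG_BINARY for Preferences, REG_DWORD for DoReport) are taken from the reply's wording and common usage rather than from the original advisory.

```powershell
# Added example, not the thread's or core-security.net's code.
# Read-only audit of the registry locations named in the thread.

$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\TaskManager'
       Name = 'Preferences'; Kind = 'Binary' },   # kind assumed from the reply's description
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\PCHealth\ErrorReporting'
       Name = 'DoReport';    Kind = 'DWord' }     # kind assumed, not stated in the thread
)

# Returns $null when the key or value is missing, otherwise the value's kind and data.
function Get-RegistryValueInfo {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $key = Get-Item -LiteralPath $Path
    if ($key.GetValueNames() -notcontains $Name) { return $null }
    return @{ Kind = $key.GetValueKind($Name); Value = $key.GetValue($Name) }
}

foreach ($c in $checks) {
    $label  = "{0}\{1}" -f $c.Path, $c.Name
    $result = Get-RegistryValueInfo -Path $c.Path -Name $c.Name

    if ($null -eq $result) {
        Write-Output ("ABSENT     {0}" -f $label)
        continue
    }

    $summary = switch ($result.Kind) {
        'Binary' { "REG_BINARY, {0} bytes" -f $result.Value.Length }
        'DWord'  { "REG_DWORD, {0}"        -f $result.Value }
        default  { "{0}, {1}"              -f $result.Kind, $result.Value }
    }

    # Assumption: an empty Preferences blob, or a value of an unexpected kind,
    # is the state worth flagging. A normal DoReport value is simply listed.
    $flag = 'OK'
    if ($result.Kind -ne $c.Kind) { $flag = 'SUSPECT' }
    if ($c.Name -eq 'Preferences' -and $result.Value.Length -eq 0) { $flag = 'SUSPECT' }

    Write-Output ("{0,-10} {1}  [{2}]" -f $flag, $label, $summary)
}

# Who can write the HKLM key? Listing the identities with write-class rights
# makes the "you already need admin to set DoReport" argument concrete.
$hklm = 'HKLM:\SOFTWARE\Microsoft\PCHealth\ErrorReporting'
if (Test-Path -LiteralPath $hklm) {
    (Get-Acl -Path $hklm).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.RegistryRights -match 'SetValue|WriteKey|FullControl' } |
        ForEach-Object {
            Write-Output ("WRITERS    {0}: {1}" -f $_.IdentityReference, $_.RegistryRights)
        }
}
```

Run it from a normal user session and then from an elevated one: the HKCU check behaves the same in both, while the WRITERS lines show that only administrative identities can modify the HKLM key, which is the access boundary the reply is pointing at. An ABSENT result for the TaskManager key is consistent with the reply's own observation on a clean XP or Vista install and is not by itself a sign of tampering.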