510 - Windows Cursor object potential memory leak - project-zero

Starred by 1 user

Status:	Fixed
Owner:	hawkes@google.com
Closed:	Nov 2015
Cc:	█ nils.som...@gmail.com project-...@google.com
Finder-nils Deadline-90 Product-Windows MSRC-31008 CVE-2015-6102 CCProjectZeroMembers Severity-High Reported-2015-Aug-27 Vendor-Microsoft

Windows Cursor object potential memory leak

Project Member Reported by hawkes@google.com, Aug 27 2015

Back to list

Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
The attached poc crashes 32-bit Windows 7 with a screen resolution of 1024x768 and 32bit color depth. The crash occurs during a memmove opperation while copying the cursor content from unmapped memory. This could potentially be used by an attacker to leak kernel memory.

When reproducing this issue in VMWare, it is necessary to remove VMWare tools. In QEMU the issue reproduces reliably.
---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

poc.cpp
1.1 KB Download

debugger.txt
79.5 KB View Download

Project Member Comment 1 by hawkes@google.com, Nov 20 2015

Labels: -Restrict-View-Commit MSRC-31008 CVE-2015-6102
Status: Fixed

Fixed in MS15-115

► Sign in to add a comment