New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.
Issue 544
Starred by 1 user
Status: Fixed
Owner:
hawkes@google.com
Closed: Dec 2015
Cc:
nils.som...@gmail.com
project-...@google.com



Sign in to add a comment
 Windows kernel null pointer dereference in win32k!OffsetChildren
Project Member Reported by hawkes@google.com, Sep 23 2015 Back to list 
Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
The attached PoC triggers a null pointer vulnerability in OffsetChildren on Windows 7 32-bit. By mapping the null page an attacker can leverage this vulnerability to write to an arbitrary address.
---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.
debugger_mapped.txt
2.7 KB View Download
debugger_null.txt
640 bytes View Download
poc.cpp
2.7 KB Download
Project Member Comment 1 by hawkes@google.com, Sep 23 2015
Labels: MSRC-31280
Project Member Comment 2 by hawkes@google.com, Dec 5 2015
Labels: CVE-2015-6171
Project Member Comment 3 by scvitti@google.com, Dec 17 2015
Labels: -Restrict-View-Commit
Status: Fixed
Sign in to add a comment