707 - Windows kernel: DrawMenuBarTemp wild-write on 64-bit - project-zero

Starred by 2 users

Status:	Fixed
Owner:	hawkes@google.com
Closed:	Apr 2016
Cc:	█ nils.som...@gmail.com project-...@google.com
Finder-nils Deadline-90 Product-Windows Reported-2016-Jan-29 CCProjectZeroMembers Severity-High Vendor-Microsoft CVE-2016-0143

Windows kernel: DrawMenuBarTemp wild-write on 64-bit

Project Member Reported by hawkes@google.com, Jan 29 2016

Back to list

Credit is to "Nils Sommer of bytegeist, working with Google Project Zero".

---
The attached testcases crashes Windows 7 64-bit while attempting to write to an unmapped memory region. On 32-bit Windows 7 it triggers a null pointer read.
---

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

poc_p3_03.c
2.0 KB Download

crash_x64.txt
10.0 KB View Download

crash_x86.txt
1.0 KB View Download

Project Member Comment 1 by hawkes@google.com, Mar 15 2016

Cc: nils.som...@gmail.com

Project Member Comment 2 by hawkes@google.com, Apr 14 2016

Status: Fixed

Project Member Comment 3 by hawkes@google.com, Apr 19 2016

Labels: -Restrict-View-Commit CVE-2016-0143

Fixed in MS16-039

► Sign in to add a comment