Vista Exploit Surfaces on Russian Hacker Site

← Back to Stories (view on slashdot.org)

Vista Exploit Surfaces on Russian Hacker Site

Posted by Zonk on Friday December 22, 2006 @07:53AM from the exploits-show-up-in-the-funnest-places dept.

Datamation writes "Exploit code for Windows Vista (though at this point only proof-of-concept code) has been published to a Russian hacker site, Eweek reports. Certain strings sent through the 'MessageBox' API apparently cause memory corruption. Though this is obviously cause for concern, at the moment it would seem access to the system would already be required to make use of the exploit. Determina has an analysis of the bug. Just last week, Trend Micro reported that Vista zero-days are being sold at underground hacker sites for $50,000."

16 of 103 comments (clear)

I don't have to... by DittoBox · 2006-12-22 07:57 · Score: 5, Funny

I don't have to...you know...take pictures of squirrels or pigeons to get a hold of this exploit do I?

--
Good. Cheap. Fast. Pick Two.
1. Re:I don't have to... by Esine · 2006-12-22 09:37 · Score: 3, Informative
  
  For those who didn't understand: http://attrition.org/postal/z/033/0871.html
curious by east+coast · 2006-12-22 08:01 · Score: 3, Insightful

Trend Micro reported that Vista zero-days are being sold at underground hacker sites for $50,000.

I'm just wondering who would buy these at such a price. What is the real value of an exploit?

--
Dedicated Cthulhu Cultist since 4523 BC.
1. Re:curious by minus_273 · 2006-12-22 08:03 · Score: 4, Informative
  
  probably a lot more if you can use it to get a lot of zombies and bots for DDOS attacks and SPAM. I'm thinking the SPAM alone should cover the cost if you can get an installed base quickly.
  
  --
  The war with islam is a war on the beast
  The war on terror is a war for peace
2. Re:curious by Rosco+P.+Coltrane · 2006-12-22 08:21 · Score: 4, Insightful
  
  And when did these "hackers" become such sellouts? Way to ruin an art form...
  
  The only thing they ruin is the term "hacker". But that's okay, this word has been deformed, mis- and overused for so long to mean "pirate" and "cracker" by stupid media people that it just doesn't matter anymore.
  
  In reality, these guys aren't even worthy of the term "crackers" (which itself isn't worth much in the first place): they're just mafia, conmen, blackmail artists, forgers, thieves, robbers... whatever you choose to call it. They just happen to use a computer instead of a tommy gun, but the result is the same.
  
  --
  "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
3. Re:curious by Dirtside · 2006-12-22 11:48 · Score: 3, Funny
  
  They just happen to use a computer instead of a tommy gun, but the result is the same.
  
  You'll be sleep()ing with the fishes?
  
  Somehow, I don't think the idea of the "St. Valentine's Day TCP stack exploit" has quite the same impact. (Perhaps the "St. Valentine's Day Blue Screen of Death"?)
  
  All things considered, I'd rather have my computer violated by the Mafia than my body.
  
  --
  "Destroy science and religion. Science would re-emerge exactly the same; but not religion." - Penn Jillette, paraphrased
Meant to say this last week.. but.. by The+Living+Fractal · 2006-12-22 08:02 · Score: 4, Interesting

Obviously Microsoft is missing these holes in Vista in house.

Maybe the biggest customer for these zero-day exploits should be.. Microsoft?

$50,000 isn't that much compared to the other option IMHO.

Just a thought.

TLF

--
I do not respond to cowards. Especially anonymous ones.
1. Re:Meant to say this last week.. but.. by Rosco+P.+Coltrane · 2006-12-22 08:12 · Score: 5, Insightful
  
  Obviously Microsoft is missing these holes in Vista in house.
  Maybe the biggest customer for these zero-day exploits should be.. Microsoft?
  $50,000 isn't that much compared to the other option IMHO.
  Just a thought.
  
  It's a very valid thought, it's just the form that's bad: what you suggest is Microsoft pays black hats under the table to fix find flaws in their products for them. Quite a PR disaster, surely you'll agree. On the other hand, if they were smart, they would hire talented hackers *upstream*, i.e. during the development process, and offer them the same insane amounts of money on a per-exploit-found basis (at "black market rate" if you will), only these hackers would be working for MS perfectly legally: they would get the same money, trouble-free, and Microsoft could boast they subject their products to the most stringent tests before release.
  
  Heck, MS could even offer these russians H1Bs/green cards, housing in the US, car and whatnot, that would be small change compared to how Microsoft stands to make out like a bandit on the semi-forced sale of their new OS...
  
  --
  "A door is what a dog is perpetually on the wrong side of" - Ogden Nash
2. Re:Meant to say this last week.. but.. by Chosen+Reject · 2006-12-22 09:16 · Score: 5, Funny
  
  I'm sure this fits into some science fiction plot somewhere. And the truth as it is said is often stranger than fiction.
  
  Yes it is. Would you believe that the reason for all the security holes is for Microsoft. They're the ones who create the holes so that later they can take crontrol of the bot nets and send out spam. On occasion they find a guy who's trying to go it alone and starts intruding on their turf. They send the police at that guy to take everyone's attention at what their other hand is doing. They're pretty sinister in that regard.
  Holy crap, I could almost believe that. Anybody have any extra tin foil they can spare?
  
  --
  Stop Global Warming!
  Just say no to irreversible processes!
Re:Fscking Visual Basic by cnettel · 2006-12-22 08:20 · Score: 3, Insightful

This has nothing to do with Visual Basic. It's the plain and simple Win32 API. The demo just happens to be written in VB.NET using .NET Interop.
Re:Double free vulnerability by cnettel · 2006-12-22 08:28 · Score: 3, Informative

It really depends on the heap (the specific data structures keeping track of the blocks) in use, but it can result in other blocks also beeing freed incorrectly. If you are able to replace the first block at the address with another, during the relevant timespan, you can get THAT one freed, which then can cause some other part of the kernel, relying on that new data, to crash. As the buffers involved here are all allocated in-kernel, I would think you need to do some tricky timing-dependent work to get a real exploit going. If you don't have debugging privileges, you won't know the address used yourself, and you'll need to trick some other API to choose to allocate that very same memory, unless, of course, the data structures are severly damaged by just the double-free event, without any new allocation between the two.
Re:Fscking Visual Basic by Daltorak · 2006-12-22 08:44 · Score: 4, Insightful

Yet again, the need for the CLR to support this moronic language creates a very obvious security flaw. Huh? Where's the logic in that? Blaming VB.NET for a security vulnerability in a Win32 API is like blaming Perl for a security vulnerability in the Linux kernel API. This has absolutely nothing to do with the CLR, Visual Basic (.NET or 6), or any other specific language... the vulnerability exists on the lowest level of the Win32 API (CSRSS, amongst other things, is Win32's interface to the Windows kernel). Any language that can call into Win32 can trigger this vulnerability... including Perl.
List of those strings... by fahrbot-bot · 2006-12-22 08:46 · Score: 3, Funny

Certain strings sent through the 'MessageBox' API apparently cause memory corruption.
A partial list of those strings appears to be: Linux, Open-Source, GNU, Stallman, and (oddly) chair.

--
It must have been something you assimilated. . . .
More details on this by wumpus188 · 2006-12-22 09:11 · Score: 4, Interesting

... from another russian forum (roughly translated from russian...)

Function GetHardErrorText Comment: * This function figures out the message box title, text and flags. * We want to do this up front so we can log this error when the hard error is * raised. Previously we used to log it after the user had dismissed the message * box -- but that was not when the error occurred (DCR Bug 107590) This function finds and extracts strings like "{EXCEPTION}" from MessageBox's text and if found, writes them in the system log. } else if ((asLocal.Length > 4) && !_strnicmp(asLocal.Buffer, "\\??\\", 4)) { strcpy( asLocal.Buffer, asLocal.Buffer+4 ); Local.Length -= 4;
Say, nice use of strcpy...
Re:Fscking Visual Basic by tlhIngan · 2006-12-22 09:16 · Score: 4, Informative

I just read TFA. Let me get this straight. The exploit is in MessageBox()?
Awesome.

All I can say is... OUCH.

MessageBox() is a fairly commonly used API (it's used to display a message box, with optional icon (none, alert, caution, etc.), and buttons (yes/no, yes/no/cancel, ok/cancel, ok, etc). It's the most trivial way to do a quick debug, or pop up an error message. It's probably one of the most commonly used functions, as well.

Wonder what Microsoft did to break MessageBox(). Considering how often it's used...
Re:Why now? by hackstraw · 2006-12-22 09:53 · Score: 4, Interesting

A smart black hat would lay low until SP1 is released, and wait for the real corporate deployment to begin.

A smart black hat has like a job and a life.

The only thing I can say that these script kiddies and whatnot are good for is that they are easily detectable and they alert security people of vulnerabilities so that it makes it difficult for people that are really interested in doing real damage or obtaining data that they shouldn't have.

Its really ironic how valuable these kids are. Without them, real compromises would be more common and much more painful.