Vulnerability Development mailing list archives
Windows Vista winsat.exe Integer Overflow
From: jose () eyeos org
Date: 28 Mar 2008 20:08:37 -0000
There is a flaw in windows vista benchmarking tool, called winsat.exe, that runs withs administrative privileges. The problem, is an integer overflow in -totalobj argument, example: winsat d3d -texshader -totalobj 2147483648 this result in a overflow of the signed int that stores the totalobj argument, and turns it negative, and then, the program crashes. I'm not sure if you can control some memory using other options in winsat.exe arguments to take advantage of this issue, and exploit it. Even if the bug is exploitable, the User Access control present in vista, shows a message asking for privileges before execute it, the only advantage of this issue, I think that is the message asking for privileges, shows information about the process, and this is the information that the user have in mind to decide if accept or not, and if you execute a windows util, it asks for privileges, the information about WHO is asking for privileges, is a trusted windows util (winsat.exe, in system32) and then, if you can control the process, you can use this kind of bugs as way to trick the user to bypass the UAC and get admin.
Current thread:
- Windows Vista winsat.exe Integer Overflow jose (Mar 28)
- Re: Windows Vista winsat.exe Integer Overflow Steve Shockley (Mar 29)