Argeniss Security Advisory

Name: Microsoft Windows Kernel GDI local privilege escalation
Affected Software: Windows 2000 & XP, all service packs
Severity: Medium
Remotely exploitable: No
Credits: Cesar Cerrudo
Date: 11/06/2006
Advisory Number: ARG110604

Details:

Microsoft Windows GDI kernel data structures are mapped into a global shared memory section that is created automatically in any Windows process that uses GDI objects (processes with a GUI, etc.). The section is mapped into the process as read-only, but because the kernel shared section object itself is created with read, write and execute permissions by default, any process can re-map it as read-write. A process can therefore write to this section and overwrite the GDI kernel data structures, causing a denial of service (BSoD) that crashes Windows. If certain selected data structures are overwritten with specific data, it is possible to achieve arbitrary code execution.

Vendor Status: Vendor was contacted on 10/22/2004

Workaround: None

Patch Available: No patch is available; Microsoft plans to fix this issue in an upcoming service pack.

Links:
http://projects.info-pull.com/mokb/MOKB-06-11-2006.html

Spam:
Searching for 0days? Argeniss Ultimate 0day Exploits Pack
http://www.argeniss.com/products.html

Argeniss - Information Security
*Application Security Experts*
http://www.argeniss.com