Microsoft Windows - Cursor Object Memory Leak (MS15-115)

EDB-ID:

38794

Type:

dos

Platform:

Windows

Published:

2015-11-23

Source: https://code.google.com/p/google-security-research/issues/detail?id=510

The attached poc crashes 32-bit Windows 7 with a screen resolution of 1024x768 and 32bit color depth. The crash occurs during a memmove opperation while copying the cursor content from unmapped memory. This could potentially be used by an attacker to leak kernel memory.

When reproducing this issue in VMWare, it is necessary to remove VMWare tools. In QEMU the issue reproduces reliably.
---

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38794.zip