[ros-dev] [ros-diffs] [hbelusca] 66192: [WINLOGON][WIN32K] Move the shutdown privilege check from winlogon to win32k (function "UserInitiateShutdown") as it should be done. [WIN32K] - Introduce the pair of UserInitiateS...
Thomas Faber
thomas.faber at reactos.org
Mon Feb 9 18:54:51 UTC 2015
Well, we don't need to be jailbroken, so we can be secure. ;)
Let's fix it, blog about it, and get someone to publish something along
the lines of "Open Source Windows clone more secure than Windows --
ReactOS developers fixed vulnerability, but Microsoft's response to the
same issue still outstanding"
Everyone wins :D
On 2015-02-09 19:37, Alex Ionescu wrote:
> This would be the win32k 0 day that's been blogged and unfixed in Windows
> for over 4 years now, and which allows the Surface RT to be jailbroken. You
> really want to fix this? :( What about hackcompat?!
>
> Best regards,
> Alex Ionescu
>
> On Sun, Feb 8, 2015 at 12:37 AM, Thomas Faber <thomas.faber at reactos.org>
> wrote:
>
>> On 2015-02-07 16:26, hbelusca at svn.reactos.org wrote:
>>> @@ -792,24 +791,54 @@
>>> case UserThreadInitiateShutdown:
>>> {
>>> ERR("Shutdown initiated\n");
>>> - STUB;
>>> - Status = STATUS_NOT_IMPLEMENTED;
>>> +
>>> + if (ThreadInformationLength != sizeof(ULONG))
>>> + {
>>> + Status = STATUS_INFO_LENGTH_MISMATCH;
>>> + break;
>>> + }
>>> +
>>> + Status = UserInitiateShutdown(Thread,
>> (PULONG)ThreadInformation);
>>> break;
>>> }
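Review bot: the user-mode pointer in `ThreadInformation` is passed straight to `UserInitiateShutdown` as `(PULONG)ThreadInformation` with no probe and no SEH guard; only the length (`ThreadInformationLength != sizeof(ULONG)`) is validated, so an invalid pointer supplied by the caller would fault inside win32k instead of producing an error status. Suggest handling it the way the other cases in this switch do: `ProbeForRead(ThreadInformation, sizeof(ULONG), sizeof(ULONG))` and a copy into a local `ULONG` inside `_SEH2_TRY`, mapping the exception code to `Status` in `_SEH2_EXCEPT`, and then passing the local value (or its address) to `UserInitiateShutdown` rather than the raw user pointer.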
>>
>> This looks like, contrary to the other cases, ThreadInformation is
>> neither probed nor accessed inside SEH here?