Cisco Vulnerability Spotlight: Windows 10 Remote Denial of Service
Talos is releasing an advisory for a remote denial of service vulnerability in the Microsoft Windows 10 kernel driver AHCACHE.SYS (TALOS-2016-0191 / CVE-2016-3369).
An attacker can craft a malicious portable executable (PE) file which, when accessed, causes AHCACHE.SYS to attempt to read memory outside the bounds of the data it was given. This triggers a bugcheck in the Windows kernel, crashing the system and denying service to the user. AHCACHE.SYS is the driver that maintains the local application-compatibility cache; exploiting the vulnerability does not allow the attacker to execute code or elevate privileges, so the impact is limited to the crash.
During a cache lookup, the 'AslpFileQueryVersionString' function is called, among others. It loads into EDI the wValueLength field of a version-resource structure (Var->wValueLength) read from the PE, without performing any bounds checking. Because the attacker controls the PE content, they can supply an oversized value; the driver then attempts to read memory that is not available, the resulting access violation raises a kernel bugcheck, and the whole system crashes.
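The bug pattern Talos describes, a length field taken from the PE's version resource and trusted without comparing it to the bytes actually present, is easy to reproduce in user space. The following C program is an added example and is not Talos's code nor any part of AHCACHE.SYS. It parses the Var ("Translation") block of a VS_VERSIONINFO resource, whose layout (wLength, wValueLength, wType, UTF-16 key, DWORD padding, value) is documented in the Windows SDK, once the unsafe way and once with bounds checks. The two byte arrays are constructed inputs and the function names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Layout of a Var block inside a PE VS_VERSIONINFO resource (Windows SDK):
 * three little-endian WORDs (wLength, wValueLength, wType), the UTF-16 key
 * "Translation", padding to a 4-byte boundary, then wValueLength bytes of DWORDs. */
#define VAR_HDR_BYTES 6u

/* Constructed sample: a well-formed 36-byte Var block with one translation 0x0409/0x04B0. */
static const uint8_t benign_var[] = {
    0x24, 0x00,                 /* wLength = 36 */
    0x04, 0x00,                 /* wValueLength = 4 */
    0x00, 0x00,                 /* wType = 0 (binary) */
    'T',0,'r',0,'a',0,'n',0,'s',0,'l',0,'a',0,'t',0,'i',0,'o',0,'n',0, 0,0, /* szKey */
    0x00, 0x00,                 /* padding up to offset 32 */
    0x09, 0x04, 0xB0, 0x04      /* Value: language 0x0409, code page 0x04B0 */
};

/* Constructed sample: identical bytes except wValueLength = 0xFFFF, far past the block. */
static const uint8_t hostile_var[] = {
    0x24, 0x00,
    0xFF, 0xFF,                 /* wValueLength lies */
    0x00, 0x00,
    'T',0,'r',0,'a',0,'n',0,'s',0,'l',0,'a',0,'t',0,'i',0,'o',0,'n',0, 0,0,
    0x00, 0x00,
    0x09, 0x04, 0xB0, 0x04
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static size_t align4(size_t x) { return (x + 3) & ~(size_t)3; }

/* Offset just past szKey's UTF-16 NUL terminator, scanning no further than `limit`; 0 if none. */
static size_t key_end(const uint8_t *blk, size_t limit) {
    for (size_t off = VAR_HDR_BYTES; off + 2 <= limit; off += 2)
        if (blk[off] == 0 && blk[off + 1] == 0)
            return off + 2;
    return 0;
}

/* The unsafe pattern: the value range is derived from attacker-controlled header
 * fields alone. Returns the end offset such a parser would read up to; nothing
 * here ever asks whether that offset lies inside the mapped resource. */
size_t var_value_end_unchecked(const uint8_t *blk) {
    uint16_t wLength = rd16(blk);
    uint16_t wValueLength = rd16(blk + 2);
    size_t start = align4(key_end(blk, wLength));
    return start + wValueLength;
}

/* Hardened form: every length is checked against `avail`, the bytes actually left
 * in the resource, before the value is touched. Returns the value offset on
 * success (always >= VAR_HDR_BYTES) and 0 on any inconsistency; *value_len is
 * filled in when non-NULL. */
size_t var_value_checked(const uint8_t *blk, size_t avail, size_t *value_len) {
    if (avail < VAR_HDR_BYTES) return 0;
    uint16_t wLength = rd16(blk);
    uint16_t wValueLength = rd16(blk + 2);
    if (wLength < VAR_HDR_BYTES || wLength > avail) return 0;  /* block must fit in the buffer */
    size_t kend = key_end(blk, wLength);
    if (kend == 0) return 0;                                   /* key unterminated inside block */
    size_t start = align4(kend);
    if (start > wLength || (size_t)wValueLength > wLength - start) return 0; /* value overruns block */
    if (wValueLength % 4 != 0) return 0;                       /* Translation values are DWORDs */
    if (value_len) *value_len = wValueLength;
    return start;
}

/* First translation DWORD (language in the low word, code page in the high word)
 * from a validated block, or 0 when validation fails. */
uint32_t first_translation(const uint8_t *blk, size_t avail) {
    size_t len = 0;
    size_t off = var_value_checked(blk, avail, &len);
    if (off == 0 || len < 4) return 0;
    return rd32(blk + off);
}

int main(void) {
    printf("benign : unchecked end %zu of %zu bytes, translation 0x%08x\n",
           var_value_end_unchecked(benign_var), sizeof benign_var,
           (unsigned)first_translation(benign_var, sizeof benign_var));
    printf("hostile: unchecked end %zu of %zu bytes, checked parse %s\n",
           var_value_end_unchecked(hostile_var), sizeof hostile_var,
           first_translation(hostile_var, sizeof hostile_var) ? "accepted" : "rejected");
    return 0;
}
```

The unchecked path computes an end offset of 65567 for a 36-byte block; in a kernel driver the read that follows is the access violation that becomes a bugcheck. The checked path rejects the same block, and also rejects a genuine block whose buffer has been truncated (`avail` smaller than wLength), which is the second length an attacker gets to influence through the PE's section and resource tables.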
Read the entire article here: Vulnerability Spotlight: Windows 10 Remote Denial of Service
via the fine folks at Cisco Systems.