#msrc
3 pages tagged with "msrc"
infosec
- glaurung windows driver findings: a running catalog of windows kernel-driver bugs found with glaurung, the binary-analysis toolkit; what each bug is, how the tool surfaced it, and an honest read on why microsoft did or did not act on it.
- ndfltr.sys: a 32-bit offset+length wrap into a kernel OOB read. glaurung found an integer-overflow-before-bounds-check in the windows NetworkDirect filter driver: a 32-bit (offset+length) validation that wraps while the use site applies the offset as a 64-bit addend, sending the source pointer ~4 GiB out of bounds. unprivileged on RDMA hosts, but a denial-of-service floor, and one of three candidate sites was a false positive we caught before disclosing.
- NDKPing.sys: a NULL SystemBuffer deref you can blue-screen on demand. glaurung flagged an ioctl dispatcher in the windows NDK diagnostic driver that loads Irp->AssociatedIrp.SystemBuffer and dereferences it without a null check. a METHOD_BUFFERED ioctl with zero-length input and output leaves SystemBuffer NULL, and every case body reads [NULL+0x28]. reproduced live as bugcheck 0x3B, but it is admin-only, which is exactly why microsoft will not fix it.