Assistance with analyzing stack-based buffer overflow

I was just joyfully scrolling through event viewer as one does for no reason and I happened upon an Application Error that caught my interest. It was a Windows Service that ran into an Exception with the code of 0xc0000409 which corresponds to the status code “STATUS_STACK_BUFFER_OVERRUN”. I only saw it once so I thought maybe it was just a fluke or something so I left it alone.

I ventured over to my other computer just out of curiosity and looked at Event Viewer and, surprisingly enough, there were two Application Errors with the same exception code from the same exact Windows Service. There was one exception from a buffer overflow and then another one 8 days later. So now we have the same exception being raised on two different systems. Strange? Sure, a little bit. I know for sure it’s not malware attempting to exploit a vulnerability because the first system I found it on is essentially a fresh install of Windows 11 with all the needed updates installed.

I began digging into Event Viewer a little more to see if there were any events being recorded at the date and time the exceptions were raised. I noticed a common theme between the two systems. Just prior to the exception being raised, there were Informational events in the logs with the source “WindowsUpdateClient”. That happened sometimes only milliseconds prior to the exception being raised by that service. Some updates failed and some succeeded. After the service would crash, another Informational event would be generated indicating the problem event “BEX64”, and the information in that event would say that specific service stopped working.

I’ve gone through all the logs that I can find but I can’t pinpoint the exact conditions that caused the buffer overflow so I haven’t been able to replicate it yet. I’ve also tried running updates and that didn’t cause any problems. The logs that I’m finding are giving me the fault module (a widely used system DLL) and the fault offset. What I plan on doing is throwing both the fault module and the associated service DLL into Ghidra and see what I can get from static analysis. That’s my thought process right now.

What do you guys think? Are there certain things that I may be missing or should check? Anything you recommend I also do? I’m open to all suggestions, recommendations, or tips as I’ll take any help offered.

submitted by /u/JCcolt

from hacking: security in practice https://ift.tt/Vtes7UE
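
The correlation the post does by hand (an "Application Error" with exception code 0xc0000409, WindowsUpdateClient events just before it, a BEX64 report just after it) can be scripted so it is repeatable on both machines. The following PowerShell is an added example, not code from the post or from its author. It assumes an elevated PowerShell 5.1 or later session on the affected host, the standard Windows Error Reporting layout of Event ID 1000 properties (index 0 = faulting application, 3 = faulting module, 6 = exception code, 7 = fault offset), and a constructed `$WindowSeconds` lookback that you should tune to your own logs.

```powershell
# Added example, not code from the original post. Correlates WER "Application Error"
# crashes whose exception code is STATUS_STACK_BUFFER_OVERRUN (0xc0000409) with
# WindowsUpdateClient events logged shortly before them, and finds the matching
# BEX64 WER report. Assumptions (not stated in the post): elevated PowerShell 5.1+
# on the affected host; standard WER Event 1000 property layout (index 0 =
# application, 3 = faulting module, 6 = exception code, 7 = fault offset);
# $WindowSeconds is a constructed lookback window, tune it to your logs.

function Get-StackOverrunCrashContext {
    [CmdletBinding()]
    param(
        [int]$DaysBack      = 30,
        [int]$WindowSeconds = 120
    )

    $since = (Get-Date).AddDays(-$DaysBack)

    # 1. WER crash records (Event ID 1000, source "Application Error"), filtered to
    #    the 0xc0000409 exception code the post describes.
    $crashes = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Application Error'
        Id           = 1000
        StartTime    = $since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            Time          = $_.TimeCreated
            Application   = [string]$p[0].Value
            FaultModule   = [string]$p[3].Value
            ExceptionCode = [string]$p[6].Value
            FaultOffset   = [string]$p[7].Value
        }
    } | Where-Object { $_.ExceptionCode -match 'c0000409$' }

    if (-not $crashes) { return }

    # 2. Windows Update client activity from the System log (Event Viewer shows the
    #    source as "WindowsUpdateClient"; 19 = install succeeded, 20 = install failed,
    #    43 = install started).
    $wu = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WindowsUpdateClient'
        StartTime    = $since
    } -ErrorAction SilentlyContinue

    # 3. WER report events (Event ID 1001); the BEX64 problem event name only appears
    #    in the message text, so match on that.
    $bex = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Windows Error Reporting'
        Id           = 1001
        StartTime    = $since
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'BEX64' }

    foreach ($crash in $crashes) {
        $start = $crash.Time.AddSeconds(-$WindowSeconds)

        # Update-client events in the window leading up to this crash, oldest first,
        # rendered as one line each (timestamp with milliseconds, event id, first
        # line of the message).
        $preceding = @($wu | Where-Object {
            $_.TimeCreated -ge $start -and $_.TimeCreated -le $crash.Time
        } | Sort-Object TimeCreated | ForEach-Object {
            '{0:HH:mm:ss.fff} id={1} {2}' -f $_.TimeCreated, $_.Id,
                (($_.Message -split "`n")[0].TrimEnd())
        })

        # The BEX64 report for a crash is written shortly after its Event 1000.
        $report = $bex | Where-Object {
            $_.TimeCreated -ge $crash.Time -and
            $_.TimeCreated -le $crash.Time.AddMinutes(5)
        } | Select-Object -First 1
        $reportTime = if ($report) { $report.TimeCreated } else { $null }

        [pscustomobject]@{
            CrashTime          = $crash.Time
            Application        = $crash.Application
            FaultModule        = $crash.FaultModule
            FaultOffset        = $crash.FaultOffset
            UpdateEventsBefore = $preceding
            Bex64ReportTime    = $reportTime
        }
    }
}

# Usage: Get-StackOverrunCrashContext -DaysBack 60 | Format-List
```

Run it on each machine and compare the `UpdateEventsBefore` lists: if the same update-client event id precedes every crash within a few seconds, the timing relationship is worth pursuing; if the window is empty on one host, the WindowsUpdateClient proximity may be coincidence. Since 0xc0000409 is raised by the stack-cookie (/GS) and `__fastfail` checks, the fault offset identifies where the overrun was detected rather than where the buffer was overwritten, so a crash dump captured through Windows Error Reporting LocalDumps, opened in a debugger, will show the failing call stack that static analysis of the DLL alone cannot.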