diff --git a/README.md b/README.md index c2178e3..dc26996 100644 --- a/README.md +++ b/README.md @@ -4,7 +4,7 @@ This is a proof of concept for [CVE-2021-31166](https://msrc.microsoft.com/updat ![trigger](pics/trigger.gif) -The bug itself happens in `http!UlpParseContentCoding` where the function has a local `LIST_ENTRY` and appends item to it. When it's done, it moves it into the `Request` structure; but it doesn't NULL out the local list. The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the `Request` object. +The bug itself happens in `http!UlpParseContentCoding` where the function has a local `LIST_ENTRY` and appends item to it. When it's done, it moves it into the `Request` structure; but it doesn't `NULL` out the local list. The issue with that is that an attacker can trigger a code-path that frees every entries of the local list leaving them dangling in the `Request` object. ![rel04vsrel05](pics/rel04vsrel05.png) @@ -68,7 +68,7 @@ Arg4: 0000000000000000, Reserved **Q: Is [Windows Remote Management (WinRM)](https://docs.microsoft.com/en-us/windows/win32/winrm/portal) affected?** -Yes (thanks to [@JimDinMN](https://twitter.com/JimDinMN) for sharing [his experiments](https://twitter.com/JimDinMN/status/1395071966487269376)) +Yes (thanks to [@JimDinMN](https://twitter.com/JimDinMN) for sharing [his experiments](https://twitter.com/JimDinMN/status/1395071966487269376)). **Q: Is [Web Services on Devices (WSDAPI)](https://docs.microsoft.com/en-us/windows/win32/wsdapi/wsd-portal) affected?**