Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Windows CSRSS HardError Message Box Vulnerability



Forwarding the clearest explanation of the vulnerability I have seen.
Some more useful links on the topic:
 http://www.kuban.ru/forum_new/forum2/files/19124.html
 http://bugtraq.ru/cgi-bin/forum.mcgi?type=sb&b=21&m=140672


------------------

http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html

Windows CSRSS HardError Message Box Vulnerability

Public disclosure: Dec 15, 2006
Determina advisory: Dec 20, 2006
Systems Affected:

    * Windows 2000
    * Windows XP
    * Windows 2003
    * Windows Vista

Not affected:

    * Windows NT

Overview:

Determina Security Research has discovered a vulnerability in the way the 
Windows Client/Server Runtime Server Subsystem (CSRSS) processes HardError 
messages. This vulnerability allows a logged on user to execute arbitrary code 
in the CSRSS.EXE process and elevate their privileges to SYSTEM level. The 
vulnerable code is present in Windows 2000, XP, 2003 and Vista.

This vulnerability was independently disclosed on Dec 15, prompting the release 
of this advisory. Microsoft has been notified and is working on a patch. 
Exploitation details have been omitted from the advisory until a vendor patch 
is available.

Technical Details:

If the MB_SERVICE_NOTIFICATION flag is specified when calling the MessageBox 
function from the Windows API, it will use the NtRaiseHardError syscall to send 
a HardError message to CSRSS. This message contains the caption and text of a 
message box to be displayed by CSRSS on behalf of the caller. This 
functionality is designed to allow non-interactive services to notify the user 
of critical errors.

The HardError message is handled by the UserHardError function in WINSRV.DLL. 
It calls GetHardErrorText to read the message parameters from the address space 
of the sender. The GetHardErrorText function returns pointers to the caption 
and text of the message box. If the caption or text parameters start with the 
\??\ prefix, the function inexplicably frees the buffer and returns a pointer 
to freed memory. After the message box is closed by the user, the same buffer 
is freed again in the FreePhi function, resulting in a double free 
vulnerability.

Solution:

The GetHardErrorText function in WINSRV.DLL should not free the buffers with 
the text and caption parameters when they start with the \??\ prefix.

Credit:

Discovery: Tim Garnett
Research: Alexander Sotirov, Determina Security Research
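
As an added illustration (this is not Determina's code and not the Windows
implementation), here is a small C model of the ownership error the advisory
describes: a helper that frees a buffer when the caption starts with the \??\
prefix but still hands the pointer back, and a caller that frees it once more
after "displaying" the message. The names get_text_buggy, get_text_fixed,
handle_hard_error, track_alloc and track_free are assumptions made for this
example; the instrumented allocator is a hypothetical teaching harness that
reports a free of a non-live block instead of corrupting the heap, so the buggy
path can be observed safely, and the fixed helper follows the advisory's
suggested solution (never free in the helper; free exactly once in the caller).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tiny instrumented allocator (hypothetical teaching harness, not Windows code):
 * remembers which blocks are live so a second free of the same block is
 * counted and reported rather than passed on to the real heap. */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int double_free_count;

static void track_reset(void) {
    memset(live, 0, sizeof live);
    double_free_count = 0;
}

static void *track_alloc(size_t n) {
    void *p = malloc(n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) { live[i] = p; return p; }
    }
    free(p);            /* table full: give up rather than lose track of the block */
    return NULL;
}

static void track_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    }
    /* Not live: this is a double free (or a free of a pointer we never handed out).
     * Count it instead of calling free() again. */
    double_free_count++;
}

/* Model of the flow in the advisory (assumed name): the helper copies the
 * caller's caption and, for the \??\ prefix, frees the copy yet still returns
 * the now-dangling pointer. */
static char *get_text_buggy(const char *caption) {
    char *buf = track_alloc(strlen(caption) + 1);
    if (!buf) return NULL;
    strcpy(buf, caption);
    if (strncmp(buf, "\\??\\", 4) == 0) {
        track_free(buf);    /* BUG: ownership released here ...              */
        return buf;         /* ... but the caller still receives the pointer  */
    }
    return buf;
}

/* Fixed helper (assumed name): the \??\ case no longer frees anything; the
 * buffer stays owned by the caller until its single cleanup. */
static char *get_text_fixed(const char *caption) {
    char *buf = track_alloc(strlen(caption) + 1);
    if (!buf) return NULL;
    strcpy(buf, caption);
    return buf;
}

/* Caller modeled on the UserHardError / FreePhi sequence (assumed name):
 * obtain the text, "display" it, then free it once. Returns how many
 * double frees the harness observed for this caption. */
static int handle_hard_error(char *(*get_text)(const char *), const char *caption) {
    track_reset();
    char *text = get_text(caption);
    /* A real message box would read *text here; in the buggy path that read
     * would already be a use-after-free, so this model does not touch it. */
    track_free(text);      /* FreePhi-style cleanup: second free in the buggy path */
    return double_free_count;
}

int main(void) {
    /* Constructed sample captions; "\??\example" is just the prefix plus filler. */
    printf("buggy helper, plain caption : %d double free(s)\n",
           handle_hard_error(get_text_buggy, "Service error"));
    printf("buggy helper, \\??\\ caption  : %d double free(s)\n",
           handle_hard_error(get_text_buggy, "\\??\\example"));
    printf("fixed helper, \\??\\ caption  : %d double free(s)\n",
           handle_hard_error(get_text_fixed, "\\??\\example"));
    return 0;
}
```

The harness shows the detection angle: the defect is invisible with an
ordinary caption and only appears once the prefix path is taken, which is why
reviewing every early-return path of a helper that both allocates and frees
(or running such code under a double-free-aware allocator) catches this class
of bug before it reaches a privileged process.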

Copyright © Lexa Software, 1996-2009.