Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: [VulnWatch] EEYE: Windows Vista CSRSS Dangling Process Pointer Privilege Escalation



> -----Original Message-----
> From: eEye Advisories [mailto:Advisories@xxxxxxxx] 
> Sent: Tuesday, April 10, 2007 9:58 PM
> To: vulnwatch@xxxxxxxxxxxxx
> Subject: [VulnWatch] EEYE: Windows Vista CSRSS Dangling Process Pointer Privilege Escalation
> 
> Windows Vista CSRSS Dangling Process Pointer Privilege Escalation
> 
> Release Date:
> April 10, 2007
> 
> Date Reported:
> January 19, 2007
> 
> Severity:
> Medium (Local Privilege Escalation to SYSTEM)
> 
> Vendor:
> Microsoft
> 
> Systems Affected:
> Windows Vista
> 
> Overview:
> eEye Digital Security has discovered a local privilege escalation
> vulnerability in Windows Vista that allows a program executing without
> privileges to fully compromise an affected system.  A malicious user or
> malware program could exploit this vulnerability to execute arbitrary
> code with SYSTEM privileges within the CSRSS process, permitting the
> bypass of Vista's vaunted user privilege limitations and administrator
> approval mode.
> 
> By establishing and closing multiple connections to CSRSS's "ApiPort",
> an application may cause a private data structure within CSRSS that
> describes its process to be used after it has been freed, creating an
> exploitable "dangling pointer" condition.  This vulnerability is
> entirely separate from the CSRSS NtRaiseHardError message box flaw
> publicly disclosed in December 2006, although both affect code within
> the CSRSS process.
> 
> It is interesting to note that this vulnerability only affects Windows
> Vista, due to new, flawed code added to CSRSRV.DLL in support of
> functionality introduced in Vista.
> 
> Technical Details:
> Starting with Windows Vista, an extended form of Local Procedure Call
> (LPC) known as Advanced Local Procedure Call (ALPC) is used in place of
> legacy LPC for communicating with CSRSS.  Each new process establishes
> an ALPC connection to the "ApiPort" of its session's CSRSS
> ("\Windows\ApiPort" or "\Sessions\<sessionid>\Windows\ApiPort"), which
> it uses to communicate various events and requests.
> 
> As part of its duties, CSRSS maintains an internal doubly-linked list of
> structures corresponding to the processes in the session it serves.
> With the introduction of ALPC, CSRSS can associate an ALPC connection
> with the process structure corresponding to the calling process, by
> using a pointer field within the connection's context attribute.  (Prior
> to this capability, CSRSS looked up the process structure according to
> the caller's PID.)
> 
> Unfortunately, there are multiple places within CSRSS where it is
> wrongly assumed that a process will only make one "ApiPort" connection;
> perhaps the worst is CSRSRV.DLL!CsrApiRequestThread, which extracts and
> uses the process structure pointer from a connection's context
> attribute.  Each process structure contains a reference count which is
> not incremented when a new ALPC connection is established (the initial
> count allows for one connection), but may be decremented when a
> connection is closed.  As a result, it is possible to establish multiple
> "ApiPort" connections, then destroy the client's process structure by
> closing the first connection, and finally, close or otherwise generate
> activity on the second connection to cause the defunct process structure
> pointer to be improperly reused.
> 
> This oversight allows an attacker to act upon memory that either is free
> or has since been reallocated for another purpose.  With enough careful
> crafting, an attacker may free the process structure by closing the
> first connection (NTDLL.DLL!CsrPortHandle is not protected on Vista),
> replace the heap memory formerly occupied by the process structure with
> arbitrary data, and then cause this arbitrary data to be dereferenced
> and destroyed like a process structure, by closing the second
> connection.  (This is not to suggest that an exploit will only open two
> connections, however, as a close message may not be generated for the
> second connection unless a third connection also exists.)
> 
> Once this sequence completes, execution within CSRSS may be diverted to
> an attacker-supplied function pointer.
> 
> Protection:
> Retina - Network Security Scanner has been updated to identify this
> vulnerability.
> 
> Vendor Status:
> Microsoft has released a patch for this vulnerability. The patch is
> available at:
> http://www.microsoft.com/technet/security/bulletin/MS07-021.mspx
> 
> Credit:
> Derek Soeder
> 
> Related Links:
> eEye Research - http://research.eeye.com
> Retina - Network Security Scanner - Free Trial:
> http://www.eeye.com/html/products/retina/download/index.html
> Blink - Unified Client Security Personal - Free For Personal Use For One
> Year:
> http://www.eeye.com/html/products/blink/personal/download/index.html
> Blink - Unified Client Security Professional - Free Trial:
> http://www.eeye.com/html/products/blink/download/index.html
> Blink - Unified Client Security Neighborhood Watch - Free For Personal
> Use:
> http://www.eeye.com/html/products/blink/neighborhoodwatch/index.html
> 
> Greetings:
> "At the end of six leagues the darkness was thick and there was no
> light, he could see nothing ahead and nothing behind him."
> 
> Copyright (c) 1998-2007 eEye Digital Security Permission is hereby
> granted for the redistribution of this alert electronically.  It is not
> to be edited in any way without express consent of eEye.  If you wish to
> reprint the whole or any part of this alert in any other medium
> excluding electronic medium, please email alert@xxxxxxxx for permission.
> 
> Disclaimer
> The information within this paper may change without notice.  Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are no warranties, implied or express, with regard to this
> information.  In no event shall the author be liable for any direct or
> indirect damages whatsoever arising out of or in connection with the use
> or spread of this information.  Any use of this information is at the
> user's own risk.
> 
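The reference-counting error the advisory describes, modelled in C as an added illustration for readers of this list (not eEye's or Microsoft's code, and not CSRSS's real structures or ALPC API): a per-process record whose initial count covers one connection, a second connection that stores the pointer without taking a reference, and the corrected version that takes one per connection. The record is torn down when the count reaches zero, and a close on a connection that still points at a torn-down record is reported instead of dereferenced. All names, field layouts and sample values are assumptions made for the model.

```c
#include <stdio.h>

/* Toy model of the advisory's refcount bug: structures, names and values are
 * constructed for illustration and are not CSRSS's real layout or API. */

#define MAX_CONNS 4

typedef struct process_rec {
    int refcount;   /* number of owners of this record */
    int pid;        /* constructed sample value */
    int released;   /* instrumentation: set when the record has been torn down */
} process_rec;

typedef struct connection {
    process_rec *proc;  /* analogue of the pointer kept in the connection's context */
    int open;
} connection;

enum {
    CLOSE_OK = 0,
    CLOSE_NOT_OPEN = -1,
    CLOSE_DANGLING = -2   /* connection still pointed at an already released record */
};

/* A record is created with the process's first connection; its initial count
 * of 1 accounts for exactly that one connection. */
static void first_connection(process_rec *p, connection *c, int pid)
{
    p->refcount = 1;
    p->pid = pid;
    p->released = 0;
    c->proc = p;
    c->open = 1;
}

/* Flawed: an additional connection stores the pointer but takes no reference. */
static void extra_connection_flawed(process_rec *p, connection *c)
{
    c->proc = p;
    c->open = 1;
}

/* Fixed: a connection that stores the pointer also owns one reference. */
static void extra_connection_fixed(process_rec *p, connection *c)
{
    p->refcount++;
    c->proc = p;
    c->open = 1;
}

/* Closing any connection drops one reference; the last one tears the record
 * down. Real code would touch freed or reused heap memory where we report. */
static int close_connection(connection *c)
{
    process_rec *p;
    if (!c->open)
        return CLOSE_NOT_OPEN;
    c->open = 0;
    p = c->proc;
    c->proc = NULL;
    if (p->released)
        return CLOSE_DANGLING;
    if (--p->refcount == 0)
        p->released = 1;   /* stands in for freeing the heap block */
    return CLOSE_OK;
}

/* Open n connections (2..MAX_CONNS) for one process, then close them in order.
 * Returns the first non-OK result, or CLOSE_OK if every close saw a live record. */
int run_scenario(int n, int fixed)
{
    process_rec rec;
    connection conns[MAX_CONNS];
    int i, rc;

    if (n < 2 || n > MAX_CONNS)
        return CLOSE_NOT_OPEN;
    first_connection(&rec, &conns[0], 1234 /* constructed pid */);
    for (i = 1; i < n; i++) {
        if (fixed)
            extra_connection_fixed(&rec, &conns[i]);
        else
            extra_connection_flawed(&rec, &conns[i]);
    }
    for (i = 0; i < n; i++) {
        rc = close_connection(&conns[i]);
        if (rc != CLOSE_OK)
            return rc;
    }
    return CLOSE_OK;
}

/* Count observed right after n connections are open: the fixed model's count
 * equals the number of connections, the flawed model's stays at 1. */
int refcount_after_open(int n, int fixed)
{
    process_rec rec;
    connection conns[MAX_CONNS];
    int i;

    if (n < 1 || n > MAX_CONNS)
        return -1;
    first_connection(&rec, &conns[0], 1234);
    for (i = 1; i < n; i++) {
        if (fixed)
            extra_connection_fixed(&rec, &conns[i]);
        else
            extra_connection_flawed(&rec, &conns[i]);
    }
    return rec.refcount;
}

int main(void)
{
    printf("flawed, 2 connections: %d\n", run_scenario(2, 0));
    printf("fixed,  2 connections: %d\n", run_scenario(2, 1));
    return 0;
}
```

The model makes the defect visible as bookkeeping rather than as a crash: with the flawed connect, closing the first connection drops the only reference and the second connection is left holding a pointer to a torn-down record, exactly the dangling-pointer condition the advisory describes. Taking a reference per connection is the property a reviewer should look for in any code that caches an object pointer in a per-connection context.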



 




Copyright © Lexa Software, 1996-2009.