Thread-topic: [VulnWatch] EEYE: Windows Vista CSRSS Dangling Process Pointer Privilege Escalation
> -----Original Message-----
> From: eEye Advisories [mailto:Advisories@xxxxxxxx]
> Sent: Tuesday, April 10, 2007 9:58 PM
> To: vulnwatch@xxxxxxxxxxxxx
> Subject: [VulnWatch] EEYE: Windows Vista CSRSS Dangling
> Process Pointer Privilege Escalation
>
> Windows Vista CSRSS Dangling Process Pointer Privilege Escalation
>
> Release Date:
> April 10, 2007
>
> Date Reported:
> January 19, 2007
>
> Severity:
> Medium (Local Privilege Escalation to SYSTEM)
>
> Vendor:
> Microsoft
>
> Systems Affected:
> Windows Vista
>
> Overview:
> eEye Digital Security has discovered a local privilege escalation
> vulnerability in Windows Vista that allows a program executing without
> privileges to fully compromise an affected system. A
> malicious user or
> malware program could exploit this vulnerability to execute arbitrary
> code with SYSTEM privileges within the CSRSS process, permitting the
> bypass of Vista's vaunted user privilege limitations and administrator
> approval mode.
>
> By establishing and closing multiple connections to CSRSS's "ApiPort",
> an application may cause a private data structure within CSRSS that
> describes its process to be used after it has been freed, creating an
> exploitable "dangling pointer" condition. This vulnerability is
> entirely separate from the CSRSS NtRaiseHardError message box flaw
> publicly disclosed in December 2006, although both affect code within
> the CSRSS process.
>
> It is interesting to note that this vulnerability only affects Windows
> Vista, due to new, flawed code added to CSRSRV.DLL in support of
> functionality introduced in Vista.
>
> Technical Details:
> Starting with Windows Vista, an extended form of Local Procedure Call
> (LPC) known as Advanced Local Procedure Call (ALPC) is used
> in place of
> legacy LPC for communicating with CSRSS. Each new process establishes
> an ALPC connection to the "ApiPort" of its session's CSRSS
> ("\Windows\ApiPort" or "\Sessions\<sessionid>\Windows\ApiPort"), which
> it uses to communicate various events and requests.
>
> As part of its duties, CSRSS maintains an internal
> doubly-linked list of
> structures corresponding to the processes in the session it serves.
> With the introduction of ALPC, CSRSS can associate an ALPC connection
> with the process structure corresponding to the calling process, by
> using a pointer field within the connection's context
> attribute. (Prior
> to this capability, CSRSS looked up the process structure according to
> the caller's PID.)
>
> Unfortunately, there are multiple places within CSRSS where it is
> wrongly assumed that a process will only make one "ApiPort"
> connection;
> perhaps the worst is CSRSRV.DLL!CsrApiRequestThread, which
> extracts and
> uses the process structure pointer from a connection's context
> attribute. Each process structure contains a reference count which is
> not incremented when a new ALPC connection is established (the initial
> count allows for one connection), but may be decremented when a
> connection is closed. As a result, it is possible to
> establish multiple
> "ApiPort" connections, then destroy the client's process structure by
> closing the first connection, and finally, close or otherwise generate
> activity on the second connection to cause the defunct
> process structure
> pointer to be improperly reused.
>
> This oversight allows an attacker to act upon memory that
> either is free
> or has since been reallocated for another purpose. With
> enough careful
> crafting, an attacker may free the process structure by closing the
> first connection (NTDLL.DLL!CsrPortHandle is not protected on Vista),
> replace the heap memory formerly occupied by the process
> structure with
> arbitrary data, and then cause this arbitrary data to be dereferenced
> and destroyed like a process structure, by closing the second
> connection. (This is not to suggest that an exploit will
> only open two
> connections, however, as a close message may not be generated for the
> second connection unless a third connection also exists.)
>
> Once this sequence completes, execution within CSRSS may be
> diverted to
> an attacker-supplied function pointer.
>
> Protection:
> Retina - Network Security Scanner has been updated to identify this
> vulnerability.
>
> Vendor Status:
> Microsoft has released a patch for this vulnerability. The patch is
> available at:
>
>
> Credit:
> Derek Soeder
>
> Related Links:
> eEye Research -
> Retina - Network Security Scanner - Free Trial:
>
> Blink - Unified Client Security Personal - Free For Personal
> Use For One
> Year:
>
> Blink - Unified Client Security Professional - Free Trial:
>
> Blink - Unified Client Security Neighborhood Watch - Free For Personal
> Use:
>
>
> Greetings:
> "At the end of six leagues the darkness was thick and there was no
> light, he could see nothing ahead and nothing behind him."
>
> Copyright (c) 1998-2007 eEye Digital Security Permission is hereby
> granted for the redistribution of this alert electronically.
> It is not
> to be edited in any way without express consent of eEye. If
> you wish to
> reprint the whole or any part of this alert in any other medium
> excluding electronic medium, please email alert@xxxxxxxx for
> permission.
>
> Disclaimer
> The information within this paper may change without notice. Use of
> this information constitutes acceptance for use in an AS IS condition.
> There are no warranties, implied or express, with regard to this
> information. In no event shall the author be liable for any direct or
> indirect damages whatsoever arising out of or in connection
> with the use
> or spread of this information. Any use of this information is at the
> user's own risk.
>
