lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <D52FCFAE57472647956CBAEDC08DA553015F0494@av-mail01.corp.int-eeye.com>
Date: Tue, 10 Apr 2007 10:57:58 -0700
From: "eEye Advisories" <Advisories@...e.com>
To: <Full-Disclosure@...ts.grok.org.uk>
Subject: EEYE: Windows Vista CSRSS Dangling Process
	Pointer Privilege Escalation

Windows Vista CSRSS Dangling Process Pointer Privilege Escalation

Release Date:
April 10, 2007

Date Reported:
January 19, 2007

Severity:
Medium (Local Privilege Escalation to SYSTEM)

Vendor:
Microsoft

Systems Affected:
Windows Vista

Overview:
eEye Digital Security has discovered a local privilege escalation
vulnerability in Windows Vista that allows a program executing without
privileges to fully compromise an affected system.  A malicious user or
malware program could exploit this vulnerability to execute arbitrary
code with SYSTEM privileges within the CSRSS process, permitting the
bypass of Vista's vaunted user privilege limitations and administrator
approval mode.

By establishing and closing multiple connections to CSRSS's "ApiPort",
an application may cause a private data structure within CSRSS that
describes its process to be used after it has been freed, creating an
exploitable "dangling pointer" condition.  This vulnerability is
entirely separate from the CSRSS NtRaiseHardError message box flaw
publicly disclosed in December 2006, although both affect code within
the CSRSS process.

It is interesting to note that this vulnerability only affects Windows
Vista, due to new, flawed code added to CSRSRV.DLL in support of
functionality introduced in Vista.

Technical Details:
Starting with Windows Vista, an extended form of Local Procedure Call
(LPC) known as Advanced Local Procedure Call (ALPC) is used in place of
legacy LPC for communicating with CSRSS.  Each new process establishes
an ALPC connection to the "ApiPort" of its session's CSRSS
("\Windows\ApiPort" or "\Sessions\<sessionid>\Windows\ApiPort"), which
it uses to communicate various events and requests.

As part of its duties, CSRSS maintains an internal doubly-linked list of
structures corresponding to the processes in the session it serves.
With the introduction of ALPC, CSRSS can associate an ALPC connection
with the process structure corresponding to the calling process, by
using a pointer field within the connection's context attribute.  (Prior
to this capability, CSRSS looked up the process structure according to
the caller's PID.)

Unfortunately, there are multiple places within CSRSS where it is
wrongly assumed that a process will only make one "ApiPort" connection;
perhaps the worst is CSRSRV.DLL!CsrApiRequestThread, which extracts and
uses the process structure pointer from a connection's context
attribute.  Each process structure contains a reference count which is
not incremented when a new ALPC connection is established (the initial
count allows for one connection), but may be decremented when a
connection is closed.  As a result, it is possible to establish multiple
"ApiPort" connections, then destroy the client's process structure by
closing the first connection, and finally, close or otherwise generate
activity on the second connection to cause the defunct process structure
pointer to be improperly reused.

This oversight allows an attacker to act upon memory that either is free
or has since been reallocated for another purpose.  With enough careful
crafting, an attacker may free the process structure by closing the
first connection (NTDLL.DLL!CsrPortHandle is not protected on Vista),
replace the heap memory formerly occupied by the process structure with
arbitrary data, and then cause this arbitrary data to be dereferenced
and destroyed like a process structure, by closing the second
connection.  (This is not to suggest that an exploit will only open two
connections, however, as a close message may not be generated for the
second connection unless a third connection also exists.)

Once this sequence completes, execution within CSRSS may be diverted to
an attacker-supplied function pointer.

Protection:
Retina - Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS07-021.mspx

Credit:
Derek Soeder

Related Links:
eEye Research - http://research.eeye.com
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Personal Use For One
Year:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html
Blink - Unified Client Security Neighborhood Watch - Free For Personal
Use:
http://www.eeye.com/html/products/blink/neighborhoodwatch/index.html

Greetings:
"At the end of six leagues the darkness was thick and there was no
light, he could see nothing ahead and nothing behind him."

Copyright (c) 1998-2007 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically.  It is not
to be edited in any way without express consent of eEye.  If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@...e.com for permission.

Disclaimer
The information within this paper may change without notice.  Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information.  In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.  Any use of this information is at the
user's own risk.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ