Advisory ID:
AD20070410b

Windows Vista CSRSS Dangling Process Pointer Privilege Escalation

Release Date:
4/10/2007 12:00:00 AM

Date Reported:
1/19/2007 12:00:00 AM

Severity:
Moderate

Vendor:
Microsoft

Affected Software:
Windows Vista

Overview:
eEye Digital Security has discovered a local privilege escalation vulnerability in Windows Vista that allows a program executing without privileges to fully compromise an affected system. A malicious user or malware program could exploit this vulnerability to execute arbitrary code with SYSTEM privileges within the CSRSS process, permitting the bypass of Vista's vaunted user privilege limitations and administrator approval mode.

By establishing and closing multiple connections to CSRSS's "ApiPort", an application may cause a private data structure within CSRSS that describes its process to be used after it has been freed, creating an exploitable "dangling pointer" condition. This vulnerability is entirely separate from the CSRSS NtRaiseHardError message box flaw publicly disclosed in December 2006, although both affect code within the CSRSS process.

It is interesting to note that this vulnerability only affects Windows Vista, due to new, flawed code added to CSRSRV.DLL in support of functionality introduced in Vista.

Technical Details:
Starting with Windows Vista, an extended form of Local Procedure Call (LPC) known as Advanced Local Procedure Call (ALPC) is used in place of legacy LPC for communicating with CSRSS. Each new process establishes an ALPC connection to the "ApiPort" of its session's CSRSS ("\Windows\ApiPort" or "\Sessions\<sessionid>\Windows\ApiPort"), which it uses to communicate various events and requests.

As part of its duties, CSRSS maintains an internal doubly-linked list of structures corresponding to the processes in the session it serves. With the introduction of ALPC, CSRSS can associate an ALPC connection with the process structure corresponding to the calling process, by using a pointer field within the connection's context attribute. (Prior to this capability, CSRSS looked up the process structure according to the caller's PID.)

Unfortunately, there are multiple places within CSRSS where it is wrongly assumed that a process will only make one "ApiPort" connection; perhaps the worst is CSRSRV.DLL!CsrApiRequestThread, which extracts and uses the process structure pointer from a connection's context attribute. Each process structure contains a reference count which is not incremented when a new ALPC connection is established (the initial count allows for one connection), but may be decremented when a connection is closed. As a result, it is possible to establish multiple "ApiPort" connections, then destroy the client's process structure by closing the first connection, and finally, close or otherwise generate activity on the second connection to cause the defunct process structure pointer to be improperly reused.
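The reference-counting mistake described above is easier to see in a small model. The following C program is an added illustration and is not eEye's code or a reproduction of CSRSRV.DLL: it keeps a hypothetical per-process entry with a refcount that starts at one (covering the first connection), lets additional connections attach to the same entry, and drops one reference per close. Under the flawed policy the attach step does not take a reference, so the entry is released while a connection still points to it; under the corrected policy each extra connection takes its own reference and the entry survives until the last close. All names and the structure layout are assumptions for the model, and release is simulated with a flag rather than a real heap free so that the program stays well-defined.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-process entry kept by a session server.
 * This is a model for illustration, not the real CSRSS structure. */
typedef struct proc_entry {
    unsigned long pid;
    long refcount;         /* one reference per live connection */
    int live_connections;  /* connections still holding a pointer to us */
    int released;          /* set when the entry is torn down */
} proc_entry;

enum { POLICY_FLAWED = 0, POLICY_CORRECT = 1 };

/* Creating the entry takes the initial reference on behalf of the
 * first connection, mirroring the "initial count allows for one
 * connection" behaviour described in the advisory. */
static proc_entry *proc_create(unsigned long pid) {
    proc_entry *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->pid = pid;
    p->refcount = 1;
    return p;
}

/* Associate a new connection with the existing entry.
 * The flawed policy never takes a reference for the extra connection;
 * the correct policy takes one for every connection beyond the first. */
static void connection_open(proc_entry *p, int policy) {
    p->live_connections++;
    if (policy == POLICY_CORRECT && p->live_connections > 1)
        p->refcount++;
}

/* Closing a connection always drops a reference.
 * Returns 1 if this close tore the entry down, -1 if the entry was
 * already torn down (a dangling use), 0 otherwise. */
static int connection_close(proc_entry *p) {
    if (p->released)
        return -1;
    p->live_connections--;
    if (--p->refcount == 0) {
        p->released = 1;  /* a real server would free the memory here */
        return 1;
    }
    return 0;
}

/* Open n connections to one entry, then close them in order.
 * Returns 1 if the entry was torn down while another connection still
 * referenced it (the use-after-free window), 0 if accounting was sound. */
int simulate(int n_connections, int policy) {
    proc_entry *p = proc_create(1234);  /* constructed sample PID */
    int premature = 0;
    for (int i = 0; i < n_connections; i++)
        connection_open(p, policy);
    for (int i = 0; i < n_connections; i++) {
        int r = connection_close(p);
        if (r == 1 && p->live_connections > 0)
            premature = 1;  /* released with connections outstanding */
        if (r == -1)
            premature = 1;  /* close operated on a released entry */
    }
    free(p);
    return premature;
}

int main(void) {
    printf("two connections, flawed accounting:  %s\n",
           simulate(2, POLICY_FLAWED) ? "entry released early" : "ok");
    printf("two connections, correct accounting: %s\n",
           simulate(2, POLICY_CORRECT) ? "entry released early" : "ok");
    return 0;
}
```

With a single connection both policies behave identically, which is why the defect only surfaces once a process holds more than one connection to the same entry. The fix is the one the model's correct policy applies: every object that stores a pointer to the entry must own a reference, so the entry cannot reach zero while any such pointer remains.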

This oversight allows an attacker to act upon memory that either is free or has since been reallocated for another purpose. With enough careful crafting, an attacker may free the process structure by closing the first connection (NTDLL.DLL!CsrPortHandle is not protected on Vista), replace the heap memory formerly occupied by the process structure with arbitrary data, and then cause this arbitrary data to be dereferenced and destroyed like a process structure, by closing the second connection. (This is not to suggest that an exploit will only open two connections, however, as a close message may not be generated for the second connection unless a third connection also exists.)

Once this sequence completes, execution within CSRSS may be diverted to an attacker-supplied function pointer.

Protection:
Retina - Network Security Scanner has been updated to identify this vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS07-021.mspx

Credit:
Derek Soeder

Greetings:
"At the end of six leagues the darkness was thick and there was no light, he could see nothing ahead and nothing behind him."

Copyright ©1998-2011 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
