In association with heise online

22 December 2006, 14:02

Microsoft investigates CSRSS hole


A weak point in the Windows CSRSS service could allow local users to escalate their privileges. It apparently affects Windows 2000, XP, 2003, and even Vista. The CSRSS service is responsible, among other things, for drawing console windows and for launching and terminating processes.

If a (non-interactive) service wants to display a message on the user's desktop, it can do so with the Win32 function MessageBox() as long as the programmer has set the MB_SERVICE_NOTIFICATION flag. CSRSS then handles the display of the dialogue box on behalf of the service. Normal Windows applications can also generate a dialogue box using this flag.

If the string for the title bar or the text of the message dialogue begins with \??\, a premature call to a free function can lead CSRSS to try to free memory that has already been freed (a double free) once the user has clicked "OK" in the message dialogue. Attackers could then use this hole to execute code in the context of CSRSS in order to gain system rights, or to crash the computer.

In a test conducted by heise Security, the proof-of-concept exploit that was available did not, however, crash the CSRSS service or the computer under Windows XP with Service Pack 2, nor under Windows Vista. Microsoft says that, while it is taking this weak point seriously, it has so far not heard of any attacks or websites/e-mails that exploit the hole.
