Microsoft investigates CSRSS hole
A vulnerability in the Windows CSRSS process (Client/Server Runtime Subsystem) could allow local users to escalate their privileges. It reportedly affects Windows 2000, XP, Server 2003 and even Vista. Among other things, CSRSS is responsible for drawing console windows and for launching and terminating processes.
If a non-interactive service wants to display a message on the user's desktop, it can do so with the Win32 function MessageBox() as long as the programmer sets the MB_SERVICE_NOTIFICATION flag. CSRSS then displays the dialogue box on the service's behalf. Ordinary Windows applications can also bring up a dialogue box with this flag, so the code path is reachable from any local user's process, not only from services.
If the string for the title bar or the text of the message box begins with \??\, CSRSS frees the string buffer prematurely and then, once the user clicks "OK" in the dialogue, tries to free the already freed memory a second time (a double free). An attacker could use this hole to execute code in the context of CSRSS in order to obtain SYSTEM rights, or simply to crash the computer.
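The trigger described above concerns strings a service hands to CSRSS. As an added example, not code from the article, Determina or Microsoft, the following C snippet shows a guard a service author could place in front of MessageBoxW(MB_SERVICE_NOTIFICATION) so that captions or text derived from untrusted input (file names, user-supplied strings) never reach CSRSS with the \??\ prefix. The function names, the -1 "rejected" return value and the sample strings are assumptions for this example; the check itself is portable, and only the MessageBoxW call is compiled on Windows.

```c
/* Added example (not the article's, Determina's or Microsoft's code): a guard
 * in front of MessageBoxW(MB_SERVICE_NOTIFICATION) that refuses the "\??\"
 * prefix the article names as the trigger. Function names and the -1
 * "rejected" return value are assumptions for this example. */
#include <stddef.h>
#include <wchar.h>

#ifdef _WIN32
#include <windows.h>
#endif

/* The prefix the article identifies as the trigger: backslash, ?, ?, backslash. */
static const wchar_t NT_PREFIX[] = L"\\??\\";
#define NT_PREFIX_LEN (sizeof(NT_PREFIX) / sizeof(NT_PREFIX[0]) - 1)

/* 1 if s begins with "\??\", 0 otherwise (NULL counts as safe/empty). */
int has_nt_object_prefix(const wchar_t *s)
{
    if (s == NULL)
        return 0;
    return wcsncmp(s, NT_PREFIX, NT_PREFIX_LEN) == 0;
}

/* 1 if neither the caption nor the text starts with the trigger prefix. */
int service_message_is_safe(const wchar_t *caption, const wchar_t *text)
{
    return !has_nt_object_prefix(caption) && !has_nt_object_prefix(text);
}

/* Shows the box on the interactive desktop only when the guard passes.
 * Returns the MessageBoxW result, or -1 when the strings were rejected
 * (the caller should log the event instead, e.g. to the event log).
 * Off-Windows it returns a stand-in value so the guard logic can be
 * unit-tested. */
int safe_service_messagebox(const wchar_t *caption, const wchar_t *text)
{
    if (!service_message_is_safe(caption, text))
        return -1;
#ifdef _WIN32
    return MessageBoxW(NULL, text, caption,
                       MB_OK | MB_ICONWARNING | MB_SERVICE_NOTIFICATION);
#else
    return 1; /* IDOK is 1 on Windows; stand-in value for non-Windows builds */
#endif
}

int main(void)
{
    /* Constructed sample input: a file name that happens to carry the
     * NT object-manager prefix and would otherwise be shown as-is. */
    const wchar_t *suspicious = L"\\??\\C:\\Temp\\report.txt could not be read";
    int rc = safe_service_messagebox(L"Backup service", suspicious);
    /* Exit status 0 means the guard rejected the message as intended. */
    return rc == -1 ? 0 : 1;
}
```

The guard only keeps your own service from being the vector: as the article notes, any ordinary application can call MessageBox() with MB_SERVICE_NOTIFICATION itself, so a local attacker does not need your service at all, and the real fix is Microsoft's patch. Checking only the first four characters matches the trigger condition as the article describes it ("begins with \??\"); whether CSRSS tolerates leading whitespace or other variations is not stated, so a stricter service might reject the sequence anywhere in the string.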
In a test conducted by heise Security, however, the publicly available proof-of-concept exploit crashed neither CSRSS nor the computer under Windows XP with Service Pack 2 or under Windows Vista. Microsoft says that, while it is taking the weak point seriously, it has so far not seen any attacks, websites or e-mails that exploit the hole.
- New report of a Windows vulnerability, entry in Microsoft's security blog
- Windows CSRSS HardError Message Box Vulnerability, security advisory from Determina Security Research
- Proof-of-Concept Code
- Microsoft Windows XP/2003/Vista memory corruption 0day, security advisory by ZARAZA at Bugtraq