Windows Vista CSRSS Dangling Process Pointer Privilege Escalation

Release Date:
April 10, 2007

Date Reported:
January 19, 2007

Severity:
Medium (Local Privilege Escalation to SYSTEM)

Vendor:
Microsoft

Systems Affected:
Windows Vista

Overview:
eEye Digital Security has discovered a local privilege escalation
vulnerability in Windows Vista that allows a program executing without
privileges to fully compromise an affected system.  A malicious user or
malware program could exploit this vulnerability to execute arbitrary
code with SYSTEM privileges within the CSRSS process, permitting the
bypass of Vista's vaunted user privilege limitations and administrator
approval mode.

By establishing and closing multiple connections to CSRSS's "ApiPort",
an application may cause a private data structure within CSRSS that
describes its process to be used after it has been freed, creating an
exploitable "dangling pointer" condition.  This vulnerability is
entirely separate from the CSRSS NtRaiseHardError message box flaw
publicly disclosed in December 2006, although both affect code within
the CSRSS process.

It is interesting to note that this vulnerability only affects Windows
Vista, due to new, flawed code added to CSRSRV.DLL in support of
functionality introduced in Vista.

Technical Details:
Starting with Windows Vista, an extended form of Local Procedure Call
(LPC) known as Advanced Local Procedure Call (ALPC) is used in place of
legacy LPC for communicating with CSRSS.  Each new process establishes
an ALPC connection to the "ApiPort" of its session's CSRSS
("\Windows\ApiPort" or "\Sessions\<sessionid>\Windows\ApiPort"), which
it uses to communicate various events and requests.

As part of its duties, CSRSS maintains an internal doubly-linked list of
structures corresponding to the processes in the session it serves.
With the introduction of ALPC, CSRSS can associate an ALPC connection
with the process structure corresponding to the calling process, by
using a pointer field within the connection's context attribute.  (Prior
to this capability, CSRSS looked up the process structure according to
the caller's PID.)

Unfortunately, there are multiple places within CSRSS where it is
wrongly assumed that a process will only make one "ApiPort" connection;
perhaps the worst is CSRSRV.DLL!CsrApiRequestThread, which extracts and
uses the process structure pointer from a connection's context
attribute.  Each process structure contains a reference count which is
not incremented when a new ALPC connection is established (the initial
count allows for one connection), but may be decremented when a
connection is closed.  As a result, it is possible to establish multiple
"ApiPort" connections, then destroy the client's process structure by
closing the first connection, and finally, close or otherwise generate
activity on the second connection to cause the defunct process structure
pointer to be improperly reused.

This oversight allows an attacker to act upon memory that either is free
or has since been reallocated for another purpose.  With enough careful
crafting, an attacker may free the process structure by closing the
first connection (NTDLL.DLL!CsrPortHandle is not protected on Vista),
replace the heap memory formerly occupied by the process structure with
arbitrary data, and then cause this arbitrary data to be dereferenced
and destroyed like a process structure, by closing the second
connection.  (This is not to suggest that an exploit will only open two
connections, however, as a close message may not be generated for the
second connection unless a third connection also exists.)

Once this sequence completes, execution within CSRSS may be diverted to
an attacker-supplied function pointer.

Protection:
Retina - Network Security Scanner has been updated to identify this
vulnerability.

Vendor Status:
Microsoft has released a patch for this vulnerability. The patch is
available at:
http://www.microsoft.com/technet/security/bulletin/MS07-021.mspx

Credit:
Derek Soeder

Related Links:
eEye Research - http://research.eeye.com
Retina - Network Security Scanner - Free Trial:
http://www.eeye.com/html/products/retina/download/index.html
Blink - Unified Client Security Personal - Free For Personal Use For One
Year:
http://www.eeye.com/html/products/blink/personal/download/index.html
Blink - Unified Client Security Professional - Free Trial:
http://www.eeye.com/html/products/blink/download/index.html
Blink - Unified Client Security Neighborhood Watch - Free For Personal
Use:
http://www.eeye.com/html/products/blink/neighborhoodwatch/index.html

Greetings:
"At the end of six leagues the darkness was thick and there was no
light, he could see nothing ahead and nothing behind him."

Copyright (c) 1998-2007 eEye Digital Security Permission is hereby
granted for the redistribution of this alert electronically.  It is not
to be edited in any way without express consent of eEye.  If you wish to
reprint the whole or any part of this alert in any other medium
excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice.  Use of
this information constitutes acceptance for use in an AS IS condition.
There are no warranties, implied or express, with regard to this
information.  In no event shall the author be liable for any direct or
indirect damages whatsoever arising out of or in connection with the use
or spread of this information.  Any use of this information is at the
user's own risk.