Windows Vista CSRSS Dangling Process Pointer Privilege Escalation Release Date: April 10, 2007 Date Reported: January 19, 2007 Severity: Medium (Local Privilege Escalation to SYSTEM) Vendor: Microsoft Systems Affected: Windows Vista Overview: eEye Digital Security has discovered a local privilege escalation vulnerability in Windows Vista that allows a program executing without privileges to fully compromise an affected system. A malicious user or malware program could exploit this vulnerability to execute arbitrary code with SYSTEM privileges within the CSRSS process, permitting the bypass of Vista's vaunted user privilege limitations and administrator approval mode. By establishing and closing multiple connections to CSRSS's "ApiPort", an application may cause a private data structure within CSRSS that describes its process to be used after it has been freed, creating an exploitable "dangling pointer" condition. This vulnerability is entirely separate from the CSRSS NtRaiseHardError message box flaw publicly disclosed in December 2006, although both affect code within the CSRSS process. It is interesting to note that this vulnerability only affects Windows Vista, due to new, flawed code added to CSRSRV.DLL in support of functionality introduced in Vista. Technical Details: Starting with Windows Vista, an extended form of Local Procedure Call (LPC) known as Advanced Local Procedure Call (ALPC) is used in place of legacy LPC for communicating with CSRSS. Each new process establishes an ALPC connection to the "ApiPort" of its session's CSRSS ("\Windows\ApiPort" or "\Sessions\\Windows\ApiPort"), which it uses to communicate various events and requests. As part of its duties, CSRSS maintains an internal doubly-linked list of structures corresponding to the processes in the session it serves. With the introduction of ALPC, CSRSS can associate an ALPC connection with the process structure corresponding to the calling process, by using a pointer field within the connection's context attribute. (Prior to this capability, CSRSS looked up the process structure according to the caller's PID.) Unfortunately, there are multiple places within CSRSS where it is wrongly assumed that a process will only make one "ApiPort" connection; perhaps the worst is CSRSRV.DLL!CsrApiRequestThread, which extracts and uses the process structure pointer from a connection's context attribute. Each process structure contains a reference count which is not incremented when a new ALPC connection is established (the initial count allows for one connection), but may be decremented when a connection is closed. As a result, it is possible to establish multiple "ApiPort" connections, then destroy the client's process structure by closing the first connection, and finally, close or otherwise generate activity on the second connection to cause the defunct process structure pointer to be improperly reused. This oversight allows an attacker to act upon memory that either is free or has since been reallocated for another purpose. With enough careful crafting, an attacker may free the process structure by closing the first connection (NTDLL.DLL!CsrPortHandle is not protected on Vista), replace the heap memory formerly occupied by the process structure with arbitrary data, and then cause this arbitrary data to be dereferenced and destroyed like a process structure, by closing the second connection. (This is not to suggest that an exploit will only open two connections, however, as a close message may not be generated for the second connection unless a third connection also exists.) Once this sequence completes, execution within CSRSS may be diverted to an attacker-supplied function pointer. Protection: Retina - Network Security Scanner has been updated to identify this vulnerability. Vendor Status: Microsoft has released a patch for this vulnerability. The patch is available at: http://www.microsoft.com/technet/security/bulletin/MS07-021.mspx Credit: Derek Soeder Related Links: eEye Research - http://research.eeye.com Retina - Network Security Scanner - Free Trial: http://www.eeye.com/html/products/retina/download/index.html Blink - Unified Client Security Personal - Free For Personal Use For One Year: http://www.eeye.com/html/products/blink/personal/download/index.html Blink - Unified Client Security Professional - Free Trial: http://www.eeye.com/html/products/blink/download/index.html Blink - Unified Client Security Neighborhood Watch - Free For Personal Use: http://www.eeye.com/html/products/blink/neighborhoodwatch/index.html Greetings: "At the end of six leagues the darkness was thick and there was no light, he could see nothing ahead and nothing behind him." Copyright (c) 1998-2007 eEye Digital Security Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.