
Vista Exploit Surfaces on Russian Hacker Site

Daniel Fleshbourne   on 22 December 2006 - 16:05 · 19 comments & 6836 views

Proof-of-concept exploit code for a privilege escalation vulnerability affecting all versions of Windows—including Vista—has been posted on a Russian hacker forum, forcing Microsoft to activate its emergency response process. Mike Reavey, operations manager of the Microsoft Security Response Center, confirmed that the company is "closely monitoring" the public posting, which first appeared on a Russian language forum on Dec. 15. It affects "csrss.exe," which is the main executable for the Microsoft Client/Server Runtime Server.

According to an alert cross-posted to security mailing lists, the vulnerability is caused by a memory corruption when certain strings are sent through the MessageBox API. "The PoC reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems," Reavey said in an entry posted late Dec. 21 on the MSRC blog.

"Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings and we have activated our emergency response process involving a multitude of folks who are investigating the issue in depth to determine the full scope and potential impact to Microsoft's customers," Reavey added.

News source: eWeek

Comments · There are 19 additional comments
(6 replies) #1 Andareed on 22 Dec 2006 - 18:00
Just tried this on XP and it works.
#1.1 chaosblade on 22 Dec 2006 - 19:36
Does it require administrator access, as pronounced?
#1.2 Andareed on 22 Dec 2006 - 20:21
Quote - chaosblade said @ #1.1
Does it require administrator access, as pronounced?


Nope - got a BSOD on both an admin and limited user account.
#1.3 Express on 22 Dec 2006 - 20:43
So is it just a crash? Or can you actually create an exploit?
I am still scratching my head after looking at the code: how do I create an exploit by knowing that the code deallocated the same memory buffer twice?
#1.4 Stunna on 22 Dec 2006 - 22:59
How can I try the exploit on my machine?
#1.5 bjc4ever on 23 Dec 2006 - 02:53
Quote - Stunna said @ #1.4
How can I try the exploit on my machine?


Go to the Russian site, download the source code, which is a few lines, compile, run.
#1.6 +Shadowdruid on 23 Dec 2006 - 09:03
Quote - Andareed said @ #1.2
Quote - chaosblade said @ #1.1
Does it require administrator access, as pronounced?


Nope - got a BSOD on both an admin and limited user account.


It does not say administrator access... it says AUTHENTICATED access [which means you can use a limited account].
(1 reply) #3 bjc4ever on 22 Dec 2006 - 20:42
Can someone tell me what's so special about this string?
Quote -
"??C:"

I'm sure this is the cause of the crash...

EDIT: urgh, I can't get the double backslash to display for some reason.
#3.1 Andareed on 22 Dec 2006 - 21:21
It's a prefix for indicating a Unicode filename. See: http://msdn.microsoft.com/library/en-us/fi....asp?frame=true
#4 Gobelet on 22 Dec 2006 - 21:00
"Vista Exploit"? It's an exploit affecting W2K, XP, and Vista. Nothing Vista-specific.
#5 +Shadowdruid on 23 Dec 2006 - 09:04
Double news source. Please delete.
(5 replies) #6 franzon on 23 Dec 2006 - 10:13
It's a LOCALLY exploitable flaw and the user has to execute a malicious exe in order to get the crash.

Last edited by franzon on 23 Dec 2006 - 10:47
#6.1 Andareed on 23 Dec 2006 - 15:08
It's possible that a remote script may allow executing win32 functions (e.g. PHP + win32 extensions do), so a remote exploit in this sense is possible.

The point is that a limited Vista user won't get a UAC prompt.
#6.2 franzon on 23 Dec 2006 - 16:13
Quote - Andareed said @ #6.1
It's possible that a remote script may allow executing win32 functions (e.g. PHP + win32 extensions do), so a remote exploit in this sense is possible.


Please don't say stupidities! It's NOT remotely exploitable.
A local user has to execute a malicious exe.
#6.3 Andareed on 23 Dec 2006 - 23:21
Quote - franzon said @ #6.2
Quote - Andareed said @ #6.1
It's possible that a remote script may allow executing win32 functions (e.g. PHP + win32 extensions do), so a remote exploit in this sense is possible.


Please don't say stupidities! It's NOT remotely exploitable.
A local user has to execute a malicious exe.


Anything that is able to call MessageBox (directly or indirectly) might be able to trigger this. This includes web-scripts that are able to call MessageBox.
#6.4 franzon on 24 Dec 2006 - 10:48
Quote - Andareed said @ #6.3

Anything that is able to call MessageBox (directly or indirectly) might be able to trigger this. This includes web-scripts that are able to call MessageBox.


Please don't say stupidities!
Web scripts use JavaScript functions and NOT the Win32 API MessageBox, which is used only by the exe programs.
JavaScript function MessageBox is TOTALLY DIFFERENT than Win32 API MessageBox (and JavaScript functions also run in a different environment)!!!!


http://secunia.com/advisories/23448/
Critical: Less critical
Where: Local system

Last edited by franzon on 24 Dec 2006 - 11:12
#6.5 Andareed on 24 Dec 2006 - 14:33
Quote - franzon said @ #6.4
Quote - Andareed said @ #6.3

Anything that is able to call MessageBox (directly or indirectly) might be able to trigger this. This includes web-scripts that are able to call MessageBox.


Please don't say stupidities!
Web scripts use JavaScript functions and NOT the Win32 API MessageBox, which is used only by the exe programs.
JavaScript function MessageBox is TOTALLY DIFFERENT than Win32 API MessageBox (and JavaScript functions also run in a different environment)!!!!


http://secunia.com/advisories/23448/
Critical: Less critical
Where: Local system


I was talking about PHP server "web" scripts. I'm not talking about JavaScript "MessageBox" (do you mean window.alert?). I've actually confirmed that with the win32api PHP extension, this exploit is possible.

Stop emphasizing "Local System". Everything I've mentioned targets a local system.
#7 David3k on 23 Dec 2006 - 10:14
Quote -
the attacker must already have authenticated access to the target system.


FAIL!
