Vista Exploit Surfaces on Russian Hacker Site

Proof-of-concept exploit code for a privilege escalation vulnerability affecting all versions of Windows—including Vista—has been posted on a Russian hacker forum, forcing Microsoft to activate its emergency response process. Mike Reavey, operations manager of the Microsoft Security Response Center, confirmed that the company is "closely monitoring" the public posting, which first appeared on a Russian language forum on Dec. 15. It affects "csrss.exe," which is the main executable for the Microsoft Client/Server Runtime Server.

According to an alert cross-posted to security mailing lists, the vulnerability is caused by a memory corruption when certain strings are sent through the MessageBox API. "The PoC reportedly allows for local elevation of privilege on Windows 2000 SP4, Windows Server 2003 SP1, Windows XP SP1, Windows XP SP2 and Windows Vista operating systems," Reavey said in an entry posted late Dec. 21 on the MSRC blog.

"Initial indications are that in order for the attack to be successful, the attacker must already have authenticated access to the target system. Of course these are preliminary findings and we have activated our emergency response process involving a multitude of folks who are investigating the issue in depth to determine the full scope and potential impact to Microsoft's customers," Reavey added.

View: The full story
News source: eWeek News source: eWeek

Report a problem with article
Previous Story

DirectX 10 will not take off until 2H 2007, says AMD

Next Story

Microsoft offers Vista free to CES exhibitors

19 Comments

Commenting is disabled on this article.

It's possible that a remote script may allow executing win32 functions (e.g. php + win32 extensions does), so a remote exploit in this sense is possible.

The point is that a limited vista user won't get a uac prompt.

Quote - Andareed said @ #6.1
It's possible that a remote script may allow executing win32 functions (e.g. php + win32 extensions does), so a remote exploit in this sense is possible

Please don't say stupidities! It's NOT remotely exploitable.
A local user have to execute a malicious exe.

Quote - franzon said @ #6.2

Please don't say stupidities! It's NOT remotely exploitable.
A local user have to execute a malicious exe.

Anything that is able to call MessageBox (directly or indirectly) might be able to trigger this. This includes web-scripts that are able to call MessageBox.

Quote - Andareed said @ #6.3

Anything that is able to call MessageBox (directly or indirectly) might be able to trigger this. This includes web-scripts that are able to call MessageBox.

Please don't say stupidities!
Web scripts use javascript functions and NOT the Win32 API MessageBox which is used only by the exe programs.
Javascript function MessageBox is TOTALLY DIFFERENT than Win32 API MessageBox (and javascript functions also run in a different enviroment)!!!!


http://secunia.com/advisories/23448/
Critical: Less critical
Where: Local system

Quote - franzon said @ #6.4

Please don't say stupidities!
Web scripts use javascript functions and NOT the Win32 API MessageBox which is used only by the exe programs.
Javascript function MessageBox is TOTALLY DIFFERENT than Win32 API MessageBox (and javascript functions also run in a different enviroment)!!!!


http://secunia.com/advisories/23448/
Critical: Less critical
Where: Local system

I was talking about php server "web" scripts. I'm not talking about javascript "MessageBox" (do you mean window.alert?). I've actually confirmed that with the win32api php extension, this exploit is possible.

Stop emphasizing "Local System". Everything I've mentioned targets a local system

can someone tell me what's so special about this string

"??C:"

i'm sure this is the cause of the crash...

EDIT: urgh i can't get the double back slash to display for some reason

Quote - chaosblade said @ #1.1
Does it require administrator access, As pronounced?

Nope - got a BSOD on both an admin and limited user account.

So is it just a crash? Or can you actually create an exploit.
I am still scratching my head after looking at the code how do I create an exploit by knowing that the code deallocated the same memory buffer twice.

Quote - Stunna said @ #1.4
How can I try the exploit on my machine?

go to the russian site, download the source code, which is a few lines, compile, run.

Quote - Andareed said @ #1.2

Nope - got a BSOD on both an admin and limited user account.

It does not say administrator access...its says AUTHENTICATED access [which means you can use a limited account]