CERT-In Vulnerability Note CIVN-2006-137
Windows CSRSS HardError Message Box Vulnerability
Original Issue Date: December 28, 2006
Severity Rating: Medium
System Affected
- Windows 2000
- Windows XP
- Windows 2003
- Windows Vista
Overview
A vulnerability has been reported in the Microsoft Windows Client/Server Runtime Server Subsystem (CSRSS) that could be exploited by an attacker to execute arbitrary code.
Description
CSRSS is the user-mode portion of the Win32 subsystem. It is responsible for console windows and for creating and deleting threads.
When the MB_SERVICE_NOTIFICATION flag is specified in a call to the Windows API MessageBox function, the call uses the NtRaiseHardError syscall to send a HardError message to CSRSS. This message contains the caption and text of the message box that CSRSS displays on behalf of the caller.
The vulnerability is caused by an error in WINSRV.DLL when HardError messages are handled by the UserHardError function. UserHardError calls the GetHarderrorText function to obtain pointers to the caption and text of the message box.
If the caption or text parameter starts with the \??\ prefix, GetHarderrorText inexplicably frees the buffer and returns a pointer to the freed memory. After the user closes the message box, the same buffer is freed again in the FreePhi function, resulting in a double-free vulnerability.
An attacker could exploit this vulnerability by creating a specially crafted message box to execute arbitrary code within CSRSS.exe and thereby elevate privileges to the system level.
It may be noted that exploit code for this vulnerability is available on the Internet.
Workaround
Grant access to trusted users only
References
eEye
http://research.eeye.com/html/alerts/zeroday/20061215.html
Security focus
http://www.securityfocus.com/bid/21688/info
Determina Security Research
http://www.determina.com/security.research/vulnerabilities/csrss-harderror.html
CVE Name
CVE-2006-6696
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003