[NT] CSRSS Remote Code Execution (MS07-021)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



CSRSS Remote Code Execution (MS07-021)
------------------------------------------------------------------------


SUMMARY

CSRSS is the user-mode portion of the Win32 subsystem. CSRSS stands for
client/server run-time subsystem and is an essential subsystem that must
be running at all times. CSRSS is responsible for console windows,
creating and/or deleting threads.

A remote code execution vulnerability exists in the Windows Client/Server
Run-time Subsystem (CSRSS) process because of the way that it handles
error messages. A privilege elevation vulnerability exists in the way that
the Windows 32 Client/Server Run-time Subsystem (CSRSS) handles its
connections during the startup and stopping of processes and denial of
service vulnerability exists in the Client/Server Run-time Subsystem
(CSRSS) service because of the way it handles error messages.

DETAILS

Affected Software:
* Microsoft Windows 2000 Service Pack 4 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=909e3b63-4d11-4fe6-849f-1ce960eb62cd> Download the update
* Microsoft Windows XP Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=69876449-25d1-41b4-b7c8-2b7fb40e59ee> Download the update
* Microsoft Windows XP Professional x64 Edition and Microsoft Windows XP
Professional x64 Edition Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=91fd8716-c1a2-434e-bed0-df9d01e3d685> Download the update
* Microsoft Windows Server 2003, Microsoft Windows Server 2003 Service
Pack 1, and Microsoft Windows Server 2003 Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=4dac667d-b346-461e-8bb5-6112e946349f> Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems, Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems, and Microsoft
Windows Server 2003 with SP2 for Itanium-based Systems -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=639de6c7-0928-469a-be68-60ea391fa770> Download the update
* Microsoft Windows Server 2003 x64 Edition and Microsoft Windows Server
2003 x64 Edition Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=69dbe4bc-05a5-450b-8c72-e431e800d4f3> Download the update
* Windows Vista -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=3487b1f0-a383-41a4-a660-2768962b3bcd> Download the update
* Windows Vista x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=c46f62e1-dddd-4886-a82b-ebec258a495b> Download the update

MsgBox (CSRSS) Remote Code Execution Vulnerability - CVE-2006-6696:
A remote code execution vulnerability exists in the Windows Client/Server
Run-time Subsystem (CSRSS) process because of the way that it handles
error messages. An attacker could exploit the vulnerability by
constructing a specially crafted application that could potentially allow
remote code execution.

Additionally, if a user viewed a specially crafted Web site, an attacker
who successfully exploited this vulnerability could take complete control
of an affected system.

Mitigating Factors for MsgBox (CSRSS) Remote Code Execution Vulnerability
- CVE-2006-6696:
* In a local attack scenario an attacker must have valid logon
credentials and be able to log on locally to exploit this vulnerability.
The vulnerability could not be exploited remotely or by anonymous users.

* In a Web-based attack scenario, an attacker would have to host a Web
site that contains a Web page that is used to exploit this vulnerability.
An attacker would have no way to force users to visit a specially crafted
Web site. Instead, an attacker would have to convince them to visit the
Web site, typically by getting them to click a link that takes them to the
attacker's Web site. After they click the link, they would be prompted to
perform several actions. An attack could only occur after they performed
these actions.

FAQ for MsgBox (CSRSS) Remote Code Execution Vulnerability - CVE-
CVE-2006-6696:
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who
successfully exploited this vulnerability could remotely take complete
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights.

What causes the vulnerability?
The vulnerability is caused by incorrect handling of error messages by the
Windows Client/Server Run-time Subsystem (CSRSS).

What is the Client/Server Run-time Subsystem?
CSRSS is the user-mode portion of the Win32 subsystem. CSRSS stands for
client/server run-time subsystem and is an essential subsystem that must
be running at all times. CSRSS is responsible for console windows,
creating and/or deleting threads.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

Who could exploit the vulnerability?
In a Web-based attack scenario, an attacker would have to host a Web site
that contains a Web page that is used to attempt to exploit this
vulnerability. An attacker would have no way to force users to visit a
specially crafted Web site. Instead, an attacker would have to convince
them to visit the Web site, typically by getting them to click a link that
takes them to the attacker's site. It could also be possible to display
specially crafted Web content by using banner advertisements or by using
other methods to deliver Web content to affected systems.

The vulnerability could also be exploited by a locally logged-on user by
executing a specially crafted application.

What systems are primarily at risk from the vulnerability?
This vulnerability requires that either a user either be logged on locally
and run a specially crafted application or that a user is logged on and
visits a Web site for malicious action to occur.

Therefore, any systems where Internet Explorer is used frequently or where
multiple users have permissions to log on locally and run untrusted
applications, such as workstations or terminal servers, are at the most
risk from this vulnerability.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the
Internet. Firewall best practices and standard default firewall
configurations can help protect against attacks that originate from the
Internet. Microsoft has provided information about how you can help
protect your PC. End users can visit the Protect Your PC Web site. IT
professionals can visit the Security Guidance Center Web site.

What does the update do?
The update removes the vulnerability by modifying the way that the
Client/Server Run-time Subsystem processes error messages.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. While the initial report was provided through responsible disclosure,
the vulnerability was later disclosed publicly by another security
researcher. It has been assigned Common Vulnerability and Exposure number
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6696>
CVE-2006-6696. It also has been named Vista Memory Corruption Zero-Day by
the larger security community. This security bulletin addresses the
publicly disclosed vulnerability as well as additional issues discovered
through internal investigations.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published
publicly but had not received any information to indicate that this
vulnerability had been publicly used to attack customers when this
security bulletin was originally issued.

Does applying this security update help protect customers from the code
that has been published publicly that attempts to exploit this
vulnerability?
This security update addresses the vulnerability that potentially could be
exploited by using the published proof of concept code. The vulnerability
that has been addressed has been assigned the Common Vulnerability and
Exposure number
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6696>
CVE-2006-6696.

CSRSS Local Elevation of Privilege Vulnerability - CVE-2007-1209:
A privilege elevation vulnerability exists in the way that the Windows 32
Client/Server Run-time Subsystem (CSRSS) handles its connections during
the startup and stopping of processes.

Mitigating Factors for CSRSS Local Elevation of Privilege Vulnerability -
CVE-2007-1209:
An attacker must have valid logon credentials and be able to log on
locally to exploit this vulnerability. The vulnerability could not be
exploited remotely or by anonymous users.

FAQ for CSRSS Local Elevation of Privilege Vulnerability - CVE-2007-1209:
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system. An attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights. To attempt to exploit
the vulnerability, an attacker must be able to log on locally to the
system and run a program.

What causes the vulnerability?
The vulnerability is caused by the incorrect marshaling of system
resources by the Client/Server Run-time Subsystem.

What is the Client/Server Run-time Subsystem?
CSRSS is the user-mode portion of the Win32 subsystem. CSRSS stands for
client/server run-time subsystem and is an essential subsystem that must
be running at all times. CSRSS is responsible for console windows,
creating and/or deleting threads.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

What systems are primarily at risk from the vulnerability?
Systems where multiple users have permissions to log on locally and run
untrusted applications, are at the most risk from this vulnerability.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is
targeted for attack. An attacker cannot load and run a program remotely by
using this vulnerability.

What does the update do?
The update removes the vulnerability by ensuring the memory resources
utilized by the Client/Server Run-time Subsystem are freed appropriately
after use.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.

CSRSS DoS Vulnerability - CVE-2006-6797:
A denial of service vulnerability exists in the Client/Server Run-time
Subsystem (CSRSS) service because of the way it handles error messages. An
attacker could exploit the vulnerability by running a specially crafted
application causing the system to restart.

Mitigating Factors for CSRSS DoS Vulnerability - CVE-2006-6797:
An attacker must have valid logon credentials and be able to log on
locally to exploit this vulnerability. The vulnerability could not be
exploited remotely or by anonymous users.

FAQ for CSRSS DoS Vulnerability - CVE-2006-6797:
What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who exploited this
vulnerability could cause the affected system to stop responding and
automatically restart. Note that the denial of service vulnerability would
not allow an attacker to run code or to elevate their user rights, but it
could cause the affected system to stop accepting requests.

What causes the vulnerability?
The vulnerability is caused by incorrect error handling by the CSRSS
service.

What is the Client/Server Run-time Subsystem?
CSRSS is the user-mode portion of the Win32 subsystem (with Win32.sys
being the kernel-mode portion). CSRSS stands for client/server run-time
subsystem and is an essential subsystem that must be running at all times.
CSRSS is responsible for console windows, creating and/or deleting
threads.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause the
affected system to stop responding.

Who could exploit the vulnerability?
To try to exploit the vulnerability, an attacker must be able to log on
locally to a system and run a program.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to log on to
the system. An attacker could then run a specially crafted application
that could exploit the vulnerability and cause the system to stop
responding and restart.

What systems are primarily at risk from the vulnerability?
Windows systems where multiple users have permissions to log on locally
and run untrusted applications are at the most risk from this
vulnerability.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is
targeted for attack. An attacker cannot load and run a program remotely by
using this vulnerability.

What does the update do?
The update removes the vulnerability by ensuring that the Client/Server
Run-time Subsystem correctly processes error messages.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published
publicly but had not received any information to indicate that this
vulnerability had been publicly used to attack customers when this
security bulletin was originally issued.

Does applying this security update help protect customers from the code
that has been published publicly that attempts to exploit this
vulnerability?
This security update addresses the vulnerability that potentially could be
exploited by using the published proof of concept code. The vulnerability
that has been addressed has been assigned the Common Vulnerability and
Exposure number
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-6797>
CVE-2006-6797.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security Bulletin MS07-021.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms07-021.mspx>
http://www.microsoft.com/technet/security/bulletin/ms07-021.mspx



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages