Windows CSRSS HardError Message Box Vulnerability
CVE id: CVE-2006-6696
Public disclosure: Dec 15, 2006
Determina advisory: Dec 20, 2006
Vendor patch: Apr 10, 2007
Systems Affected:
- Windows 2000
- Windows XP
- Windows 2003
- Windows Vista
Not affected:
- Windows NT
Overview:
Determina Security Research has discovered a vulnerability in the way the Windows Client/Server Runtime Server Subsystem (CSRSS) processes HardError messages. This vulnerability allows a logged-on user to execute arbitrary code in the CSRSS.EXE process and elevate their privileges to SYSTEM level. The vulnerable code is present in Windows 2000, XP, 2003 and Vista.
This vulnerability was independently disclosed on Dec 15, prompting the release of this advisory. Microsoft has been notified and is working on a patch. Exploitation details have been omitted from the advisory until a vendor patch is available.
Technical Details:
If the MB_SERVICE_NOTIFICATION flag is specified when calling the MessageBox function from the Windows API, it will use the NtRaiseHardError syscall to send a HardError message to CSRSS. This message contains the caption and text of a message box to be displayed by CSRSS on behalf of the caller. This functionality is designed to allow non-interactive services to notify the user of critical errors.
The HardError message is handled by the UserHardError function in WINSRV.DLL. It calls GetHardErrorText to read the message parameters from the address space of the sender. The GetHardErrorText function returns pointers to the caption and text of the message box. If the caption or text parameters start with the \??\ prefix, the function inexplicably frees the buffer and returns a pointer to freed memory. After the message box is closed by the user, the same buffer is freed again in the FreePhi function, resulting in a double free vulnerability.
By sending a second message to CSRSS before the user closes the first message box, it is possible to overwrite the freed memory with arbitrary data before the second free call. This allows an attacker to free a fake malloc chunk that will trigger an arbitrary 4-byte memory overwrite. The vulnerability is trivially exploitable on Windows 2000 and Windows XP before SP2, and might still be exploitable on later systems.
Proof of Concept:
The following piece of code is sufficient to trigger a double free in CSRSS, causing heap corruption and overwriting random memory. The most likely outcome is for the CSRSS request thread to terminate, making it impossible to start new processes or use certain Win32 API functions. In some cases the CSRSS process will crash and cause a blue screen of death.
#include <windows.h>
int main(void) { while (1) { MessageBoxW(NULL, L"\\??\\AAAAAAAA", L"\\??\\AAAAAAAA", MB_SERVICE_NOTIFICATION); } }
Solution:
The GetHardErrorText function in WINSRV.DLL should not free the buffers with the text and caption parameters when they start with the \??\ prefix.
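As an added illustration of the double free described under Technical Details and of the fix described above, the following C model (written for this page, not Determina's, Microsoft's or WINSRV.DLL's code) tracks one caption buffer through the GetHardErrorText/FreePhi sequence with a counting free wrapper instead of a real heap; all function names, the tracking allocator and the sample captions are assumptions, and no message box or CSRSS is involved.

```c
#include <stdlib.h>
#include <wchar.h>

/* Hypothetical model of the flow the advisory describes: the caption is copied
 * out of the sender's address space, handed to the message box code, and
 * released by FreePhi once the box is closed.  Frees go through a tracking
 * wrapper so a second free of the same buffer is counted, not executed. */

static void *g_live_buf;      /* the one outstanding buffer in this model      */
static int   g_double_frees;  /* how often an already-freed buffer was re-freed */

static wchar_t *model_alloc_copy(const wchar_t *src) {
    size_t n = wcslen(src) + 1;
    wchar_t *p = malloc(n * sizeof *p);
    if (p) { wmemcpy(p, src, n); g_live_buf = p; }
    return p;
}

static void model_free(void *p) {
    if (p != NULL && p == g_live_buf) { g_live_buf = NULL; free(p); return; }
    g_double_frees++;         /* p is no longer live: this is the double free */
}

/* Buggy GetHardErrorText as described: a "\??\" prefix frees the buffer, yet
 * the now-dangling pointer is still returned to the caller. */
static wchar_t *get_hard_error_text_buggy(const wchar_t *src) {
    wchar_t *buf = model_alloc_copy(src);
    if (buf && wcsncmp(buf, L"\\??\\", 4) == 0)
        model_free(buf);
    return buf;
}

/* Fixed variant per the Solution section: the prefix check no longer frees. */
static wchar_t *get_hard_error_text_fixed(const wchar_t *src) {
    return model_alloc_copy(src);
}

/* Simulates UserHardError -> user closes the box -> FreePhi for one message
 * and returns how many double frees the tracking wrapper observed (0 or 1). */
int hard_error_double_frees(const wchar_t *caption, int fixed) {
    g_double_frees = 0;
    wchar_t *text = fixed ? get_hard_error_text_fixed(caption)
                          : get_hard_error_text_buggy(caption);
    /* ... message box displayed and closed by the user ... */
    model_free(text);         /* FreePhi */
    return g_double_frees;
}
```

Only a "\??\"-prefixed caption on the buggy path produces a second free; a plain caption, or the fixed path, frees the buffer exactly once.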
Credit:
Discovery: Tim Garnett
Research: Alexander Sotirov, Determina Security Research