Microsoft Windows CSRSS Local Privilege Elevation Vulnerability

windows:csrss:local priv escal:vulnerability:security:hacking
Today is Exploit Wednesday, so it means that yesterday was Patch Tuesday. So, as every month, Microsoft published Microsoft Security Bulletin Summary (for February 2010) and a couple of patches. One of the vulnerabilities included in the summary (there are 25 altogether) was researched by j00ru and me (in this exact order - j00ru has found it, and we cooperated in researching the possibility of a successful exploitation) - it's the csrss.exe one, which could allow, inter alia, local privilege elevation or information disclosure.

Vulnerability ID (in Microsoft's notation): MS10-011
CVE: CVE-2010-0023 (at this moment there is nothing there)

Affected version:
* Windows 2000 x86 SP4
* Windows XP x86 SP2 i SP3
* Windows XP x86-64 SP2
* Windows Server 2003 x86 SP2
* Windows Server 2003 x86-64 SP2
* Windows Server 2003 Itanium SP2
(as one can see, there is no Vista, W7, nor 2008 here ;>)

At this moment I won't reveal much detail :) (but they will be revealed later for sure)
All I can say it that this specific vulnerability (and believe me, it's very specific) allows the survival of a given application of the user log out process. So, if the attacker has a user account on the PC (?terminal?) he can launch some app and log off. When another user (the admin?) logs in, the attackers application is still in the background. Even more! It can interact with the logged in user session: create windows, log keystrokes, send keystrokes, etc.
As one can see, this is not a standard 'click and root' type of exploit. Exploiting this vulnerability is a lot different... which makes this vulnerability almost unusable in the wild (except for malware to gain priv elev.), but at the same time, it's very interesting because of it :)

That's it for now :)


2010-02-10 15:16:49 = Four Evil Monkeys
Cool. This one looks particularly intresting and we'll be certainly waiting for details.
2010-02-10 17:30:41 = Ivan
Nice job. Btw i saw the vuln was from CsrRemoveThread() into csrsrv.dll but i didn't investigate more :p
2010-02-12 02:31:55 = Dreg
nice work! waiting for details :-)
2010-02-22 15:10:50 = Gynvael Coldwind
@Four Evil Monkeys
Guess the details will be published in April/May.. Maybe sooner, but not this month :)

Thanks :)
Hehe, no details yet :)

Thanks! :)

Add a comment:

URL (optional):
Math captcha: 3 ∗ 1 + 10 =