Windows Vista CSRSS Dangling Process Pointer Privilege Escalation

Release Date:
April 10, 2007

Date Reported:
January 19, 2007

Severity:
Medium (Local Privilege Escalation to SYSTEM)

Vendor:
Microsoft

Systems Affected:
Windows Vista

Overview:
eEye Digital Security has discovered a local privilege escalation
vulnerability in Windows Vista that allows a program executing without
privileges to fully compromise an affected system.  A malicious user or
malware program could exploit this vulnerability to execute arbitrary
code with SYSTEM privileges within the CSRSS process, permitting the
bypass of Vista's vaunted user privilege limitations and administrator
approval mode.

By establishing and closing multiple connections to CSRSS's "ApiPort",
an application may cause a private data structure within CSRSS that
describes its process to be used after it has been freed, creating an
exploitable "dangling pointer" condition.  This vulnerability is
entirely separate from the CSRSS NtRaiseHardError message box flaw
publicly disclosed in December 2006, although both affect code within
the CSRSS process.

It is interesting to note that this vulnerability only affects Windows
Vista, due to new, flawed code added to CSRSRV.DLL in support of
functionality introduced in Vista.

Technical Details:
Starting with Windows Vista, an extended form of Local Procedure Call
(LPC) known as Advanced Local Procedure Call (ALPC) is used in place of
legacy LPC for communicating with CSRSS.  Each new process establishes
an ALPC connection to the "ApiPort" of its session's CSRSS
("\Windows\ApiPort" or "\Sessions\<sessionid>\Windows\ApiPort"), which
it uses to communicate various events and requests.

As part of its duties, CSRSS maintains an internal doubly-linked list of
structures corresponding to the processes in the session it serves.
With the introduction of ALPC, CSRSS can associate an ALPC connection
with the process structure corresponding to the calling process, by
using a pointer field within the connection's context attribute.  (Prior
to this capability, CSRSS looked up the process structure according to
the caller's PID.)

Unfortunately, there are multiple places within CSRSS where it is
wrongly assumed that a process will only make one "ApiPort" connection;
perhaps the worst is CSRSRV.DLL!CsrApiRequestThread, which extracts and
uses the process structure pointer from a connection's context
attribute.  Each process structure contains a reference count which is
not incremented when a new ALPC connection is established (the initial
count allows for one connection), but may be decremented when a
connection is closed.  As a result, it is possible to establish multiple
"ApiPort" connections, then destroy the client's process structure by
closing the first connection, and finally, close or otherwise generate
activity on the second connection to cause the defunct process structure
pointer to be improperly reused.

This oversight allows an attacker to act upon memory that either is free
or has since been reallocated for another purpose.  With enough careful
crafting, an attacker may free the process structure by closing the
first connection (NTDLL.DLL!CsrPortHandle is not protected on Vista),
replace the heap memory formerly occupied by the process structure with
arbitrary data, and then cause this arbitrary data to be dereferenced
and destroyed like a process structure, by closing the second
connection.  (This is not to suggest that an exploit will only open two
connections, however, as a close message may not be generated for the
second connection unless a third connection also exists.)

Once this sequence completes, execution within CSRSS may be diverted to

然后还有这里
https://www.securinfos.info/english/the-week-of-vista-bugs.php
an attacker-supplied function pointer.