Computer Security

Microsoft Windows memory corruption
updated since 16.12.2006
SecurityVulns ID:6944
Description: CSRSS memory corruption on MessageBox with MB_SERVICE_NOTIFICATION beginning with "\??\".
Affected: MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
CVE: CVE-2007-1209 (Use-after-free vulnerability in the Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows Vista does not properly handle connection resources when starting and stopping processes, which allows local users to gain privileges by opening and closing multiple ApiPort connections, which leaves a "dangling pointer" to a process data structure.)
 CVE-2006-6797 (The Client Server Run-Time Subsystem (CSRSS) in Microsoft Windows allows local users to cause a denial of service (crash) or read arbitrary memory from csrss.exe via crafted arguments to the NtRaiseHardError function with status 0x50000018, a different vulnerability than CVE-2006-6696.)
 CVE-2006-6696 (Double-free vulnerability in Microsoft Windows 2000, XP, 2003, and Vista allows local users to gain privileges by calling the MessageBox function with a MB_SERVICE_NOTIFICATION message with crafted data, which sends a HardError message to Client/Server Runtime Server Subsystem (CSRSS) process, which is not properly handled when invoking the UserHardError and GetHardErrorText functions in WINSRV.DLL.)
Original document: EEYE, EEYE: Windows Vista CSRSS Dangling Process Pointer Privilege Escalation (11.04.2007)
 MICROSOFT, Microsoft Security Bulletin MS07-021 Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178) (11.04.2007)
 Reversemode, csrss.exe double-free vulnerability - arbitrary DWORD overwrite exploit (31.12.2006)
 3APA3A, Microsoft Windows csrss (?) memory corruption exploited in-the-wild (16.12.2006)
 wins mallow, ms ;) (16.12.2006)
Files: Microsoft MessageBox memory corruption PoC
 Exploits Microsoft Windows NtRaiseHardError Csrss.exe-winsrv.dll Double Free
 exploit NtRaiseHardError privesc and load dll into csrss
 Killer MessageBox from Microsoft
 Windows CSRSS HardError Message Box Vulnerability
 Microsoft Security Bulletin MS07-021 Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod