Computer Security
[EN] securityvulns.ru
Microsoft Windows memory corruption
updated since 16.12.2006
Published: 11.04.2007
Source: WINS
SecurityVulns ID: 6944
Type: library
Level: 7/10
Description: CSRSS memory corruption on MessageBox with MB_SERVICE_NOTIFICATION beginning with "\??\".
Affected: MICROSOFT : Windows 2000 Server
 MICROSOFT : Windows 2000 Professional
 MICROSOFT : Windows XP
 MICROSOFT : Windows 2003 Server
 MICROSOFT : Windows Vista
CVE: CVE-2007-1209 (Use-after-free vulnerability in the Client/Server Run-time Subsystem (CSRSS) in Microsoft Windows Vista does not properly handle connection resources when starting and stopping processes, which allows local users to gain privileges by opening and closing multiple ApiPort connections, which leaves a "dangling pointer" to a process data structure.)
 CVE-2006-6797 (The Client Server Run-Time Subsystem (CSRSS) in Microsoft Windows allows local users to cause a denial of service (crash) or read arbitrary memory from csrss.exe via crafted arguments to the NtRaiseHardError function with status 0x50000018, a different vulnerability than CVE-2006-6696.)
 CVE-2006-6696 (Double-free vulnerability in Microsoft Windows 2000, XP, 2003, and Vista allows local users to gain privileges by calling the MessageBox function with a MB_SERVICE_NOTIFICATION message with crafted data, which sends a HardError message to Client/Server Runtime Server Subsystem (CSRSS) process, which is not properly handled when invoking the UserHardError and GetHardErrorText functions in WINSRV.DLL.)
Original documents: EEYE, EEYE: Windows Vista CSRSS Dangling Process Pointer Privilege Escalation (11.04.2007)
 MICROSOFT, Microsoft Security Bulletin MS07-021 Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178) (11.04.2007)
 Reversemode, csrss.exe double-free vulnerability - arbitrary DWORD overwrite exploit (31.12.2006)
 3APA3A, Microsoft Windows csrss (?) memory corruption exploited in-the-wild (16.12.2006)
 wins mallow, ms ;) (16.12.2006)
Files: Microsoft MessageBox memory corruption PoC
 Exploits Microsoft Windows NtRaiseHardError Csrss.exe-winsrv.dll Double Free
 exploit NtRaiseHardError privesc and load dll into csrss
 The killer MessageBox from Microsoft
 Windows CSRSS HardError Message Box Vulnerability
 Microsoft Security Bulletin MS07-021 Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)
Discuss: Read or add your comments to this news (2 comments)

  anonimous: MessageBox  22.12.2006 15:00:26
 Compiler: Lcc-win32
Tested under VMware on 2003-SP1 and XP-SP2

No bugs at all
  Dimchansky: exploit in C#  18.12.2006 15:38:40
 // mbox.cs
using System;
using System.Runtime.InteropServices; ...

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod