The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Windows: privilege elevation via MessageBox

Summary of the vulnerability

An attacker can use MessageBox with MB_SERVICE_NOTIFICATION in order to execute code with system privileges.
Vulnerable systems: Windows 2000, Windows 2003, Windows Vista, Windows XP.
Severity of this threat: 4/4.
Creation date: 22/12/2006.
Revision dates: 27/12/2006, 28/12/2006, 02/01/2007, 11/04/2007.
References of this weakness: 930178, BID-21688, BID-23324, CERTA-2007-AVI-168, CVE-2006-6696, EEYEZD-20061215, MS07-021, VIGILANCE-VUL-6422.

Description of the vulnerability 

The MessageBox() function displays error messages in a window:
  int MessageBox(HWND ownerwindow, LPCTSTR message, LPCTSTR caption, UINT uType);
The uType parameter defines the window's characteristics:
 - MB_YESNO: displays two buttons: Yes and No
 - MB_SERVICE_NOTIFICATION: permits a service to notify the user
 - etc.

When the MB_SERVICE_NOTIFICATION flag is used and the error message starts with \??\, the GetHardErrorText() function of winsrv.dll (called by NtRaiseHardError() and then UserHardErrorEx()) frees a buffer that ends up being freed twice (a double free). This error occurs in CSRSS, which runs with system privileges.

A local attacker can therefore corrupt memory in order to execute code with privileged rights. A remote attacker can also create an HTML page exploiting this vulnerability.
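
The ownership mistake described above, as an added example in C that is not Microsoft's code and not part of the original bulletin: a constructed model in which a callee frees the message buffer on the \??\ path and the caller frees it again, next to a free-once-and-clear variant. All type and function names are hypothetical, and the split of the two frees between callee and caller is an assumption.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model; every name here is hypothetical, not a Windows symbol. */
typedef struct { char *ptr; int free_calls; } msg_buf;

/* Stand-in for the heap free: counts every call but only releases once, so
   the second call is recorded instead of actually corrupting the heap. */
static void counted_free(msg_buf *b) {
    if (++b->free_calls == 1) free(b->ptr);
}

/* Hardened release: free once, then clear the pointer so later calls no-op. */
static void free_and_clear(msg_buf *b) {
    if (b->ptr == NULL) return;
    counted_free(b);
    b->ptr = NULL;
}

static int has_nt_prefix(const char *s) {
    return strncmp(s, "\\??\\", 4) == 0;
}

/* Callee: on the prefixed path it releases the buffer it was handed. */
static void format_text(msg_buf *b, void (*release)(msg_buf *)) {
    if (has_nt_prefix(b->ptr)) release(b);
}

/* Caller: always releases the buffer on exit (assumed ownership split).
   Returns how many times a free was attempted; 2 means a double free. */
static int show_message(const char *text, void (*release)(msg_buf *)) {
    msg_buf b = { malloc(strlen(text) + 1), 0 };
    if (b.ptr == NULL) return -1;
    strcpy(b.ptr, text);
    format_text(&b, release);
    release(&b);
    return b.free_calls;
}

int main(void) {
    const char *samples[] = { "Disk is full", "\\??\\C:\\sample.txt" }; /* constructed */
    for (int i = 0; i < 2; i++)
        printf("%-20s buggy=%d hardened=%d\n", samples[i],
               show_message(samples[i], counted_free),
               show_message(samples[i], free_and_clear));
    return 0;
}
```

Only the prefixed message reaches two free attempts in the unhardened path; clearing the pointer after the first release keeps the count at one.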

This threat alert impacts software or systems such as Windows 2000, Windows 2003, Windows Vista, Windows XP.

Our Vigil@nce team determined that the severity of this computer vulnerability bulletin is critical.

The trust level is "confirmed by the editor", with a document as its origin.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with specialist skills can exploit this weakness.

Solutions for this threat 

Windows: patch for CSRSS.
A patch is available:
Windows 2000 SP4
  http://www.microsoft.com/downloads/details.aspx?FamilyId=909e3b63-4d11-4fe6-849f-1ce960eb62cd
Windows XP SP2
  http://www.microsoft.com/downloads/details.aspx?FamilyId=69876449-25d1-41b4-b7c8-2b7fb40e59ee
Windows XP Professional x64 Edition Gold, SP2
  http://www.microsoft.com/downloads/details.aspx?FamilyId=91fd8716-c1a2-434e-bed0-df9d01e3d685
Windows Server 2003 Gold, SP1, SP2
  http://www.microsoft.com/downloads/details.aspx?FamilyId=4dac667d-b346-461e-8bb5-6112e946349f
Windows Server 2003 Itanium Gold, SP1, SP2
  http://www.microsoft.com/downloads/details.aspx?FamilyId=639de6c7-0928-469a-be68-60ea391fa770
Windows Server 2003 x64 Edition Gold, SP1
  http://www.microsoft.com/downloads/details.aspx?FamilyId=69dbe4bc-05a5-450b-8c72-e431e800d4f3
Windows Vista
  http://www.microsoft.com/downloads/details.aspx?FamilyId=3487b1f0-a383-41a4-a660-2768962b3bcd
Windows Vista x64 Edition
  http://www.microsoft.com/downloads/details.aspx?FamilyId=c46f62e1-dddd-4886-a82b-ebec258a495b