Signature Detail

HTTP: Microsoft Windows CSRSS HardError Message Box Vulnerability

This signature detects attempts to exploit a known memory corruption vulnerability in Microsoft Windows. It due to improper handling of "HardError" messages in Windows Client/Server Runtime Server Subsystem (CSRSS). A remote unauthenticated attacker can exploit this by enticing the target user to visit a malicious Web site using Internet Explorer. A successful attack allows the remote attackers to execute arbitrary code with the privileges of the System. The behavior of the target is entirely dependent on the intended function of the injected code. An unsuccessful attack results in a kernel error condition, which is also known as the "Blue Screen of Death." The vulnerable system can reboot or halt, which results in a denial-of-service condition.

Extended Description

Double free vulnerability in Microsoft Windows 2000, XP, 2003, and Vista allows local users to gain privileges by calling the MessageBox function with a MB_SERVICE_NOTIFICATION message with crafted data, which sends a HardError message to Client/Server Runtime Server Subsystem (CSRSS) process, which is not properly handled when invoking the UserHardError and GetHardErrorText functions in WINSRV.DLL.

Affected Products

• Microsoft windows_2000 *
• Microsoft windows_2003_server datacenter_edition
• Microsoft windows_2003_server enterprise_edition
• Microsoft windows_2003_server sp1
• Microsoft windows_2003_server standard
• Microsoft windows_2003_server web
• Microsoft windows_vista *
• Microsoft windows_xp *

References

• BugTraq: 21688
• CVE: CVE-2006-6696