A vulnerability has been reported in the Microsoft Windows Client/Server Runtime Subsystem (CSRSS) that could be exploited by an attacker to execute arbitrary code.
CSRSS is the user-mode portion of the Win32 subsystem. It is responsible for console windows and for creating and deleting threads.
When the MB_SERVICE_NOTIFICATION flag is specified in a call to the MessageBox function of the Windows API, the call uses the NtRaiseHardError syscall to send a HardError message to CSRSS. The message contains the caption and text of a message box that CSRSS displays on behalf of the caller.
The vulnerability is caused by an error in WINSRV.DLL while handling HardError messages in the UserHardError function. UserHardError calls the GetHarderrorText function, which returns pointers to the caption and text of the message box.
If the caption or text parameter starts with the \??\ prefix, GetHarderrorText frees the buffer but still returns a pointer to the freed memory. After the user closes the message box, the same buffer is freed again in the FreePhi function, resulting in a double free.
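As an added illustration (not code from this advisory, from Microsoft, or from any exploit), the following C program models the ownership error described above. A small constructed tracked allocator counts a second free instead of corrupting the heap; `get_text_vulnerable` frees the buffer on the `\??\` prefix and still returns it, as described for GetHarderrorText, and the cleanup step that stands in for FreePhi frees it a second time. `get_text_fixed` shows the hardened contract: the helper never frees what it does not own and returns NULL for the rejected prefix, so the caller frees exactly once. All function names and the allocator are hypothetical; nothing here interacts with CSRSS.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example: a tracked allocator so a second free is counted
 * instead of corrupting the process heap. Not CSRSS or WINSRV.DLL code. */
#define MAX_TRACKED 16

typedef struct {
    void *ptr;
    int freed;
} track_entry;

static track_entry g_track[MAX_TRACKED];
static int g_ntrack = 0;
static int g_double_frees = 0;

/* Allocate a copy of s and register it with the tracker. */
static char *tracked_strdup(const char *s)
{
    size_t len = strlen(s) + 1;
    char *p = malloc(len);
    if (p == NULL || g_ntrack >= MAX_TRACKED) {
        free(p);
        return NULL;
    }
    memcpy(p, s, len);
    g_track[g_ntrack].ptr = p;
    g_track[g_ntrack].freed = 0;
    g_ntrack++;
    return p;
}

/* Free through the tracker: a pointer already marked freed is recorded as a
 * double free and is not passed to free() again. */
static void tracked_free(void *p)
{
    for (int i = 0; i < g_ntrack; i++) {
        if (g_track[i].ptr == p) {
            if (g_track[i].freed) {
                g_double_frees++;
                return;
            }
            g_track[i].freed = 1;
            free(p);
            return;
        }
    }
}

/* Release anything still live and clear counters between scenarios. */
static void tracked_reset(void)
{
    for (int i = 0; i < g_ntrack; i++) {
        if (!g_track[i].freed)
            free(g_track[i].ptr);
    }
    g_ntrack = 0;
    g_double_frees = 0;
}

/* Hypothetical model of the flawed helper: on the "\??\" prefix it frees the
 * buffer but still hands the (now dangling) pointer back to its caller. */
static char *get_text_vulnerable(char *buf)
{
    if (strncmp(buf, "\\??\\", 4) == 0) {
        tracked_free(buf);
        return buf;
    }
    return buf;
}

/* Hardened model: the helper never frees what it does not own; for the
 * rejected prefix it returns NULL and the caller frees the buffer once. */
static char *get_text_fixed(char *buf)
{
    if (strncmp(buf, "\\??\\", 4) == 0)
        return NULL;
    return buf;
}

/* Model of the message flow: receive a caption, resolve the display text via
 * the helper, "show" it, then release the buffer in cleanup (the FreePhi step).
 * Returns the number of double frees the tracker observed, or -1 on failure. */
static int simulate_hard_error(const char *caption, char *(*get_text)(char *))
{
    tracked_reset();
    char *buf = tracked_strdup(caption);
    if (buf == NULL)
        return -1;
    char *shown = get_text(buf);
    (void)shown;            /* display omitted; the text is never dereferenced */
    tracked_free(buf);      /* cleanup after the message box is dismissed */
    return g_double_frees;
}

int main(void)
{
    printf("benign caption, flawed helper:  %d double free(s)\n",
           simulate_hard_error("Service notice", get_text_vulnerable));
    printf("\\??\\ caption, flawed helper:    %d double free(s)\n",
           simulate_hard_error("\\??\\C:\\example", get_text_vulnerable));
    printf("\\??\\ caption, hardened helper:  %d double free(s)\n",
           simulate_hard_error("\\??\\C:\\example", get_text_fixed));
    return 0;
}
```

The tracker plays the role a heap debugger or sanitizer would in practice: the defect is only visible because ownership is recorded out of band. The fix is a contract change, not an extra free: a lookup helper that receives a caller-owned buffer must never release it, so the one release in the caller's cleanup path stays the only one.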
An attacker could exploit this vulnerability by creating a specially crafted message box to execute arbitrary code within CSRSS.exe and could elevate privileges to the system level.
It may be noted that exploit code for this vulnerability is available on the Internet.
The information provided herein is on "as is" basis, without warranty of any kind.