Vigil@nce: Windows 2000, 2003, XP, privilege elevation via CSRSS
February 2010 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
A local attacker can start a process that keeps running after they log out and captures data from the next users who connect to the system.
Consequences: administrator access/rights, privileged access/rights, user access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 10/02/2010
Microsoft Windows 2000
Microsoft Windows 2003
Microsoft Windows XP
DESCRIPTION OF THE VULNERABILITY
CSRSS (the Windows Client/Server Run-time Subsystem) manages user threads and processes.
When a user logs out, CSRSS should end that user's processes. However, this is not the case.
A local attacker can therefore start a process that keeps running after they log out and captures data from the next users who connect to the system.
Identifiers: 978037, CVE-2010-0023, MS10-011, VIGILANCE-VUL-9435
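
The behaviour described above (a process outliving the logoff of the session that started it) can be looked for in Security audit records. The following is an added example, not code from Vigil@nce or Microsoft, that correlates process creation, process exit and logoff events per logon session. It assumes process tracking and logon auditing were enabled, uses the Windows 2000/XP/2003 event IDs 592, 593 and 551, and runs on constructed, simplified records; the field layout, the `grace` window and the name `find_survivors` are illustrative.

```python
# Added example, not Vigil@nce or Microsoft code. Records are constructed and
# simplified to (time, event_id, logon_id, pid, image); a real log export
# has to be parsed into this shape first (assumption).
# Event IDs are the Windows 2000/XP/2003 Security log values.
PROCESS_CREATED, PROCESS_EXITED, USER_LOGOFF = 592, 593, 551

SAMPLE_EVENTS = [  # constructed sample data
    (100, 592, "0x1A2B3", 1204, "explorer.exe"),
    (105, 592, "0x1A2B3", 1388, "notepad.exe"),
    (110, 592, "0x1A2B3", 1460, "helper.exe"),
    (200, 593, "0x1A2B3", 1388, "notepad.exe"),   # exits before logoff
    (300, 551, "0x1A2B3", None, None),            # first user logs off
    (301, 593, "0x1A2B3", 1204, "explorer.exe"),  # normal teardown
    (400, 592, "0x2C4D5", 1700, "explorer.exe"),  # next user logs on
    (450, 593, "0x1A2B3", 1460, "helper.exe"),    # outlived its session
]

def find_survivors(events, grace=5):
    """Return (logon_id, pid, image, time_after_logoff) for processes alive
    more than `grace` time units after the logoff of their logon session.
    time_after_logoff is None when no exit record exists in the log."""
    ordered = sorted(events, key=lambda e: e[0])
    live = {}       # (logon_id, pid) -> image of processes not yet exited
    logoff = {}     # logon_id -> time of the user-initiated logoff
    survivors = []
    for time, event_id, logon_id, pid, image in ordered:
        if event_id == PROCESS_CREATED:
            live[(logon_id, pid)] = image
        elif event_id == USER_LOGOFF:
            logoff[logon_id] = time
        elif event_id == PROCESS_EXITED:
            started = live.pop((logon_id, pid), None)
            if started and logon_id in logoff:
                late = time - logoff[logon_id]
                if late > grace:
                    survivors.append((logon_id, pid, started, late))
    # Processes never seen exiting although their session logged off and the
    # log continues past the grace window.
    last_seen = ordered[-1][0] if ordered else 0
    for (logon_id, pid), image in sorted(live.items()):
        if logon_id in logoff and last_seen - logoff[logon_id] > grace:
            survivors.append((logon_id, pid, image, None))
    return survivors

if __name__ == "__main__":
    for hit in find_survivors(SAMPLE_EVENTS):
        print(hit)
```

The grace window absorbs the ordinary teardown of the shell at logoff; it needs tuning to the timestamp unit of the real log.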