Vigil@nce: Windows, code execution via Workstation Service
August 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can trigger a double free in the
Workstation Service in order to elevate his privileges.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 12/08/2009
IMPACTED PRODUCTS
– Microsoft Windows 2003
– Microsoft Windows 2008
– Microsoft Windows Vista
– Microsoft Windows XP
DESCRIPTION OF THE VULNERABILITY
The Workstation Service is enabled by default, and provides access
to shared resources.
An authenticated attacker can send a malicious NetrGetJoinInformation
RPC message to the service, forcing it to free the same memory area
twice. This double free corrupts memory and leads to code execution
with system privileges.
A local attacker can thus elevate his privileges.
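Added check, not part of the Vigil@nce advisory: a PowerShell function that reports whether a host is still exposed to this issue. It assumes PowerShell 2.0 or later, that the fix is registered under the KB number quoted in the advisory (971657), that "LanmanWorkstation" is the service name behind "Workstation Service", and that matching the OS caption against the advisory's product list is a coarse check, not an exact one.

```powershell
# Added example (not the advisory's own code): report exposure to MS09-041.
function Test-MS09041Exposure {
    $os = Get-WmiObject Win32_OperatingSystem

    # Product families the advisory lists as impacted (caption substring match).
    $impacted = @('Windows XP', 'Windows Vista', 'Server 2003', 'Server 2008')
    $osImpacted = $false
    foreach ($name in $impacted) {
        if ($os.Caption -like "*$name*") { $osImpacted = $true }
    }

    # Get-HotFix raises an error when the KB is absent; treat that as unpatched.
    $patched = $false
    try {
        if (Get-HotFix -Id 'KB971657' -ErrorAction Stop) { $patched = $true }
    } catch {
        $patched = $false
    }

    # The Workstation Service is enabled by default; confirm it is running.
    $svc = Get-Service -Name 'LanmanWorkstation' -ErrorAction SilentlyContinue
    $running = ($svc -ne $null -and $svc.Status -eq 'Running')

    New-Object PSObject -Property @{
        Host                  = $env:COMPUTERNAME
        OS                    = $os.Caption
        OSImpacted            = $osImpacted
        KB971657Installed     = $patched
        WorkstationSvcRunning = $running
        # Exposed only when the OS is in scope, the fix is missing,
        # and the service is actually up.
        Exposed               = ($osImpacted -and -not $patched -and $running)
    }
}

Test-MS09041Exposure | Format-List
```

On a fleet, run the function through Invoke-Command and filter on the Exposed field to list hosts that still need the update.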
CHARACTERISTICS
Identifiers: 971657, BID-35972, CVE-2009-1544, MS09-041,
TPTI-09-06, VIGILANCE-VUL-8941
http://vigilance.fr/vulnerability/Windows-code-execution-via-Workstation-Service-8941