Vigil@nce: Windows, code execution via Workstation Service
August 2009 by Vigil@nce
SYNTHESIS OF THE VULNERABILITY
An authenticated attacker can generate a double memory free in Workstation Service in order to elevate his privileges.
Consequences: administrator access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 12/08/2009
Microsoft Windows 2003
Microsoft Windows 2008
Microsoft Windows Vista
Microsoft Windows XP
DESCRIPTION OF THE VULNERABILITY
The Workstation Service is enabled by default, and provides access to shared resources.
An authenticated attacker can send a malicious RPC NetrGetJoinInformation message to the service, in order to force it to free the same memory area twice. This double free corrupts the heap and leads to code execution with SYSTEM privileges.
A local attacker can thus elevate his privileges.
Identifiers: 971657, BID-35972, CVE-2009-1544, MS09-041, TPTI-09-06, VIGILANCE-VUL-8941
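The practical defender check for this advisory is whether the MS09-041 update (KB971657, listed in the identifiers above) is present on the affected Windows hosts and whether the Workstation Service is still running. The script below is an added example, not part of the Vigil@nce advisory; it assumes Windows PowerShell with the `Get-HotFix` and `Get-Service` cmdlets (the `-ComputerName` parameters are for remote hosts reachable over WMI/RPC) and that the Workstation Service is registered under its standard service name `LanmanWorkstation`.

```powershell
# Added example (not part of the Vigil@nce advisory): report, per host, whether
# KB971657 (MS09-041) is installed and whether the Workstation Service is running.
# Host names passed via -ComputerName are illustrative assumptions.
param([string[]]$ComputerName = @($env:COMPUTERNAME))

foreach ($c in $ComputerName) {
    # Get-HotFix reads Win32_QuickFixEngineering; unreachable hosts yield $null
    $fix = Get-HotFix -Id 'KB971657' -ComputerName $c -ErrorAction SilentlyContinue
    # LanmanWorkstation is the service name of the Workstation Service
    $svc = Get-Service -Name 'LanmanWorkstation' -ComputerName $c -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Computer       = $c
        KB971657       = [bool]$fix
        InstalledOn    = if ($fix) { $fix.InstalledOn } else { $null }
        WorkstationSvc = if ($svc) { $svc.Status } else { 'unknown' }
        # Exposed: update missing and the vulnerable service is running
        Exposed        = (-not $fix) -and ($svc -and $svc.Status -eq 'Running')
    }
}
```

Run it as `.\Check-MS09-041.ps1 -ComputerName host1,host2` and review rows where `Exposed` is `True`. Because a local attacker only needs a user shell (see the provenance above), every host that accepts interactive or terminal-server logons from ordinary users is in scope; a missing entry in `Get-HotFix` should be confirmed against your patch-management system, since QFE records can be incomplete when updates are delivered in other forms.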