Vigil@nce: Windows, privilege elevation via NtUserCheckAccessForIntegrityLevel
July 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can call the NtUserCheckAccessForIntegrityLevel()
system call with an invalid process id, in order to cause a denial of
service or to execute code with system privileges.
– Severity: 2/4
– Creation date: 01/07/2010
DESCRIPTION OF THE VULNERABILITY
The NtUserCheckAccessForIntegrityLevel() system call is reached from
user mode through user32.dll and implemented by the kernel-mode win32k.sys
driver. It is called as:
NtUserCheckAccessForIntegrityLevel(pid1, pid2, &result);
However, when pid1 is not the id of an existing process, a process
object obtained through LockProcessByClientId() is released twice on
the error path (a double free), which corrupts kernel memory.
A local attacker can therefore call NtUserCheckAccessForIntegrityLevel()
with an invalid pid1, in order to crash the system (denial of service)
or, if the freed memory can be reused under the attacker's control, to
execute code in the kernel with system privileges.
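The following C program is an added illustration of the bug class described above; it is not win32k.sys code and does not reproduce the real syscall. It models a process object that LockProcessByClientId() locks by taking a reference and that must be released exactly once. In the vulnerable variant an invalid pid1 makes the error path release the other process object and the common exit release it again, so the object is freed while its owner still uses it. The hardened variant releases every locked object once. The lock order, field names, the "caller integrity >= target integrity" access rule and the sample process table are assumptions made for the model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Added illustration, not win32k.sys code: a user-mode model of a
 * reference-counted "process object" that is locked by client id.
 * refcount 1 = held only by its owner, 0 = freed. Releasing an object
 * twice drops a reference the caller never took, freeing it while the
 * owner still uses it (the kernel memory corruption behind the bulletin).
 */
typedef struct {
    unsigned long pid;
    int refcount;        /* 1 = owner only; 0 = freed */
    unsigned integrity;  /* mandatory label RID (assumed field) */
} process_t;

enum { NPROC = 3 };
static process_t g_procs[NPROC];
static int g_writes_to_freed;  /* releases that touched a freed object */

/* Constructed sample process table; call before each scenario. */
void reset_model(void) {
    const process_t init[NPROC] = {
        { 4,    1, 0x4000 },  /* system-integrity process */
        { 1234, 1, 0x2000 },  /* medium-integrity process */
        { 5678, 1, 0x1000 },  /* low-integrity process */
    };
    for (int i = 0; i < NPROC; i++) g_procs[i] = init[i];
    g_writes_to_freed = 0;
}

static process_t *find_process(unsigned long pid) {
    for (int i = 0; i < NPROC; i++)
        if (g_procs[i].pid == pid) return &g_procs[i];
    return NULL;
}

/* Reference count of a pid, or -1 if the pid was never in the table. */
int refcount_of(unsigned long pid) {
    process_t *p = find_process(pid);
    return p ? p->refcount : -1;
}

/* Model of LockProcessByClientId(): take a reference; NULL for an
 * invalid (unknown or already freed) pid. */
static process_t *lock_process_by_client_id(unsigned long pid) {
    process_t *p = find_process(pid);
    if (p == NULL || p->refcount <= 0) return NULL;
    p->refcount++;
    return p;
}

/* Drop one reference; reaching 0 frees the object. */
static void unlock_process(process_t *p) {
    if (p == NULL) return;
    if (p->refcount <= 0) { g_writes_to_freed++; return; } /* write to freed memory */
    p->refcount--;
}

/* Vulnerable pattern: with an invalid pid1 the target object is released
 * on the error path and once more at the common exit. */
bool check_access_vulnerable(unsigned long pid1, unsigned long pid2, bool *result) {
    process_t *target = NULL, *caller = NULL;
    bool ok = false;

    target = lock_process_by_client_id(pid2);
    if (target == NULL) goto out;
    caller = lock_process_by_client_id(pid1);
    if (caller == NULL) {
        unlock_process(target);  /* BUG: first release ... */
        goto out;                /* ... and 'out' releases target again */
    }
    *result = caller->integrity >= target->integrity;  /* assumed rule */
    ok = true;
out:
    unlock_process(caller);
    unlock_process(target);
    return ok;
}

/* Hardened form: each lock is released exactly once, at the single exit. */
bool check_access_fixed(unsigned long pid1, unsigned long pid2, bool *result) {
    process_t *target = NULL, *caller = NULL;
    bool ok = false;

    target = lock_process_by_client_id(pid2);
    if (target == NULL) goto out;
    caller = lock_process_by_client_id(pid1);
    if (caller == NULL) goto out;  /* let the common exit release target */
    *result = caller->integrity >= target->integrity;  /* assumed rule */
    ok = true;
out:
    unlock_process(caller);
    unlock_process(target);
    return ok;
}

int main(void) {
    bool r = false;
    reset_model();
    check_access_vulnerable(99999, 5678, &r);  /* invalid pid1 */
    printf("vulnerable: refcount(5678)=%d (0 = freed while in use)\n", refcount_of(5678));
    reset_model();
    check_access_fixed(99999, 5678, &r);
    printf("fixed:      refcount(5678)=%d\n", refcount_of(5678));
    return 0;
}
```

The model shows why the bug is a double free rather than a leak: the extra release drops the owner's own reference, so the next allocation of that pool memory overlaps an object the kernel still dereferences. In the real kernel that is what turns an invalid pid into a crash or, with controlled reallocation, into code execution.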
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN