201407AnalysisandExploitofCSRSSVulnerabilitiesbasedonWindowsLIMeng-zhe1,WUXue-li2,ZHANGTao1,WENWei-ping1(1.SchoolofSoftware&Microelectronics,PekingUniversity,Beijing102600,China;2.ChinaPetroleumGroupDongfangGeophysicalExplorationCo.,Ltd.,ChangqingShanxi710021,China)Abstract:Withadvancesintechnology,Windowsoperatingsystemhasimprovedsteadily.Thecombinationofmanymemoryprotectionmechanismsmakesthetraditionalbuffer-overflow-basedattackstobemoreuseless.Inthiscase,thekernelvulnerabilitiescanbeusedtobreakthroughthesecuritylineofdefenseasastartingpoint.IfthesevulnerabilitiesareusedbyvirusesandTrojans,thedefenseofsecuritysoftwarewillbecollapsed.Thatmeansaheavyblowtothesystemsecurity.SincetheMicrosoftWindowsNT'sdevelopment,theoperatingsystemhasbeendesignedtosupportanumberofdifferentsubsystems,suchasPOSIXorOS/2.ThispaperopensaseriesofCSRSS-orientedstudy,aimingatdescribingtheuncoveredCSRSSmechanisminternals.Althoughsomegreatresearchhasalreadybeencarriedoutbysomearticles,nothoroughcasestudyisavailableuntilnow.Thispapercoversboththeverybasicideasandtheirimplementations,aswellastherecentCSRSSchangesappliedinmodernoperatingsystems.Inaddition,standingonthepointofsafety,inthispaper,theWindowskernelvulnerabilitiesareclassified,asetofvulnerabilityresearchprocessispresented.Accordingtotheprocess,thisarticlestudieslocalprivilegeescalationvulnerabilityanddenialofservicevulnerabilityaboutCSRSS.ThroughtheanalysisoftheCVE-2011-1281vulnerability,use-after-freeexploitnotonlyappearsinthebrowservulnerabilities,butalsointhesoftwareofthesystem.Keywords:Windowssubsystem;CSRSS;Windowskernel;vulnerabilitiesstudydoi10.3969/j.issn.1671-1122.2014.07.005201407201407201407201407201407201407201407……�……………………�……�………201407……�…………�…………�201407
