There is an integer overflow in the BaseSrvActivationContextCacheDuplicateUnicodeString function in the sxssrv.dll module of the CSRSS process.
The vulnerable function can be reached from the BaseSrvSxsCreateActivationContextFromMessage CSR routine. However, the default size of the CSR shared memory section is only 0x10000 bytes, so by default it is impossible to pass a large enough UNICODE_STRING to CSRSS. Fortunately, the section size is controlled entirely by the client process, and an attacker who can modify ntdll!CsrpConnectToServer early enough during process startup will be able to pass strings larger than 0x10000 in size.
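The page does not show where the arithmetic goes wrong, so the following is an added illustration of the bug class only, not code from sxssrv.dll. It assumes the common form of this defect in a counted UTF-16 string duplicate, where room for the terminator is added in 16-bit arithmetic, and places it beside a checked version; the type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical counted UTF-16 string with 16-bit byte lengths, modelled on
   the UNICODE_STRING field layout. Not the sxssrv.dll definition. */
typedef struct {
    uint16_t length;          /* bytes in use, terminator not included */
    uint16_t maximum_length;  /* bytes allocated */
    uint16_t *buffer;
} counted_wstr;

/* Unsafe pattern (assumed form of the defect): the terminator is added in
   16-bit arithmetic, so a length of 0xFFFE wraps to an allocation size of 0. */
uint16_t alloc_size_unchecked(uint16_t length) {
    return (uint16_t)(length + sizeof(uint16_t));
}

/* Checked form: compute in size_t and reject odd lengths and any result that
   does not fit the 16-bit field. Returns 0 on success, -1 on rejection. */
int alloc_size_checked(uint16_t length, uint16_t *out) {
    size_t need = (size_t)length + sizeof(uint16_t);
    if ((length & 1) || need > UINT16_MAX)
        return -1;
    *out = (uint16_t)need;
    return 0;
}

/* Duplicate src into dst with a terminator; every size is validated before
   the allocation and the copy. Returns 0 on success, -1 on rejection. */
int duplicate_checked(const counted_wstr *src, counted_wstr *dst) {
    uint16_t size;
    if (!src || !dst || (src->length && !src->buffer))
        return -1;
    if (src->length > src->maximum_length)
        return -1;
    if (alloc_size_checked(src->length, &size) != 0)
        return -1;
    uint16_t *buf = malloc(size);
    if (!buf)
        return -1;
    if (src->length)
        memcpy(buf, src->buffer, src->length);
    buf[src->length / 2] = 0;   /* terminator fits: size == length + 2 */
    dst->length = src->length;
    dst->maximum_length = size;
    dst->buffer = buf;
    return 0;
}
```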