Security Advisory SA42356 - Microsoft Windows Kernel Two Privilege Escalation Vulnerabilities

Overview

Advisories

Research

Forums

Create Profile

Our Commitment

Database

Advisories by Product

Advisories by Vendor

Terminology

Report Vulnerability

Insecure Library Loading

Secunia Advisory SA42356

Microsoft Windows Kernel Two Privilege Escalation Vulnerabilities

Secunia Advisory

SA42356

Release Date

2010-11-26

Last Update

2011-02-09

Popularity

6,765 views

Comments

1 comment

Criticality level

Less critical

Impact

Privilege escalation

Where

Local system

Authentication level

This information is available to Secunia VIM customers

Report reliability

This information is available to Secunia VIM customers

Solution Status

Vendor Patch

3rd party PoC/exploit

Link available in Customer Area

Systems affected

This information is available to Secunia VIM customers

Approve distribution

This information is available to Secunia VIM customers

Remediation status

Secunia CSI, Secunia PSI

Automated scanning

Secunia CSI, Secunia PSI

Operating System

Microsoft Windows 7

Microsoft Windows Server 2003 Datacenter Edition

Microsoft Windows Server 2003 Enterprise Edition

Microsoft Windows Server 2003 Standard Edition

Microsoft Windows Server 2003 Web Edition

Microsoft Windows Server 2008

Microsoft Windows Storage Server 2003

Microsoft Windows Vista

Microsoft Windows XP Home Edition

Microsoft Windows XP Professional

Secunia CVSS Score

This information is available to Secunia VIM Customers

CVE Reference(s)

CVE-2010-4398 CVSS score available to Secunia VIM customers
CVE-2011-0045 CVSS score available to Secunia VIM customers

Description

Two vulnerabilities have been reported in Microsoft Windows, which can be exploited by malicious, local users to gain escalated privileges.

1) An error in the "RtlQueryRegistryValues()" function can be exploited to cause a buffer overflow when e.g. called by the "GreEnableEUDC()" function in win32k.sys to copy a specially crafted "SystemDefaultEUDCFont" registry value.

2) A type conversion error in the kernel's support for Trace Events may result in an insufficiently sized buffer being allocated for userspace data, which can be exploited to cause a buffer overflow.

Solution
Apply patches.
Further details available to Secunia VIM customers

Provided and/or discovered by
1) noobpwnftw
2) std_logic via ZDI.

Changelog
Further details available to Secunia VIM customers

Original Advisory
MS11-011 (KB2393802):
http://www.microsoft.com/technet/security/bulletin/ms11-011.mspx

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-11-064/

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Microsoft Windows Kernel Two Privilege Escalation Vulnerabilities

User

Message

henktiggelaar

RE: Microsoft Windows win32k.sys Driver "GreEnableEUDC()" Vulnerability

1st Dec, 2010 11:58

Score: 0
Posts: 1
User Since: 1st Dec 2010
System Score: N/A
Location: NL
Last edited on 1st Dec, 2010 11:58

Workaround:

- Create a subkey "EUDC" directly under "HKEY_CURRENT_USER"
- Open the advanced permissions dialog for the "EUDC" key
- Add the group "Everyone" and deny this group the following permissions:
Query Value
Set Value
Create Subkey
Delete

Was this reply relevant?

-0

Secunia Advisory SA42356

Microsoft Windows Kernel Two Privilege Escalation Vulnerabilities

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?