Vigil@nce: Vista, privilege elevation
November 2008 by Vigil@nce
SYNTHESIS
A local attacker who is a member of the Network Configuration
Operators group can corrupt memory in order to elevate his privileges.
Gravity: 1/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: 2 proofs of concept
Ability of attacker: specialist (3/4)
Confidence: unique source (2/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 20/11/2008
IMPACTED PRODUCTS
– Microsoft Windows Vista
DESCRIPTION
Members of the Network Configuration Operators group are allowed
to alter the network configuration of the system.
The CreateIpForwardEntry2() function adds an IP route. A route is
defined with a prefix length indicating the mask to apply (for example,
"192.168.1.0/24" has a prefix length of 24).
When the DestinationPrefix.PrefixLength field of the
MIB_IPFORWARD_ROW2 structure is greater than 128, the call to
CreateIpForwardEntry2() corrupts memory.
A local attacker who is a member of the Network Configuration
Operators group can thus elevate his privileges.
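The missing bound described above, written as a caller-side check (an added example, not code from the advisory or from Microsoft). The route_prefix struct, the status names and validate_route_prefix() are hypothetical stand-ins for the DestinationPrefix field, and the host-bits test goes beyond what the advisory describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for DestinationPrefix (IP_ADDRESS_PREFIX in <netioapi.h>)
   so the check compiles on any platform; not the Windows definition itself. */
enum { FAM_INET = 2, FAM_INET6 = 23 };  /* AF_INET / AF_INET6 values on Windows */

typedef struct {
    uint16_t family;         /* address family of the prefix */
    uint8_t  addr[16];       /* network-order bytes; IPv4 uses the first 4 */
    uint8_t  prefix_length;  /* 8-bit field, so it can hold up to 255 */
} route_prefix;

typedef enum { PREFIX_OK, PREFIX_BAD_FAMILY, PREFIX_TOO_LONG, PREFIX_HOST_BITS } prefix_status;

/* Reject a destination prefix before it is handed to the route-creation call. */
prefix_status validate_route_prefix(const route_prefix *p)
{
    int max_bits;
    if (p->family == FAM_INET)       max_bits = 32;
    else if (p->family == FAM_INET6) max_bits = 128;
    else return PREFIX_BAD_FAMILY;

    /* The bound the advisory is about: the length must fit the address width. */
    if (p->prefix_length > max_bits) return PREFIX_TOO_LONG;

    /* Extra strictness chosen for this example: no bits set past the prefix. */
    for (int bit = p->prefix_length; bit < max_bits; bit++)
        if (p->addr[bit / 8] & (0x80u >> (bit % 8))) return PREFIX_HOST_BITS;
    return PREFIX_OK;
}

int main(void)
{
    /* Constructed sample rows, not taken from the advisory's proofs of concept. */
    route_prefix rows[] = {
        { FAM_INET,  {192, 168, 1, 0}, 24 },           /* the advisory's example route */
        { FAM_INET,  {192, 168, 1, 0}, 33 },           /* longer than an IPv4 address */
        { FAM_INET6, {0x20, 0x01, 0x0d, 0xb8}, 129 },  /* the "greater than 128" case */
        { FAM_INET,  {192, 168, 1, 5}, 24 },           /* bits set past the prefix */
    };
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("row %zu -> status %d\n", i, (int)validate_route_prefix(&rows[i]));
    return 0;
}
```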
CHARACTERISTICS
Identifiers: BID-32357, VIGILANCE-VUL-8259