Vigil@nce: Windows, privilege elevation
October 2009 by Vigil@nce
A local attacker can use three vulnerabilities of the Windows
kernel, in order to generate a denial of service or to execute
code with system privileges.
Severity: 2/4
Consequences: administrator access/rights
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 3
Creation date: 14/10/2009
IMPACTED PRODUCTS
– Microsoft Windows 2000
– Microsoft Windows 2003
– Microsoft Windows 2008
– Microsoft Windows Vista
– Microsoft Windows XP
DESCRIPTION OF THE VULNERABILITY
Three vulnerabilities were announced in the Windows kernel.
A local attacker can use PAE (Physical Address Extension - memory
size > 4Gb), and force the truncation of a 64 bits integer to 32
bits. After this error, a number becomes negative, and then the
memory is corrupted, which leads to code execution. [grav:2/4;
BID-36623, CVE-2009-2515]
A local attacker can place a malicious PE application in a
directory, and invite the victim to browse this directory. The
kernel then uses a NULL pointer, which leads to code execution.
[grav:2/4; BID-36624, CVE-2009-2516, NSFOCUS SA2009-03]
Under Windows Server 2003 SP2, a local attacker can generate an
exception, in order to block the system. [grav:1/4; BID-36625,
CVE-2009-2517]
A local attacker can therefore generate a denial of service or
execute code with system privileges.
CHARACTERISTICS
Identifiers: 971486, BID-36623, BID-36624, BID-36625,
CVE-2009-2515, CVE-2009-2516, CVE-2009-2517, MS09-058, NSFOCUS
SA2009-03, VIGILANCE-VUL-9090
http://vigilance.fr/vulnerability/Windows-privilege-elevation-9090