Vigil@nce - Windows: privilege elevation via win32k.sys
June 2010 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can exploit three vulnerabilities in the win32k.sys
driver to elevate their privileges.
Severity: 2/4
Creation date: 09/06/2010
DESCRIPTION OF THE VULNERABILITY
The win32k.sys driver implements, among other things, the management
of windows, the keyboard and the screen. It is affected by three
vulnerabilities.
A local attacker can change certain kernel objects via GetDCEx(),
in order to corrupt memory. [severity:2/4; BID-40508,
CVE-2010-0484]
A local attacker can create windows with malicious parameters, in
order to corrupt memory. [severity:2/4; BID-40569,
CVE-2010-0485]
A local attacker can use a TrueType font with a malicious
outline, in order to corrupt memory. [severity:2/4; BID-40570,
CVE-2010-1255]
A local attacker can therefore exploit these three vulnerabilities in
the win32k.sys driver to elevate their privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-privilege-elevation-via-win32k-sys-9688