Vigil@nce - Windows: privilege escalation via pprFlattenRec
June 2013 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use a PATHRECORD object to corrupt memory in the
Windows win32k!EPATHOBJ::pprFlattenRec() function, in order to
escalate his privileges.
Impacted products: Windows 2003, Windows 2008, Microsoft Windows
2012, Windows 7, Windows 8, Windows RT, Windows Vista, Windows XP
Severity: 2/4
Creation date: 21/05/2013
DESCRIPTION OF THE VULNERABILITY
The EPATHOBJ::pprFlattenRec() function of the win32k.sys driver
uses an internal PATHRECORD object, which is a doubly linked list.
However, one of the pointers is not initialized before being used.
An attacker can therefore use a PATHRECORD object to corrupt memory
in the Windows win32k!EPATHOBJ::pprFlattenRec() function, in order
to escalate his privileges.
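The bug class described above, as an added example that is neither Windows code nor part of the Vigil@nce bulletin: a simplified C model in which a list record taken from a recycled pool keeps a stale next pointer, beside a hardened constructor that writes every field before linking the record. The rec type, the pool and all function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, NOT Windows code: every name here is hypothetical. */
typedef struct rec { struct rec *next, *prev; int points; } rec;

#define POOL_SLOTS 4
static rec pool[POOL_SLOTS];
static int pool_used;

/* Fixed arena; pool_recycle() hands slots out again WITHOUT clearing them,
   so a reused slot still holds whatever its previous owner wrote. */
static rec *pool_take(void) { return pool_used < POOL_SLOTS ? &pool[pool_used++] : NULL; }
static void pool_recycle(void) { pool_used = 0; }

/* Flawed: sets prev and the payload but leaves next as found in the slot. */
rec *new_rec_flawed(rec *tail, int points) {
    rec *r = pool_take();
    if (!r) return NULL;
    r->prev = tail; r->points = points;
    if (tail) tail->next = r;
    return r;
}

/* Hardened: the whole record is zeroed before it becomes reachable. */
rec *new_rec_hardened(rec *tail, int points) {
    rec *r = pool_take();
    if (!r) return NULL;
    memset(r, 0, sizeof *r);
    r->prev = tail; r->points = points;
    if (tail) tail->next = r;
    return r;
}

/* Walks next pointers; limit bounds a walk through a corrupted list. */
int list_length(const rec *head, int limit) {
    int n = 0;
    while (head && n < limit) { n++; head = head->next; }
    return n;
}

/* Builds a 3-record list, recycles the pool, then builds a 1-record list
   and returns how many records a traversal of the new list visits. */
int demo(int hardened) {
    rec *(*mk)(rec *, int) = hardened ? new_rec_hardened : new_rec_flawed;
    memset(pool, 0, sizeof pool);
    pool_recycle();
    rec *a = new_rec_hardened(NULL, 1), *b = new_rec_hardened(a, 2);
    new_rec_hardened(b, 3);
    pool_recycle();
    return list_length(mk(NULL, 9), 16);
}

int main(void) { printf("flawed=%d hardened=%d\n", demo(0), demo(1)); return 0; }
```

With the flawed constructor the traversal of a one-record list visits three records, because the stale next pointer leads into records that belong to the earlier list.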
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Windows-privilege-escalation-via-pprFlattenRec-12849