Vulnerability Name:

CVE-2008-3636 (CCN-45012)

Assigned: 2008-09-09
Published: 2008-09-09
Updated: 2018-10-11
Summary: Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges.
Note: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\.\GEARAspiWDMDevice in this GEARAspiWDM.sys. However, the root cause is the integer overflow in the API call itself.
CVSS v3 Severity: 9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:
Scope (S): Changed
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-189
Vulnerability Consequences: Gain Privileges
References:
Source: MITRE
Type: CNA
CVE-2008-3636

Source: APPLE
Type: UNKNOWN
APPLE-SA-2009-09-09

Source: CCN
Type: SA31824
Apple iTunes Privilege Escalation Vulnerability

Source: CCN
Type: SYM08-017
Symantec Device Driver Local Elevation of Privilege

Source: CONFIRM
Type: UNKNOWN
http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html

Source: CCN
Type: SECTRACK ID: 1020839
iTunes Windows Driver Integer Overflow Lets Local Users Gain Elevated Privileges

Source: SECTRACK
Type: UNKNOWN
1020839

Source: CCN
Type: SECTRACK ID: 1020997
Symantec BackupExec System Recovery Bug in 'GEARAspiWDM.Sys' Driver Lets Local Users Gain Elevated Privileges

Source: CCN
Type: SECTRACK ID: 1020998
Norton Ghost Bug in 'GEARAspiWDM.Sys' Driver Lets Local Users Gain Elevated Privileges

Source: CCN
Type: SECTRACK ID: 1020999
Symantec LiveState Recovery Bug in 'GEARAspiWDM.Sys' Driver Lets Local Users Gain Elevated Privileges

Source: CCN
Type: Apple Web site
About the security content of iTunes 8.0

Source: CONFIRM
Type: UNKNOWN
http://support.apple.com/kb/HT3025

Source: CONFIRM
Type: UNKNOWN
http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf

Source: CCN
Type: US-CERT VU#146896
Gear Software CD DVD Filter driver privilege escalation vulnerability

Source: CERT-VN
Type: US Government Resource
VU#146896

Source: CCN
Type: OSVDB ID: 48009
Microsoft Windows Kernel IopfCompleteRequest API Overflow

Source: BUGTRAQ
Type: UNKNOWN
20081007 [W02-1008] GearSoftware Powered Products Local Privilege Escalation (Microsoft Windows Kernel IopfCompleteRequest Integer Overflow)

Source: BID
Type: Patch
31089

Source: CCN
Type: BID-31089
GEAR Software CD DVD Filter Driver 'GEARAspiWDM.sys' Local Privilege Escalation Vulnerability

Source: SECTRACK
Type: UNKNOWN
1020997

Source: SECTRACK
Type: UNKNOWN
1020998

Source: SECTRACK
Type: UNKNOWN
1020999

Source: CONFIRM
Type: UNKNOWN
http://www.symantec.com/avcenter/security/Content/2008.10.07a.html

Source: VUPEN
Type: UNKNOWN
ADV-2008-2526

Source: VUPEN
Type: UNKNOWN
ADV-2008-2769

Source: VUPEN
Type: UNKNOWN
ADV-2008-2770

Source: MISC
Type: UNKNOWN
http://www.wintercore.com/advisories/advisory_W021008.html

Source: XF
Type: UNKNOWN
multiple-gearaspiwdm-privilege-escalation(45012)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:6035

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:apple:itunes:1.0:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:1.1.1:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:1.1.2:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:2.0:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:2.0.1:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:2.0.2:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:2.0.3:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:2.0.4:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:3.0:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:3.0.1:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.0:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.0.1:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.1:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.2:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.2.72:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.5:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.6:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.7:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.7.1:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.7.1.30:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.8:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.9:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:5.0:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:5.0.1:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:6.0:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:6.0.1:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:6.0.2:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:6.0.3:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:6.0.4:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:6.0.4.2:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:6.0.5:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.0.2:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.3.2:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.4:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.4.1:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.4.2:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.4.3:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.5:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.6:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:*:*:windows:*:*:*:*:* (Version <= 7.6.1)
  • OR cpe:/a:apple:itunes:7.6.2:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.7:*:windows:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.7.1:*:windows:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:apple:itunes:6.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:6.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:norton_ghost:10.0:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:norton_ghost:12.0:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:backupexec_system_recovery:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:backupexec_system_recovery:7.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:norton_360:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.5:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.6:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.7:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.7.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:6.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:backupexec_system_recovery:7.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:backupexec_system_recovery:7.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:backupexec_system_recovery:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:backupexec_system_recovery:8.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.3.0:-:mac:*:*:*:*:*
  • OR cpe:/a:apple:itunes:6.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:4.8:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:6.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:apple:itunes:7.4:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:norton_ghost:14.0:*:*:*:*:*:*:*
  • OR cpe:/a:symantec:norton_360:2.0:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition ID: oval:org.mitre.oval:def:6035
    Class: V
    Title: Apple iTunes Local Privilege Escalation Vulnerability
    Last Modified: 2015-06-22