Vulnerability CVE-2010-4398 - CERT Civis.Net

Vulnerability Name:

CVE-2010-4398 (CCN-63450)

Assigned:

2010-11-26

Published:

2010-11-26

Updated:

2018-10-12

Summary:

Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges, and bypass the User Account Control (UAC) feature, via a crafted REG_BINARY value for a SystemDefaultEUDCFont registry key, aka "Driver Improper Interaction with Windows Kernel Vulnerability."

CVSS v3 Severity:

9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.9 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.9 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2010-4398

Source: MISC
Type: UNKNOWN
http://isc.sans.edu/diary.html?storyid=9988

Source: MISC
Type: UNKNOWN
http://nakedsecurity.sophos.com/2010/11/25/new-windows-zero-day-flaw-bypasses-uac/

Source: CCN
Type: Packetstorm Security Website
Windows Escalate UAC Protection Bypass

Source: CCN
Type: SA42356
Microsoft Windows win32k.sys Driver GreEnableEUDC() Vulnerability

Source: SECUNIA
Type: Vendor Advisory
42356

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/css/P8/documents/100127248

Source: MISC
Type: UNKNOWN
http://twitter.com/msftsecresponse/statuses/7590788200402945

Source: MISC
Type: Exploit
http://www.exploit-db.com/bypassing-uac-with-user-privilege-under-windows-vista7-mirror/

Source: EXPLOIT-DB
Type: Exploit
15609

Source: CCN
Type: US-CERT VU#529673
Microsoft Windows RtlQueryRegistryValues() does not adequately validate registry data

Source: CERT-VN
Type: US Government Resource
VU#529673

Source: CCN
Type: Microsoft Web site
Microsoft Windows

Source: CCN
Type: Microsoft Security Bulletin MS11-011
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802)

Source: BID
Type: UNKNOWN
45045

Source: CCN
Type: BID-45045
Microsoft Windows User Access Control (UAC) Bypass Local Privilege Escalation Vulnerability

Source: SECTRACK
Type: UNKNOWN
1025046

Source: VUPEN
Type: UNKNOWN
ADV-2011-0324

Source: MS
Type: UNKNOWN
MS11-011

Source: XF
Type: UNKNOWN
ms-win-regbinary-privilege-escalation(63450)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:12162

Source: CCN
Type: Packet Storm Security [03-04-2014]
Windows Escalate UAC Protection Bypass (In Memory Injection)

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [11-24-2010]

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [10-10-2012]

Vulnerable Configuration:

Configuration 1:

cpe:/o:microsoft:windows_2003_server:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_7:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:itanium:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x32:*

OR cpe:/o:microsoft:windows_server_2008:*:*:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:itanium:*

OR cpe:/o:microsoft:windows_server_2008:r2:*:*:*:*:*:x64:*

OR cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:*:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*

OR cpe:/o:microsoft:windows_vista:*:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:*:sp1:*:*:*:*:x64:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:itanium:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x32:*

OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x64:*

OR cpe:/o:microsoft:windows:xp:sp3:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:*:sp2:*:*:*:*:x64:*

OR cpe:/o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x32:*

OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:x64:*

OR cpe:/o:microsoft:windows_7:*:*:*:*:*:*:x64:*

OR cpe:/o:microsoft:windows_7:-:*:*:*:*:*:x32:*

OR cpe:/o:microsoft:windows_server_2008:*:r2:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2008:*:r2:itanium:*:*:*:*:*

OR cpe:/o:microsoft:windows_server_2008:*:sp2:*:*:*:*:itanium:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:12162	V	Driver Improper Interaction with Windows Kernel Vulnerability	2012-03-26