Executive Summary

Summary | |
---|---|
Title | Microsoft Windows RtlQueryRegistryValues() does not adequately validate registry data |
Information | | | |
---|---|---|---|
Name | VU#529673 | First vendor publication | 2010-11-26 |
Vendor | VU-CERT | Last vendor modification | 2010-11-26 |
Severity (vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3

CVSS vector: N/A | | | |
---|---|---|---|
Overall CVSS score | NA | | |
Base score | NA | Environmental score | NA |
Impact subscore | NA | Temporal score | NA |
Exploitability subscore | NA | | |
Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:N/C:C/I:C/A:C) | | | |
---|---|---|---|
CVSS base score | 7.2 | Attack range | Local |
CVSS impact score | 10 | Attack complexity | Low |
CVSS exploit score | 3.9 | Authentication | None required |
Detail

Vulnerability Note VU#529673: Microsoft Windows RtlQueryRegistryValues() does not adequately validate registry data

Overview

Microsoft Windows does not adequately validate registry data read using the function RtlQueryRegistryValues(). By modifying an EUDC registry key value, a local user could execute arbitrary code with SYSTEM privileges.

I. Description

Microsoft Windows supports end-user-defined characters (EUDC) to allow users to define custom Unicode characters. The Windows kernel (win32k.sys) graphics device interface (GDI) reads the EUDC registry key for font information. More specifically, GreEnableEudc() uses RtlQueryRegistryValues() to read HKCU\EUDC\{codepage}\SystemDefaultEUDCFont. In this case RtlQueryRegistryValues() expects to read a REG_SZ (string) value into a buffer whose length and contents are determined by the type and value of SystemDefaultEUDCFont.

By default, an unprivileged user has access to modify the EUDC registry key. Furthermore, RtlQueryRegistryValues() does not validate the data read from SystemDefaultEUDCFont.

Restrict access to the EUDC registry key.
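As an added example (not part of the CERT note or of any Microsoft tooling), the following PowerShell check reports the two conditions the note describes for the EUDC key in the current user's hive: a SystemDefaultEUDCFont value whose type is not REG_SZ, and an ACL that still lets non-administrative principals modify the key, which is what the access restriction above is meant to remove. The function name and the trusted-principal list are assumptions.

```powershell
# Added example for VU#529673 (not from the CERT note). Inspects the EUDC key in the
# current user's hive for a SystemDefaultEUDCFont value whose type is not REG_SZ and
# for ACEs that let non-admin principals write the key. Function name and the
# trusted-principal list are assumptions.
function Test-EudcKey {
    param([string]$EudcRoot = 'HKCU:\EUDC')

    $trusted   = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    $writeBits = [System.Security.AccessControl.RegistryRights]::SetValue -bor
                 [System.Security.AccessControl.RegistryRights]::CreateSubKey
    $findings  = @()

    if (-not (Test-Path -Path $EudcRoot)) { return $findings }

    # Subkeys are named after code pages (e.g. HKCU:\EUDC\932); each may carry the value.
    foreach ($cp in Get-ChildItem -Path $EudcRoot) {
        try {
            $kind = (Get-Item -Path $cp.PSPath).GetValueKind('SystemDefaultEUDCFont')
        } catch { continue }   # value not present under this code page key
        if ($kind -ne [Microsoft.Win32.RegistryValueKind]::String) {
            $findings += [pscustomobject]@{
                Key    = $cp.Name
                Check  = 'ValueKind'
                Detail = "SystemDefaultEUDCFont is $kind; GreEnableEudc() expects REG_SZ"
            }
        }
    }

    # The workaround is to stop ordinary users from writing the key, so any Allow ACE
    # granting SetValue or CreateSubKey to a principal outside $trusted is reported.
    foreach ($ace in (Get-Acl -Path $EudcRoot).Access) {
        $canWrite = ($ace.RegistryRights -band $writeBits) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
            $trusted -notcontains $ace.IdentityReference.Value) {
            $findings += [pscustomobject]@{
                Key    = $EudcRoot
                Check  = 'ACL'
                Detail = "$($ace.IdentityReference) may write ($($ace.RegistryRights))"
            }
        }
    }
    return $findings
}

$result = Test-EudcKey
if ($result) { $result | Format-Table -AutoSize } else { 'No EUDC findings.' }
```

Run it in the context of the user whose hive should be checked; ACEs inherited from the hive root are included, so a default profile will normally show the user's own write access until the restriction is applied.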
References

http://secunia.com/advisories/42356

This vulnerability was publicly disclosed by noobpwnftw. This document was written by Art Manion.
Original Source

URL: http://www.kb.cert.org/vuls/id/529673
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-119 | Failure to Constrain Operations within the Bounds of a Memory Buffer |
OVAL Definitions

Definition Id: oval:org.mitre.oval:def:12162 | | | |
---|---|---|---|
Oval ID: | oval:org.mitre.oval:def:12162 | | |
Title: | Driver Improper Interaction with Windows Kernel Vulnerability | | |
Description: | Stack-based buffer overflow in the RtlQueryRegistryValues function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 allows local users to gain privileges, and bypass the User Account Control (UAC) feature, via a crafted REG_BINARY value for a SystemDefaultEUDCFont registry key, aka "Driver Improper Interaction with Windows Kernel Vulnerability." | | |
Family: | windows | Class: | vulnerability |
Reference(s): | CVE-2010-4398 | Version: | 6 |
Platform(s): | Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows Server 2008 R2, Microsoft Windows 7 | Product(s): | |
CPE : Common Platform Enumeration

Type | Description | Count |
---|---|---|
Os | | 1 |
Os | | 1 |
Os | | 5 |
Os | | 1 |
Os | | 1 |
OpenVAS Exploits
Date | Description |
---|---|
2011-02-09 | Name : Microsoft Windows Kernel Elevation of Privilege Vulnerability (2393802) File : nvt/secpod_ms11-011.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
69501 | Microsoft Windows win32k.sys Driver GreEnableEUDC() Function Local Overflow. Microsoft Windows is prone to an overflow condition. win32k.sys fails to properly process the 'GreEnableEUDC()' function, resulting in a buffer overflow. With a specially crafted 'SystemDefaultEUDCFont' registry value, a local attacker can potentially execute arbitrary code. |
Information Assurance Vulnerability Management (IAVM)
Date | Description |
---|---|
2011-02-10 | IAVM : 2011-A-0022 - Multiple Vulnerabilities in Microsoft Windows Kernel Severity : Category I - VMSKEY : V0026065 |
Snort® IPS/IDS
Date | Description |
---|---|
2017-02-21 | Microsoft Windows RtlQueryRegistryValues buffer overflow attempt RuleID : 41365 - Revision : 3 - Type : OS-WINDOWS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2011-02-08 | Name : The Windows kernel is affected by several vulnerabilities that could allow es... File : smb_nt_ms11-011.nasl - Type : ACT_GATHER_INFO |
Alert History

Date | Information |
---|---|
2014-02-17 12:07:55 | |