12/27/2020

Microsoft Windows Server 2003 SP2
1. Vulnerability Details

Affected Vendor: Microsoft
Affected Product: TCP/IP Protocol Driver
Affected Version: 5.2.3790.4573
System: Microsoft Windows Server 2003 Service Pack 2
Architecture: x86, x64, Itanium
Impact: Privilege Escalation
Attack vector: IOCTL
CVE-ID: CVE-2014-4076

2. Vulnerability Description

The tcpip.sys driver fails to sufficiently validate memory objects used during the processing of a user-provided IOCTL.

3. Technical Description

By crafting an input buffer that will be passed to the Tcp device through the NtDeviceIoControlFile() function, it is possible to trigger a vulnerability that would allow an attacker to elevate privileges.
This vulnerability was discovered while fuzzing the tcpip.sys driver. A collection of IOCTLs that could be targeted was obtained and subsequently fuzzed. During this process, one of the crashes obtained originated from the IOCTL 0x00120028. This was performed on an x86 installation of Windows Server 2003, Service Pack 2.

ErrCode = 00000000
eax=00000000 ebx=859ef888 ecx=00000008 edx=00000100 esi=00000000 edi=80a58270
eip=f67ebbbd esp=f620a9c8 ebp=f620a9dc iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
tcpip!SetAddrOptions+0x1d:
f67ebbbd 8b5e28 mov ebx,dword ptr [esi+28h] ds:0023:00000028

A second chance exception has occurred during a mov instruction. The inputBuffer for this call references memory at 0x1000 with a length of 0x20.

After review of the tcpip.sys driver, some memory trickery was developed to control the code flow until the instruction pointer could be controlled in a way that would be advantageous to an attacker.

Disclosure Timeline

KoreLogic requests CVE number for the vulnerability, if there is one. KoreLogic also requests the vendor's public identifier for the vulnerability along with the expected disclosure date.
KoreLogic notifies Microsoft that no response was received following the 06.11.14 email. Microsoft is unable to provide a CVE or an expected disclosure date.
Microsoft acknowledged receipt of the vulnerability report and PoC.
KoreLogic requests CVE number for the vulnerability.
Microsoft notifies KoreLogic that they have a CVE but are not willing to share it with KoreLogic at this time.
Microsoft responds stating that the vulnerability is expected to be disclosed in a Fall release and that it is currently looking good for October.

About KoreLogic

We are a highly skilled team of senior security specialists doing by-hand security assessments for the most important systems in the U.S.
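As an added example that is not part of the original advisory, the Python script below performs the triage step implied by the register dump in the technical description above: it parses the WinDbg register lines, recomputes the faulting effective address from the base register and displacement of the memory operand, checks it against the address WinDbg reported, and flags a NULL-page dereference (a zero object pointer used as a structure base). The dump is embedded as constructed sample input copied from the text; the regexes, triage() and NULL_PAGE_LIMIT are the example's own assumptions, not tooling from the advisory.

```python
import re

# Constructed sample input: the x86 register dump reproduced from the advisory text above.
CRASH_DUMP = """\
ErrCode = 00000000
eax=00000000 ebx=859ef888 ecx=00000008 edx=00000100 esi=00000000 edi=80a58270
eip=f67ebbbd esp=f620a9c8 ebp=f620a9dc iopl=0 nv up ei pl zr na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010246
tcpip!SetAddrOptions+0x1d:
f67ebbbd 8b5e28 mov ebx,dword ptr [esi+28h] ds:0023:00000028
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip)=([0-9a-f]{8})")
# Memory operand [reg], [reg+disp] or [reg-disp]; WinDbg prints the displacement in hex with a trailing h.
OPERAND_RE = re.compile(r"\[(e[abcd]x|e[sd]i|e[sb]p)(?:([+-])([0-9a-f]+)h?)?\]", re.I)
FAULT_RE = re.compile(r"\b[cdefgs]s:[0-9a-f]{4}:([0-9a-f]{8})")  # segment:selector:address
SYMBOL_RE = re.compile(r"^([A-Za-z0-9_]+!\S+):\s*$", re.M)        # module!Function+offset:
NULL_PAGE_LIMIT = 0x10000  # assumption: the lowest 64 KiB is unmapped, so a hit here is NULL + field offset

def parse_registers(dump):
    """Map register names to integer values from WinDbg 'eax=... ebx=...' lines."""
    return {name: int(value, 16) for name, value in REG_RE.findall(dump)}

def triage(dump):
    """Recompute the faulting effective address from register state and classify the access."""
    regs = parse_registers(dump)
    insn_line = next(line for line in dump.splitlines() if OPERAND_RE.search(line))
    op = OPERAND_RE.search(insn_line)
    base = op.group(1).lower()
    offset = int(op.group(3), 16) if op.group(3) else 0
    if op.group(2) == "-":
        offset = -offset
    computed = (regs[base] + offset) & 0xFFFFFFFF
    reported = FAULT_RE.search(insn_line)
    symbol = SYMBOL_RE.search(dump)
    return {
        "symbol": symbol.group(1) if symbol else None,
        "base": base,
        "base_value": regs[base],
        "offset": offset,
        "fault_address": computed,
        # True when the address WinDbg reported equals base + displacement, i.e. the register
        # state fully explains the fault and no other corruption needs to be assumed.
        "consistent": reported is not None and int(reported.group(1), 16) == computed,
        # Zero base with a small displacement: a NULL object pointer dereferenced as a structure,
        # which is the "memory object not validated" pattern the advisory describes.
        "null_page": regs[base] == 0 and computed < NULL_PAGE_LIMIT,
    }

if __name__ == "__main__":
    print(triage(CRASH_DUMP))
```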