Vulnerabilities > CVE-2005-2827 - Local Privilege Escalation vulnerability in Microsoft Windows 2000 and Windows NT

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE (CVSSv2 "Au:N" is the authentication metric: no extra authentication beyond the local access that the LOCAL attack vector already requires; this is a local privilege-escalation bug, not one an unprivileged remote attacker can reach)
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
microsoft
nessus
exploit available

Summary

The thread termination routine in the kernel for Windows NT 4.0 and 2000 (NTOSKRNL.EXE) allows local users to modify kernel memory and execution flow via steps in which a terminating thread causes Asynchronous Procedure Call (APC) entries to free the wrong data, aka the "Windows Kernel Vulnerability."

Vulnerable Configurations

Part: OS | Description: Microsoft | Count: 6

Exploit-Db

Description: MS Windows 2k Kernel APC Data-Free Local Escalation Exploit (MS05-055). CVE-2005-2827. Local exploit for the Windows platform.
ID: EDB-ID:1407
Last seen: 2016-01-31
Modified: 2006-01-05
Published: 2006-01-05
Reporter: SoBeIt
Source: https://www.exploit-db.com/download/1407/
Title: Microsoft Windows 2000 - Kernel APC Data-Free Local Escalation Exploit MS05-055

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS05-055.NASL
Description: The remote host contains a version of the Windows kernel that may allow a local user to elevate their privileges or to crash the kernel (a denial of service). The plugin is a file-version check on Ntoskrnl.exe gated to Windows 2000 (so NT 4.0 hosts, although named in the CVE text, are not evaluated); it does not attempt exploitation.
Last seen: 2020-06-01
Modified: 2020-06-02
Plugin id: 20298
Published: 2005-12-13
Reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
Source: https://www.tenable.com/plugins/nessus/20298
Title: MS05-055: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration pass: when the scanner loads the plugin with `description`
# set, this branch only records plugin metadata and exits; none of the
# detection logic further down runs in this pass.
if (description)
{
 script_id(20298);
 script_version("1.32");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 # Cross-references: the CVE, the BugTraq ID, the Microsoft bulletin, the
 # public Exploit-DB entry (EDB-ID 1407) and the KB article the fix ships as.
 script_cve_id("CVE-2005-2827");
 script_bugtraq_id(15826);
 script_xref(name:"MSFT", value:"MS05-055");
 script_xref(name:"EDB-ID", value:"1407");
 script_xref(name:"MSKB", value:"908523");

 script_name(english:"MS05-055: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)");
 # NOTE(review): the summary says "registry", but the detection below is a
 # file-version comparison on system32\Ntoskrnl.exe (see hotfix_is_vulnerable).
 script_summary(english:"Checks the remote registry for 908523");

 script_set_attribute(attribute:"synopsis", value:"A local user can elevate his privileges on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of the Windows kernel that may allow
a local user to elevate his privileges or to crash it (therefore causing
a denial of service).");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-055");
 # NOTE(review): the solution names Windows 2000 only, and the check below is
 # gated on win2k as well, so NT 4.0 hosts (also named in the CVE text) are
 # never evaluated by this plugin.
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows 2000.");
 # CVSSv2 base: local vector, low complexity, complete C/I/A impact. "Au:N"
 # is the authentication metric (no extra authentication beyond the local
 # access AV:L already implies) -- it is not a "no privileges needed" claim.
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
 # CVSSv2 temporal: proof-of-concept exploit public, official fix, confirmed.
 script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");

 script_set_attribute(attribute:"vuln_publication_date", value:"2005/12/13");
 script_set_attribute(attribute:"patch_publication_date", value:"2005/12/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2005/12/13");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 # Non-intrusive category: the plugin only reads registry/file data from the
 # host; it never attempts the privilege escalation itself.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Requires the generic hotfix enumeration to have run first, and either SMB
 # (139/445) for the file check or data from a patch-management integration.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Detection pass. Bail out unless the bulletin-check prerequisites collected
# by the dependency plugins are present in the KB.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS05-055';
kb = '908523';

# If a patch-management source supplied data for this host, evaluate the
# bulletin through it first; presumably hotfix_check_3rd_party reports and
# exits on its own when it can decide, otherwise the file check below runs.
kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Scope gate: only Windows 2000 in the listed service-pack range is checked;
# any other OS/SP combination is audited as not affected right here.
# NOTE(review): the CVE text also names NT 4.0, which this gate never
# evaluates -- NT 4.0 hosts will not be flagged by this plugin.
if (hotfix_check_sp_range(win2k:'4,5') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# The file-version check needs %SystemRoot% and an accessible admin share
# that maps to it.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# Version-based detection: compare system32\Ntoskrnl.exe against the build
# shipped with KB908523 (5.0.2195.7071); presumably older builds are reported
# as missing the patch. NOTE(review): this inspects the on-disk binary only, so
# a host that installed the update but has not yet rebooted would pass this
# check while possibly still running the old kernel.
if (hotfix_is_vulnerable(os:"5.0", file:"Ntoskrnl.exe", version:"5.0.2195.7071", dir:"\system32", bulletin:bulletin, kb:kb))
{
  # Record the missing bulletin in the KB (for other plugins to consume),
  # emit the finding, then release the file-check state and stop.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # Release the file-check state before auditing the host as not affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

Accepted: 2011-05-09T04:01:15.331-04:00
Class: vulnerability
Contributors:
  • Name: Robert L. Hollis — Organization: ThreatGuard, Inc.
  • Name: Jonathan Baker — Organization: The MITRE Corporation
  • Name: Shane Shaffer — Organization: G2, Inc.
Description: The thread termination routine in the kernel for Windows NT 4.0 and 2000 (NTOSKRNL.EXE) allows local users to modify kernel memory and execution flow via steps in which a terminating thread causes Asynchronous Procedure Call (APC) entries to free the wrong data, aka the "Windows Kernel Vulnerability."
Family: windows
ID: oval:org.mitre.oval:def:1583
Status: accepted
Submitted: 2005-12-13T12:00:00.000-04:00
Title: Win2K Kernel Privilege Escalation Vulnerability
Version: 68