Vulnerabilities > CVE-2008-2251 - Resource Management Errors vulnerability in Microsoft products

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
microsoft
CWE-399
nessus

Summary

Double free vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows local users to gain privileges via a crafted application that makes system calls within multiple threads, aka "Windows Kernel Unhandled Exception Vulnerability." NOTE: according to Microsoft, this is not a duplicate of CVE-2008-4510.

Common Weakness Enumeration (CWE)

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS08-061.NASL
descriptionThe remote host contains a version of the Windows kernel that is vulnerable to a security flaw that could allow a local user to elevate his privileges or to crash it (therefore causing a denial of service).
last seen2020-06-01
modified2020-06-02
plugin id34406
published2008-10-15
reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/34406
titleMS08-061: Microsoft Windows Kernel Multiple Privilege Elevation (954211)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(34406);
 script_version("1.26");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 script_cve_id("CVE-2008-2250", "CVE-2008-2251", "CVE-2008-2252");
 script_bugtraq_id(31651, 31652, 31653);
 script_xref(name:"MSFT", value:"MS08-061");
 script_xref(name:"MSKB", value:"954211");

 script_name(english:"MS08-061: Microsoft Windows Kernel Multiple Privilege Elevation (954211)");
 script_summary(english:"Make sure update 954211 has been installed on the remote host");

 script_set_attribute(attribute:"synopsis", value:"A local user can elevate his privileges on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of the Windows kernel that is
vulnerable to a security flaw that could allow a local user to elevate
his privileges or to crash it (therefore causing a denial of service).");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-061");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows 2000, XP, 2003,
Vista, 2008.");
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(264, 399);

 script_set_attribute(attribute:"vuln_publication_date", value:"2008/10/14");
 script_set_attribute(attribute:"patch_publication_date", value:"2008/10/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2008/10/15");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS08-061';
kb = '954211';

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'1,2', vista:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Win32k.sys", version:"6.0.6001.22265", min_version:"6.0.6001.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Win32k.sys", version:"6.0.6001.18141", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"Win32k.sys", version:"6.0.6000.20917", min_version:"6.0.6000.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"Win32k.sys", version:"6.0.6000.16750", dir:"\system32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.4375", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Win32k.sys", version:"5.2.3790.3212", dir:"\system32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Win32k.sys", version:"5.1.2600.3446", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Win32k.sys", version:"5.1.2600.5676", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.0", file:"Win32k.sys", version:"5.0.2195.7194", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted2011-11-14T04:00:54.510-05:00
classvulnerability
contributors
  • nameSudhir Gandhe
    organizationSecure Elements, Inc.
  • nameChandan S
    organizationSecPod Technologies
definition_extensions
  • commentMicrosoft Windows 2000 SP4 or later is installed
    ovaloval:org.mitre.oval:def:229
  • commentMicrosoft Windows XP (x86) SP2 is installed
    ovaloval:org.mitre.oval:def:754
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Windows Server 2003 SP1 (x86) is installed
    ovaloval:org.mitre.oval:def:565
  • commentMicrosoft Windows Server 2003 SP1 for Itanium is installed
    ovaloval:org.mitre.oval:def:1205
  • commentMicrosoft Windows Server 2003 SP1 (x64) is installed
    ovaloval:org.mitre.oval:def:4386
  • commentMicrosoft Windows XP Professional x64 Edition SP1 is installed
    ovaloval:org.mitre.oval:def:720
  • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
    ovaloval:org.mitre.oval:def:1442
  • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
    ovaloval:org.mitre.oval:def:1935
  • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
    ovaloval:org.mitre.oval:def:2161
  • commentMicrosoft Windows XP x64 Edition SP2 is installed
    ovaloval:org.mitre.oval:def:4193
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:4873
  • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:5254
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
descriptionDouble free vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows local users to gain privileges via a crafted application that makes system calls within multiple threads, aka "Windows Kernel Unhandled Exception Vulnerability." NOTE: according to Microsoft, this is not a duplicate of CVE-2008-4510.
familywindows
idoval:org.mitre.oval:def:6010
statusaccepted
submitted2008-10-14T13:33:00
titleWindows Kernel Unhandled Exception Vulnerability
version72

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 31651,31652,31653 CVE(CAN) ID: CVE-2008-2250,CVE-2008-2252,CVE-2008-2251 Microsoft Windows是微软发布的非常流行的操作系统。 Windows内核未正确验证新窗口创建过程中所传递的窗口属性,未正确验证某些用户态输出,或可能处于双重释放的状态。成功利用此漏洞的攻击者可以运行任意内核态代码。攻击者可随后安装程序;查看、更改或删除数据;或者创建拥有完全用户权限的新帐户。 以下是双重释放漏洞的代码段:<pre>// Attacker controls lParam void win32k_entry_point(...) { […] // lParam has already passed successfully the ProbeForRead my_struct = (PMY_STRUCT)lParam; if (my_struct -&gt;lpData) { cbCapture = sizeof(MY_STRUCT) + my_struct-&gt;cbData; // [1] first fetch […] // my_struct -&gt;lpData has already passed successfully the ProbeForRead […] if ( my_allocation = UserAllocPoolWithQuota(cbCapture, TAG_SMS_CAPTURE)) != NULL) { RtlCopyMemory(my_allocation, my_struct-&gt;lpData, my_struct-&gt;cbData); // [2] second fetch } } […] }</pre>在上面的代码中,两次取了相同的用户态数据([1]和[2])。由于内核无法保证这两次取值都拥有相同的值,在[1]可能出现较小的内存分配而之后在[2]内核拷贝了较长的数据,导致内存池溢出。 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Vista SP1 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 SP1 Microsoft Windows 2000SP4 Microsoft --------- Microsoft已经为此发布了一个安全公告(MS08-061)以及相应补丁: MS08-061:Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (954211) 链接:<a href=http://www.microsoft.com/technet/security/Bulletin/MS08-061.mspx?pf=true target=_blank>http://www.microsoft.com/technet/security/Bulletin/MS08-061.mspx?pf=true</a>
idSSV:4248
last seen2017-11-19
modified2008-10-16
published2008-10-16
reporterRoot
titleMicrosoft Windows多个内核权限提升漏洞(MS08-061)