Vulnerabilities > CVE-2008-4036 - Numeric Errors vulnerability in Microsoft products

CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE

Summary

Integer overflow in Memory Manager in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows local users to gain privileges via a crafted application that triggers an erroneous decrement of a variable, related to validation of parameters for Virtual Address Descriptors (VADs) and a "memory allocation mapping error," aka "Virtual Address Descriptor Elevation of Privilege Vulnerability."

Common Weakness Enumeration (CWE)

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS08-064.NASL
descriptionThe remote host contains a version of the Windows kernel that is vulnerable to a security flaw that could allow a local user to elevate his privileges or to crash it (therefore causing a denial of service).
last seen2020-06-01
modified2020-06-02
plugin id34409
published2008-10-15
reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/34409
titleMS08-064: Microsoft Windows Virtual Address Descriptors (VAD) Local Privilege Escalation (956841)
code
#
# Tenable Network Security, Inc.
#

include("compat.inc");

# Registration phase: when Nessus loads the plugin with `description` set,
# only the metadata below is recorded and the script exits before any host
# interaction takes place.
if (description)
{
 script_id(34409);
 script_version("1.26");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 # External identifiers for the flaw this plugin detects (CVE, BID, MS bulletin, KB).
 script_cve_id("CVE-2008-4036");
 script_bugtraq_id(31675);
 script_xref(name:"MSFT", value:"MS08-064");
 script_xref(name:"MSKB", value:"956841");

 script_name(english:"MS08-064: Microsoft Windows Virtual Address Descriptors (VAD) Local Privilege Escalation (956841)");
 script_summary(english:"Checks the remote registry for 956841");

 script_set_attribute(attribute:"synopsis", value:"A local user can elevate privileges on the remote host.");
 script_set_attribute(attribute:"description", value:
"The remote host contains a version of the Windows kernel that is
vulnerable to a security flaw that could allow a local user to elevate
his privileges or to crash it (therefore causing a denial of service).");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-064");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista and
2008.");
 # CVSS2 base vector: local attack vector, low complexity, no authentication,
 # complete C/I/A impact (scores 7.2).
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 # Exploit-availability fields reflect the state at the plugin's last revision
 # (2018); they are static metadata, not re-evaluated at scan time.
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(189);

 script_set_attribute(attribute:"vuln_publication_date", value:"2008/10/14");
 script_set_attribute(attribute:"patch_publication_date", value:"2008/10/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2008/10/15");

 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 # Closes the attribute list; all script_set_attribute() calls precede it.
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Run-time prerequisites: the hotfix enumeration plugins must have populated
 # the KB, and either the SMB ports or a patch-management data source is needed.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

# Detection phase.  Bail out quietly unless the dependency plugins have
# established that Microsoft bulletin checks are possible on this host.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS08-064';
kb = '956841';

# When a third-party patch-management source is configured for the host, let
# it decide on the KB number first.
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:make_list(kb), severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Scope: XP SP2/SP3, Server 2003 SP1/SP2, Vista RTM/SP1 (Server 2008 is
# presumably covered by the same 6.0 version line).  audit() exits.
if (hotfix_check_sp_range(xp:'2,3', win2003:'1,2', vista:'0,1') <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

sysroot = hotfix_get_systemroot();
if (!sysroot) exit(1, "Failed to get the system root.");

admin_share = hotfix_path2share(path:sysroot);
if (!is_accessible_share(share:admin_share)) audit(AUDIT_SHARE_FAIL, admin_share);

# One Ntoskrnl.exe version comparison per OS / service-pack combination.
# The expression short-circuits at the first match, so its order is kept.
# The second 6.0 entry for each SP carries a min_version, restricting it to
# the 2xxxx build line of that release.
kernel_vulnerable = (
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"Ntoskrnl.exe", version:"6.0.6000.16754", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:0, file:"Ntoskrnl.exe", version:"6.0.6000.20921", min_version:"6.0.6000.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Ntoskrnl.exe", version:"6.0.6001.18145", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Ntoskrnl.exe", version:"6.0.6001.22269", min_version:"6.0.6001.20000", dir:"\System32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Ntoskrnl.exe", version:"5.2.3790.4354", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"Ntoskrnl.exe", version:"5.2.3790.3191", dir:"\System32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Ntoskrnl.exe", version:"5.1.2600.5657", dir:"\System32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:2, file:"Ntoskrnl.exe", version:"5.1.2600.3427", dir:"\System32", bulletin:bulletin, kb:kb)
);

# Not vulnerable: release the session opened by the file checks and audit out.
if (!kernel_vulnerable)
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

# Vulnerable: flag the missing bulletin for downstream plugins, report the
# finding, then close the session.
set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
hotfix_security_hole();
hotfix_check_fversion_end();
exit(0);

Oval

accepted2011-11-14T04:00:26.330-05:00
classvulnerability
contributors
  • nameJeff Ito
    organizationSecure Elements, Inc.
  • nameChandan S
    organizationSecPod Technologies
definition_extensions
  • commentMicrosoft Windows XP SP2 or later is installed
    ovaloval:org.mitre.oval:def:521
  • commentMicrosoft Windows XP (x86) SP3 is installed
    ovaloval:org.mitre.oval:def:5631
  • commentMicrosoft Windows XP Professional x64 Edition SP1 is installed
    ovaloval:org.mitre.oval:def:720
  • commentMicrosoft Windows Server 2003 SP1 (x86) is installed
    ovaloval:org.mitre.oval:def:565
  • commentMicrosoft Windows Server 2003 (x64) is installed
    ovaloval:org.mitre.oval:def:730
  • commentMicrosoft Windows XP x64 Edition SP2 is installed
    ovaloval:org.mitre.oval:def:4193
  • commentMicrosoft Windows Server 2003 SP2 (x86) is installed
    ovaloval:org.mitre.oval:def:1935
  • commentMicrosoft Windows Server 2003 SP2 (x64) is installed
    ovaloval:org.mitre.oval:def:2161
  • commentMicrosoft Windows Server 2003 SP1 for Itanium is installed
    ovaloval:org.mitre.oval:def:1205
  • commentMicrosoft Windows Server 2003 (ia64) SP2 is installed
    ovaloval:org.mitre.oval:def:1442
  • commentMicrosoft Windows Vista (32-bit) is installed
    ovaloval:org.mitre.oval:def:1282
  • commentMicrosoft Windows Vista x64 Edition is installed
    ovaloval:org.mitre.oval:def:2041
  • commentMicrosoft Windows Vista (32-bit) Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:4873
  • commentMicrosoft Windows Vista x64 Edition Service Pack 1 is installed
    ovaloval:org.mitre.oval:def:5254
  • commentMicrosoft Windows Server 2008 (32-bit) is installed
    ovaloval:org.mitre.oval:def:4870
  • commentMicrosoft Windows Server 2008 (64-bit) is installed
    ovaloval:org.mitre.oval:def:5356
  • commentMicrosoft Windows Server 2008 (ia-64) is installed
    ovaloval:org.mitre.oval:def:5667
descriptionInteger overflow in Memory Manager in Microsoft Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows local users to gain privileges via a crafted application that triggers an erroneous decrement of a variable, related to validation of parameters for Virtual Address Descriptors (VADs) and a "memory allocation mapping error," aka "Virtual Address Descriptor Elevation of Privilege Vulnerability."
familywindows
idoval:org.mitre.oval:def:5343
statusaccepted
submitted2008-10-14T14:00:00
titleVirtual Address Descriptor Elevation of Privilege Vulnerability (MS08-064)
version72

Seebug

bulletinFamilyexploit
descriptionBUGTRAQ ID: 31675 CVE(CAN) ID: CVE-2008-4036 Microsoft Windows是微软发布的非常流行的操作系统。 Windows的内存管理器处理内存分配和虚拟地址描述符(VAD)的方式中存在一个整数溢出漏洞。如果通过认证的攻击者在受影响的系统上运行特制的程序,此漏洞可能允许权限提升。成功利用此漏洞的攻击者可以在受影响的系统上获得特权提升。攻击者随后可安装程序;查看、更改或删除数据;或者创建拥有完全管理权限的新帐户。 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Vista SP1 Microsoft Windows Vista Microsoft Windows Server 2008 Microsoft Windows Server 2003 SP2 Microsoft Windows Server 2003 SP1 Microsoft --------- Microsoft已经为此发布了一个安全公告(MS08-064)以及相应补丁: MS08-064:Vulnerability in Virtual Address Descriptor Manipulation Could Allow Elevation of Privilege (956841) 链接:<a href=http://www.microsoft.com/technet/security/Bulletin/MS08-064.mspx?pf=true target=_blank>http://www.microsoft.com/technet/security/Bulletin/MS08-064.mspx?pf=true</a>
idSSV:4243
last seen2017-11-19
modified2008-10-15
published2008-10-15
reporterRoot
titleMicrosoft Windows VAD本地权限提升漏洞(MS08-064)