CVE-2010-1888 - Race Condition vulnerability in Microsoft Windows XP

CVSS 6.8 - MEDIUM
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: SINGLE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: local, low complexity, microsoft, CWE-362, nessus, exploit available

Summary

Race condition in the kernel in Microsoft Windows XP SP3 allows local users to gain privileges via vectors involving thread creation, aka "Windows Kernel Data Initialization Vulnerability."

Vulnerable Configurations

Part   Description   Count
OS     Microsoft     1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) of a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he modifies the resource between the first time the target program checks the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.

Exploit-Db

description: Microsoft Windows nt!NtCreateThread Race Condition with Invalid Code Segment (MS10-047). CVE-2010-1888. DoS exploit for Windows platform
id: EDB-ID:14666
last seen: 2016-02-01
modified: 2010-08-17
published: 2010-08-17
reporter: Tavis Ormandy
source: https://www.exploit-db.com/download/14666/
title: Microsoft Windows nt!NtCreateThread Race Condition with Invalid Code Segment MS10-047

Msbulletin

bulletin_id: MS10-047
bulletin_url:
date: 2010-08-10T00:00:00
impact: Elevation of Privilege
knowledgebase_id: 981852
knowledgebase_url:
severity: Important
title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS10-047.NASL
description: The remote Windows host is running a version of the Windows kernel that is affected by one or more of the following vulnerabilities:
  • A race condition when creating certain types of kernel threads may allow a local attacker to execute arbitrary code in kernel mode and take complete control of the affected system. (CVE-2010-1888)
  • A double free vulnerability when the kernel initializes objects while handling certain errors may allow a local attacker to execute arbitrary code in kernel mode and take complete control of the affected system. (CVE-2010-1889)
  • A failure to properly validate access control lists on kernel objects may allow a local attacker to cause the system to become unresponsive and automatically restart. (CVE-2010-1890)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 48284
published: 2010-08-11
reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/48284
title: MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(48284);
  script_version("1.23");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  script_cve_id("CVE-2010-1888", "CVE-2010-1889", "CVE-2010-1890");
  script_bugtraq_id(42211, 42213, 42221);
  script_xref(name:"MSFT", value:"MS10-047");
  script_xref(name:"MSKB", value:"981852");

  script_name(english:"MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852)");
  script_summary(english:"Checks version of Ntoskrnl.exe");

  script_set_attribute(attribute:"synopsis", value:
"The Windows kernel is affected by several vulnerabilities that could
allow escalation of privileges.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is running a version of the Windows kernel
that is affected by one or more of the following vulnerabilities :

  - A race condition when creating certain types of kernel
    threads may allow a local attacker to execute arbitrary
    code in kernel mode and take complete control of the
    affected system. (CVE-2010-1888)

  - A double free vulnerability when the kernel initializes
    objects while handling certain errors may allow a local
    attacker to execute arbitrary code in kernel mode and
    take complete control of the affected system.
    (CVE-2010-1889)

  - A failure to properly validate access control lists on
    kernel objects may allow a local attacker to cause the
    system to become unresponsive and automatically
    restart. (CVE-2010-1890)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-047");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, Vista, 2008,
7, and 2008 R2.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/08/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2010/08/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/08/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}

include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");

get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS10-047';
kbs = make_list("981852");
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'3', vista:'1,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

kb = '981852';
if (
  # Windows 7 / Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:0,             file:"Ntoskrnl.exe", version:"6.1.7600.20738", min_version:"6.1.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0,             file:"Ntoskrnl.exe", version:"6.1.7600.16617", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Ntoskrnl.exe", version:"6.0.6002.22420", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Ntoskrnl.exe", version:"6.0.6002.18267", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Ntoskrnl.exe", version:"6.0.6001.22707", min_version:"6.0.6001.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Ntoskrnl.exe", version:"6.0.6001.18488", min_version:"6.0.6001.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP x86
  hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Ntoskrnl.exe", version:"5.1.2600.5973",  min_version:"5.1.0.0",         dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/MS10-047", value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted: 2010-09-27T04:00:13.737-04:00
class: vulnerability
contributors:
  • name: Dragos Prisaca
    organization: Symantec Corporation
definition_extensions:
  • comment: Microsoft Windows XP (x86) SP3 is installed
    oval: oval:org.mitre.oval:def:5631
description: Race condition in the kernel in Microsoft Windows XP SP3 allows local users to gain privileges via vectors involving thread creation, aka "Windows Kernel Data Initialization Vulnerability."
family: windows
id: oval:org.mitre.oval:def:11825
status: accepted
submitted: 2010-08-10T13:00:00
title: Windows Kernel Data Initialization Vulnerability
version: 71

Packetstorm

data source: https://packetstormsecurity.com/files/download/92839/mswinntcreatethread-racecondition.txt
id: PACKETSTORM:92839
last seen: 2016-12-05
published: 2010-08-17
reporter: Tavis Ormandy
source: https://packetstormsecurity.com/files/92839/Microsoft-Windows-nt-NtCreateThread-Race-Condition.html
title: Microsoft Windows nt!NtCreateThread Race Condition

Seebug

  • bulletinFamily: exploit
    description: No description provided by source.
    id: SSV:69611
    last seen: 2017-11-19
    modified: 2014-07-01
    published: 2014-07-01
    reporter: Root
    source: https://www.seebug.org/vuldb/ssvid-69611
    title: Microsoft Windows nt!NtCreateThread Race Condition with Invalid Code Segment (MS10-047)
  • bulletinFamily: exploit
    description: BUGTRAQ ID: 42211. CVE ID: CVE-2010-1888. Microsoft Windows is a very widely used operating system published by Microsoft. The Windows kernel contains a race condition when creating certain types of threads; a local user can obtain kernel-level privilege elevation by running a malicious application. An attacker who successfully exploits this vulnerability can execute arbitrary kernel-mode code. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Affected: Microsoft Windows XP SP3. Vendor patch: Microsoft has released a security bulletin (MS10-047) and the corresponding patch: MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (981852). Link: http://www.microsoft.com/technet/security/bulletin/MS10-047.mspx?pf=true Patch download: http://www.microsoft.com/downloads/details.aspx?familyid=E3574047-5CE5-4461-94AA-4EB3258D5E71
    id: SSV:20039
    last seen: 2017-11-19
    modified: 2010-08-12
    published: 2010-08-12
    reporter: Root
    title: Microsoft Windows XP SP3 Kernel Thread Creation Local Privilege Escalation Vulnerability (MS10-047)