CVE-2010-1893 - Numeric Errors vulnerability in Microsoft Windows 7, Windows Server 2008 and Windows Vista
Attack vector | UNKNOWN |
Attack complexity | UNKNOWN |
Privileges required | UNKNOWN |
Confidentiality impact | UNKNOWN |
Integrity impact | UNKNOWN |
Availability impact | UNKNOWN |
Summary
Integer overflow in the TCP/IP stack in Microsoft Windows Vista SP1, Windows Server 2008 Gold and R2, and Windows 7 allows local users to gain privileges via a buffer of user-mode data that is copied to kernel mode, aka "Integer Overflow in Windows Networking Vulnerability."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | | 8 |
Common Weakness Enumeration (CWE)
Msbulletin
bulletin_id | MS10-058 |
bulletin_url | |
date | 2010-08-10T00:00:00 |
impact | Elevation of Privilege |
knowledgebase_id | 978886 |
knowledgebase_url | |
severity | Important |
title | Vulnerabilities in TCP/IP Could Allow Elevation of Privilege |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS10-058.NASL |
description | The TCP/IP stack installed on the remote Windows host is affected by one or more of the following vulnerabilities:
- An error exists in the Windows TCP/IP stack when processing specially crafted IPv6 packets with a malformed extension header that could cause the affected system to stop responding if IPv6 features are enabled, which is true by default in Windows Vista and 2008. (CVE-2010-1892)
- The Windows TCP/IP stack fails to properly handle data copied from user mode, which could result in an integer overflow and allow a local attacker to run arbitrary code with system-level privileges. (CVE-2010-1892) |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 48295 |
published | 2010-08-11 |
reporter | This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/48295 |
title | MS10-058: Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886) |
Oval
accepted | 2012-03-26T04:00:51.776-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Integer overflow in the TCP/IP stack in Microsoft Windows Vista SP1, Windows Server 2008 Gold and R2, and Windows 7 allows local users to gain privileges via a buffer of user-mode data that is copied to kernel mode, aka "Integer Overflow in Windows Networking Vulnerability." |
family | windows |
id | oval:org.mitre.oval:def:12087 |
status | accepted |
submitted | 2010-03-13T13:00:00 |
title | Integer Overflow in Windows Networking Vulnerability |
version | 45 |
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 42254
CVE ID: CVE-2010-1893

Microsoft Windows is a very popular operating system released by Microsoft.

The IppSortDestinationAddresses() function of the TCP/IP implementation in Windows has an integer overflow vulnerability when processing SOCKET_ADDRESS_LIST structures. A local user can corrupt kernel memory by calling WSAIoctl with the SIO_ADDRESS_LIST_SORT IOCTL and execute arbitrary code with system-level privileges.

The beginning of IppSortDestinationAddresses() corresponds to the following pseudocode:

```c
// The allocation size is the caller-supplied element count times the element size,
// computed without an overflow check.
DestinationAddresses = ExAllocatePoolWithTag(NumberOfDestinationAddresses * sizeof(SOCKADDR_IN6)); // sizeof(SOCKADDR_IN6) = 0x1C
NtStatus = IppFlattenAddressList(SocketAddressList, DestinationAddresses);
if (!NT_SUCCESS(NtStatus))
    ExFreePoolWithTag(DestinationAddresses);
```

The integer overflow in IppSortDestinationAddresses() leads to a kernel pool overflow in IppFlattenAddressList(). The following pseudocode shows only the most important parts of the function:

```c
NTSTATUS IppFlattenAddressList(IN PSOCKET_ADDRESS_LIST SocketAddressList, OUT PSOCKADDR_IN6 FlattenAddressList)
{
    PSOCKADDR_IN6 Address;
    // [...]
    // The loop bound is the caller-controlled iAddressCount, not the size of the pool allocation.
    for (Index = 0; Index < SocketAddressList->iAddressCount; Index += 1) {
        if (SocketAddressList->Address[Index].iSockaddrLength != sizeof(SOCKADDR_IN6))
            return STATUS_INVALID_PARAMETER;
        Address = SocketAddressList->Address[Index].lpSockaddr;
        // Of course, there is a ProbeForRead + __try if the function is called from Userland
        FlattenAddressList[Index] = *Address; // <--- Pool Overflow is occurring here.
        //
        // The following part is important if you want to proceed to the overflow.
        //
        if (FlattenAddressList[Index].sin6_family != AF_INET6)
            return STATUS_INVALID_PARAMETER;
    }
    // [...]
}
```

Because SocketAddressList->iAddressCount can hold an excessively large value, the loop keeps copying data into the kernel pool until sin6_family differs from AF_INET6 or iSockaddrLength differs from sizeof(SOCKADDR_IN6). In both cases IppFlattenAddressList() returns STATUS_INVALID_PARAMETER, forcing the caller to free the kernel pool.

sin6_family is the first field of the SOCKADDR_IN6 structure; during the unlink from the list it is read as the PreviousSize field of the POOL_HEADER structure, which makes this vulnerability harder to exploit.

Affected systems:
Microsoft Windows Vista SP1
Microsoft Windows Server 2008 R2
Microsoft Windows Server 2008
Microsoft Windows 7

Vendor patch:
Microsoft
---------
Microsoft has released a security bulletin (MS10-058) and the corresponding patch:
MS10-058: Vulnerabilities in TCP/IP Could Allow Elevation of Privilege (978886)
Link: http://www.microsoft.com/technet/security/bulletin/MS10-058.mspx?pf=true |
id | SSV:20047 |
last seen | 2017-11-19 |
modified | 2010-08-17 |
published | 2010-08-17 |
reporter | Root |
title | Microsoft Windows TCP/IP implementation IppSortDestinationAddresses() integer overflow vulnerability (MS10-058) |
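As an added example (not code from the advisory or from Windows), the following C program isolates the unchecked allocation-size arithmetic described in the Seebug entry above and places the overflow-checked form beside it; the element size 0x1C follows the advisory, while the function names and the sample element count are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for sizeof(SOCKADDR_IN6): 0x1C bytes, as the advisory states. */
#define SOCKADDR_IN6_SIZE 0x1Cu

/* The pattern from the pseudocode: a 32-bit element count multiplied by the
 * element size with no check that the product fit. Any carry out of bit 31
 * is silently lost, so a huge count can yield a tiny allocation. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * SOCKADDR_IN6_SIZE;
}

/* Hardened check: does count * elem_size fit in a 32-bit size at all?
 * Dividing first avoids needing wider arithmetic and cannot itself overflow. */
bool alloc_size_fits(uint32_t count, uint32_t elem_size)
{
    return elem_size != 0 && count <= UINT32_MAX / elem_size;
}

/* Hardened computation: writes the exact product to *out and returns true, or
 * returns false (leaving *out untouched) when the request must be rejected
 * before any pool allocation or copy loop runs. */
bool checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (!alloc_size_fits(count, elem_size))
        return false;
    *out = count * elem_size;
    return true;
}

int main(void)
{
    /* Constructed count: 153391690 * 0x1C = 4294967320, which wraps to 24 in
     * 32-bit arithmetic, a buffer smaller than one SOCKADDR_IN6, while a loop
     * bounded by the count would still iterate 153391690 times. */
    uint32_t count = 153391690u;
    uint32_t size = 0;

    printf("unchecked size for %u elements: %u bytes\n", count, unchecked_alloc_size(count));
    if (checked_alloc_size(count, SOCKADDR_IN6_SIZE, &size))
        printf("checked size: %u bytes\n", size);
    else
        printf("checked: request rejected (count * size overflows 32 bits)\n");
    return 0;
}
```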
References
- http://www.us-cert.gov/cas/techalerts/TA10-222A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-058
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12087