Vulnerabilities > CVE-2010-2549 - Resource Management Errors vulnerability in Microsoft Windows Server 2008 and Windows Vista
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
Use-after-free vulnerability in the kernel-mode drivers in Microsoft Windows Vista SP1 and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges or cause a denial of service (system crash) by using a large number of calls to the NtUserCheckAccessForIntegrityLevel function to trigger a failure in the LockProcessByClientId function, leading to deletion of an in-use process object, aka "Win32k Reference Count Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 8 |
Common Weakness Enumeration (CWE)
Exploit-Db
| description | Windows Vista/Server 2008 NtUserCheckAccessForIntegrityLevel Use-after-free Vulnerability. CVE-2010-2549. Dos exploit for windows platform |
| file | exploits/windows/dos/14156.txt |
| id | EDB-ID:14156 |
| last seen | 2016-02-01 |
| modified | 2010-07-01 |
| platform | windows |
| port | |
| published | 2010-07-01 |
| reporter | MSRC |
| source | https://www.exploit-db.com/download/14156/ |
| title | Windows Vista/Server 2008 NtUserCheckAccessForIntegrityLevel Use-after-free Vulnerability |
| type | dos |
Msbulletin
| bulletin_id | MS10-073 |
| bulletin_url | |
| date | 2010-10-12T00:00:00 |
| impact | Elevation of Privilege |
| knowledgebase_id | 981957 |
| knowledgebase_url | |
| severity | Important |
| title | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege |
Nessus
| NASL family | Windows : Microsoft Bulletins |
| NASL id | SMB_NT_MS10-073.NASL |
| description | The remote Windows host is running a version of the Windows kernel that is affected by the following vulnerabilities : - A reference count leak, which could result in arbitrary code execution in the kernel. (CVE-2010-2549) - Kernel-mode drivers load unspecified keyboard layers improperly, which could result in arbitrary code execution in the kernel. (CVE-2010-2743) - Kernel-mode drivers do not properly validate unspecified window class data, which could result in arbitrary code execution in the kernel. (CVE-2010-2744) |
| last seen | 2020-06-01 |
| modified | 2020-06-02 |
| plugin id | 49950 |
| published | 2010-10-13 |
| reporter | This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/49950 |
| title | MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957) |
Oval
| accepted | 2014-03-03T04:00:18.897-05:00 | ||||||||||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||||||||||
| description | Use-after-free vulnerability in the kernel-mode drivers in Microsoft Windows Vista SP1 and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges or cause a denial of service (system crash) by using a large number of calls to the NtUserCheckAccessForIntegrityLevel function to trigger a failure in the LockProcessByClientId function, leading to deletion of an in-use process object, aka "Win32k Reference Count Vulnerability." | ||||||||||||||||||||||||||||||||||||||||
| family | windows | ||||||||||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:12215 | ||||||||||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||||||||||
| submitted | 2010-08-10T13:00:00 | ||||||||||||||||||||||||||||||||||||||||
| title | Win32k Reference Count Vulnerability | ||||||||||||||||||||||||||||||||||||||||
| version | 77 |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 41280 CVE ID: CVE-2010-2549 Microsoft Windows是微软发布的非常流行的操作系统。 Vista和Server 2008系统中win32k!NtUserCheckAccessForIntegrityLevel对指定的ClientID调用 LockProcessByClientId()函数。如果这个调用失败,refcount首先会被nt!ObfDereferenceObject递减,然后再被win32k!NtUserCheckAccessForIntegrityLevel递减,导致refcount泄露。本地用户可以利用这种refcount泄露删除正在使用中的进程对象,导致获得权限提升。 Microsoft Windows Vista Microsoft Windows Server 2008 临时解决方法: * 找到HKCU\Microsoft\Windows\CurrentVersion\Security注册表项并将OurJob值更改为FALSE。 厂商补丁: Microsoft --------- 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://www.microsoft.com/technet/security/ |
| id | SSV:19906 |
| last seen | 2017-11-19 |
| modified | 2010-07-06 |
| published | 2010-07-06 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-19906 |
| title | Microsoft Windows NtUserCheckAccessForIntegrityLevel释放后使用漏洞 |
References
- http://osvdb.org/66003
- http://osvdb.org/66003
- http://seclists.org/fulldisclosure/2010/Jul/3
- http://seclists.org/fulldisclosure/2010/Jul/3
- http://secunia.com/advisories/40421
- http://secunia.com/advisories/40421
- http://www.exploit-db.com/exploits/14156
- http://www.exploit-db.com/exploits/14156
- http://www.securityfocus.com/bid/41280
- http://www.securityfocus.com/bid/41280
- http://www.us-cert.gov/cas/techalerts/TA10-285A.html
- http://www.us-cert.gov/cas/techalerts/TA10-285A.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/60120
- https://exchange.xforce.ibmcloud.com/vulnerabilities/60120
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12215
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12215