CVE-2010-2549 - Resource Management Errors vulnerability in Microsoft Windows Server 2008 and Windows Vista

CVSS 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
microsoft
CWE-399
nessus
exploit available

Summary

Use-after-free vulnerability in the kernel-mode drivers in Microsoft Windows Vista SP1 and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges or cause a denial of service (system crash) by using a large number of calls to the NtUserCheckAccessForIntegrityLevel function to trigger a failure in the LockProcessByClientId function, leading to deletion of an in-use process object, aka "Win32k Reference Count Vulnerability."

Vulnerable Configurations

| Part | Description | Count |
|------|-------------|-------|
| OS   | Microsoft   | 8     |

Common Weakness Enumeration (CWE)

Exploit-Db

description: Windows Vista/Server 2008 NtUserCheckAccessForIntegrityLevel Use-after-free Vulnerability. CVE-2010-2549. Dos exploit for windows platform
file: exploits/windows/dos/14156.txt
id: EDB-ID:14156
last seen: 2016-02-01
modified: 2010-07-01
platform: windows
port:
published: 2010-07-01
reporter: MSRC
source: https://www.exploit-db.com/download/14156/
title: Windows Vista/Server 2008 NtUserCheckAccessForIntegrityLevel Use-after-free Vulnerability
type: dos

Msbulletin

bulletin_id: MS10-073
bulletin_url:
date: 2010-10-12T00:00:00
impact: Elevation of Privilege
knowledgebase_id: 981957
knowledgebase_url:
severity: Important
title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS10-073.NASL
description: The remote Windows host is running a version of the Windows kernel that is affected by the following vulnerabilities :
  - A reference count leak, which could result in arbitrary code execution in the kernel. (CVE-2010-2549)
  - Kernel-mode drivers load unspecified keyboard layers improperly, which could result in arbitrary code execution in the kernel. (CVE-2010-2743)
  - Kernel-mode drivers do not properly validate unspecified window class data, which could result in arbitrary code execution in the kernel. (CVE-2010-2744)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 49950
published: 2010-10-13
reporter: This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/49950
title: MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (981957)

Oval

accepted: 2014-03-03T04:00:18.897-05:00
class: vulnerability
contributors:
  • name: Josh Turpin
    organization: Symantec Corporation
  • name: Josh Turpin
    organization: Symantec Corporation
  • name: Maria Mikhno
    organization: ALTX-SOFT
definition_extensions:
  • comment: Microsoft Windows Vista (32-bit) Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:4873
  • comment: Microsoft Windows Server 2008 (32-bit) is installed
    oval: oval:org.mitre.oval:def:4870
  • comment: Microsoft Windows Vista x64 Edition Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:5254
  • comment: Microsoft Windows Server 2008 (64-bit) is installed
    oval: oval:org.mitre.oval:def:5356
  • comment: Microsoft Windows Server 2008 (ia-64) is installed
    oval: oval:org.mitre.oval:def:5667
  • comment: Microsoft Windows Vista (32-bit) Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6124
  • comment: Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6216
  • comment: Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:5653
  • comment: Microsoft Windows Vista x64 Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:5594
  • comment: Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6150
description: Use-after-free vulnerability in the kernel-mode drivers in Microsoft Windows Vista SP1 and SP2 and Server 2008 Gold and SP2 allows local users to gain privileges or cause a denial of service (system crash) by using a large number of calls to the NtUserCheckAccessForIntegrityLevel function to trigger a failure in the LockProcessByClientId function, leading to deletion of an in-use process object, aka "Win32k Reference Count Vulnerability."
family: windows
id: oval:org.mitre.oval:def:12215
status: accepted
submitted: 2010-08-10T13:00:00
title: Win32k Reference Count Vulnerability
version: 77

Seebug

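bulletinFamily: exploit
description: BUGTRAQ ID: 41280 CVE ID: CVE-2010-2549

  Microsoft Windows is a very popular operating system released by Microsoft. On Vista and Server 2008, win32k!NtUserCheckAccessForIntegrityLevel calls the LockProcessByClientId() function on the specified ClientID. If this call fails, the refcount is first decremented by nt!ObfDereferenceObject and then decremented again by win32k!NtUserCheckAccessForIntegrityLevel, resulting in a refcount leak. A local user can use this refcount leak to delete a process object that is still in use, leading to privilege escalation.

  Affected systems: Microsoft Windows Vista, Microsoft Windows Server 2008

  Workaround:
  * Locate the HKCU\Microsoft\Windows\CurrentVersion\Security registry key and change the OurJob value to FALSE.

  Vendor patch (Microsoft): The vendor has not yet provided a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version: http://www.microsoft.com/technet/security/
id: SSV:19906
last seen: 2017-11-19
modified: 2010-07-06
published: 2010-07-06
reporter: Root
source: https://www.seebug.org/vuldb/ssvid-19906
title: Microsoft Windows NtUserCheckAccessForIntegrityLevel Use-After-Free Vulnerability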