Vulnerabilities > CVE-2011-2005 - Unspecified vulnerability in Microsoft Windows Server 2003 and Windows XP

CVSS 7.8 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

microsoft

nessus

exploit available

metasploit

NVD

Published: 2011-10-12

Updated: 2024-07-09

Summary

afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."

Vulnerable Configurations

Part	Description	Count
OS	Microsoft Microsoft Windows XP - Microsoft Windows Server 2003 -	3

Exploit-Db

description	MS11-080 AfdJoinLeaf Privilege Escalation. CVE-2011-2005. Local exploit for windows platform
id	EDB-ID:21844
last seen	2016-02-02
modified	2012-10-10
published	2012-10-10
reporter	metasploit
source	https://www.exploit-db.com/download/21844/
title	Windows - AfdJoinLeaf Privilege Escalation MS11-080

description	Microsoft Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit (MS11-080). CVE-2011-2005. Local exploit for windows platform
id	EDB-ID:18176
last seen	2016-02-02
modified	2011-11-30
published	2011-11-30
reporter	ryujin
source	https://www.exploit-db.com/download/18176/
title	Microsoft Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit MS11-080

Metasploit

description	This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability.
id	MSF:EXPLOIT/WINDOWS/LOCAL/MS11_080_AFDJOINLEAF
last seen	2020-06-07
modified	2018-10-28
published	2012-09-26
references	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2005 http://www.offensive-security.com/vulndev/ms11-080-voyage-into-ring-zero/
reporter	Rapid7
source	https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms11_080_afdjoinleaf.rb
title	MS11-080 AfdJoinLeaf Privilege Escalation

Msbulletin

bulletin_id	MS11-080
bulletin_url
date	2011-10-11T00:00:00
impact	Elevation of Privilege
knowledgebase_id	2592799
knowledgebase_url
severity	Important
title	Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege

Nessus

NASL family	Windows : Microsoft Bulletins
NASL id	SMB_NT_MS11-080.NASL
description	The remote Windows host contains a version of the Ancillary Function Driver (afd.sys) that does not properly validate input before passing it from user mode to the kernel. An attacker with local access to the affected system could exploit this issue to execute arbitrary code in kernel mode and take complete control of the affected system.
last seen	2020-06-01
modified	2020-06-02
plugin id	56454
published	2011-10-11
reporter	This script is Copyright (C) 2011-2018 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/56454
title	MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(56454); script_version("1.23"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id("CVE-2011-2005"); script_bugtraq_id(49941); script_xref(name:"MSFT", value:"MS11-080"); script_xref(name:"EDB-ID", value:"18176"); script_xref(name:"EDB-ID", value:"21844"); script_xref(name:"MSKB", value:"2592799"); script_name(english:"MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)"); script_summary(english:"Checks version of Afd.sys"); script_set_attribute( attribute:"synopsis", value: "The remote Windows host contains a driver that allows privilege escalation." ); script_set_attribute( attribute:"description", value: "The remote Windows host contains a version of the Ancillary Function Driver (afd.sys) that does not properly validate input before passing it from user mode to the kernel. An attacker with local access to the affected system could exploit this issue to execute arbitrary code in kernel mode and take complete control of the affected system." ); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-080"); script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2003."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'MS11-080 AfdJoinLeaf Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"vuln_publication_date", value:"2011/10/11"); script_set_attribute(attribute:"patch_publication_date", value:"2011/10/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/11"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, 'Host/patch_management_checks'); exit(0); } include("audit.inc"); include("smb_hotfixes_fcheck.inc"); include("smb_hotfixes.inc"); include("smb_func.inc"); include("misc_func.inc"); get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible"); bulletin = 'MS11-080'; kb = "2592799"; kbs = make_list(kb); if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1); if (hotfix_check_sp_range(xp:'3', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); if ( # Windows 2003 / XP 64-bit hotfix_is_vulnerable(os:"5.2", sp:2, file:"Afd.sys", version:"5.2.3790.4898", dir:"\system32\drivers", bulletin:bulletin, kb:kb) \|\| # Windows XP 32-bit hotfix_is_vulnerable(os:"5.1", sp:3, file:"Afd.sys", version:"5.1.2600.6142", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ) { set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }

Oval

accepted

2011-11-28T04:00:30.241-05:00

class

vulnerability

contributors

name	Dragos Prisaca
organization	Symantec Corporation

definition_extensions

comment Microsoft Windows XP (x86) SP3 is installed
oval oval:org.mitre.oval:def:5631
comment Microsoft Windows XP x64 Edition SP2 is installed
oval oval:org.mitre.oval:def:4193
comment Microsoft Windows Server 2003 SP2 (x86) is installed
oval oval:org.mitre.oval:def:1935
comment Microsoft Windows Server 2003 SP2 (x64) is installed
oval oval:org.mitre.oval:def:2161
comment Microsoft Windows Server 2003 (ia64) SP2 is installed
oval oval:org.mitre.oval:def:1442

description

family

windows

oval:org.mitre.oval:def:13114

status

accepted

submitted

2011-10-11T13:00:00

title

Ancillary Function Driver Elevation of Privilege Vulnerability

version

Packetstorm

data source	https://packetstormsecurity.com/files/download/117077/ms11_080_afdjoinleaf.rb.txt
id	PACKETSTORM:117077
last seen	2016-12-05
published	2012-10-03
reporter	Matteo Memelli
source	https://packetstormsecurity.com/files/117077/MS11-080-AfdJoinLeaf-Privilege-Escalation.html
title	MS11-080 AfdJoinLeaf Privilege Escalation

data source	https://packetstormsecurity.com/files/download/107402/ms11-080.txt
id	PACKETSTORM:107402
last seen	2016-12-05
published	2011-11-30
reporter	Matteo Memelli
source	https://packetstormsecurity.com/files/107402/MS11-080-Afd.sys-Privilege-Escalation.html
title	MS11-080 Afd.sys Privilege Escalation

Seebug

bulletinFamily	exploit
description	No description provided by source.
id	SSV:24269
last seen	2017-11-19
modified	2011-12-01
published	2011-12-01
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-24269
title	MS11-080 Afd.sys Privilege Escalation Exploit( CVE-2011-2005)

bulletinFamily	exploit
description	No description provided by source.
id	SSV:72372
last seen	2017-11-19
modified	2014-07-01
published	2014-07-01
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-72372
title	Windows Afd.sys - Privilege Escalation Exploit (MS11-080)

bulletinFamily	exploit
description	No description provided by source.
id	SSV:75663
last seen	2017-11-19
modified	2014-07-01
published	2014-07-01
reporter	Root
source	https://www.seebug.org/vuldb/ssvid-75663
title	MS11-080 AfdJoinLeaf Privilege Escalation

Summary

Vulnerable Configurations

Exploit-Db

Metasploit

Msbulletin

Nessus

Oval

Packetstorm

Seebug

References