CVE-2011-2005 - Unspecified vulnerability in Microsoft Windows Server 2003 and Windows XP
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | HIGH |
Availability impact | HIGH |
Summary
afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 3 |
Exploit-Db
description | MS11-080 AfdJoinLeaf Privilege Escalation. CVE-2011-2005. Local exploit for windows platform |
id | EDB-ID:21844 |
last seen | 2016-02-02 |
modified | 2012-10-10 |
published | 2012-10-10 |
reporter | metasploit |
source | https://www.exploit-db.com/download/21844/ |
title | Windows - AfdJoinLeaf Privilege Escalation MS11-080 |

description | Microsoft Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit (MS11-080). CVE-2011-2005. Local exploit for windows platform |
id | EDB-ID:18176 |
last seen | 2016-02-02 |
modified | 2011-11-30 |
published | 2011-11-30 |
reporter | ryujin |
source | https://www.exploit-db.com/download/18176/ |
title | Microsoft Windows XP/2003 Afd.sys - Local Privilege Escalation Exploit MS11-080 |
Metasploit
description | This module exploits a flaw in the AfdJoinLeaf function of the afd.sys driver to overwrite data in kernel space. An address within the HalDispatchTable is overwritten and when triggered with a call to NtQueryIntervalProfile will execute shellcode. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process before restoring its own token to avoid causing system instability. |
id | MSF:EXPLOIT/WINDOWS/LOCAL/MS11_080_AFDJOINLEAF |
last seen | 2020-06-07 |
modified | 2018-10-28 |
published | 2012-09-26 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms11_080_afdjoinleaf.rb |
title | MS11-080 AfdJoinLeaf Privilege Escalation |
Msbulletin
bulletin_id | MS11-080 |
bulletin_url | |
date | 2011-10-11T00:00:00 |
impact | Elevation of Privilege |
knowledgebase_id | 2592799 |
knowledgebase_url | |
severity | Important |
title | Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege |
Nessus
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS11-080.NASL |
description | The remote Windows host contains a version of the Ancillary Function Driver (afd.sys) that does not properly validate input before passing it from user mode to the kernel. An attacker with local access to the affected system could exploit this issue to execute arbitrary code in kernel mode and take complete control of the affected system. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 56454 |
published | 2011-10-11 |
reporter | This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/56454 |
title | MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799) |
Oval
accepted | 2011-11-28T04:00:30.241-05:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability." |
family | windows |
id | oval:org.mitre.oval:def:13114 |
status | accepted |
submitted | 2011-10-11T13:00:00 |
title | Ancillary Function Driver Elevation of Privilege Vulnerability |
version | 42 |
Packetstorm
data source | https://packetstormsecurity.com/files/download/117077/ms11_080_afdjoinleaf.rb.txt |
id | PACKETSTORM:117077 |
last seen | 2016-12-05 |
published | 2012-10-03 |
reporter | Matteo Memelli |
source | https://packetstormsecurity.com/files/117077/MS11-080-AfdJoinLeaf-Privilege-Escalation.html |
title | MS11-080 AfdJoinLeaf Privilege Escalation |

data source | https://packetstormsecurity.com/files/download/107402/ms11-080.txt |
id | PACKETSTORM:107402 |
last seen | 2016-12-05 |
published | 2011-11-30 |
reporter | Matteo Memelli |
source | https://packetstormsecurity.com/files/107402/MS11-080-Afd.sys-Privilege-Escalation.html |
title | MS11-080 Afd.sys Privilege Escalation |
Seebug
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:24269 |
last seen | 2017-11-19 |
modified | 2011-12-01 |
published | 2011-12-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-24269 |
title | MS11-080 Afd.sys Privilege Escalation Exploit( CVE-2011-2005) |

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:72372 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-72372 |
title | Windows Afd.sys - Privilege Escalation Exploit (MS11-080) |

bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:75663 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-75663 |
title | MS11-080 AfdJoinLeaf Privilege Escalation |
References
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-080
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13114