CVE-2012-1868 - Race Condition vulnerability in Microsoft Windows XP

CVSS 6.9 - MEDIUM
Attack vector: LOCAL
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
local
microsoft
CWE-362
nessus

Summary

Race condition in the thread-creation implementation in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP3 allows local users to gain privileges via a crafted application, aka "Win32k.sys Race Condition Vulnerability."

Vulnerable Configurations

Part | Description | Count
OS   | Microsoft   | 1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race", modifying the resource and altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time a resource's state is checked and the time the resource is used. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he modifies the resource between the first time the target program accesses the file and the time the target program uses it. During that window, the attacker could, for example, replace the file and cause an escalation of privilege.

Msbulletin

bulletin_id: MS12-041
bulletin_url:
date: 2012-06-12T00:00:00
impact: Elevation of Privilege
knowledgebase_id: 2709162
knowledgebase_url:
severity: Important
title: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS12-041.NASL
description: The remote Windows host is affected by several vulnerabilities in the Kernel-Mode drivers that could allow elevation of privilege: (1) Flaws in the way the Windows kernel-mode drivers manage driver objects could be exploited to execute arbitrary code in kernel mode (CVE-2012-1864, CVE-2012-1865, CVE-2012-1866). (2) Windows kernel-mode drivers do not properly allocate memory when handling fonts, which could be exploited to execute arbitrary code in kernel mode (CVE-2012-1867). (3) A race condition exists in the way that the kernel deals with specific thread creation attempts. This could be exploited to execute arbitrary code in kernel mode (CVE-2012-1868).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 59459
published: 2012-06-13
reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/59459
title: MS12-041: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(59459);
  script_version("1.18");
  script_cvs_date("Date: 2019/12/04");

  script_cve_id(
    "CVE-2012-1864",
    "CVE-2012-1865",
    "CVE-2012-1866",
    "CVE-2012-1867",
    "CVE-2012-1868"
  );
  script_bugtraq_id(
    53815,
    53816,
    53817,
    53819,
    53820
  );
  script_xref(name:"MSFT", value:"MS12-041");
  script_xref(name:"MSKB", value:"2709162");

  script_name(english:"MS12-041: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162)");
  script_summary(english:"Checks version of win32k.sys");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host is affected by multiple privilege escalation
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is affected by several vulnerabilities in the
Kernel-Mode drivers that could allow elevation of privilege :

  - Flaws in the way the Windows kernel-mode drivers manage
    driver objects could be exploited to execute arbitrary
    code in kernel mode. (CVE-2012-1864, CVE-2012-1865,
    CVE-2012-1866)

  - Windows kernel-mode drivers do not properly allocate
    memory when handling fonts, which could be exploited to
    execute arbitrary code in kernel mode. (CVE-2012-1867)

  - A race condition exists in the way that the kernel deals
    with specific thread creation attempts.  This could be
    exploited to execute arbitrary code in kernel mode.
    (CVE-2012-1868)");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2012/ms12-041");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, and 2008 R2.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2012-1867");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2012/06/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2012/06/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/06/13");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS12-041';
kb = '2709162';
kbs = make_list(kb);

if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 7 / 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.21995", min_version:"6.1.7601.21000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.17842", min_version:"6.1.7601.17000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Win32k.sys", version:"6.1.7600.21215", min_version:"6.1.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Win32k.sys", version:"6.1.7600.17024", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows Vista / 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.22860", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.18633", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 / XP 64-bit
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.5004", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP 32-bit
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Win32k.sys", version:"5.1.2600.6228", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted: 2012-07-30T04:00:32.601-04:00
class: vulnerability
contributors:
  name: SecPod Team
  organization: SecPod Technologies
definition_extensions:
  comment: Microsoft Windows XP (x86) SP3 is installed
  oval: oval:org.mitre.oval:def:5631
description: Race condition in the thread-creation implementation in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP3 allows local users to gain privileges via a crafted application, aka "Win32k.sys Race Condition Vulnerability."
family: windows
id: oval:org.mitre.oval:def:15647
status: accepted
submitted: 2012-06-18T13:31:23
title: Win32k.sys Race Condition Vulnerability (CVE-2012-1868)
version: 71

Seebug

bulletinFamily: exploit
description: CVE ID: CVE-2012-1868. Microsoft Windows is a series of operating systems released by Microsoft. A privilege escalation vulnerability exists in the way the Windows kernel handles specific thread creation; successful exploitation can allow arbitrary code to run in kernel mode. Affected: Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Vista, Microsoft Server 2008, Microsoft Windows 7. Vendor patch: Microsoft has released a security bulletin (ms12-041) and the corresponding patch for this issue: ms12-041: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2709162). Link: http://www.microsoft.com/technet/security/bulletin/ms12-041.asp
id: SSV:60208
last seen: 2017-11-19
modified: 2012-06-13
published: 2012-06-13
reporter: Root
title: Windows Kernel-Mode Drivers Win32k.sys Race Condition Vulnerability (CVE-2012-1868) (MS12-041)