CVE-2013-1292 - Race Condition vulnerability in Microsoft products


Summary

Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT allows local users to gain privileges via a crafted application that leverages improper handling of objects in memory, aka "Win32k Race Condition Vulnerability."

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition that occurs when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race": modifying the resource and thereby altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his own version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition that occurs between the time of check (of the state) of a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that he modifies the resource between the first time the target program accesses the file and the time the target program uses it. During that period, the attacker could do something such as replace the file and cause an escalation of privilege.

Msbulletin

bulletin_id: MS13-036
bulletin_url:
date: 2013-04-09T00:00:00
impact: Elevation of Privilege
knowledgebase_id: 2829996
knowledgebase_url:
severity: Important
title: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS13-036.NASL
description: The Windows kernel on the remote host has the following vulnerabilities:
  • Multiple race condition vulnerabilities exist. (CVE-2013-1283, CVE-2013-1292)
  • A font parsing vulnerability exists. (CVE-2013-1291)
  • An NTFS NULL pointer dereference vulnerability exists. (CVE-2013-1293)
  A local attacker could exploit any of these vulnerabilities to elevate privileges.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 65883
published: 2013-04-10
reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/65883
title: MS13-036: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2829996)
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(65883);
  script_version("1.14");
  script_cvs_date("Date: 2019/11/27");

  script_cve_id(
    "CVE-2013-1283",
    "CVE-2013-1291",
    "CVE-2013-1292",
    "CVE-2013-1293"
  );
  script_bugtraq_id(
    58853,
    58858,
    58859,
    58860
  );
  script_xref(name:"MSFT", value:"MS13-036");
  script_xref(name:"MSKB", value:"2808735");
  script_xref(name:"MSKB", value:"2840149");

  script_name(english:"MS13-036: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2829996)");
  script_summary(english:"Checks file version of Win32k.sys and Ntfs.sys");

  script_set_attribute(attribute:"synopsis", value:
"The Windows kernel on the remote host is affected by multiple
vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The Windows kernel on the remote host has the following
vulnerabilities :

  - Multiple race condition vulnerabilities exist.
    (CVE-2013-1283, CVE-2013-1292)

  - A font parsing vulnerability exists. (CVE-2013-1291)

  - An NTFS NULL pointer dereference vulnerability exists.
    (CVE-2013-1293)

A local attacker could exploit any of these vulnerabilities to elevate
privileges.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-036");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, 2008 R2, 8, and 2012.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-1293");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/09");
  script_set_attribute(attribute:"patch_publication_date", value:"2013/04/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/10");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible');

bulletin = 'MS13-036';

# nb: Microsoft pulled KB 2823324; it was replaced with KB 2840149
kbs = make_list('2808735', '2840149');
if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1);
if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'0,1', win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

vuln = 0;
########## KB2808735 ###########
#  Windows XP SP3,             #
#  Windows XP SP2 x64,         #
#  Windows 2003 SP2,           #
#  Windows Vista SP2,          #
#  Windows 7,                  #
#  Windows Server 2008 SP2,    #
#  Windows Server 2008 R2      #
#  Windows Server 8            #
#  Windows Server 2012         #
################################
if (
  # Windows 8 / Windows Server 2012
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.20663", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:'2808735') ||
  hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.16559", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:'2808735') ||

  # Windows 7 and Windows Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.22271", min_version:"6.1.7601.20000", dir:"\system32", bulletin:bulletin, kb:'2808735') ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.18105", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:'2808735') ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Win32k.sys", version:"6.1.7600.21482", min_version:"6.1.7600.20000", dir:"\system32", bulletin:bulletin, kb:'2808735') ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Win32k.sys", version:"6.1.7600.17266", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:'2808735') ||

  # Vista / Windows 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.23071", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:'2808735') ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.18800", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:'2808735') ||

  # Windows 2003 / XP x64
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.5134",  dir:"\system32", bulletin:bulletin, kb:'2808735') ||

  # Windows XP x86
  hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Win32k.sys", version:"5.1.2600.6364", dir:"\system32", bulletin:bulletin, kb:'2808735')
) vuln++;

########## KB2840149 ###########
#  Windows Vista SP2,          #
#  Windows 7,                  #
#  Windows Server 2008 SP2,    #
#  Windows Server 2008 R2      #
################################
if (
  # Windows 7 and Windows Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Ntfs.sys", version:"6.1.7601.22297", min_version:"6.1.7601.20000", dir:"\system32\drivers", bulletin:bulletin, kb:'2840149') ||
  hotfix_is_vulnerable(os:"6.1", sp:1, file:"Ntfs.sys", version:"6.1.7601.18127", min_version:"6.1.7600.16000", dir:"\system32\drivers", bulletin:bulletin, kb:'2840149') ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Ntfs.sys", version:"6.1.7600.21499", min_version:"6.1.7600.20000", dir:"\system32\drivers", bulletin:bulletin, kb:'2840149') ||
  hotfix_is_vulnerable(os:"6.1", sp:0, file:"Ntfs.sys", version:"6.1.7600.17281", min_version:"6.1.7600.16000", dir:"\system32\drivers", bulletin:bulletin, kb:'2840149') ||

  # Vista / Windows 2008
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Ntfs.sys", version:"6.0.6002.23070", min_version:"6.0.6002.22000", dir:"\system32\drivers", bulletin:bulletin, kb:'2840149') ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Ntfs.sys", version:"6.0.6002.18799", min_version:"6.0.6002.18000", dir:"\system32\drivers", bulletin:bulletin, kb:'2840149')
) vuln++;

if (vuln > 0)
{
  set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted: 2014-03-03T04:00:56.554-05:00
class: vulnerability
contributors:
  • name: SecPod Team
    organization: SecPod Technologies
  • name: Sharath S
    organization: SecPod Technologies
  • name: Bhavya K
    organization: SecPod Technologies
  • name: Maria Mikhno
    organization: ALTX-SOFT
definition_extensions:
  • comment: Microsoft Windows Vista (32-bit) Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6124
  • comment: Microsoft Windows Vista x64 Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:5594
  • comment: Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:5653
  • comment: Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6150
  • comment: Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed
    oval: oval:org.mitre.oval:def:6216
  • comment: Microsoft Windows 7 is installed
    oval: oval:org.mitre.oval:def:12541
  • comment: Microsoft Windows Server 2008 R2 is installed
    oval: oval:org.mitre.oval:def:12754
  • comment: Microsoft Windows 7 (32-bit) Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12292
  • comment: Microsoft Windows 7 x64 Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12627
  • comment: Microsoft Windows Server 2008 R2 x64 Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12567
  • comment: Microsoft Windows Server 2008 R2 Itanium-Based Edition Service Pack 1 is installed
    oval: oval:org.mitre.oval:def:12583
  • comment: Microsoft Windows 8 is installed
    oval: oval:org.mitre.oval:def:15732
  • comment: Microsoft Windows Server 2012 is installed
    oval: oval:org.mitre.oval:def:16359
description: Race condition in win32k.sys in the kernel-mode drivers in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, Windows 7 Gold and SP1, Windows 8, Windows Server 2012, and Windows RT allows local users to gain privileges via a crafted application that leverages improper handling of objects in memory, aka "Win32k Race Condition Vulnerability."
family: windows
id: oval:org.mitre.oval:def:16575
status: accepted
submitted: 2013-04-10T11:39:28
title: Microsoft Windows Kernel-Mode Driver privilege elevation vulnerability (CVE-2013-1292) - MS13-036
version: 78

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 58859. CVE(CAN) ID: CVE-2013-1292. Microsoft Windows is a family of operating systems developed by Microsoft. An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploits this vulnerability could gain elevated privileges and read arbitrary memory. Microsoft Windows Vista, Microsoft Windows Server 2008, Microsoft Windows 7. Vendor patch: Microsoft has released a security bulletin (MS13-036) and the corresponding patches: MS13-036: Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996). Link: http://technet.microsoft.com/security/bulletin/MS13-036
id: SSV:60728
last seen: 2017-11-19
modified: 2013-04-11
published: 2013-04-11
reporter: Root
title: Microsoft Windows 'Win32k.sys' Local Privilege Escalation Vulnerability (CVE-2013-1292) (MS13-036)