Vulnerabilities > CVE-2013-3660 - Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Microsoft products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability."
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| OS | 10 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Overflow Buffers Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
- Client-side Injection-induced Buffer Overflow This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
- Filter Failure through Buffer Overflow In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
- MIME Conversion An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
Exploit-Db
description Win32k!EPATHOBJ::pprFlattenRec Uninitialized Next Pointer Testcase. CVE-2013-3130,CVE-2013-3660,CVE-2013-3661. Dos exploit for windows platform file exploits/windows/dos/25611.txt id EDB-ID:25611 last seen 2016-02-03 modified 2013-05-21 platform windows port published 2013-05-21 reporter Tavis Ormandy source https://www.exploit-db.com/download/25611/ title Win32k!EPATHOBJ::pprFlattenRec Uninitialized Next Pointer Testcase type dos description Windows NT/2K/XP/2K3/Vista/2K8/7/8 - EPATHOBJ Local Ring Exploit. CVE-2013-3130,CVE-2013-3660,CVE-2013-3661. Local exploit for windows platform id EDB-ID:25912 last seen 2016-02-03 modified 2013-06-03 published 2013-06-03 reporter Tavis Ormandy source https://www.exploit-db.com/download/25912/ title Windows NT/2K/XP/2K3/Vista/2K8/7/8 - EPATHOBJ Local Ring Exploit description Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation. CVE-2013-3130,CVE-2013-3660,CVE-2013-3661. Local exploit for windows platform id EDB-ID:26554 last seen 2016-02-03 modified 2013-07-02 published 2013-07-02 reporter metasploit source https://www.exploit-db.com/download/26554/ title Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation
Metasploit
| description | This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage of uninitialized data which allows to corrupt memory. At the moment, the module has been tested successfully on Windows XP SP3, Windows 2003 SP1, and Windows 7 SP1. |
| id | MSF:EXPLOIT/WINDOWS/LOCAL/PPR_FLATTEN_REC |
| last seen | 2020-06-04 |
| modified | 2018-11-25 |
| published | 2013-06-29 |
| references | |
| reporter | Rapid7 |
| source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ppr_flatten_rec.rb |
| title | Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation |
Msbulletin
| bulletin_id | MS13-053 |
| bulletin_url | |
| date | 2013-07-09T00:00:00 |
| impact | Remote Code Execution |
| knowledgebase_id | 2850851 |
| knowledgebase_url | |
| severity | Critical |
| title | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution |
Nessus
NASL family Windows : Microsoft Bulletins NASL id SMB_NT_MS13-053.NASL description The Windows kernel on the remote host has the following vulnerabilities : - A memory allocation vulnerability exists. (CVE-2013-1300) - A dereference vulnerability exists. (CVE-2013-1340) - A privilege escalation vulnerability exists in the Windows kernel-mode driver. (CVE-2013-1345) - A TrueType Font parsing vulnerability exists. (CVE-2013-3129) - An information disclosure vulnerability exists. (CVE-2013-3167) - A buffer overflow vulnerability exists. (CVE-2013-3173) - A flaw exists in kernel-mode drivers in how linked lists pointers are handled in PATHREC objects. (CVE-2013-3660) A remote attacker could exploit any of these vulnerabilities to elevate privileges. last seen 2020-06-01 modified 2020-06-02 plugin id 67210 published 2013-07-10 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/67210 title MS13-053: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (2850851) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(67210); script_version("1.13"); script_cvs_date("Date: 2018/11/15 20:50:31"); script_cve_id( "CVE-2013-1300", "CVE-2013-1340", "CVE-2013-1345", "CVE-2013-3129", "CVE-2013-3167", "CVE-2013-3172", "CVE-2013-3173", "CVE-2013-3660" ); script_bugtraq_id( 60051, 60946, 60947, 60948, 60949, 60950, 60951, 60978 ); script_xref(name:"EDB-ID", value:"25611"); script_xref(name:"EDB-ID", value:"25912"); script_xref(name:"EDB-ID", value:"26554"); script_xref(name:"EDB-ID", value:"33213"); script_xref(name:"MSFT", value:"MS13-053"); script_xref(name:"MSKB", value:"2850851"); script_name(english:"MS13-053: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Remote Code Execution (2850851)"); script_summary(english:"Checks file version of Win32k.sys"); script_set_attribute( attribute:"synopsis", value: "The Windows kernel on the remote host is affected by multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "The Windows kernel on the remote host has the following vulnerabilities : - A memory allocation vulnerability exists. (CVE-2013-1300) - A dereference vulnerability exists. (CVE-2013-1340) - A privilege escalation vulnerability exists in the Windows kernel-mode driver. (CVE-2013-1345) - A TrueType Font parsing vulnerability exists. (CVE-2013-3129) - An information disclosure vulnerability exists. (CVE-2013-3167) - A buffer overflow vulnerability exists. (CVE-2013-3173) - A flaw exists in kernel-mode drivers in how linked lists pointers are handled in PATHREC objects. (CVE-2013-3660) A remote attacker could exploit any of these vulnerabilities to elevate privileges." ); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-170/"); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-171/"); script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2013/ms13-053"); script_set_attribute( attribute:"solution", value: "Microsoft has released a set of patches for Windows XP, 2003, Vista, 2008, 7, 2008 R2, 8, and 2012." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"exploited_by_malware", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/17"); script_set_attribute(attribute:"patch_publication_date", value:"2013/07/09"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/10"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows : Microsoft Bulletins"); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl"); script_require_keys("SMB/MS_Bulletin_Checks/Possible"); script_require_ports(139, 445, "Host/patch_management_checks"); exit(0); } include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); get_kb_item_or_exit('SMB/MS_Bulletin_Checks/Possible'); bulletin = 'MS13-053'; kb = '2850851'; kbs = make_list(kb); if (get_kb_item('Host/patch_management_checks')) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1); if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); rootfile = hotfix_get_systemroot(); if (!rootfile) exit(1, "Failed to get the system root."); share = hotfix_path2share(path:rootfile); if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share); ########## KB2850851 ########### # Windows XP SP3, # # Windows XP SP2 x64, # # Windows 2003 SP2, # # Windows Vista SP2, # # Windows 7, # # Windows Server 2008 SP2, # # Windows Server 2008 R2 # # Windows Server 8 # # Windows Server 2012 # ################################ if ( # Windows 8 / Windows Server 2012 hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.20732", min_version:"6.2.9200.20000", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.2", sp:0, file:"Win32k.sys", version:"6.2.9200.16627", min_version:"6.2.9200.16000", dir:"\system32", bulletin:bulletin, kb:kb) || # Windows 7 and Windows Server 2008 R2 hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.22348", min_version:"6.1.7601.21000", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.1", sp:1, file:"Win32k.sys", version:"6.1.7601.18176", min_version:"6.1.7600.17000", dir:"\system32", bulletin:bulletin, kb:kb) || # Vista / Windows 2008 hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.23132", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:kb) || hotfix_is_vulnerable(os:"6.0", sp:2, file:"Win32k.sys", version:"6.0.6002.18861", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) || # Windows 2003 / XP x64 hotfix_is_vulnerable(os:"5.2", sp:2, file:"Win32k.sys", version:"5.2.3790.5174", dir:"\system32", bulletin:bulletin, kb:kb) || # Windows XP x86 hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Win32k.sys", version:"5.1.2600.6404", dir:"\system32", bulletin:bulletin, kb:kb) ) { set_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE); hotfix_security_hole(); hotfix_check_fversion_end(); exit(0); } else { hotfix_check_fversion_end(); audit(AUDIT_HOST_NOT, 'affected'); }NASL family Windows NASL id SMB_NT_CVE-2013-3660.NASL description The Microsoft Windows host has a flaw in Win32k.sys which can be exploited by local users to gain elevated privileges or trigger a denial of service condition. The issue is due to a flaw in how linked list pointers are handled in PATHREC objects. last seen 2017-10-29 modified 2013-09-28 plugin id 66878 published 2013-06-12 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=66878 title Microsoft Windows Kernel Win32k.sys PATHRECORD chain Multiple Vulnerabilities code #%NASL_MIN_LEVEL 999999 # # (C) Tenable Network Security, Inc. # # @DEPRECATED@ # # Disabled on 2013/07/10. Deprecated by smb_nt_ms13-053.nasl. include("compat.inc"); if (description) { script_id(66878); script_version("1.12"); script_cvs_date("Date: 2018/07/27 18:38:15"); script_cve_id("CVE-2013-3660", "CVE-2013-3661"); script_bugtraq_id(60051); script_xref(name:"EDB-ID", value:"25611"); script_xref(name:"EDB-ID", value:"25912"); script_name(english:"Microsoft Windows Kernel Win32k.sys PATHRECORD chain Multiple Vulnerabilities"); script_summary(english:"Checks Operating System version"); script_set_attribute(attribute:"synopsis", value:"The remote host is affected by multiple vulnerabilities."); script_set_attribute( attribute:"description", value: "The Microsoft Windows host has a flaw in Win32k.sys which can be exploited by local users to gain elevated privileges or trigger a denial of service condition. The issue is due to a flaw in how linked list pointers are handled in PATHREC objects." ); script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2013/May/91"); script_set_attribute(attribute:"see_also", value:"http://seclists.org/fulldisclosure/2013/Jun/5"); script_set_attribute(attribute:"solution", value:"There is currently no known solution for this vulnerability."); script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:H/RL:U/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/05/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/06/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2013-2018 Tenable Network Security, Inc."); script_dependencies("smb_hotfixes.nasl"); script_require_ports(139, 445); exit(0); } # Deprecated exit(0, "This plugin has been deprecated. Use smb_nt_ms13-053.nasl (plugin #67210) instead."); include("audit.inc"); include("smb_func.inc"); include("smb_hotfixes.inc"); include("smb_hotfixes_fcheck.inc"); include("misc_func.inc"); port = kb_smb_transport(); if (!get_port_state(port)) audit(AUDIT_PORT_CLOSED, port); get_kb_item_or_exit("SMB/Registry/Enumerated"); get_kb_item_or_exit('SMB/WindowsVersion', exit_code:1); if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'2', win7:'1', win8:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN); security_warning(port);
Oval
| accepted | 2013-08-26T04:00:28.729-04:00 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| contributors |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| description | The EPATHOBJ::pprFlattenRec function in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 does not properly initialize a pointer for the next object in a certain list, which allows local users to obtain write access to the PATHRECORD chain, and consequently gain privileges, by triggering excessive consumption of paged memory and then making many FlattenPath function calls, aka "Win32k Read AV Vulnerability." | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| family | windows | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| id | oval:org.mitre.oval:def:17360 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| status | accepted | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| submitted | 2013-07-15T19:34:20 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| title | Win32k Read AV Vulnerability - CVE-2013-3660 (MS13-053) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| version | 72 |
Packetstorm
| data source | https://packetstormsecurity.com/files/download/122246/ppr_flatten_rec.rb.txt |
| id | PACKETSTORM:122246 |
| last seen | 2016-12-05 |
| published | 2013-07-01 |
| reporter | Tavis Ormandy |
| source | https://packetstormsecurity.com/files/122246/Windows-EPATHOBJ-pprFlattenRec-Local-Privilege-Escalation.html |
| title | Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation |
Seebug
| bulletinFamily | exploit |
| description | No description provided by source. |
| id | SSV:80185 |
| last seen | 2017-11-19 |
| modified | 2014-07-01 |
| published | 2014-07-01 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-80185 |
| title | Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation |
The Hacker News
id THN:3FCFA5CBD357708BA46B300C9DED3EF1 last seen 2017-01-08 modified 2013-07-07 published 2013-07-07 reporter Mohit Kumar source http://thehackernews.com/2013/07/microsoft-to-patch-six-critical-remote.html title Microsoft to patch Six critical Remote Code Execution vulnerabilities this Tuesday id THN:06CAAE54C3A3DAD8D7D978231B992D1B last seen 2018-01-27 modified 2014-05-11 published 2014-05-11 reporter Swati Khandelwal source https://thehackernews.com/2014/05/beware-cyber-criminals-spreading-click.html title Beware! Cyber Criminals Spreading Click Fraud Trojan for Making Money
References
- http://twitter.com/taviso/statuses/335557286657400832
- http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0094.html
- http://www.theverge.com/2013/5/23/4358400/google-engineer-bashes-microsoft-discloses-windows-flaw
- http://www.osvdb.org/93539
- http://www.reddit.com/r/netsec/comments/1eqh66/0day_windows_kernel_epathobj_vulnerability/
- http://www.computerworld.com/s/article/9239477
- http://twitter.com/taviso/statuses/309157606247768064
- http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0090.html
- http://www.exploit-db.com/exploits/25611/
- http://secunia.com/advisories/53435
- http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0006.html
- http://www.us-cert.gov/ncas/alerts/TA13-190A
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A17360
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2013/ms13-053