CERT-In Vulnerability Note CIVN-2009-32
Microsoft Windows Kernel Code Execution and Privilege Escalation Vulnerabilities
Original Issue Date: March 12, 2009
Severity Rating: High
Systems Affected
- Windows Server 2008 for Itanium-based Systems
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for 32-bit Systems
- Windows Vista x64 Edition SP1 and prior
- Windows Vista SP1 and prior
- Windows Server 2003 64-bit (Itanium) SP2 and prior
- Windows Server 2003 x64 Edition SP2 and prior
- Windows Server 2003 SP2 and prior
- Windows XP Professional x64 Edition SP2 and prior
- Windows XP SP3 and prior
- Windows 2000 SP4 and prior
Overview
Multiple input validation vulnerabilities have been reported in the Windows kernel. One allows arbitrary code execution through the GDI component; the others are privilege escalations that allow local users to run arbitrary code in kernel mode.
Successful exploitation allows the attacker to execute arbitrary code on the system in kernel mode, which could result in a full system compromise.
Description
1. Windows Kernel Input Validation Vulnerability
(CVE-2009-0081)
The vulnerability exists in the graphics device interface (GDI) implementation in the kernel in Microsoft Windows that does not properly validate input received from user mode, which allows remote attackers to execute arbitrary code via a crafted Windows Metafile (WMF) or Enhanced Metafile (EMF) image file.
An attacker could exploit this vulnerability remotely by persuading a user to view or preview a specially crafted e-mail with an embedded WMF/EMF image file, or by convincing the user to visit a specially crafted website that hosts a WMF/EMF image file.
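As an added example that is not part of the advisory or of any Microsoft tooling, the following Python check identifies WMF and EMF content by its header structure rather than by file extension, which is the useful test when triaging mail attachments or web downloads under this advisory. The header constants are taken from the public WMF/EMF format specifications; the attachment samples are constructed.

```python
import struct

# Header constants from the public WMF and EMF format specifications (not from the advisory).
WMF_PLACEABLE_KEY = 0x9AC6CDD7  # placeable WMF header Key, stored as a little-endian DWORD
EMF_SIGNATURE = 0x464D4520      # ENHMETAHEADER.dSignature, the " EMF" marker at offset 40


def detect_metafile(data: bytes):
    """Return 'WMF-placeable', 'WMF', 'EMF', or None, judging by header structure, not file name."""
    if len(data) >= 4 and struct.unpack_from('<I', data, 0)[0] == WMF_PLACEABLE_KEY:
        return 'WMF-placeable'
    if len(data) >= 6:
        # Standard METAHEADER: Type 1 (memory) or 2 (disk), HeaderSize 9 words, Version 0x100/0x300.
        mtype, hsize, version = struct.unpack_from('<HHH', data, 0)
        if mtype in (1, 2) and hsize == 9 and version in (0x0100, 0x0300):
            return 'WMF'
    if len(data) >= 44:
        # EMR_HEADER: record type 1, " EMF" signature right after the two bounding rectangles.
        rtype = struct.unpack_from('<I', data, 0)[0]
        if rtype == 1 and struct.unpack_from('<I', data, 40)[0] == EMF_SIGNATURE:
            return 'EMF'
    return None


def scan_attachments(attachments):
    """Return (name, kind, extension_matches) for every attachment that carries a metafile."""
    findings = []
    for name, data in attachments:
        kind = detect_metafile(data)
        if kind is None:
            continue
        # A metafile whose name claims another type (e.g. .jpg) is the case worth alerting on.
        ext = name.rsplit('.', 1)[-1].lower() if '.' in name else ''
        expected = 'emf' if kind == 'EMF' else 'wmf'
        findings.append((name, kind, ext == expected))
    return findings


# Constructed sample attachments: minimal headers only, no drawing records.
SAMPLE_EMF = struct.pack('<II', 1, 108) + b'\x00' * 32 + struct.pack('<I', EMF_SIGNATURE) + b'\x00' * 64
SAMPLE_WMF = struct.pack('<HHH', 2, 9, 0x0300) + b'\x00' * 12
SAMPLE_PLACEABLE_WMF = struct.pack('<I', WMF_PLACEABLE_KEY) + b'\x00' * 18 + SAMPLE_WMF
SAMPLE_PNG = b'\x89PNG\r\n\x1a\n' + b'\x00' * 16
SAMPLE_ATTACHMENTS = [
    ('invoice.jpg', SAMPLE_EMF),         # metafile disguised with an image extension
    ('logo.wmf', SAMPLE_PLACEABLE_WMF),  # honestly named metafile
    ('photo.png', SAMPLE_PNG),           # not a metafile, must not be reported
]
```

Running scan_attachments(SAMPLE_ATTACHMENTS) reports the two metafiles and flags the one hiding behind a .jpg name.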
Workaround
- Turn off metafile processing by creating/modifying the following registry value:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\GRE_Initialize\DisableMetaFiles = 1
- Read e-mails in plain text
For detailed steps and impact of applying these workarounds refer to Microsoft Security Bulletin MS09-006.
2. Windows Kernel Handle Validation Vulnerability
(CVE-2009-0082)
The vulnerability is due to an error in the way the Windows kernel validates handles.
A local attacker could exploit the vulnerability to execute arbitrary code on the system in kernel mode. After successful exploitation the attacker could gain elevated privileges and completely compromise a vulnerable system.
3. Windows Kernel Invalid Pointer Vulnerability
(CVE-2009-0083)
The vulnerability is due to an error in the way the Windows kernel handles invalid pointers.
A local attacker could exploit this error by running a malicious program that is designed to submit an invalid pointer to the Windows kernel. When processed, the pointer could trigger the execution of arbitrary code in kernel mode, allowing the attacker to completely compromise a vulnerable host.
Windows 2000 SP4 and prior, Windows XP SP3 and prior, Windows XP Professional x64 Edition, and Windows Server 2003 SP1 and prior are affected by this vulnerability.
Note: To exploit the vulnerabilities CVE-2009-0082 and CVE-2009-0083, an attacker must have valid logon credentials and be able to log on locally to a vulnerable system.
This update replaces Microsoft Security Bulletin MS08-061.
Solution
Apply appropriate patches as mentioned in Microsoft Security Bulletin MS09-006.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-006.mspx
References
Microsoft
http://www.microsoft.com/technet/security/Bulletin/MS09-006.mspx
http://www.microsoft.com/technet/security/Bulletin/MS08-061.mspx
http://msdn.microsoft.com/en-us/library/ms536391.aspx
http://msdn.microsoft.com/en-us/library/aa286572.aspx
ISS X-Force
http://www.iss.net/threats/321.html
CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=17745
http://tools.cisco.com/security/center/viewAlert.x?alertId=17746
http://tools.cisco.com/security/center/viewAlert.x?alertId=17747
CVE Name
CVE-2009-0081
CVE-2009-0082
CVE-2009-0083
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003