CERT-In Vulnerability Note
CIVN-2013-0209
Microsoft Windows NDproxy Kernel Component Privilege Escalation Vulnerability
Original Issue Date: November 29, 2013
Severity Rating: HIGH
Systems Affected
- Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2 (32 & 64 bit)
- Windows Server 2003 with SP2 for Itanium-based Systems
Software Affected
- Adobe Reader 9.5.4
- Adobe Reader 10.1.6
- Adobe Reader 11.0.02
(These are the Adobe Reader versions targeted by the PDF component of the exploit chain observed in the wild; the Reader vulnerability itself was fixed by Adobe in APSB13-15, May 2013. The NDProxy kernel vulnerability is independent of Adobe Reader and affects the Windows versions listed above.)
Overview
A local privilege escalation vulnerability has been reported in the Microsoft Windows NDProxy (ndproxy.sys) kernel component. A local attacker who can already run code on the system could exploit it to execute arbitrary code in kernel mode and gain elevated privileges, leading to complete compromise of the targeted system.
Description
NDProxy.sys is the system-provided kernel driver that connects WAN miniport drivers and call managers to the Windows Telephony Application Programming Interfaces (TAPI) services. The vulnerability is caused by the driver failing to properly validate input passed to it (Microsoft Security Advisory 2914486): a user who has logged on with valid credentials can send crafted requests to the driver, corrupt kernel memory and thereafter execute arbitrary code in kernel mode.
In the attack observed in the wild, the NDProxy flaw is used as the second stage of an exploit chain: a malicious PDF first exploits an Adobe Reader vulnerability that Adobe had already patched (APSB13-15), and the NDProxy vulnerability is then used to escalate from the Reader process to kernel privileges on Windows XP SP3. Hosts running a patched Adobe Reader are not exposed to that particular chain, but the kernel vulnerability itself remains exploitable by any local attacker on the affected Windows versions until the Microsoft update is applied.
Successful exploitation of this vulnerability allows an attacker to gain elevated privileges, which leads to complete compromise of the system.
Note: Exploitation of this vulnerability has been reported in limited targeted attacks.
Workaround
- Re-route the NDProxy service to Null.sys (Microsoft's interim mitigation). From an elevated command prompt, execute the following commands:
  sc stop ndproxy
  reg add HKLM\System\CurrentControlSet\Services\ndproxy /v ImagePath /t REG_EXPAND_SZ /d system32\drivers\null.sys /f
  Then restart the system for the change to take effect.
  Impact of the workaround: with NDProxy disabled, services that depend on Windows TAPI, including Remote Access Service (RAS), dial-up networking and virtual private networking (VPN), will not function. To undo the workaround, set ImagePath back to system32\drivers\ndproxy.sys and restart the system; do this after the MS14-002 update has been installed.
- Upgrade to the latest Adobe Reader
http://get.adobe.com/reader/otherversions/
- Upgrade to Microsoft Windows 7 or higher
- Deploy the Enhanced Mitigation Experience Toolkit (EMET)
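The following PowerShell script is an added example and is not part of the CERT-In note or of Microsoft's advisory. It wraps the sc/reg workaround above so that it can be applied, checked and reverted consistently across a fleet: it refuses to run without elevation, reports the current ImagePath and driver state, and uses the same registry value Microsoft's advisory prescribes. The stock ImagePath used by the Undo action (system32\drivers\ndproxy.sys) and the availability of PowerShell 2.0 on the XP SP3 / Server 2003 hosts are assumptions.

```powershell
# Added example for the NDProxy (CVE-2013-5065) interim workaround; not CERT-In or Microsoft code.
# Applies, verifies or undoes the re-route of the ndproxy service to null.sys (Microsoft advisory 2914486).
# Must be run from an elevated prompt; a reboot is required before a driver change takes effect.
param(
    [ValidateSet('Apply', 'Verify', 'Undo')]
    [string]$Action = 'Verify'
)

$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\ndproxy'
$RegCliKey  = 'HKLM\SYSTEM\CurrentControlSet\Services\ndproxy'   # same key in reg.exe syntax
$NullDriver = 'system32\drivers\null.sys'      # value prescribed by Microsoft's workaround
$RealDriver = 'system32\drivers\ndproxy.sys'   # assumed stock ImagePath (assumption, check before Undo)

function Test-Elevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-NdproxyImagePath {
    # ImagePath is REG_EXPAND_SZ; Get-ItemProperty returns the expanded string.
    (Get-ItemProperty -Path $ServiceKey -Name ImagePath -ErrorAction Stop).ImagePath
}

function Set-NdproxyImagePath([string]$Path) {
    & sc.exe stop ndproxy | Out-Null    # error 1062 ("has not been started") is harmless here
    & reg.exe add $RegCliKey /v ImagePath /t REG_EXPAND_SZ /d $Path /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe failed with exit code $LASTEXITCODE" }
}

function Test-WorkaroundConfigured {
    # True when the service entry points at null.sys. The driver actually loaded in the
    # running kernel only changes after a reboot, so pair this with the sc query output.
    (Get-NdproxyImagePath) -ieq $NullDriver
}

if (-not (Test-Elevated)) { throw 'Run this from an elevated PowerShell prompt.' }

switch ($Action) {
    'Apply' {
        if (Test-WorkaroundConfigured) { Write-Host 'Workaround already configured.'; break }
        Set-NdproxyImagePath $NullDriver
        Write-Host "ImagePath set to $NullDriver. Reboot to finish. RAS, dial-up and VPN will stop working."
    }
    'Undo' {
        if (-not (Test-WorkaroundConfigured)) { Write-Host 'Workaround not configured; nothing to undo.'; break }
        Set-NdproxyImagePath $RealDriver
        Write-Host "ImagePath restored to $RealDriver. Reboot to finish."
    }
    'Verify' {
        $match = & sc.exe query ndproxy | Select-String 'STATE'
        $state = if ($match) { $match.Line.Trim() } else { 'unknown (service query failed)' }
        Write-Host "ImagePath : $(Get-NdproxyImagePath)"
        Write-Host "Service   : $state"
        if (Test-WorkaroundConfigured) {
            Write-Host 'Workaround is configured (effective after reboot).'
        } else {
            Write-Host 'Workaround NOT configured; host must rely on the MS14-002 update.'
        }
    }
}
```

Save the script under any name (for example NdproxyWorkaround.ps1) and run it as `.\NdproxyWorkaround.ps1 -Action Apply`, `-Action Verify` or `-Action Undo` from an elevated PowerShell prompt; on hosts with a restrictive execution policy, launch it with `powershell -ExecutionPolicy Bypass -File`. The Verify action is the one to schedule fleet-wide: it tells you both whether the registry change is in place and whether the running kernel has already picked it up.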
Solution
Apply the appropriate patch as described in Microsoft Security Bulletin MS14-002 (released January 2014). Once the update is installed, revert the Null.sys workaround if it was applied.
Vendor Information
Microsoft
http://technet.microsoft.com/en-us/security/advisory/2914486
http://technet.microsoft.com/en-us/security/bulletin/ms14-002
References
Microsoft
http://technet.microsoft.com/en-us/security/advisory/2914486
http://technet.microsoft.com/en-us/security/bulletin/ms14-002
FireEye
http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html
Adobe
http://www.adobe.com/support/security/bulletins/apsb13-15.html
CVE Name
CVE-2013-5065
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India