Advisory Details

February 8th, 2011

Microsoft Windows WmiTraceMessageVa Local Kernel Vulnerability

ZDI-11-064
ZDI-CAN-890

CVE ID CVE-2011-0045
CVSS SCORE 6.8 (AV:L/AC:L/Au:S/C:C/I:C/A:C)
AFFECTED VENDORS Microsoft
AFFECTED PRODUCTS Windows XP
VULNERABILITY DETAILS

This vulnerability allows local attackers to execute arbitrary code in the context of the kernel on vulnerable installations of Microsoft Windows. The ability to make a system call is required in order to exploit this vulnerability.

The specific flaw exists within the kernel's support for Trace Events. Due to a bad type conversion, the kernel uses a truncated length when allocating a buffer for data supplied from userspace. When populating this buffer, the kernel uses a different length, causing a buffer overflow. This results in memory corruption and can lead to code execution in the context of the kernel.
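The length mismatch described above, reduced to a user-space C illustration with the flawed pattern beside a hardened one. This is an added example, not Microsoft's or the advisory's code; the function names, the 16-bit intermediate type and MAX_MSG_LEN are assumptions chosen for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_MSG_LEN 0xFFFFu /* hypothetical upper bound for one message */

/* Flawed pattern: the allocation size passes through a narrower type
 * (16 bits is an assumption), while the copy later uses the full length. */
static size_t flawed_alloc_size(size_t user_len)
{
    uint16_t truncated = (uint16_t)user_len; /* silently drops high bits */
    return truncated;
}

/* Bytes the flawed copy would write past the allocation (0 = none).
 * Computed only; no out-of-bounds write is performed here. */
size_t flawed_overrun(size_t user_len)
{
    size_t alloc = flawed_alloc_size(user_len);
    return user_len > alloc ? user_len - alloc : 0;
}

/* Hardened pattern: validate once, then use the same size_t value for
 * both the allocation and the copy. Returns 0 on success, -1 on reject. */
int copy_message_checked(const void *src, size_t user_len,
                         void **out, size_t *out_len)
{
    if (!src || !out || !out_len) return -1;
    if (user_len == 0 || user_len > MAX_MSG_LEN) return -1;
    void *buf = malloc(user_len);
    if (!buf) return -1;
    memcpy(buf, src, user_len);
    *out = buf;
    *out_len = user_len;
    return 0;
}

int main(void)
{
    size_t len = 0x10010; /* constructed length wider than 16 bits */
    printf("allocated %zu, copied %zu, overrun %zu\n",
           flawed_alloc_size(len), len, flawed_overrun(len));
    return 0;
}
```

Compiling with `-Wconversion` flags implicit narrowing of this kind; the explicit cast above is only there to make the truncation visible.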

VENDOR RESPONSE Microsoft has issued an update to correct this vulnerability. More details can be found at:
http://www.microsoft.com/technet/security/bulletin/ms11-011.mspx
DISCLOSURE TIMELINE
  • 2010-09-29 - Vulnerability reported to vendor
  • 2011-02-08 - Coordinated public release of advisory
CREDIT std_logic