Advisory Details

March 10th, 2015

Microsoft Windows NtUserfnINOUTNCCALCSIZE Information Leak Vulnerability

ZDI-15-078
ZDI-CAN-2537

CVE ID CVE-2015-0094
CVSS SCORE 2.1, (AV:L/AC:L/Au:N/C:P/I:N/A:N)
AFFECTED VENDORS Microsoft
AFFECTED PRODUCTS Windows
VULNERABILITY DETAILS


This vulnerability allows local attackers to leak sensitive information on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the handling of NtUserfnINOUTNCCALCSIZE function. The issue lies in the failure to sanitize a buffer before calling a userland function resulting in the leak of an address on the kernel trap frame. An attacker can leverage this in concert with another vulnerability to achieve code execution at SYSTEM.

ADDITIONAL DETAILS Microsoft has issued an update to correct this vulnerability. More details can be found at:
https://technet.microsoft.com/library/security/MS15-023
DISCLOSURE TIMELINE
  • 2014-12-04 - Vulnerability reported to vendor
  • 2015-03-10 - Coordinated public release of advisory
CREDIT WanderingGlitch of HP's Zero Day Initiative
BACK TO ADVISORIES