The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Microsoft Windows NT

cybersecurity vulnerability 9879

Windows: code execution via DLL Preload

Synthesis of the vulnerability

An attacker can use a malicious DLL in order to execute code in the context of the targeted application.
Severity: 2/4.
Creation date: 25/08/2010.
Identifiers: 2269637, VIGILANCE-VUL-9879, VU#707943.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

An application can use several DLLs (Dynamic Link Libraries).

When an application uses a function of a DLL, the DLL is first loaded via LoadLibrary() (or implicitly by the loader at process start), and then the function is called.

If the application does not specify the full path of the DLL, Windows searches for it in several locations (application directory, system directory, current directory, PATH directories, etc.) and loads the first match. When a malicious DLL with the same name sits in a directory that is searched before the one holding the legitimate DLL, or when the requested DLL does not exist on the system at all, the malicious copy is thus loaded instead of the legitimate one.

An attacker can therefore place a malicious DLL on a WebDAV or SMB share, and invite the victim to open a document from this share: the share becomes the current directory of the application that opens the document, so the DLL is found there and the attacker executes code in the context of the targeted application.
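The search order described above, modelled in Python as an added example (this is not code from the Vigil@nce bulletin or from Microsoft). The directory keys, the in-memory file system and the import list are constructed for the example; the two search orders follow the documented LoadLibrary() behaviour for a bare DLL name with SafeDllSearchMode on (the default since Windows XP SP2) and off.

```python
"""Which copy of a DLL does LoadLibrary("name.dll") pick up, and which imports
of an application can an attacker satisfy first by planting a same-named DLL?

Added example; the file system below is a constructed in-memory map.
Search orders follow the documented LoadLibrary behaviour for a bare name.
"""

# Order of directories searched for a DLL given without a path.
# "cwd" is the process's current directory: when a document is opened from a
# share, that is the share directory. "path" stands for the PATH directories.
SAFE_ORDER = ["app", "system32", "system", "windows", "cwd", "path"]    # SafeDllSearchMode on
UNSAFE_ORDER = ["app", "cwd", "system32", "system", "windows", "path"]  # SafeDllSearchMode off


def resolve(name, fs, safe_mode=True, known_dlls=()):
    """Return the key of the directory whose copy of `name` would be loaded,
    or None when the DLL is nowhere to be found.

    `fs` maps a directory key to the set of DLL names it contains. Known DLLs
    (a fixed list kept in the registry) are always taken from system32 with no
    directory search, so they cannot be hijacked by this technique.
    """
    lname = name.lower()
    if lname in {k.lower() for k in known_dlls}:
        return "system32"
    for d in (SAFE_ORDER if safe_mode else UNSAFE_ORDER):
        if lname in {n.lower() for n in fs.get(d, ())}:
            return d
    return None


def hijackable(imports, fs, attacker_dirs=("cwd",), safe_mode=True, known_dlls=()):
    """Imports that an attacker controlling `attacker_dirs` can preload:
    for each name, drop a same-named DLL in those directories and see
    whether that copy wins the search."""
    result = []
    for name in imports:
        poisoned = {d: set(names) for d, names in fs.items()}
        for d in attacker_dirs:
            poisoned.setdefault(d, set()).add(name)
        if resolve(name, poisoned, safe_mode, known_dlls) in attacker_dirs:
            result.append(name)
    return result


# Constructed layout: the application ships no DLLs, and one of its imports
# (helper.dll, a hypothetical name) exists nowhere on the machine, which is the
# classic preloading target because even SafeDllSearchMode reaches "cwd" for it.
SAMPLE_FS = {
    "app": set(),
    "system32": {"kernel32.dll", "user32.dll", "msvcrt.dll"},
    "cwd": set(),  # the share directory, empty until the attacker acts
}
SAMPLE_IMPORTS = ["kernel32.dll", "msvcrt.dll", "helper.dll"]

if __name__ == "__main__":
    print("SafeDllSearchMode on :", hijackable(SAMPLE_IMPORTS, SAMPLE_FS))
    print("SafeDllSearchMode off:", hijackable(SAMPLE_IMPORTS, SAMPLE_FS, safe_mode=False))
```

With the default safe mode only helper.dll is exposed, which is why this attack targets DLLs an application asks for but that are absent from the system directories; with safe mode off every import is exposed. On the application side the fix is to load by full path, or to call SetDllDirectory("") to drop the current directory from the search; Microsoft's advisory 2269637 (listed above) also describes the CWDIllegalInDllSearch registry setting, which can block loading from a current directory that is on a remote share.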

computer threat CVE-2010-0232

Windows: privilege elevation via NtVdm

Synthesis of the vulnerability

A local attacker, on an x86 processor, can use the 16-bit compatibility system in order to elevate his privileges.
Severity: 2/4.
Creation date: 20/01/2010.
Identifiers: 977165, 979682, BID-37864, CERTA-2010-AVI-073, CVE-2010-0232, MS10-015, VIGILANCE-VUL-9363.

Description of the vulnerability

Windows NT/2000/XP/2003/2008/Vista/7 can run 16-bit programs, created for MS-DOS and Windows 3.1, with NtVdm.exe (NT Virtual DOS Machine) and the Virtual-8086 mode of the processor.

When a 16-bit application calls a legacy BIOS service, the general protection fault handler (nt!KiTrap0D) modifies the execution context installed by NtVdmControl(), and restores it later. However, the kernel does not sufficiently validate this context, so a local attacker can modify it in order to execute code with kernel privileges.

A local attacker, on an x86 processor, can therefore use the 16-bit compatibility system in order to elevate his privileges.

cybersecurity announce CVE-2007-1206 CVE-2007-1973

Windows: privilege elevation via VDM Zero Page

Synthesis of the vulnerability

A local attacker can alter the zero page in order to elevate his privileges on systems with an x86 processor.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/04/2007.
Identifiers: 931784, BID-23367, CERTA-2007-AVI-169, CVE-2007-1206, CVE-2007-1973, MS07-022, VIGILANCE-VUL-6730, VU#337953.

Description of the vulnerability

The first bytes of physical memory, which are on page zero, contain the real-mode Interrupt Vector Table (IVT, the table used to dispatch interrupts in real and Virtual-8086 mode) on a computer with an x86 processor.

When a VDM (Virtual DOS Machine) is initialized by the VdmpInitialize() function, page zero is copied to virtual address zero of the process. The virtual machine then uses this copy.

However, during the copy operation, another thread of the process can access page zero and alter its content, because the area is mapped as PAGE_READWRITE (a race condition).

This vulnerability therefore permits a local attacker to obtain system privileges.

computer weakness note CVE-2006-3439

Windows: buffer overflow of server service via RPC

Synthesis of the vulnerability

An attacker can send a malicious RPC message in order to execute code on the system.
Severity: 3/4.
Creation date: 09/08/2006.
Revisions dates: 10/08/2006, 28/08/2006, 01/09/2006, 13/09/2006.
Identifiers: 232, 70997, 921883, BID-19409, CERTA-2006-AVI-338, CVE-2006-3439, MS06-040, VIGILANCE-VUL-6064, VU#650769.

Description of the vulnerability

The Server service exposes an RPC (Remote Procedure Call) interface, which is reachable over SMB/CIFS.

An attacker can craft an RPC message that triggers a buffer overflow in the Server service.

This vulnerability permits a remote attacker to execute code on the system.

vulnerability announce CVE-2006-3942

Windows: denial of service of server service

Synthesis of the vulnerability

An attacker can send a malicious SMB packet in order to crash the system.
Severity: 2/4.
Creation date: 31/07/2006.
Revision date: 16/08/2006.
Identifiers: 231, 923414, BID-19215, CERTA-2006-AVI-443, CORE-2006-0714, CVE-2006-3942, MS06-063, VIGILANCE-VUL-6050.

Description of the vulnerability

The Server service implements the SMB/CIFS protocol (TCP ports 139/445). Its core runs in the SRV.SYS kernel driver.

When an SMB packet of type SMB_COM_TRANSACTION contains a string that is not NUL-terminated, a NULL pointer is dereferenced in SRV.SYS. Because this happens in a kernel driver, the error generates a blue screen (the whole system stops).

This vulnerability therefore permits an attacker who is allowed to connect to the server to cause a denial of service.

threat bulletin 5835

Windows: creating unreachable files

Synthesis of the vulnerability

A local attacker can create a file on the system which is not detected or cleaned by some checking tools, such as antivirus software.
Severity: 1/4.
Creation date: 11/05/2006.
Identifiers: BID-17934, VIGILANCE-VUL-5835.

Description of the vulnerability

The RtlDosPathNameToNtPathName_U() function converts a Unicode MS-DOS path name to an NT path name. It uses:
 - RtlGetFullPathName_Ustr(), if the path has to be converted
 - RtlpWin32NTNameToNtPathName_U(), if the path is already in NT format (prefixed with "\\?\")

However, the two functions handle spaces at the end of a path differently:
 - the first one strips them
 - the second one keeps them
Thus, a file created with the NT-style name "\\?\C:\test " cannot be accessed using the MS-DOS path "C:\test ", which is silently mapped to "C:\test".

For example, antivirus software that enumerates and opens files using MS-DOS file names cannot detect or disinfect viruses located in such files.
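The two conversion behaviours, re-implemented in simplified form as an added example (not code from the bulletin, and not the real RtlDosPathNameToNtPathName_U()): Win32 conversion strips trailing spaces from the last path component, while a "\\?\" path is handed to the NT namespace unchanged. The example also strips trailing dots, which Win32 normalisation treats the same way; that generalisation is mine. Relative paths, forward slashes and the other Win32 rules are out of scope.

```python
r"""Why a file named "C:\test " (trailing space) is reachable through an
NT-style path but not through the equivalent MS-DOS-style path.

Added example, not code from the bulletin. Simplified model: Win32 path
conversion strips trailing spaces (and dots) from the last component, while a
"\\?\" path is passed to the NT namespace unchanged.
"""

WIN32_NT_PREFIX = "\\\\?\\"   # the literal \\?\ prefix
NT_OBJECT_PREFIX = "\\??\\"    # the \??\ object-manager form of a DOS drive path


def dos_to_nt(path):
    """Simplified RtlDosPathNameToNtPathName_U(): map a path to its NT form."""
    if path.startswith(WIN32_NT_PREFIX):
        # already NT-style: only the prefix is rewritten, nothing is stripped
        return NT_OBJECT_PREFIX + path[len(WIN32_NT_PREFIX):]
    head, sep, last = path.rpartition("\\")
    # Win32 normalisation drops trailing spaces and dots of the final component
    return NT_OBJECT_PREFIX + head + sep + last.rstrip(" .")


def reachable_by_dos_name(nt_style_name):
    r"""True if the object created via `nt_style_name` (a \\?\ path) is the
    same one a caller gets by passing that path without the prefix, i.e.
    whether a tool that only uses MS-DOS names will open the same file."""
    plain = nt_style_name[len(WIN32_NT_PREFIX):]
    return dos_to_nt(nt_style_name) == dos_to_nt(plain)


if __name__ == "__main__":
    for name in ("\\\\?\\C:\\test", "\\\\?\\C:\\test ", "\\\\?\\C:\\dir\\virus..."):
        print(repr(name), "->", repr(dos_to_nt(name)),
              "reachable by DOS name:", reachable_by_dos_name(name))
```

A scanner that wants to see such files enumerates and opens them with "\\?\"-prefixed names (FindFirstFileW and CreateFileW accept them) and compares the NT forms as above, rather than trusting that the MS-DOS name designates the same object.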

cybersecurity bulletin 5540

VPN-1: program execution by SecureClient

Synthesis of the vulnerability

An attacker can store a program on the system, in order to have it run by SecureClient.
Severity: 1/4.
Creation date: 19/01/2006.
Identifiers: TZO-012006, VIGILANCE-VUL-5540.

Description of the vulnerability

The SR_Watchdog.exe program runs the SR_GUI.exe graphical interface using the CreateProcess() function, with the following command line:
  C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe

However, this path is not enclosed in quotes, so CreateProcess() tries each space-delimited prefix of the line as a program name before the full path. When permissions permit it, an attacker can thus create a program with the short name:
  C:\Program.exe

This program is then run with the rights of SR_Watchdog.exe.

vulnerability alert CVE-2005-4560

Windows: code execution with a WMF file

Synthesis of the vulnerability

Displaying a malicious WMF file leads to code execution.
Severity: 3/4.
Creation date: 28/12/2005.
Revisions dates: 29/12/2005, 02/01/2006, 04/01/2006, 06/01/2006.
Identifiers: 912840, BID-16074, CERTA-2006-AVI-011, CVE-2005-4560, MS06-001, VIGILANCE-VUL-5459, VU#181038.

Description of the vulnerability

Images in WMF (Windows Metafile) format are rendered by the Graphics Rendering Engine (GDI). It is used by the Windows Picture and Fax Viewer (shimgvw.dll), which Explorer uses to preview images (Windows XP and 2003).

A WMF image can contain a META_ESCAPE record of type SETABORTPROC, which registers an abort procedure: a callback that GDI invokes when processing of the metafile fails. A WMF image that embeds this record, followed by a deliberately invalid record, thus gets its attacker-supplied callback executed when it is displayed.

An attacker can therefore send a malicious image to a user, or invite him to browse a web site, in order to run code on his computer.
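A detector for the record described above, as an added example (not Vigil@nce's or Microsoft's code). It walks the WMF record list and flags a META_ESCAPE record whose escape code is SETABORTPROC, as well as a record chain that is structurally broken (a record shorter than its 3-word minimum, a record running past the end of the data, or no META_EOF). The record layouts are those of the WMF format; the two sample files are constructed inside the block and carry placeholder bytes, not a payload.

```python
"""Detect the META_ESCAPE / SETABORTPROC record in a WMF file.

Added example, not code from the bulletin. Layout used: optional 22-byte
placeable header (key 0x9AC6CDD7), 18-byte METAHEADER, then records of the
form [RecordSize: u32, in 16-bit words][Function: u16][parameters]. META_ESCAPE
is function 0x0626; its first two parameter words are the escape code and the
byte count. SETABORTPROC is escape code 0x0009. The sample files are built here.
"""
import struct

PLACEABLE_KEY = 0x9AC6CDD7
META_ESCAPE = 0x0626
META_EOF = 0x0000
SETABORTPROC = 0x0009
HEADER_SIZE = 18


def scan_wmf(data):
    """Walk the record chain and report escape codes.

    Returns {"records": [(function, escape-or-None), ...],
             "setabortproc": bool, "malformed": bool}.
    "malformed" is set for a record shorter than the 3-word minimum (the
    trick exploits use to make the parser misstep), a record running past the
    end of the data, or a chain with no META_EOF. Refuse the file on either
    finding: a metafile on disk has no legitimate use for SETABORTPROC.
    """
    pos = 0
    if len(data) >= 4 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        pos = 22
    if len(data) < pos + HEADER_SIZE:
        return {"records": [], "setabortproc": False, "malformed": True}
    pos += HEADER_SIZE

    records, found, malformed = [], False, False
    while pos + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, pos)
        if size_words < 3 or pos + 2 * size_words > len(data):
            malformed = True
            break
        escape = None
        if func == META_ESCAPE:
            if size_words < 5:        # escape code and byte count missing
                malformed = True
                break
            escape = struct.unpack_from("<H", data, pos + 6)[0]
            found = found or escape == SETABORTPROC
        records.append((func, escape))
        pos += 2 * size_words
        if func == META_EOF:
            break
    else:
        malformed = True              # ran out of data before META_EOF
    return {"records": records, "setabortproc": found, "malformed": malformed}


def _record(func, params=b""):
    """One record; RecordSize counts 16-bit words and includes itself."""
    if len(params) % 2:
        params += b"\0"
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_sample(with_abortproc, placeable=False):
    """Constructed minimal WMF: [placeable header] METAHEADER, optional
    SETABORTPROC escape carrying 4 placeholder bytes (no code), META_EOF."""
    recs = []
    if with_abortproc:
        recs.append(_record(META_ESCAPE, struct.pack("<HH", SETABORTPROC, 4) + b"\0" * 4))
    recs.append(_record(META_EOF))
    body = b"".join(recs)
    # METAHEADER: Type (1 = memory), HeaderSize in words, Version 3.0, file size
    # in words, number of objects, largest record in words, reserved
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (HEADER_SIZE + len(body)) // 2,
                         0, max(len(r) // 2 for r in recs), 0)
    if placeable:
        header = struct.pack("<I", PLACEABLE_KEY) + b"\0" * 18 + header
    return header + body


if __name__ == "__main__":
    for flag in (False, True):
        print("SETABORTPROC present:", flag, "->", scan_wmf(build_sample(flag)))
```

The escape code alone is the signal; the parser does not try to execute or validate the escape data. Treating a short or truncated record as malformed matters because the in-the-wild files relied on an invalid record after the escape to trigger the abort procedure.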

computer weakness note CVE-2005-4505

McAfee VirusScan: program execution by naPrdMgr.exe

Synthesis of the vulnerability

An attacker can store a program on the system, in order to have it run by naPrdMgr.exe.
Severity: 1/4.
Creation date: 23/12/2005.
Identifiers: BID-16040, CVE-2005-4505, VIGILANCE-VUL-5448.

Description of the vulnerability

The naPrdMgr.exe program periodically runs, with Local System rights, the following command line:
  C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE

However, this path is not enclosed in quotes, so CreateProcess() tries each space-delimited prefix of the line as a program name before the full path. When permissions permit it, an attacker can thus create a program with one of the short names:
  C:\Program.exe
  C:\Program Files\Network.exe

This program is then run with system rights.
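The prefixes CreateProcess() tries for an unquoted command line, enumerated in Python as an added example that covers both unquoted-path bulletins above (SR_Watchdog.exe running SR_GUI.exe, and naPrdMgr.exe running EntVUtil.EXE); it is not Check Point's, McAfee's or Vigil@nce's code. The two command lines from the bulletins are the samples; the function generalises them to any number of spaces, and the set of attacker-writable directories passed to writable_candidates() is constructed for the example.

```python
"""Which files would CreateProcess() try to run for an unquoted command line?

Added example. When no separate application name is given, CreateProcess()
tries each space-delimited prefix of the command line as the program,
appending ".exe" when the prefix has no extension, and runs the first one
that exists. Arguments after the program path are not modelled.
"""
import ntpath

SR_GUI_CMD = r"C:\Program Files\CheckPoint\SecuRemote\bin\SR_GUI.exe"
ENTVUTIL_CMD = r"C:\Program Files\Network Associates\VirusScan\EntVUtil.EXE"


def hijack_candidates(command_line):
    """Paths tried, in CreateProcess() order, for `command_line`.

    The last element is the intended program; every element before it is a
    file an attacker could create to be run instead. A quoted command line has
    no ambiguity and yields an empty list.
    """
    if command_line.startswith('"'):
        return []
    words = command_line.split(" ")
    candidates = []
    for i in range(1, len(words) + 1):
        prefix = " ".join(words[:i])
        if not ntpath.splitext(prefix)[1]:   # no extension: ".exe" is appended
            prefix += ".exe"
        candidates.append(prefix)
    return candidates


def writable_candidates(command_line, writable_dirs):
    """Hijack candidates whose parent directory is in `writable_dirs`, the
    directories the attacker can write to (a constructed set here; on a real
    host derive it from the ACLs). Comparison is case-insensitive as on NTFS."""
    writable = {d.lower().rstrip("\\") for d in writable_dirs}
    return [c for c in hijack_candidates(command_line)[:-1]
            if ntpath.dirname(c).lower().rstrip("\\") in writable]


if __name__ == "__main__":
    for cmd in (SR_GUI_CMD, ENTVUTIL_CMD):
        print(cmd)
        for c in hijack_candidates(cmd)[:-1]:
            print("   attacker could plant:", c)
```

The same check applies to the PathName of every service and scheduled task on a host. On the program side the fix is to quote the path or, better, to pass it as the lpApplicationName argument of CreateProcess() so that no command-line parsing takes place.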

vulnerability CVE-2005-2120

Windows: buffer overflow of Plug and Play

Synthesis of the vulnerability

An authenticated attacker can overflow a buffer in Plug and Play in order to elevate his privileges.
Severity: 2/4.
Creation date: 12/10/2005.
Revisions dates: 24/10/2005, 25/10/2005.
Identifiers: AD20051011, BID-15065, CERTA-2005-AVI-398, CVE-2005-2120, MS05-047, VIGILANCE-VUL-5262, VU#214572.

Description of the vulnerability

The Plug and Play service (umpnpmgr.dll) automatically detects new hardware installed on the system.

However, an authenticated attacker can send a message to the service leading to an overflow in its use of the wsprintfW() function (which takes no destination buffer size). This overflow permits execution of code with the rights of the SYSTEM account.

This vulnerability therefore permits an authenticated attacker to elevate his privileges.
Our database contains other pages. You can request a free trial to read them.