ID CVE-2010-2554 Type cve Reporter NVD Modified 2018-10-30T12:27:21
Description
The Tracing Feature for Services in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 has incorrect ACLs on its registry keys, which allows local users to gain privileges via vectors involving a named pipe and impersonation, aka "Tracing Registry Key ACL Vulnerability."
{"id": "CVE-2010-2554", "bulletinFamily": "NVD", "title": "CVE-2010-2554", "description": "The Tracing Feature for Services in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 has incorrect ACLs on its registry keys, which allows local users to gain privileges via vectors involving a named pipe and impersonation, aka \"Tracing Registry Key ACL Vulnerability.\"", "published": "2010-08-11T14:47:50", "modified": "2018-10-30T12:27:21", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2554", "reporter": "NVD", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-059"], "cvelist": ["CVE-2010-2554"], "type": "cve", "lastseen": "2018-11-01T05:12:48", "history": [{"bulletin": {"assessment": {"href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12082", "name": "oval:org.mitre.oval:def:12082", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/o:microsoft:windows_7:-:-:x32", "cpe:/o:microsoft:windows_server_2008::sp2:x32", "cpe:/o:microsoft:windows_server_2008::sp2:x64", "cpe:/o:microsoft:windows_server_2008::r2:x64", "cpe:/o:microsoft:windows_server_2008::r2:itanium", "cpe:/o:microsoft:windows_server_2008:-:sp2:itanium", "cpe:/o:microsoft:windows_vista::sp1", "cpe:/o:microsoft:windows_vista::sp2:x64", "cpe:/o:microsoft:windows_7:-:-:x64", "cpe:/o:microsoft:windows_vista::sp1:x64", "cpe:/o:microsoft:windows_server_2008:::x64", "cpe:/o:microsoft:windows_vista:-:sp2", "cpe:/o:microsoft:windows_vista::sp2", "cpe:/o:microsoft:windows_server_2008:::itanium", "cpe:/o:microsoft:windows_server_2008:::x32", "cpe:/o:microsoft:windows_vista:-:sp1"], "cvelist": ["CVE-2010-2554"], "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The Tracing Feature for Services in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 has incorrect ACLs on its registry keys, which allows local users to gain privileges via vectors involving a named pipe and impersonation, aka \"Tracing Registry Key ACL Vulnerability.\"", "edition": 3, "enchantments": {"score": {"modified": "2018-10-13T11:34:53", "value": 7.2, "vector": "NONE"}}, "hash": "221d000941eb8ec16cb332b773888fc57041e67a040073b2147d6cc58f44f54d", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "4d38c5d7ac8ac9bd450d2c180e42525e", "key": "title"}, {"hash": "982a1cf8e9359d8abe16f3ba238ce372", "key": "modified"}, {"hash": "2da084e3d4a2ac0072c7dd4cec9a8b39", "key": "cpe"}, {"hash": "7c4eebdf83c7c41aba8ca503c4def7ce", "key": "description"}, {"hash": "a432fd051268501392b4346b2975c837", "key": "references"}, {"hash": "89adcf5ca279415ef2b1e0a969dfb498", "key": "scanner"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "b00ba75855a947fb96de51078e35ddde", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "71c1627f04a67ff0f32cfbcba38be8be", "key": "assessment"}, {"hash": "1597aa6953862ee33aed84b037d59e67", "key": "cvss"}, {"hash": "7f82fe13452e1c69a99be02760825d92", "key": "published"}, {"hash": "961144de8cdd7a909ffcfa6067c07a21", "key": "href"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2554", "id": "CVE-2010-2554", "lastseen": "2018-10-13T11:34:53", "modified": "2018-10-12T17:57:51", "objectVersion": "1.3", "published": "2010-08-11T14:47:50", "references": ["https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-059"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:12082", "name": "oval:org.mitre.oval:def:12082", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2010-2554", "type": "cve", "viewCount": 1}, "differentElements": ["modified", "cpe"], "edition": 3, "lastseen": "2018-10-13T11:34:53"}, {"bulletin": {"assessment": {"href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12082", "name": "oval:org.mitre.oval:def:12082", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/o:microsoft:windows_7:-:-:x32", "cpe:/o:microsoft:windows_server_2008::sp2:x32", "cpe:/o:microsoft:windows_server_2008::sp2:x64", "cpe:/o:microsoft:windows_server_2008::r2:x64", "cpe:/o:microsoft:windows_server_2008::r2:itanium", "cpe:/o:microsoft:windows_server_2008:-:sp2:itanium", "cpe:/o:microsoft:windows_vista::sp1", "cpe:/o:microsoft:windows_vista::sp2:x64", "cpe:/o:microsoft:windows_7:-:-:x64", "cpe:/o:microsoft:windows_vista::sp1:x64", "cpe:/o:microsoft:windows_server_2008:::x64", "cpe:/o:microsoft:windows_vista:-:sp2", "cpe:/o:microsoft:windows_vista::sp2", "cpe:/o:microsoft:windows_server_2008:::itanium", "cpe:/o:microsoft:windows_server_2008:::x32", "cpe:/o:microsoft:windows_vista:-:sp1"], "cvelist": ["CVE-2010-2554"], "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The Tracing Feature for Services in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 has incorrect ACLs on its registry keys, which allows local users to gain privileges via vectors involving a named pipe and impersonation, aka \"Tracing Registry Key ACL Vulnerability.\"", "edition": 2, "enchantments": {"score": {"modified": "2017-09-19T13:37:00", "value": 7.2, "vector": "NONE"}}, "hash": "46b02a8b76e7e7c548fb0133ee5baa956586290e961141587e0ef143126ff273", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "4d38c5d7ac8ac9bd450d2c180e42525e", "key": "title"}, {"hash": "2da084e3d4a2ac0072c7dd4cec9a8b39", "key": "cpe"}, {"hash": "d2b46ef4ea9c89617fec5a2ea9b64002", "key": "references"}, {"hash": "7c4eebdf83c7c41aba8ca503c4def7ce", "key": "description"}, {"hash": "89adcf5ca279415ef2b1e0a969dfb498", "key": "scanner"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "b00ba75855a947fb96de51078e35ddde", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "909df95509c1ed6ddec4a74d5155b66e", "key": "modified"}, {"hash": "71c1627f04a67ff0f32cfbcba38be8be", "key": "assessment"}, {"hash": "1597aa6953862ee33aed84b037d59e67", "key": "cvss"}, {"hash": "7f82fe13452e1c69a99be02760825d92", "key": "published"}, {"hash": "961144de8cdd7a909ffcfa6067c07a21", "key": "href"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2554", "id": "CVE-2010-2554", "lastseen": "2017-09-19T13:37:00", "modified": "2017-09-18T21:31:02", "objectVersion": "1.3", "published": "2010-08-11T14:47:50", "references": ["http://www.microsoft.com/technet/security/Bulletin/MS10-059.mspx"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:12082", "name": "oval:org.mitre.oval:def:12082", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2010-2554", "type": "cve", "viewCount": 1}, "differentElements": ["references", "modified"], "edition": 2, "lastseen": "2017-09-19T13:37:00"}, {"bulletin": {"assessment": {"href": "http://oval.mitre.org/repository/data/getDef?id=oval:org.mitre.oval:def:12082", "name": "oval:org.mitre.oval:def:12082", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "bulletinFamily": "NVD", "cpe": ["cpe:/o:microsoft:windows_7:-:-:x32", "cpe:/o:microsoft:windows_server_2008::sp2:x32", "cpe:/o:microsoft:windows_server_2008::sp2:x64", "cpe:/o:microsoft:windows_server_2008::r2:x64", "cpe:/o:microsoft:windows_server_2008::r2:itanium", "cpe:/o:microsoft:windows_server_2008:-:sp2:itanium", "cpe:/o:microsoft:windows_vista::sp1", "cpe:/o:microsoft:windows_vista::sp2:x64", "cpe:/o:microsoft:windows_7:-:-:x64", "cpe:/o:microsoft:windows_vista::sp1:x64", "cpe:/o:microsoft:windows_server_2008:::x64", "cpe:/o:microsoft:windows_vista:-:sp2", "cpe:/o:microsoft:windows_vista::sp2", "cpe:/o:microsoft:windows_server_2008:::itanium", "cpe:/o:microsoft:windows_server_2008:::x32", "cpe:/o:microsoft:windows_vista:-:sp1"], "cvelist": ["CVE-2010-2554"], "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "description": "The Tracing Feature for Services in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 has incorrect ACLs on its registry keys, which allows local users to gain privileges via vectors involving a named pipe and impersonation, aka \"Tracing Registry Key ACL Vulnerability.\"", "edition": 1, "enchantments": {}, "hash": "5481c41fa1bb98d825b423c6a50ca4decbed06caeea6ceb2404f39c42d1395a4", "hashmap": [{"hash": "601892ece72be3be2f57266ca2354792", "key": "reporter"}, {"hash": "4d38c5d7ac8ac9bd450d2c180e42525e", "key": "title"}, {"hash": "2da084e3d4a2ac0072c7dd4cec9a8b39", "key": "cpe"}, {"hash": "d2b46ef4ea9c89617fec5a2ea9b64002", "key": "references"}, {"hash": "7c4eebdf83c7c41aba8ca503c4def7ce", "key": "description"}, {"hash": "66cea6f0155007a013679b9b93893a9a", "key": "assessment"}, {"hash": "89adcf5ca279415ef2b1e0a969dfb498", "key": "scanner"}, {"hash": "c452d840d35d55ba5519665ccbfa516f", "key": "modified"}, {"hash": "1716b5fcbb7121af74efdc153d0166c5", "key": "type"}, {"hash": "b00ba75855a947fb96de51078e35ddde", "key": "cvelist"}, {"hash": "601892ece72be3be2f57266ca2354792", "key": "bulletinFamily"}, {"hash": "1597aa6953862ee33aed84b037d59e67", "key": "cvss"}, {"hash": "7f82fe13452e1c69a99be02760825d92", "key": "published"}, {"hash": "961144de8cdd7a909ffcfa6067c07a21", "key": "href"}], "history": [], "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2554", "id": "CVE-2010-2554", "lastseen": "2016-09-03T14:06:17", "modified": "2010-08-21T01:43:02", "objectVersion": "1.2", "published": "2010-08-11T14:47:50", "references": ["http://www.microsoft.com/technet/security/Bulletin/MS10-059.mspx"], "reporter": "NVD", "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:12082", "name": "oval:org.mitre.oval:def:12082", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}], "title": "CVE-2010-2554", "type": "cve", "viewCount": 0}, "differentElements": ["assessment", "modified"], "edition": 1, "lastseen": "2016-09-03T14:06:17"}], "edition": 4, "hashmap": [{"key": "assessment", "hash": "71c1627f04a67ff0f32cfbcba38be8be"}, {"key": "bulletinFamily", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "cpe", "hash": "1b23ced32afe6a879b9b9d5cd1bbdd18"}, {"key": "cvelist", "hash": "b00ba75855a947fb96de51078e35ddde"}, {"key": "cvss", "hash": "1597aa6953862ee33aed84b037d59e67"}, {"key": "description", "hash": "7c4eebdf83c7c41aba8ca503c4def7ce"}, {"key": "href", "hash": "961144de8cdd7a909ffcfa6067c07a21"}, {"key": "modified", "hash": "4345a4b6245da60f83bdfcd5ec7328f6"}, {"key": "published", "hash": "7f82fe13452e1c69a99be02760825d92"}, {"key": "references", "hash": "a432fd051268501392b4346b2975c837"}, {"key": "reporter", "hash": "601892ece72be3be2f57266ca2354792"}, {"key": "scanner", "hash": "89adcf5ca279415ef2b1e0a969dfb498"}, {"key": "title", "hash": "4d38c5d7ac8ac9bd450d2c180e42525e"}, {"key": "type", "hash": "1716b5fcbb7121af74efdc153d0166c5"}], "hash": "8d8da64104663f230b790cc76bd85bb81db87acf501f2911751d180d0df2b223", "viewCount": 1, "enchantments": {"score": {"value": 7.2, "vector": "NONE", "modified": "2018-11-01T05:12:48"}, "dependencies": {"references": [{"type": "seebug", "idList": ["SSV:20045", "SSV:69575"]}, {"type": "canvas", "idList": ["MS10_059"]}, {"type": "openvas", "idList": ["OPENVAS:902231", "OPENVAS:1361412562310902231"]}, {"type": "nessus", "idList": ["SMB_NT_MS10-059.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:24464", "SECURITYVULNS:VULN:11057"]}], "modified": "2018-11-01T05:12:48"}, "vulnersScore": 7.2}, "objectVersion": "1.3", "cpe": ["cpe:/o:microsoft:windows_server_2008::sp2:x32", "cpe:/o:microsoft:windows_server_2008::sp2:x64", "cpe:/o:microsoft:windows_server_2008::r2:x64", "cpe:/o:microsoft:windows_server_2008::r2:itanium", "cpe:/o:microsoft:windows_server_2008:-:sp2:itanium", "cpe:/o:microsoft:windows_vista::sp1", "cpe:/o:microsoft:windows_vista::sp2:x64", "cpe:/o:microsoft:windows_vista::sp1:x64", "cpe:/o:microsoft:windows_server_2008:::x64", "cpe:/o:microsoft:windows_vista:-:sp2", "cpe:/o:microsoft:windows_vista::sp2", "cpe:/o:microsoft:windows_server_2008:::itanium", "cpe:/o:microsoft:windows_server_2008:::x32", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_vista:-:sp1"], "assessment": {"href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12082", "name": "oval:org.mitre.oval:def:12082", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}, "scanner": [{"href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:12082", "name": "oval:org.mitre.oval:def:12082", "system": "http://oval.mitre.org/XMLSchema/oval-definitions-5"}]}
{"canvas": [{"lastseen": "2016-09-25T14:12:22", "bulletinFamily": "exploit", "description": "**Name**| ms10_059 \n---|--- \n**CVE**| CVE-2010-2554 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| ms10_059 \n**Notes**| References: http://www.microsoft.com/technet/security/bulletin/MS10-059.mspx \nCVE Name: CVE-2010-2554 \nVENDOR: Microsoft \nNotes: \nThis exploit gain SYSTEM from NETWORK_SERVICE or DefaultAppPool user by duplicating \na handle obtained from a tracing feature for services by writing on a key registry \nwith low access protection. \n \nThis is a port of Cesar Cerrudo's Chimichurri Token kidnapping for fitting in MOSDEF. \n \n \nShould work on Windows 2008 and 7 without patch ms10_059 aka KB982799. \n \nMSADV: MS10-059 \nDate Public: 08/10/2010 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2554 \nCVSS: 6.8 \n\n", "modified": "2010-08-11T14:47:50", "published": "2010-08-11T14:47:50", "id": "MS10_059", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms10_059", "type": "canvas", "title": "Immunity Canvas: MS10_059", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "seebug": [{"lastseen": "2017-11-19T18:08:56", "bulletinFamily": "exploit", "description": "BUGTRAQ ID: 42269\r\nCVE(CAN) ID: CVE-2010-2554\r\n\r\nMicrosoft Windows\u662f\u5fae\u8f6f\u53d1\u5e03\u7684\u975e\u5e38\u6d41\u884c\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\n\u4e00\u4e9bWindows\u5e94\u7528\u4e2d\u4f7f\u7528\u4e86Tracing\u529f\u80fd\u8bb0\u5f55\u8c03\u8bd5\u4fe1\u606f\u3002\u8be5\u529f\u80fd\u4e0d\u662f\u9ed8\u8ba4\u542f\u7528\u7684\uff0c\u5982\u679c\u8981\u542f\u7528\u5fc5\u987b\u7f16\u8f91 HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Tracing\u952e\u4e0b\u7684\u6ce8\u518c\u8868\u503c\u3002\u4f7f\u7528\u4e86\u8fd9\u4e2aTracing\u529f\u80fd\u7684 Windows\u8fdb\u7a0b\u4f1a\u6301\u7eed\u76d1\u63a7\u76f8\u5173\u5b50\u952e\u7684\u53d8\u5316\uff0c\u4e00\u65e6\u6ce8\u518c\u8868\u503c\u53d1\u751f\u4e86\u53d8\u5316\u5c31\u4f1a\u7acb\u5373\u8bfb\u53d6\u8be5\u503c\u3002\u5176\u4e2d\u7684\u4e00\u4e2a\u6ce8\u518c\u8868\u503c\u4e3aFileDirectory\uff0c\u5305\u542b\u6709 Windows\u76ee\u5f55\u540d\u3002\u5728Local System\u8d26\u53f7\u8fd0\u884c\u7684\u670d\u52a1\u8fde\u63a5\u5230\u7ba1\u9053\u65f6\u62e5\u6709\u626e\u6f14\u6743\u9650\u7684\u672c\u5730\u7528\u6237\u53ef\u4ee5\u901a\u8fc7\u626e\u6f14\u4e3aLocal System\u8d26\u53f7\uff08\u6216Administrator\u7b49\u7279\u6743\u8d26\u53f7\uff09\u63d0\u5347\u6743\u9650\u3002\u6ce8\u518c\u8868\u9879\u5bf9Users\u7ec4\u5f00\u653e\u4e86Set Value\u6743\u9650\uff0c\u56e0\u6b64\u4efb\u4f55\u901a\u8fc7\u8ba4\u8bc1\u7684\u7528\u6237\u90fd\u53ef\u4ee5\u8bbe\u7f6e\u4efb\u610f\u503c\u3002\n\nMicrosoft Windows Vista SP2\r\nMicrosoft Windows Vista SP1\r\nMicrosoft Windows Server 2008 SP2\r\nMicrosoft Windows Server 2008 R2\r\nMicrosoft Windows Server 2008\r\nMicrosoft Windows 7\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS10-059\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS10-059\uff1aVulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/MS10-059.mspx?pf=true", "modified": "2010-08-17T00:00:00", "published": "2010-08-17T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-20045", "id": "SSV:20045", "type": "seebug", "title": "Microsoft Windows Tracing\u529f\u80fd\u6ce8\u518c\u8868ACL\u4e0d\u5b89\u5168\u6743\u9650\u6f0f\u6d1e\uff08MS10-059\uff09", "sourceData": "\n Source: http://www.securityfocus.com/bid/42269/info\r\n\r\nMicrosoft Windows is prone to a local privilege-escalation vulnerability.\r\n\r\nAn attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of affected computers. \r\n\r\nCode:\r\nhttp://www.exploit-db.com/sploits/Chimichurri-CVE-2010-2554.zip\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-20045", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T16:35:33", "bulletinFamily": "exploit", "description": "No description provided by source.", "modified": "2014-07-01T00:00:00", "published": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-69575", "id": "SSV:69575", "title": "Microsoft Windows Tracing Registry Key ACL Privilege Escalation Vulnerability", "type": "seebug", "sourceData": "\n Source: http://www.securityfocus.com/bid/42269/info\r\n\r\nMicrosoft Windows is prone to a local privilege-escalation vulnerability.\r\n\r\nAn attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful exploits will result in the complete compromise of affected computers. \r\n\r\nCode:\r\nhttp://www.exploit-db.com/sploits/Chimichurri-CVE-2010-2554.zip\n ", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-69575"}], "nessus": [{"lastseen": "2019-02-21T01:13:42", "bulletinFamily": "scanner", "description": "The version of Tracing Feature for Services on the remote host has the following vulnerabilities :\n\n - Windows places incorrect ACLs on registry keys, which could allow an attacker to execute code with elevated privileges. (CVE-2010-2554)\n\n - Memory is allocated in an unspecified, unsafe manner when processing specially crafted long strings. An attacker could exploit this to execute code with elevated privileges. (CVE-2010-2555)", "modified": "2018-11-15T00:00:00", "id": "SMB_NT_MS10-059.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=48296", "published": "2010-08-11T00:00:00", "title": "MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(48296);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/11/15 20:50:30\");\n\n script_cve_id(\"CVE-2010-2554\", \"CVE-2010-2555\");\n script_bugtraq_id(42259, 42269);\n script_xref(name:\"IAVB\", value:\"2010-B-0064\");\n script_xref(name:\"MSFT\", value:\"MS10-059\");\n script_xref(name:\"MSKB\", value:\"982799\");\n\n script_name(english:\"MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)\");\n script_summary(english:\"Checks version of Rtutils.dll\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Windows host has multiple privilege escalation\nvulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The version of Tracing Feature for Services on the remote host has the\nfollowing vulnerabilities :\n\n - Windows places incorrect ACLs on registry keys, which\n could allow an attacker to execute code with elevated\n privileges. (CVE-2010-2554)\n\n - Memory is allocated in an unspecified, unsafe manner\n when processing specially crafted long strings. An\n attacker could exploit this to execute code with elevated\n privileges. (CVE-2010-2555)\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-059\");\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Microsoft has released a set of patches for Windows Vista, 2008, 7,\nand 2008 R2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS10-059';\nkbs = make_list(\"982799\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(vista:'1,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nkb = '982799';\nif (\n # Windows 7 and Windows Server 2008 R2\n hotfix_is_vulnerable(os:\"6.1\", file:\"Rtutils.dll\", version:\"6.1.7600.20738\", min_version:\"6.1.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", file:\"Rtutils.dll\", version:\"6.1.7600.16617\", min_version:\"6.1.7600.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / Windows 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Rtutils.dll\", version:\"6.0.6002.22427\", min_version:\"6.0.6002.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Rtutils.dll\", version:\"6.0.6002.18274\", min_version:\"6.0.6002.18000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Rtutils.dll\", version:\"6.0.6001.22715\", min_version:\"6.0.6001.22000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Rtutils.dll\", version:\"6.0.6001.18495\", min_version:\"6.0.6000.16000\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:'SMB/Missing/MS10-059', value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-02T21:09:49", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-059.", "modified": "2017-02-20T00:00:00", "published": "2010-08-26T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=902231", "id": "OPENVAS:902231", "title": "Microsoft Windows Tracing Feature Privilege Elevation Vulnerabilities (982799)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms10-059.nasl 5361 2017-02-20 11:57:13Z cfi $\n#\n# Microsoft Windows Tracing Feature Privilege Elevation Vulnerabilities (982799)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attackers to execute arbitrary code\n with elevated privileges.\n Impact Level: System\";\ntag_affected = \"Micorsoft Windows 7\n Microsoft Windows Vista Service Pack 1/2 and prior.\n Microsoft Windows Server 2008 Service Pack 1/2 and prior.\";\ntag_insight = \"The multiple flaws are due to,\n - Windows placing incorrect access control lists (ACLs) on registry keys for\n the Tracing Feature for Services.\n - A memory corruption error in the Tracing Feature for Services when handling\n certain strings read from the registry.\";\ntag_solution = \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/Bulletin/MS10-059.mspx\";\ntag_summary = \"This host is missing a critical security update according to\n Microsoft Bulletin MS10-059.\";\n\nif(description)\n{\n script_id(902231);\n script_version(\"$Revision: 5361 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 12:57:13 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-08-26 14:31:12 +0200 (Thu, 26 Aug 2010)\");\n script_cve_id(\"CVE-2010-2555\", \"CVE-2010-2554\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows Tracing Feature Privilege Elevation Vulnerabilities (982799)\");\n script_xref(name : \"URL\" , value : \"http://support.microsoft.com/kb/982799\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/60681\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/2056\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nif(hotfix_check_sp(winVista:3, win2008:3, win7:1) <= 0){\n exit(0);\n}\n\n# Check for MS10-059 Hotfix\nif(hotfix_missing(name:\"982799\") == 0){\n exit(0);\n}\n\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\",\n item:\"PathName\");\nif(!sysPath){\n exit(0);\n}\n\nshare = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:sysPath);\nfile = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\",\n string:sysPath + \"\\system32\\Rtutils.dll\");\n\nsysVer = GetVer(file:file, share:share);\nif(!sysVer){\n exit(0);\n}\n\n# Windows Vista\nif(hotfix_check_sp(winVista:2) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for Rtutils.dll version < 6.0.6001.18495\n if(version_is_less(version:sysVer, test_version:\"6.0.6001.18495\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Rtutils.dll version < 6.0.6002.18274\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18274\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows Server 2008\nelse if(hotfix_check_sp(win2008:2) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for Rtutils.dll version < 6.0.6001.18495\n if(version_is_less(version:sysVer, test_version:\"6.0.6001.18495\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for Rtutils.dll version < 6.0.6002.18274\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18274\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows 7\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n # Grep for Tcpip.sys version < 6.1.7600.16617\t\n if(version_is_less(version:sysVer, test_version:\"6.1.7600.16617\")){\n security_message(0);\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-06T14:40:56", "bulletinFamily": "scanner", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-059.", "modified": "2019-05-03T00:00:00", "published": "2010-08-26T00:00:00", "id": "OPENVAS:1361412562310902231", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902231", "title": "Microsoft Windows Tracing Feature Privilege Elevation Vulnerabilities (982799)", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Tracing Feature Privilege Elevation Vulnerabilities (982799)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902231\");\n script_version(\"2019-05-03T10:54:50+0000\");\n script_tag(name:\"last_modification\", value:\"2019-05-03 10:54:50 +0000 (Fri, 03 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2010-08-26 14:31:12 +0200 (Thu, 26 Aug 2010)\");\n script_cve_id(\"CVE-2010-2555\", \"CVE-2010-2554\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows Tracing Feature Privilege Elevation Vulnerabilities (982799)\");\n script_xref(name:\"URL\", value:\"http://support.microsoft.com/kb/982799\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/60681\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/2056\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to execute arbitrary code\n with elevated privileges.\");\n script_tag(name:\"affected\", value:\"Microsoft Windows 7\n\n Microsoft Windows Vista Service Pack 1/2 and prior.\n\n Microsoft Windows Server 2008 Service Pack 1/2 and prior.\");\n script_tag(name:\"insight\", value:\"The multiple flaws are due to,\n\n - Windows placing incorrect access control lists (ACLs) on registry keys for\n the Tracing Feature for Services.\n\n - A memory corruption error in the Tracing Feature for Services when handling\n certain strings read from the registry.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS10-059.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/security/Bulletin/MS10-059.mspx\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\n\nif(hotfix_check_sp(winVista:3, win2008:3, win7:1) <= 0){\n exit(0);\n}\n\nif(hotfix_missing(name:\"982799\") == 0){\n exit(0);\n}\n\nsysPath = registry_get_sz(key:\"SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\",\n item:\"PathName\");\nif(!sysPath){\n exit(0);\n}\n\nshare = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:sysPath);\nfile = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\",\n string:sysPath + \"\\system32\\Rtutils.dll\");\n\nsysVer = GetVer(file:file, share:share);\nif(!sysVer){\n exit(0);\n}\n\nif(hotfix_check_sp(winVista:2) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6001.18495\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18274\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2008:2) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6001.18495\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:sysVer, test_version:\"6.0.6002.18274\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n if(version_is_less(version:sysVer, test_version:\"6.1.7600.16617\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:38", "bulletinFamily": "software", "description": "Weak permissions on registry keys, buffer overflow on registry keys reading.", "modified": "2010-08-11T00:00:00", "published": "2010-08-11T00:00:00", "id": "SECURITYVULNS:VULN:11057", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:11057", "title": "Microsoft Windows Tracing Feature for Services security vulnerabilities", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:36", "bulletinFamily": "software", "description": "Microsoft Security Bulletin MS10-059 - Important\r\nVulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)\r\nPublished: August 10, 2010\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in the Tracing Feature for Services. The vulnerabilities could allow elevation of privilege if an attacker runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.\r\n\r\nThis security update is rated Important for all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerabilities by correcting the manner in which tokens are obtained and the length of a string read from the registry is calculated. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nRecommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.\r\n\r\nFor administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. None\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software\r\nOperating System\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\n\r\nWindows Vista Service Pack 1 and Windows Vista Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows 7 for x64-based Systems\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 R2 for x64-based Systems*\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\n\r\nNon-Affected Software\r\nOperating System\r\n\r\nWindows XP Service Pack 3\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\r\nWindows Server 2003 Service Pack 2\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhere are the file information details? \r\nRefer to the reference tables in the Security Update Deployment section for the location of the file information details.\r\n\r\nWhy does this update address several reported security vulnerabilities? \r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.\r\n\r\nCustomers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the August bulletin summary. For more information, see Microsoft Exploitability Index.\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tTracing Registry Key ACL Vulnerability - CVE-2010-2554\tTracing Memory Corruption Vulnerability - CVE-2010-2555\tAggregate Severity Rating\r\n\r\nWindows Vista Service Pack 1 and Windows Vista Service Pack 2\r\n\t\r\n\r\nModerate \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nModerate \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nModerate \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nModerate \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nModerate \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nModerate \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows 7 for x64-based Systems\r\n\t\r\n\r\nModerate \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 R2 for x64-based Systems*\r\n\t\r\n\r\nModerate \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\n\t\r\n\r\nModerate \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the TechNet articles, Managing a Server Core Installation and Servicing a Server Core Installation. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nTracing Registry Key ACL Vulnerability - CVE-2010-2554\r\n\r\nAn elevation of privilege vulnerability exists when Windows places incorrect access control lists (ACLs) on the registry keys for the Tracing Feature for Services. The vulnerability could allow an attacker to run code with elevated privileges. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-2554.\r\n\t\r\nMitigating Factors for Tracing Registry Key ACL Vulnerability - CVE-2010-2554\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nAn attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Tracing Registry Key ACL Vulnerability - CVE-2010-2554\r\n\r\nMicrosoft has not identified any workarounds for this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Tracing Registry Key ACL Vulnerability - CVE-2010-2554\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is caused when Windows places incorrect access control lists (ACLs) on registry keys for the Tracing Feature for Services. This makes it possible for an attacker to modify the tracing directory to a named pipe and create a named pipe listener on it. Once the named pipe is created, the attacker can impersonate it to obtain the tokens of the service creating the named pipe. If the creator is running in Local System context (for example, IpHlpSvc service), then the attacker can obtain and use the tokens of the Local System.\r\n\r\nWhat is an Access Control List (ACL)? \r\nAn access control list (ACL) is a list of security protections that applies to an object. An object can be a file, process, event, or any entity having a security descriptor. An entry in an ACL is an access control entry (ACE). There are two types of access control list: discretionary and system. Each ACE in an ACL identifies access rights allowed, denied, or audited for that trustee. For additional information, see the MSDN article, Access Control Lists.\r\n\r\nWhat is a named pipe? \r\nA named pipe is a named, one-way or duplex pipe for communication between the pipe server and one or more pipe clients. All instances of a named pipe share the same pipe name, but each instance has its own buffers and handles, and provides a separate conduit for client/server communication. The use of instances enables multiple pipe clients to use the same named pipe simultaneously. Any process can access named pipes, subject to security checks, making named pipes an easy form of communication between related or unrelated processes. For more information, see MSDN article, Named Pipes.\r\n\r\nWhat is the Routing Utilities Component (rtutils.dll)? \r\nThe routing utilities component (rtutils.dll) is a module that contains functions used for tracing, providing a uniform mechanism for generating diagnostic output for the various service components. When a component uses the Rtutils tracing mechanism, component specific tracing settings stored at the registry under the HKLM\Software\Microsoft\Tracing\ key will be used for storing the tracing data.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could run arbitrary code with system-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by correcting the manner in which tokens are obtained via impersonation.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2010-2554.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nTracing Memory Corruption Vulnerability - CVE-2010-2555\r\n\r\nAn elevation of privilege vulnerability exists due to the way that the Tracing Feature for Services allocates memory when processing specially crafted long strings from the registry. An attacker who successfully exploited this vulnerability could run arbitrary code with system-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-2555.\r\n\t\r\nMitigating Factors for Tracing Memory Corruption Vulnerability - CVE-2010-2555\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nAn attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Tracing Memory Corruption Vulnerability - CVE-2010-2555\r\n\r\nMicrosoft has not identified any workarounds for this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Tracing Memory Corruption Vulnerability - CVE-2010-2555\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe vulnerability is caused when the Tracing Feature for Services incorrectly calculates the length of certain strings read from the registry.\r\n\r\nWhat is the Routing Utilities Component (rtutils.dll)? \r\nThe routing utilities component (rtutils.dll) is a module that contains functions used for tracing, providing a uniform mechanism for generating diagnostic output for the various service components. When a component uses the Rtutils tracing mechanism, component-specific tracing settings stored in the registry under the HKLM\Software\Microsoft\Tracing\ key will be used for storing the tracing data.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could run arbitrary code with system-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by correcting the manner in which the Tracing Features for Services calculates the length of a string read from the registry.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through coordinated vulnerability disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nCesar Cerrudo of Argeniss for working with us on the Tracing Registry Key ACL Vulnerability (CVE-2010-2554)\r\n\u2022\t\r\n\r\nCesar Cerrudo of Argeniss for working with us on the Tracing Memory Corruption Vulnerability (CVE-2010-2555)\r\nTop of sectionTop of section\r\nMicrosoft Active Protections Program (MAPP)\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (August 10, 2010): Bulletin published.", "modified": "2010-08-11T00:00:00", "published": "2010-08-11T00:00:00", "id": "SECURITYVULNS:DOC:24464", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:24464", "title": "Microsoft Security Bulletin MS10-059 - Important Vulnerabilities in the Tracing Feature for Services Could Allow Elevation of Privilege (982799)", "type": "securityvulns", "cvss": {"score": 6.8, "vector": "AV:LOCAL/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
