Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2011-2023 and is owned by Tenable, Inc. or an Affiliate thereof.SMB_NT_MS11-011.NASL
HistoryFeb 08, 2011 - 12:00 a.m.

MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802)

2011-02-0800:00:00
This script is Copyright (C) 2011-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
31
JSON

The remote Windows host is running a version of the Windows kernel that is affected by one or more of the following vulnerabilities :

  • A buffer overflow in the β€˜GreEnableEUDC()’ function can be triggered using specially crafted end-user-defined characters (EUDC) registry key values. (CVE-2010-4398)

  • An integer truncation vulnerability exists due to the failure of the Windows kernel to validate user-supplied data before allocating memory. (CVE-2011-0045)

An attacker with local access to the affected system can exploit these issues to execute arbitrary code in kernel mode and take complete control of the affected system.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(51911);
  script_version("1.27");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/11");

  script_cve_id("CVE-2010-4398", "CVE-2011-0045");
  script_bugtraq_id(45045, 46136);
  script_xref(name:"CERT", value:"529673");
  script_xref(name:"EDB-ID", value:"15609");
  script_xref(name:"EDB-ID", value:"16262");
  script_xref(name:"IAVA", value:"2011-A-0022-S");
  script_xref(name:"MSFT", value:"MS11-011");
  script_xref(name:"MSKB", value:"2393802");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/21");

  script_name(english:"MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2393802)");

  script_set_attribute(attribute:"synopsis", value:
"The Windows kernel is affected by several vulnerabilities that could
allow escalation of privileges.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host is running a version of the Windows kernel
that is affected by one or more of the following vulnerabilities :

  - A buffer overflow in the 'GreEnableEUDC()' function can
    be triggered using specially crafted end-user-defined
    characters (EUDC) registry key values. (CVE-2010-4398)

  - An integer truncation vulnerability exists due to the
    failure of the Windows kernel to validate user-supplied
    data before allocating memory. (CVE-2011-0045)

An attacker with local access to the affected system can exploit these
issues to execute arbitrary code in kernel mode and take complete
control of the affected system.");
  # https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-011
  script_set_attribute(attribute:"see_also", value:"https://www.nessus.org/u?a801cece");
  script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-11-064/");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, and 2008 R2.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-0045");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/11/24");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/02/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/02/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2011-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}


include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");


get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS11-011';
kb = "2393802";

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2', vista:'1,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);


if (
  # Windows 7 / Server 2008 R2
  hotfix_is_vulnerable(os:"6.1", sp:0,             file:"Ntoskrnl.exe", version:"6.1.7600.20826", min_version:"6.1.7600.20000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.1", sp:0,             file:"Ntoskrnl.exe", version:"6.1.7600.16695", min_version:"6.1.7600.16000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Vista / Windows Server 2008
  hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Ntoskrnl.exe", version:"6.0.6002.22505", min_version:"6.0.6002.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:2,             file:"Ntoskrnl.exe", version:"6.0.6002.18327", min_version:"6.0.6002.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Ntoskrnl.exe", version:"6.0.6001.22777", min_version:"6.0.6001.22000", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"6.0", sp:1,             file:"Ntoskrnl.exe", version:"6.0.6001.18538", min_version:"6.0.6001.18000", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2003 and XP x64
  hotfix_is_vulnerable(os:"5.2", sp:2,             file:"Ntoskrnl.exe", version:"5.2.3790.4789",  min_version:"5.2.0.0",        dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP x86
  hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86", file:"Ntoskrnl.exe", version:"5.1.2600.6055",  min_version:"5.1.0.0",        dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

openvas 2
canvas 1
attackerkb 1
cve 2
checkpoint_advisories 2
prion 2
cisa_kev 1
seebug 3
packetstorm 1
zdi 1
exploitpack 1
securityvulns 2
exploitdb 1
fireeye 1
openvas
openvas
Microsoft Windows Kernel Elevation of Privilege Vulnerability (2393802)
2011-02-09 00:00:00
Microsoft Windows Kernel Elevation of Privilege Vulnerability (2393802)
2011-02-09 00:00:00
canvas
canvas
Immunity Canvas: MS_ENABLEEUDC
2010-12-06 13:44:00
attackerkb
attackerkb
CVE-2010-4398
2010-12-06 00:00:00
cve
cve
CVE-2010-4398
2010-12-06 13:44:00
CVE-2011-0045
2011-02-09 01:00:00
checkpoint_advisories
checkpoint_advisories
Microsoft Windows Kernel win32k.sys Privilege Escalation (MS11-011; CVE-2010-4398)
2011-03-18 00:00:00
Microsoft Windows Kernel Integer Truncation Privilege Escalation (MS11-011; CVE-2011-0045)
2011-03-10 00:00:00
prion
prion
Stack overflow
2010-12-06 13:44:00
Integer overflow
2011-02-09 01:00:00
cisa_kev
cisa_kev
Microsoft Windows Kernel Stack-Based Buffer Overflow Vulnerability
2022-03-28 00:00:00
seebug
seebug
MS Windows XP - WmiTraceMessageVa Integer Truncation Vulnerability PoC (MS11-011)
2014-07-01 00:00:00
MS11-011(CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC
2011-03-02 00:00:00
Microsoft Windows Kernelζ•΄ζ•°ζˆͺζ–­ζœ¬εœ°ζƒι™ζε‡ζΌζ΄ž
2011-03-03 00:00:00
packetstorm
packetstorm
Microsoft Windows XP WmiTraceMessageVa Integer Truncation
2011-03-01 00:00:00
zdi
zdi
Microsoft Windows WmiTraceMessageVa Local Kernel Vulnerability
2011-02-08 00:00:00
exploitpack
exploitpack
Microsoft Windows XP - WmiTraceMessageVa Integer Truncation (PoC) (MS11-011)
2011-03-01 00:00:00
securityvulns
securityvulns
ZDI-11-064: Microsoft Windows WmiTraceMessageVa Local Kernel Vulnerability
2011-02-09 00:00:00
Microsoft Windows multiple security vulnerabilities
2011-02-14 00:00:00
exploitdb
exploitdb
Microsoft Windows XP - WmiTraceMessageVa Integer Truncation (PoC) (MS11-011)
2011-03-01 00:00:00
fireeye
fireeye
CARBANAK Week Part Two: Continuing the CARBANAK Source Code Analysis
2019-04-23 17:45:00
JSON
Related for SMB_NT_MS11-011.NASL
openvas2canvas1attackerkb1cve2checkpoint_advisories2prion2cisa_kev1seebug3packetstorm1zdi1exploitpack1securityvulns2exploitdb1fireeye1