Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2011-2022 Tenable Network Security, Inc.SMB_NT_MS11-080.NASL
HistoryOct 11, 2011 - 12:00 a.m.

MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)

2011-10-1100:00:00
This script is Copyright (C) 2011-2022 Tenable Network Security, Inc.
www.tenable.com
25

7.2 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

34.0%

JSON

The remote Windows host contains a version of the Ancillary Function Driver (afd.sys) that does not properly validate input before passing it from user mode to the kernel.

An attacker with local access to the affected system could exploit this issue to execute arbitrary code in kernel mode and take complete control of the affected system.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(56454);
  script_version("1.24");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/29");

  script_cve_id("CVE-2011-2005");
  script_bugtraq_id(49941);
  script_xref(name:"MSFT", value:"MS11-080");
  script_xref(name:"EDB-ID", value:"18176");
  script_xref(name:"EDB-ID", value:"21844");
  script_xref(name:"MSKB", value:"2592799");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/18");

  script_name(english:"MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a driver that allows privilege
escalation.");
  script_set_attribute(attribute:"description", value:
"The remote Windows host contains a version of the Ancillary Function
Driver (afd.sys) that does not properly validate input before passing it
from user mode to the kernel.

An attacker with local access to the affected system could exploit this
issue to execute arbitrary code in kernel mode and take complete control
of the affected system.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-080");
  script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP and 2003.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-2005");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'MS11-080 AfdJoinLeaf Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:"CANVAS");

  script_set_attribute(attribute:"vuln_publication_date", value:"2011/10/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2011/10/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2011-2022 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  script_require_ports(139, 445, "Host/patch_management_checks");

  exit(0);
}


include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");


get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS11-080';
kb = "2592799";

kbs = make_list(kb);
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

if (hotfix_check_sp_range(xp:'3', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

if (
  # Windows 2003 / XP 64-bit
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Afd.sys", version:"5.2.3790.4898", dir:"\system32\drivers", bulletin:bulletin, kb:kb) ||

  # Windows XP 32-bit
  hotfix_is_vulnerable(os:"5.1", sp:3, file:"Afd.sys", version:"5.1.2600.6142", dir:"\system32\drivers", bulletin:bulletin, kb:kb)
)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();

  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
VendorProductVersionCPE
microsoftwindowscpe:/o:microsoft:windows

Related

packetstorm 2
exploitpack 1
seebug 3
attackerkb 1
nvd 1
openvas 2
cvelist 1
prion 1
symantec 1
canvas 1
cve 1
cisa_kev 1
exploitdb 1
securityvulns 1
packetstorm
packetstorm
MS11-080 Afd.sys Privilege Escalation
2011-11-30 00:00:00
MS11-080 AfdJoinLeaf Privilege Escalation
2012-10-03 00:00:00
exploitpack
exploitpack
Microsoft Windows XP2003 - afd.sys Local Privilege Escalation (MS11-080)
2011-11-30 00:00:00
seebug
seebug
MS11-080 Afd.sys Privilege Escalation Exploit( CVE-2011-2005)
2011-12-01 00:00:00
Windows Afd.sys - Privilege Escalation Exploit (MS11-080)
2014-07-01 00:00:00
MS11-080 AfdJoinLeaf Privilege Escalation
2014-07-01 00:00:00
attackerkb
attackerkb
CVE-2011-2005
2011-10-12 00:00:00
nvd
nvd
CVE-2011-2005
2011-10-12 02:52:43
openvas
openvas
Microsoft Windows Ancillary Function Driver Privilege Elevation Vulnerability (2592799)
2011-10-12 00:00:00
MS Windows Ancillary Function Driver Privilege Elevation Vulnerability (2592799)
2011-10-12 00:00:00
cvelist
cvelist
CVE-2011-2005
2011-10-12 01:00:00
prion
prion
Privilege escalation
2011-10-12 02:52:00
symantec
symantec
Microsoft Windows AFD Driver CVE-2011-2005 Local Privilege Escalation Vulnerability
2011-10-11 00:00:00
canvas
canvas
Immunity Canvas: MS11_080
2011-10-12 02:52:00
cve
cve
CVE-2011-2005
2011-10-12 02:52:43
cisa_kev
cisa_kev
Microsoft Ancillary Function Driver (afd.sys) Improper Input Validation Vulnerability
2022-03-28 00:00:00
exploitdb
exploitdb
Microsoft Windows XP/2003 - &#039;afd.sys&#039; Local Privilege Escalation (MS11-080)
2011-11-30 00:00:00
securityvulns
securityvulns
Microsoft Windows multiple security vulnerabilities
2011-10-12 00:00:00

7.2 High

CVSS2

Access Vector

Access Complexity

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.001 Low

EPSS

Percentile

34.0%

JSON
Related for SMB_NT_MS11-080.NASL
packetstorm2exploitpack1seebug3attackerkb1nvd1openvas2cvelist1prion1symantec1canvas1cve1cisa_kev1exploitdb1securityvulns1