7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
34.0%
The remote Windows host contains a version of the Ancillary Function Driver (afd.sys) that does not properly validate input before passing it from user mode to the kernel.
An attacker with local access to the affected system could exploit this issue to execute arbitrary code in kernel mode and take complete control of the affected system.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
# Registration section: when `description` is set, the script only registers
# the plugin's metadata (IDs, cross-references, risk attributes, scheduling
# requirements) and then exits without touching the target.
if (description)
{
script_id(56454);
script_version("1.24");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/29");
# Cross-references that tie this finding to the advisory, the KB fix and
# public exploit database entries.
script_cve_id("CVE-2011-2005");
script_bugtraq_id(49941);
script_xref(name:"MSFT", value:"MS11-080");
script_xref(name:"EDB-ID", value:"18176");
script_xref(name:"EDB-ID", value:"21844");
script_xref(name:"MSKB", value:"2592799");
# NOTE(review): the value is presumably the CISA Known Exploited
# Vulnerabilities remediation due date - confirm against the KEV catalog.
script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/18");
script_name(english:"MS11-080: Vulnerability in Ancillary Function Driver Could Allow Elevation of Privilege (2592799)");
script_set_attribute(attribute:"synopsis", value:
"The remote Windows host contains a driver that allows privilege
escalation.");
script_set_attribute(attribute:"description", value:
"The remote Windows host contains a version of the Ancillary Function
Driver (afd.sys) that does not properly validate input before passing it
from user mode to the kernel.
An attacker with local access to the affected system could exploit this
issue to execute arbitrary code in kernel mode and take complete control
of the affected system.");
script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2011/ms11-080");
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP and 2003.");
# CVSS v2 base vector: local access vector, low complexity, no
# authentication, complete impact on confidentiality, integrity and
# availability.
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
# Temporal vector: high exploitability (E:H), official fix available
# (RL:OF), report confidence confirmed (RC:C).
script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-2005");
# Exploitation-status attributes: they record that exploits are available,
# including in the named frameworks, and that malware has used the issue.
# Together with the known-exploited cross-reference above, they are the
# signals to use when prioritising remediation of this finding.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploit_framework_core", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'MS11-080 AfdJoinLeaf Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
script_set_attribute(attribute:"canvas_package", value:"CANVAS");
# Disclosure, patch and plugin publication all carry the same date.
script_set_attribute(attribute:"vuln_publication_date", value:"2011/10/11");
script_set_attribute(attribute:"patch_publication_date", value:"2011/10/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2011/10/11");
# "local" plugin type: the check inspects the host itself (file versions
# and patch data) instead of probing a network service.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_end_attributes();
# Information-gathering category.
script_category(ACT_GATHER_INFO);
script_family(english:"Windows : Microsoft Bulletins");
script_copyright(english:"This script is Copyright (C) 2011-2022 Tenable Network Security, Inc.");
# Scheduling: these dependencies run first, and the KB key they are expected
# to set must be present for this plugin to run.
script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
script_require_keys("SMB/MS_Bulletin_Checks/Possible");
# NOTE(review): presumably satisfied by an open SMB port (139 or 445) or by
# the patch-management KB key - confirm the semantics of a string argument.
script_require_ports(139, 445, "Host/patch_management_checks");
# Registration is complete; the detection logic further down is not executed
# in this mode.
exit(0);
}
include("audit.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");
include("misc_func.inc");
# Detection logic for MS11-080 (KB 2592799): checks the version of Afd.sys
# under <systemroot>\system32\drivers on Windows XP SP3 and Windows 2003 SP2
# and reports the host when either hotfix_is_vulnerable() check fires.

# Stop unless the bulletin-check prerequisite key is present in the KB.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS11-080';
kb = "2592799";
kbs = make_list(kb);

# When patch-management data is present, pass the bulletin and KB list to the
# third-party patch check before the file-version checks below.
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);

# The file-version check needs the enumerated registry and the OS version.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Only XP SP3 and Windows 2003 SP2 are in scope. Any other result leaves here
# with AUDIT_OS_SP_NOT_VULN, which reflects this plugin's scope and is not by
# itself evidence that KB 2592799 is installed.
sp_status = hotfix_check_sp_range(xp:'3', win2003:'2');
if (sp_status <= 0)
  audit(AUDIT_OS_SP_NOT_VULN);

# Locate the system root and make sure the share that holds it is readable.
systemroot = hotfix_get_systemroot();
if (!systemroot)
  exit(1, "Failed to get the system root.");

admin_share = hotfix_path2share(path:systemroot);
if (!is_accessible_share(share:admin_share))
  audit(AUDIT_SHARE_FAIL, admin_share);

# Windows 2003 / XP 64-bit first. The XP 32-bit check runs only when the first
# one does not flag the host, matching a short-circuit OR.
missing_patch = hotfix_is_vulnerable(os:"5.2", sp:2, file:"Afd.sys", version:"5.2.3790.4898", dir:"\system32\drivers", bulletin:bulletin, kb:kb);
if (!missing_patch)
{
  # Windows XP 32-bit
  missing_patch = hotfix_is_vulnerable(os:"5.1", sp:3, file:"Afd.sys", version:"5.1.2600.6142", dir:"\system32\drivers", bulletin:bulletin, kb:kb);
}

if (!missing_patch)
{
  # Neither check flagged the host: finish the file-version session and
  # record the host as not affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}
else
{
  # Record the missing bulletin in the KB, report the finding, then finish
  # the file-version session.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  hotfix_check_fversion_end();
  exit(0);
}