MS Windows Ancillary Function Driver Privilege Elevation Vulnerability (2592799)

MS Windows Ancillary Function Driver Privilege Elevation Vulnerability (2592799) impacting Microsoft Windows XP and 2K

Reporter	Title	Published	Views	Family All 26
0day.today	MS11-080 Afd.sys Privilege Escalation Exploit	30 Nov 201100:00	–	zdt
0day.today	MS11-080 AfdJoinLeaf Privilege Escalation	3 Oct 201200:00	–	zdt
ATTACKERKB	CVE-2011-2005	12 Oct 201100:00	–	attackerkb
Circl	CVE-2011-2005	30 Nov 201100:00	–	circl
CISA KEV Catalog	Microsoft Ancillary Function Driver (afd.sys) Improper Input Validation Vulnerability	28 Mar 202200:00	–	cisa_kev
CVE	CVE-2011-2005	12 Oct 201101:00	–	cve
Cvelist	CVE-2011-2005	12 Oct 201101:00	–	cvelist
Exploit DB	Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080)	30 Nov 201100:00	–	exploitdb
Exploit DB	Microsoft Windows - 'AfdJoinLeaf' Local Privilege Escalation (MS11-080) (Metasploit)	10 Oct 201200:00	–	exploitdb
exploitpack	Windows-XP-2003-Afd.sys-Escalation	5 Jan 201516:22	–	exploitpack

Source	Link
support	www.support.microsoft.com/kb/2592799
technet	www.technet.microsoft.com/en-us/security/bulletin/ms11-080

###############################################################################
# OpenVAS Vulnerability Test
# $Id: secpod_ms11-080.nasl 5362 2017-02-20 12:46:39Z cfi $
#
# MS Windows Ancillary Function Driver Privilege Elevation Vulnerability (2592799)
#
# Authors:
# Antu Sanadi <[email protected]>
#
# Copyright:
# Copyright (c) 2011 SecPod, http://www.secpod.com
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2
# (or any later version), as published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
###############################################################################

tag_impact = "Successful exploitation could allow elevation of privilege if an attacker
  logs on to a user's system and runs a specially crafted application.
  Impact Level: System";
tag_affected = "Microsoft Windows XP Service Pack 3 and prior
  Microsoft Windows 2K3 Service Pack 2 and prior";
tag_insight = "The flaw is caused by an error in Ancillary Function Driver (AFD) which does
  not properly validates input before passing the input from user mode to the
  Windows kernel.";
tag_solution = "Run Windows Update and update the listed hotfixes or download and
  update mentioned hotfixes in the advisory from the below link,
  http://technet.microsoft.com/en-us/security/bulletin/ms11-080";
tag_summary = "This host is missing an important security update according to
  Microsoft Bulletin MS11-080.";

if(description)
{
  script_id(902482);
  script_version("$Revision: 5362 $");
  script_tag(name:"last_modification", value:"$Date: 2017-02-20 13:46:39 +0100 (Mon, 20 Feb 2017) $");
  script_tag(name:"creation_date", value:"2011-10-12 16:01:32 +0200 (Wed, 12 Oct 2011)");
  script_cve_id("CVE-2011-2005");
  script_bugtraq_id(49941);
  script_tag(name:"cvss_base", value:"7.2");
  script_tag(name:"cvss_base_vector", value:"AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_name("MS Windows Ancillary Function Driver Privilege Elevation Vulnerability (2592799)");
  script_xref(name : "URL" , value : "http://support.microsoft.com/kb/2592799");
  script_xref(name : "URL" , value : "http://technet.microsoft.com/en-us/security/bulletin/ms11-080");

  script_category(ACT_GATHER_INFO);
  script_copyright("Copyright (C) 2011 SecPod");
  script_family("Windows : Microsoft Bulletins");
  script_dependencies("secpod_reg_enum.nasl");
  script_mandatory_keys("SMB/WindowsVersion");

  script_tag(name : "impact" , value : tag_impact);
  script_tag(name : "affected" , value : tag_affected);
  script_tag(name : "insight" , value : tag_insight);
  script_tag(name : "solution" , value : tag_solution);
  script_tag(name : "summary" , value : tag_summary);

  script_tag(name:"qod_type", value:"registry");
  script_tag(name:"solution_type", value:"VendorFix");

  exit(0);
}


include("smb_nt.inc");
include("secpod_reg.inc");
include("version_func.inc");
include("secpod_smb_func.inc");

## Check for OS and Service Pack
if(hotfix_check_sp(xp:4, win2003:3) <= 0){
  exit(0);
}

## MS11-080 Hotfix 2592799
if((hotfix_missing(name:"2592799") == 0)){
  exit(0);
}

## Get System Path
sysPath = smb_get_systemroot();
if(!sysPath ){
  exit(0);
}

## Get Version from afd.sys
sysVer = fetch_file_version(sysPath, file_name:"system32\drivers\afd.sys");
if(!sysVer){
  exit(0);
}

## Windows XP
if(hotfix_check_sp(xp:4) > 0)
{
  SP = get_kb_item("SMB/WinXP/ServicePack");
  if("Service Pack 3" >< SP)
  {
    ## Check for afd.sys version
    if(version_is_less(version:sysVer, test_version:"5.1.2600.6142")){
      security_message(0);
    }
    exit(0);
  }
  security_message(0);
}

## Windows 2003
else if(hotfix_check_sp(win2003:3) > 0)
{
  SP = get_kb_item("SMB/Win2003/ServicePack");
  if("Service Pack 2" >< SP)
  {
    ## Check for afd.sys version
    if(version_is_less(version:sysVer, test_version:"5.2.3790.4898")){
      security_message(0);
    }
   exit(0);
  }
  security_message(0);
}

20 Feb 2017 00:00Current

0.8Low risk

Vulners AI Score0.8

EPSS0.67089