CVE-2009-0080
Published 2009-04-15
Priority P278 · medium · 6.9 · CVSS 2.0
AV:L/AC:M/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.36% (81.6th percentile)
The ThreadPool class in Windows Vista Gold and SP1, and Server 2008, does not properly implement isolation among a set of distinct processes that (1) all run under the NetworkService account or (2) all run under the LocalService account, which allows local users to gain privileges by leveraging incorrect thread ACLs to access the resources of one of the processes, aka "Windows Thread Pool ACL Weakness Vulnerability."
Detection & IOCs (extracted from sources)
- Monitor for local processes running under NetworkService or LocalService accounts attempting to access resources (handles, threads) belonging to other processes under the same service account. This cross-process resource access is the core exploitation primitive.
- Alert on privilege escalation to LocalSystem originating from a process previously running as NetworkService or LocalService. Successful exploitation results in full LocalSystem privileges.
- Vulnerability is limited to Windows Vista (Gold and SP1) and Windows Server 2008 only; other Windows versions are not affected.
- This is a local privilege escalation; an attacker must already have local code execution on the target system to exploit the ThreadPool ACL weakness.
CVSS provenance
nvd · v2.0 · 6.9 · MEDIUM · AV:L/AC:M/Au:N/C:C/I:C/A:C
vulncheck · 6.9 · MEDIUM
GHSA
ghsa_unreviewed · 2022-05-02
CVE-2009-0080 [MEDIUM] CWE-269 GHSA-x82p-3w9h-8xq7: The ThreadPool class in Windows Vista Gold and SP1, and Server 2008, does not properly implement isolation among a set of distinct processes that (1)
VulnCheck
Microsoft Windows Improper Privilege Management
vulncheck · 2009 · CVSS 6.9
CVE-2009-0080 [MEDIUM] Microsoft Windows Improper Privilege Management
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://learn.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-012
References:
- http://osvdb.org/53668
- http://www.securitytracker.com/id?1022044
- http://www.us-cert.gov/cas/techalerts/TA09-104A.html
- http://www.vupen.com/english/advisories/2009/1026
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-012
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6177