CVE-2009-1123
Published 2009-06-10
Priority P2 74 high · CVSS 3.1 base score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
CISA Known Exploited Vulnerability, remediation due 2022-03-24
Exploited in the wild
EPSS 4.92% (91.0th percentile)
The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 SP2 does not properly validate changes to unspecified kernel objects, which allows local users to gain privileges via a crafted application, aka "Windows Kernel Desktop Vulnerability."
Detection & IOCs (extracted from sources)
- The Uroburos dropper exploits CVE-2009-1123 via an embedded module named ms09_025_Win32 (resource number 1000) to execute kernel-mode code and escalate privileges; detect processes loading this resource or unexpectedly triggering kernel-mode execution from user mode.
- Alert on the presence of the three Uroburos mutexes, together or individually: {E9B1E207-B513-4cfc-86BE-6D6004E5CB9C}, {B93DFED5-9A3B-459b-A617-59FD9FAD693E}, and shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}.
- Monitor for a service named 'ultra3' being installed or started; this is the persistence mechanism used by the Uroburos dropper (fdisk_mon.exe).
- Detect KEY_SET_VALUE access attempts on HKLM\Software\Microsoft\Windows Nt\CurrentVersion\Windows from non-administrative processes; Uroburos opens this key to verify that privilege escalation succeeded.
- The Uroburos installation directory and its files (fdisk.sys, fdisk_mon.exe, fixdata.dat) are hidden by the kernel-mode driver, so filesystem-level detection is unreliable without a clean-boot or offline scan.
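The following is an added hunting example, not code from this page or from Talos. It runs the indicators listed above (mutex names, the 'ultra3' service, the privilege-check registry open, the ms09_025_Win32 resource, and the hidden file names) over a small batch of constructed endpoint telemetry records. The record schema (plain dicts keyed by "event"), the field names, the process names and the install path used in the samples are assumptions made for illustration; map them onto your own EDR or Sysmon fields. The offline-versus-live listing comparison implements the last bullet: files the rootkit hides from a running system still appear in an offline or clean-boot listing.

```python
"""Hunt for the Uroburos/Turla indicators tied to CVE-2009-1123 (MS09-025).

Added example; the telemetry schema and sample records below are constructed
for illustration and are not real captured logs.
"""
from __future__ import annotations

from typing import Iterable

# Indicators quoted from the Talos analysis referenced on this page.
UROBUROS_MUTEXES = {
    "{E9B1E207-B513-4cfc-86BE-6D6004E5CB9C}",
    "{B93DFED5-9A3B-459b-A617-59FD9FAD693E}",
    "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}",
}
UROBUROS_SERVICE = "ultra3"
UROBUROS_FILES = {"fdisk.sys", "fdisk_mon.exe", "fixdata.dat"}
DROPPER_RESOURCE = "ms09_025_Win32"
# Key the dropper opens for write to confirm it now holds elevated rights.
PRIVCHECK_KEY = r"HKLM\Software\Microsoft\Windows Nt\CurrentVersion\Windows"
KEY_SET_VALUE = 0x0002  # Win32 registry access right (winreg.KEY_SET_VALUE)
# Integrity levels below High are treated as "non-administrative".
NON_ADMIN_INTEGRITY = {"Untrusted", "Low", "Medium"}


def _norm_key(path: str) -> str:
    """Normalise separators, the HKLM alias and case for path comparison."""
    p = path.replace("/", "\\").strip("\\")
    p = p.replace("HKEY_LOCAL_MACHINE\\", "HKLM\\", 1)
    return p.lower()


def check_event(ev: dict) -> list[str]:
    """Return finding strings for one telemetry record (empty list if clean)."""
    kind = ev.get("event")
    hits: list[str] = []
    if kind == "mutex_create" and ev.get("name") in UROBUROS_MUTEXES:
        hits.append(f"uroburos_mutex:{ev['name']}")
    elif kind == "service_install" and ev.get("service_name", "").lower() == UROBUROS_SERVICE:
        hits.append(f"uroburos_service:{ev.get('image_path', '?')}")
    elif kind == "registry_open":
        # Only a write-capable open of the exact key from a non-admin context counts;
        # read-only opens (KEY_READ = 0x20019) are normal and ignored.
        wants_set = (ev.get("desired_access", 0) & KEY_SET_VALUE) != 0
        if (wants_set and _norm_key(ev.get("key", "")) == _norm_key(PRIVCHECK_KEY)
                and ev.get("integrity") in NON_ADMIN_INTEGRITY):
            hits.append(f"privesc_probe:{ev.get('process', '?')}")
    elif kind == "resource_load" and ev.get("resource_name") == DROPPER_RESOURCE:
        hits.append(f"dropper_resource:{ev.get('process', '?')}")
    elif kind == "file_listing":
        # Names present offline but missing from the live listing are being hidden.
        offline = set(ev.get("offline", []))
        live = set(ev.get("live", []))
        hidden = (offline - live) & UROBUROS_FILES
        if hidden:
            hits.append("hidden_files:" + ",".join(sorted(hidden)))
    return hits


def scan_events(events: Iterable[dict]) -> list[str]:
    """Run check_event over a batch and collect every finding in order."""
    findings: list[str] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed telemetry (hypothetical process names and paths), not real logs.
SAMPLE_EVENTS = [
    {"event": "mutex_create", "name": "{E9B1E207-B513-4cfc-86BE-6D6004E5CB9C}", "process": "setup.exe"},
    {"event": "mutex_create", "name": "Global\\SomeBenignMutex", "process": "chrome.exe"},
    {"event": "service_install", "service_name": "ultra3", "image_path": r"C:\Windows\Temp\inst\fdisk_mon.exe"},
    {"event": "registry_open", "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Nt\CurrentVersion\Windows",
     "desired_access": 0x20006, "integrity": "Medium", "process": "setup.exe"},  # KEY_WRITE
    {"event": "registry_open", "key": PRIVCHECK_KEY, "desired_access": 0x20019, "integrity": "Medium",
     "process": "explorer.exe"},  # KEY_READ: benign
    {"event": "registry_open", "key": PRIVCHECK_KEY, "desired_access": 0x20006, "integrity": "High",
     "process": "msiexec.exe"},  # admin context: expected
    {"event": "resource_load", "resource_name": "ms09_025_Win32", "resource_id": 1000, "process": "setup.exe"},
    {"event": "file_listing", "path": r"C:\Windows\Temp\inst",
     "offline": ["fdisk.sys", "fdisk_mon.exe", "fixdata.dat", "readme.txt"], "live": ["readme.txt"]},
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(finding)
```

The registry check deliberately keys on the access mask rather than on the event alone: a KEY_READ open of that key from a Medium-integrity process is routine, while a KEY_WRITE open from Medium integrity is the behaviour the dropper exhibits when testing whether the kernel exploit worked.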
CVSS provenance
- NVD v3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)
- VulnCheck: 7.8 HIGH
- CISA: 7.8 HIGH
GHSA
GHSA-gwqf-cc2p-xjrw (unreviewed, 2022-05-02) · CVE-2009-1123 [HIGH] · CWE-20
The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 SP2 does not properly validate changes to unspecified kernel objects, which allows local users to gain privileges via a crafted application, aka "Windows Kernel Desktop Vulnerability."
VulnCheck
Microsoft Windows Improper Input Validation Vulnerability (vulncheck, 2009) · CVE-2009-1123 [HIGH] · CWE-20 · CVSS 7.8
The kernel in Microsoft Windows does not properly validate changes to unspecified kernel objects, which allows local users to gain privileges via a crafted application.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.recordedfuture.com/russian-apt-toolkits ; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-03-24
CISA
Microsoft Windows Improper Input Validation Vulnerability (cisa, 2022-03-03) · CVE-2009-1123 [HIGH] · CWE-20 · CVSS 7.8
Affected: Microsoft Windows
The kernel in Microsoft Windows does not properly validate changes to unspecified kernel objects, which allows local users to gain privileges via a crafted application.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2009-1123
Remediation Due Date: 2022-03-24
No detection rules found.
No public exploits indexed.
Talos
Snake Campaign: A few words about the Uroburos Rootkit
blogs_talos · 2014-04-22
Over the past few days, analyzing the new Uroburos (aka Turla) rootkit has been exciting. That's because the sample dropper (MD5: a86ac0ad1f8928e8d4e1b728448f54f9) includes a lot of clever features. We don't want to rehash research already publicly available, but we will expand on some features that have not been covered in previous publications (like the driver loading strategy and the main dropper architecture).
The dropper is compressed with a simple packer that uses integer math, such as bit shifting and unsigned multiplication, to perform data decryption. At the end of the decryption routine, we end up with a jmp ebx opcode. The jump leads to a copy stub routine that replaces the original bytes of the executable:
Figure 1. The simple Uroburos packer and data copy routine
The
Bugzilla
CVE-2009-1932 gstreamer-plugins-good: PNG decoder integer overflow (bugzilla, 2009-06-04) · CVE-2009-1932 [MEDIUM] · CVSS 6.8
Secunia reported an integer overflow in the gstreamer-plugins-good PNG decoding handler. If something uses gstreamer-plugins-good to decode a PNG image, it may be possible to execute arbitrary code as the user.
The Debian bug report is here:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=531631
Discussion:
In the research we've done, neither totem nor rhythmbox will use this plugin to parse PNG images.
A PNG image can be displayed using this command:
gst-launch filesrc location=/usr/share/pixmaps/apple-green.png ! decodebin ! ffmpegcolorspace ! freeze ! autovideosink
---
Created attachment 346576
Upstream patch
---
This issue has been addressed in following products:
Red Hat Enterprise Linux 5
Via RHSA-2009:1123 htt
References
- http://osvdb.org/54940
- http://secunia.com/advisories/35372
- http://www.securitytracker.com/id?1022359
- http://www.us-cert.gov/cas/techalerts/TA09-160A.html
- http://www.vupen.com/english/advisories/2009/1544
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-025
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6206
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2009-1123
Timeline
- 2009-06-10: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild