CVE-2009-1123
published 2009-06-10

Priority: P2 (74) · Severity: High · CVSS 3.1 base score: 7.8
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA Known Exploited Vulnerability: yes (remediation due 2022-03-24)
Exploited in the wild: yes
EPSS: 4.92% (91.0th percentile)
The kernel in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP2, Vista Gold, SP1, and SP2, and Server 2008 SP2 does not properly validate changes to unspecified kernel objects, which allows local users to gain privileges via a crafted application, aka "Windows Kernel Desktop Vulnerability."

Detection & IOCs (extracted from sources)

hash (MD5): a86ac0ad1f8928e8d4e1b728448f54f9
mutex: {E9B1E207-B513-4cfc-86BE-6D6004E5CB9C}
mutex: shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}
path: %systemroot%\$NtUninstallQxxxxxx$
filename: fdisk.sys
filename: fdisk_mon.exe
filename: fixdata.dat
filename: pxinsi64.exe
registry: HKCR\Ultra3
other (device name): \\.\Par1
other (device name): \\.\VBoxDrv
other (service name): ultra3
  • The Uroburos dropper exploits CVE-2009-1123 through an embedded module named ms09_025_Win32 (resource number 1000) to run kernel-mode code and escalate privileges. Scan binaries for a PE resource with that name or number, and treat a user-mode process that unexpectedly gains kernel-level execution as a sign of this exploit.
  • Alert on any of the three Uroburos mutexes; each one is a strong indicator on its own, and all three present together are conclusive: {E9B1E207-B513-4cfc-86BE-6D6004E5CB9C}, {B93DFED5-9A3B-459b-A617-59FD9FAD693E}, and shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}.
  • Monitor for a service named 'ultra3' being installed or started; this is the persistence mechanism used by the Uroburos dropper (fdisk_mon.exe).
  • Detect attempts to open HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows with KEY_SET_VALUE from non-administrative processes; Uroburos performs this open to verify that its privilege escalation succeeded.
  • The Uroburos installation directory and its files (fdisk.sys, fdisk_mon.exe, fixdata.dat) are hidden by the kernel-mode driver, so filesystem-level detection on the live system is unreliable; confirm with a clean-boot or offline scan.
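The detection points above, combined into one hunt over normalized Windows telemetry. This is an added example and not code from this page's sources or from any Uroburos analysis; the event schema (`event`, `host`, `integrity`, `access`, ...) is an assumed simplification of Sysmon/Security-log data, the sample records are constructed, the process integrity level stands in for "non-administrative process", and the install-directory pattern matches the hotfix-style `$NtUninstallQ…$` shape rather than a fixed name.

```python
from __future__ import annotations

import re
from collections import defaultdict
from typing import Iterable

# Indicators copied from the Detection & IOCs list on this page.
UROBUROS_MUTEXES = {
    "{E9B1E207-B513-4cfc-86BE-6D6004E5CB9C}",
    "{B93DFED5-9A3B-459b-A617-59FD9FAD693E}",
    "shell.{F21EDC09-85D3-4eb9-915F-1AFA2FF28153}",
}
UROBUROS_SERVICE = "ultra3"
UROBUROS_FILENAMES = {"fdisk.sys", "fdisk_mon.exe", "fixdata.dat", "pxinsi64.exe"}
UROBUROS_MD5 = "a86ac0ad1f8928e8d4e1b728448f54f9"
UROBUROS_REGKEYS = {r"hkcr\ultra3"}                 # compared lower-cased
UROBUROS_DEVICES = {r"\\.\par1", r"\\.\vboxdrv"}    # compared lower-cased
EXPLOIT_RESOURCE_NAME = "ms09_025_win32"            # embedded exploit module (resource 1000)
# Key the dropper opens with KEY_SET_VALUE to confirm the kernel exploit worked.
PRIV_CHECK_KEY = r"hklm\software\microsoft\windows nt\currentversion\windows"
# Install directory mimics a hotfix uninstall folder; the page shows its digits
# as xxxxxx, so this matches the shape, not one fixed name (assumption).
INSTALL_DIR_RE = re.compile(r"\\\$NtUninstallQ[^\\$]+\$(?:\\|$)", re.IGNORECASE)
# Integrity levels treated as "non-administrative" (assumption: Low/Medium = unelevated).
NON_ADMIN_INTEGRITY = {"low", "medium"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(ev: dict) -> list[str]:
    """Return the indicator labels one normalized event matches (empty list = clean)."""
    hits: list[str] = []
    kind = ev.get("event")
    if kind == "service_install":
        if ev.get("service_name", "").lower() == UROBUROS_SERVICE:
            hits.append("service:ultra3")
        if INSTALL_DIR_RE.search(ev.get("image_path", "")):
            hits.append("path:$NtUninstallQ*$")
    elif kind == "mutex_create" and ev.get("mutex_name") in UROBUROS_MUTEXES:
        hits.append("mutex:" + ev["mutex_name"])
    elif kind == "registry_access":
        key = ev.get("key", "").lower()
        if key in UROBUROS_REGKEYS:
            hits.append("registry:" + ev["key"])
        # Privilege-escalation self-check: write access requested on the
        # protected key by a process that should not be able to get it.
        if (key == PRIV_CHECK_KEY
                and "KEY_SET_VALUE" in ev.get("access", ())
                and ev.get("integrity", "").lower() in NON_ADMIN_INTEGRITY):
            hits.append("privesc-probe:" + ev["key"])
    elif kind == "file_create":
        path = ev.get("path", "")
        if _basename(path) in UROBUROS_FILENAMES:
            hits.append("filename:" + _basename(path))
        if INSTALL_DIR_RE.search(path):
            hits.append("path:$NtUninstallQ*$")
        if ev.get("md5", "").lower() == UROBUROS_MD5:
            hits.append("hash:" + UROBUROS_MD5)
    elif kind == "device_open" and ev.get("device", "").lower() in UROBUROS_DEVICES:
        hits.append("device:" + ev["device"])
    elif kind == "pe_resource" and ev.get("resource_name", "").lower() == EXPLOIT_RESOURCE_NAME:
        hits.append("resource:ms09_025_Win32")
    return hits


def hunt(events: Iterable[dict]) -> dict[str, set[str]]:
    """Group matched indicators by host; hosts with no hits are omitted."""
    found: dict[str, set[str]] = defaultdict(set)
    for ev in events:
        for hit in match_event(ev):
            found[ev.get("host", "?")].add(hit)
    return dict(found)


# Constructed sample telemetry (not real captures): ws01 is infected, ws02 is clean.
PRIV_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows"
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "registry_access", "image": r"C:\Users\j\AppData\Local\Temp\setup.exe",
     "integrity": "Medium", "key": PRIV_KEY, "access": ["KEY_SET_VALUE"]},
    {"host": "ws01", "event": "mutex_create", "image": r"C:\Users\j\AppData\Local\Temp\setup.exe",
     "mutex_name": "{E9B1E207-B513-4cfc-86BE-6D6004E5CB9C}"},
    {"host": "ws01", "event": "file_create", "path": r"C:\WINDOWS\$NtUninstallQ817473$\fdisk.sys"},
    {"host": "ws01", "event": "service_install", "service_name": "ultra3",
     "image_path": r"C:\WINDOWS\$NtUninstallQ817473$\fdisk_mon.exe"},
    # An elevated administrator touching the same key is not the probe.
    {"host": "ws02", "event": "registry_access", "image": r"C:\Windows\regedit.exe",
     "integrity": "High", "key": PRIV_KEY, "access": ["KEY_SET_VALUE"]},
    # A genuine hotfix uninstall folder (KB prefix) does not match the Q-prefixed shape.
    {"host": "ws02", "event": "file_create", "path": r"C:\WINDOWS\$NtUninstallKB958644$\spuninst.exe"},
    {"host": "ws02", "event": "service_install", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

if __name__ == "__main__":
    for host, hits in sorted(hunt(SAMPLE_EVENTS).items()):
        print(host, sorted(hits))
```

Because the driver hides the install directory once it is loaded, the `filename` and `path` rules only fire on the creation events recorded before that point or on an offline scan; the mutex, service and privilege-probe rules are the ones that still work on a running infected host.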

CVSS provenance

Source     Version  Score  Severity  Vector
NVD        v3.1     7.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD        v2.0     7.2    HIGH      AV:L/AC:L/Au:N/C:C/I:C/A:C
VulnCheck  n/a      7.8    HIGH
CISA       n/a      7.8    HIGH