CVE-2010-0232
Published 2010-01-21
Priority: high (CVSS 3.1 base score 7.8)
CISA Known Exploited Vulnerability, remediation due 2022-03-24
Exploited in the wild
EPSS: 29.25% (97.9th percentile)
The kernel in Microsoft Windows NT 3.1 through Windows 7, including Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista Gold, SP1, and SP2, and Windows Server 2008 Gold and SP2, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges by crafting a VDM_TIB data structure in the Thread Environment Block (TEB), and then calling the NtVdmControl function to start the Windows Virtual DOS Machine (aka NTVDM) subsystem, leading to improperly handled exceptions involving the #GP trap handler (nt!KiTrap0D), aka "Windows Kernel Exception Handler Vulnerability."
Detection & IOCs (extracted from sources)
- The exploit triggers the #GP trap handler (nt!KiTrap0D) by crafting a VDM_TIB data structure in the Thread Environment Block (TEB) and calling NtVdmControl(). Monitor for unprivileged processes invoking NtVdmControl() with VdmStartExecution, especially when not originating from a known 16-bit application host.
- The exploit subverts VdmAllowed restrictions by using CreateRemoteThread() to execute within the NTVDM subsystem process (which already has VdmAllowed set), bypassing the SeTcbPrivilege requirement for NtVdmControl(). Monitor for unexpected CreateRemoteThread calls targeting the NTVDM process.
- The Uroburos dropper uses the module ms10_015_Win32 (resource number 2000) to exploit CVE-2010-0232. Presence of this resource in a PE binary is a strong indicator of malicious use of this exploit.
- The Uroburos dropper checks for privilege escalation success by attempting KEY_SET_VALUE access to HKLM\Software\Microsoft\Windows Nt\CurrentVersion\Windows. Monitor for low-privilege processes attempting to open this key with write access as a post-exploitation indicator.
- The Uroburos dropper installs a service named 'ultra3'. Presence of this service name should be treated as a high-confidence indicator of Uroburos/Turla infection.
- The exploit proof-of-concept requires running 'vdmallowed.exe' to set up the VDM context before triggering the vulnerability. Detection of this executable on disk or in process listings is a strong indicator of exploit staging.
- The Metasploit module ms10_015_kitrap0d is explicitly not supported on x64 Windows. Detections should focus on 32-bit x86 Windows systems where 16-bit application support (NTVDM) is enabled.
- Mitigation: the exploit only works when access to 16-bit applications (the NTVDM subsystem) is enabled on a 32-bit x86 platform. Disabling the MS-DOS/WOWEXEC subsystems via Group Policy ('Windows Components\Application Compatibility\Prevent access to 16-bit applications') fully mitigates the attack vector.
CVSS provenance
- NVD, CVSS v3.1: 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.2 HIGH (AV:L/AC:L/Au:N/C:C/I:C/A:C)
- VulnCheck: 7.8 HIGH
- CISA: 7.8 HIGH
GHSA
GHSA-xprh-x7hf-54qr (ghsa_unreviewed, 2022-05-02), CVE-2010-0232 [HIGH]
Carries the same description as the CVE entry above.
VulnCheck
Microsoft Windows Kernel Exception Handler Vulnerability (vulncheck, 2010, CVSS 7.8)
CVE-2010-0232 [HIGH] CWE-264
The kernel in Microsoft Windows, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges.
Affected: Microsoft Windows
Required Action: Apply updates per vendor instructions.
Exploitation References:
- https://www.recordedfuture.com/russian-apt-toolkits
- https://dl.acm.org/doi/pdf/10.1145/3465481.3465758
- https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- https://go.group-ib.com/hubfs/report/protected/group-ib-opera1er-full-threat-research-2022-en.pdf
Exploit PoC: https://vulncheck.com/xdb/74da309f4d8d
Remediation Due: 2022-03-24
CISA
Microsoft Windows Kernel Exception Handler Vulnerability (cisa, 2022-03-03, CVSS 7.8)
CVE-2010-0232 [HIGH] CWE-264
Affected: Microsoft Windows
The kernel in Microsoft Windows, when access to 16-bit applications is enabled on a 32-bit x86 platform, does not properly validate certain BIOS calls, which allows local users to gain privileges.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-0232
Remediation Due Date: 2022-03-24
No detection rules found.
Exploit-DB
Microsoft Windows NT/2000/2003/2008/XP/Vista/7 - 'KiTrap0D' User Mode to Ring Escalation (MS10-015) (exploitdb, 2010-01-19, CVSS 7.8)
CVE-2010-0232 [HIGH]
---
Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/11199.zip (KiTrap0D.zip)
E-DB Note: Make sure to run "vdmallowed.exe" (pre-compiled) inside the subfolder.
Microsoft Windows NT #GP Trap Handler Allows Users to Switch Kernel Stack
CVE-2010-0232
In order to support BIOS service routines in legacy 16-bit applications, the Windows NT kernel supports the concept of BIOS calls in the Virtual-8086 mode monitor code. These are implemented in two stages; the kernel transitions to the second stage when the #GP trap handler (nt!KiTrap0D) detects that the faulting cs:eip matches specific magic values.
Transitioning to the second stage involves
Metasploit
Windows SYSTEM Escalation via KiTrap0D (metasploit)
This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated then the exploit will not run. The module relies on kitrap0d.x86.dll, and is not supported on x64 editions of Windows.
Talos
Snake Campaign: A few words about the Uroburos Rootkit (blogs_talos, 2014-04-22)
Over the past few days, analyzing the new Uroburos (aka Turla) rootkit has been exciting. That's because the sample dropper (MD5: a86ac0ad1f8928e8d4e1b728448f54f9) includes a lot of clever features. We don't want to rehash research already publicly available, but we will expand on some features that have not been covered in previous publications (like the driver loading strategy and the main dropper architecture).
The dropper is compressed with a simple packer that uses integer math, such as bit shifting, unsigned multiplication, and so on, to perform data decryption. At the end of the decryption routine, we end up with a jmp ebx opcode. The jump leads to a copy stub routine that replaces the original bytes of the executable:
Figure 1. The simple Uroburos packer and data copy routine
The
References
- http://blogs.technet.com/msrc/archive/2010/01/20/security-advisory-979682-released.aspx
- http://lists.immunitysec.com/pipermail/dailydave/2010-January/006000.html
- http://lock.cmpxchg8b.com/c0af0967d904cef2ad4db766a00bc6af/KiTrap0D.zip
- http://seclists.org/fulldisclosure/2010/Jan/341
- http://secunia.com/advisories/38265
- http://securitytracker.com/id?1023471
- http://www.microsoft.com/technet/security/advisory/979682.mspx
- http://www.securityfocus.com/archive/1/509106/100/0/threaded
- http://www.securityfocus.com/bid/37864
- http://www.us-cert.gov/cas/techalerts/TA10-040A.html
- http://www.vupen.com/english/advisories/2010/0179
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-015
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55742
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A8344
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-0232
Timeline
- 2010-01-21: Published
- 2022-03-03: Added to CISA KEV
- Exploited in the wild