CVE-2010-1225
published 2010-04-01


Priority: P2 (62) · Severity: critical, 9.3 (CVSS 2.0)
CVSS vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT: yes
EPSS: 28.16% (97.9th percentile)
The memory-management implementation in the Virtual Machine Monitor (aka VMM or hypervisor) in Microsoft Virtual PC 2007 Gold and SP1, Virtual Server 2005 Gold and R2 SP1, and Windows Virtual PC does not properly restrict access from the guest OS to memory locations in the VMM work area, which allows context-dependent attackers to bypass certain anti-exploitation protection mechanisms on the guest OS via crafted input to a vulnerable application. NOTE: the vendor reportedly found that only systems with an otherwise vulnerable application are affected, because "the memory areas accessible from the guest cannot be leveraged to achieve either remote code execution or elevation of privilege and ... no data from the host is exposed to the guest OS."

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | virtual_pc | | |
| microsoft | virtual_server | | |

Detection & IOCs (extracted from sources)

  • filename: vpdumper.exe
  • filename: vp_abo2_launcher
  • filename: abo2.exe
  • command: memset(buffer, '\x90', 0x124)
  • bytes: \xe8\xff\xff\xff\xff\xf0\x58\x58\xeb\x0a
  • bytes: \x90\x90\xeb\x04
  • Scan guest OS user-space processes for memory reads/writes to virtual addresses above the 2 GB boundary (0x80000000 and up), which should be inaccessible to user-mode code under normal conditions.
  • Detect exploitation attempts by monitoring for user-mode access to memory addresses >= 0x80000000 inside Virtual PC / Windows Virtual PC guest VMs.
  • Look for the PoC tool 'vpdumper.exe' executing inside guest VMs; it searches for and dumps VMM worker memory leaked into guest user-space.
  • Detect the characteristic 'call $-1' shellcode prologue byte sequence (\xe8\xff\xff\xff\xff\xf0) used in the PoC exploit to locate its own code address via the leaked VMM memory.
  • Monitor for pop-pop-ret gadget searches in high memory (above 0x80000000) within guest OS processes, as the exploit searches leaked VMM pages for such gadgets to bypass SafeSEH.
  • The vulnerability only increases risk when a separately vulnerable application is also present in the guest OS; the VMM memory exposure alone does not enable RCE or EoP without a co-located buggy application.
  • Microsoft virtualization products based on Hyper-V technology are NOT affected; only Virtual PC 2007 (Gold/SP1), Windows Virtual PC, Virtual Server 2005, and Virtual Server 2005 R2 SP1 are vulnerable.
  • The vulnerability cannot be used to escape the guest VM and execute code on the host OS; its scope is limited to within the guest.
  • The exploit is local-only within the guest VM; remote exploitation requires chaining with an unpatched or dismissed-as-unexploitable client-side bug.