CVE-2010-3888
Published 2010-10-08
CVE-2010-3888: Unspecified vulnerability in Microsoft Windows on 32-bit platforms allows local users to gain privileges via unknown vectors, as exploited in the wild in July…
Priority: P2 · 71 · high · 7.2 (CVSS 2.0)
AV:L/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 3.93% (89.1th percentile)
Unspecified vulnerability in Microsoft Windows on 32-bit platforms allows local users to gain privileges via unknown vectors, as exploited in the wild in July 2010 by the Stuxnet worm, and identified by Kaspersky Lab researchers and other researchers.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
Detection & IOCs (extracted from sources)
- Detect privilege escalation attempt: alert on schtasks.exe invocations that include /disable followed immediately by /enable and then /run on the same task name within a short time window; this is the CRC32 collision trigger sequence used by the exploit.
- Detect PoC-specific task name 'wDw00t' in scheduled task creation or task file path C:\windows\system32\tasks\wDw00t.
- Detect PoC payload drop: monitor creation of xpl.bat in the %TEMP% directory containing 'net user /add' and 'net localgroup administrators /add' commands.
- Detect LeastPrivilege-to-HighestAvailable substitution in task XML: file integrity monitoring on task XML files should flag replacement of 'LeastPrivilege' with 'HighestAvailable'.
- The exploit drops a random-named .exe payload into %TEMP% before scheduling it; monitor for schtasks /create referencing executables under %TEMP% with random alphanumeric names.
- The exploit only works against Windows Vista, Windows 7, and Windows Server 2008; it returns Safe on other OS versions.
- The Metasploit module does not support WOW64 sessions; a 64-bit meterpreter session is required when targeting 64-bit systems.
- The vulnerability relies on the Task Scheduler using only a CRC32 checksum for integrity validation, allowing an attacker with write access to their own task file to forge a valid checksum after modifying privilege fields.
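Added example, not taken from this page's sources: a sketch of the first and fifth detections above, run over process-creation events. The event tuple layout, the 30-second window, the sample events and all function names are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (timestamp, user, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("2010-11-21T10:00:00", "alice", r'schtasks.exe /create /tn wDw00t /sc monthly /tr "C:\Users\alice\AppData\Local\Temp\xpl.bat"'),
    ("2010-11-21T10:00:05", "alice", "schtasks.exe /change /tn wDw00t /disable"),
    ("2010-11-21T10:00:06", "alice", "schtasks.exe /change /tn wDw00t /enable"),
    ("2010-11-21T10:00:07", "alice", "schtasks.exe /run /tn wDw00t"),
    ("2010-11-21T11:00:00", "bob", "schtasks.exe /change /tn Backup /disable"),  # slow, routine change
    ("2010-11-21T14:30:00", "bob", "schtasks.exe /change /tn Backup /enable"),
    ("2010-11-21T14:30:02", "bob", "schtasks.exe /run /tn Backup"),
]
TASK_NAME = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
SWITCH = re.compile(r'(?<!\S)/(\w+)')
TEMP_PAYLOAD = re.compile(r'(?:%temp%|\\temp)\\[^"\s]*\.(?:exe|bat)', re.I)
ORDER = ("disable", "enable", "run")

def parse_schtasks(cmd):
    """Return (task name, set of switches) for a schtasks command line, else None."""
    name = TASK_NAME.search(cmd)
    if not re.search(r'\bschtasks(?:\.exe)?\b', cmd, re.I) or not name:
        return None
    return (name.group(1) or name.group(2)).lower(), {s.lower() for s in SWITCH.findall(cmd)}

def find_trigger_sequences(events, window=timedelta(seconds=30)):
    """Alert when one user runs /disable, /enable, /run on one task inside the window."""
    progress, alerts = {}, []   # (user, task) -> (next expected step, time of /disable)
    for ts, user, cmd in sorted(events):
        parsed = parse_schtasks(cmd)
        if not parsed:
            continue
        key, when = (user, parsed[0]), datetime.fromisoformat(ts)
        step, start = progress.get(key, (0, when))
        if "disable" in parsed[1]:                 # /disable always (re)starts the sequence
            progress[key] = (1, when)
        elif step and ORDER[step] in parsed[1] and when - start <= window:
            progress[key] = (step + 1, start)
            if step == 2:                          # /run completed the sequence
                alerts.append((user, parsed[0], start.isoformat()))
                del progress[key]
        else:
            progress.pop(key, None)                # out of order or too slow: reset
    return alerts

def temp_task_creations(events):
    """Flag /create commands whose action is an .exe or .bat under a Temp directory."""
    parsed = ((user, parse_schtasks(cmd), cmd) for _, user, cmd in events)
    return [(u, p[0]) for u, p, c in parsed if p and "create" in p[1] and TEMP_PAYLOAD.search(c)]
```

Task names are lower-cased before comparison, so a hit on the PoC name reads `wdw00t`; widening `window` trades fewer misses for more alerts on ordinary task maintenance.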
CVSS provenance
nvd · v2.0 · 7.2 · HIGH · AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck · 7.2 · HIGH
GHSA
GHSA-p33r-82vp-ffm4: Unspecified vulnerability in Microsoft Windows on 32-bit platforms allows local users to gain privileges via unknown vectors, as exploited in the wild
ghsa_unreviewed·2022-05-17
CVE-2010-3888 [HIGH] GHSA-p33r-82vp-ffm4: Unspecified vulnerability in Microsoft Windows on 32-bit platforms allows local users to gain privileges via unknown vectors, as exploited in the wild
Unspecified vulnerability in Microsoft Windows on 32-bit platforms allows local users to gain privileges via unknown vectors, as exploited in the wild in July 2010 by the Stuxnet worm, and identified by Kaspersky Lab researchers and other researchers.
GHSA
GHSA-ggjq-qv33-pv47: The kernel-mode drivers in Microsoft Windows XP SP3 do not properly perform indexing of a function-pointer table during the loading of keyboard layout
ghsa_unreviewed·2022-05-14·CVSS 7.2
CVE-2010-2743 [HIGH] GHSA-ggjq-qv33-pv47: The kernel-mode drivers in Microsoft Windows XP SP3 do not properly perform indexing of a function-pointer table during the loading of keyboard layout
The kernel-mode drivers in Microsoft Windows XP SP3 do not properly perform indexing of a function-pointer table during the loading of keyboard layouts from disk, which allows local users to gain privileges via a crafted application, as demonstrated in the wild in July 2010 by the Stuxnet worm, aka "Win32k Keyboard Layout Vulnerability." NOTE: this might be a duplicate of CVE-2010-3888 or CVE-2010-3889.
GHSA
GHSA-mpmp-qx9g-mvg3: The Windows Task Scheduler in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly determine th
ghsa_unreviewed·2022-05-14·CVSS 7.2
CVE-2010-3338 [HIGH] CWE-20 GHSA-mpmp-qx9g-mvg3: The Windows Task Scheduler in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly determine th
The Windows Task Scheduler in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly determine the security context of scheduled tasks, which allows local users to gain privileges via a crafted application, aka "Task Scheduler Vulnerability." NOTE: this might overlap CVE-2010-3888.
VulnCheck
Microsoft Windows Improper Input Validation
vulncheck·2010·CVSS 7.2
CVE-2010-3338 [HIGH] Microsoft Windows Improper Input Validation
The Windows Task Scheduler in Microsoft Windows Vista SP1 and SP2, Windows Server 2008 Gold, SP2, and R2, and Windows 7 does not properly determine the security context of scheduled tasks, which allows local users to gain privileges via a crafted application, aka "Task Scheduler Vulnerability." NOTE: this might overlap CVE-2010-3888.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf; https://go.group-ib.com/hubfs/report/protected/group-ib-opera1er-full-threat-research-2022-en.pdf
Exploit PoC: http
VulnCheck
Microsoft Windows Win32k Keyboard Layout Privilege Escalation
vulncheck·2010·CVSS 7.2
CVE-2010-2743 [HIGH] Microsoft Windows Win32k Keyboard Layout Privilege Escalation
The kernel-mode drivers in Microsoft Windows XP SP3 do not properly perform indexing of a function-pointer table during the loading of keyboard layouts from disk, which allows local users to gain privileges via a crafted application, as demonstrated in the wild in July 2010 by the Stuxnet worm, aka "Win32k Keyboard Layout Vulnerability." NOTE: this might be a duplicate of CVE-2010-3888 or CVE-2010-3889.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air_gap_wp.pdf
VulnCheck
Microsoft Windows 32-bit Privilege Escalation
vulncheck·2010·CVSS 7.2
CVE-2010-3888 [HIGH] Microsoft Windows 32-bit Privilege Escalation
Unspecified vulnerability in Microsoft Windows on 32-bit platforms allows local users to gain privileges via unknown vectors, as exploited in the wild in July 2010 by the Stuxnet worm, and identified by Kaspersky Lab researchers and other researchers.
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cve.org/CVERecord?id=CVE-2010-3888; https://go.group-ib.com/hubfs/report/protected/group-ib-opera1er-full-threat-research-2022-en.pdf
No detection rules found.
Exploit-DB
Microsoft Windows - Task Scheduler '.XML' Local Privilege Escalation (MS10-092) (Metasploit)
exploitdb·2012-07-19
CVE-2010-3888 Microsoft Windows - Task Scheduler '.XML' Local Privilege Escalation (MS10-092) (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/post/common'
require 'rex'
require 'zlib'
class Metasploit3 'Windows Escalate Task Scheduler XML Privilege Escalation',
'Description' => %q{
This module exploits the Task Scheduler 2.0 XML 0day exploited by Stuxnet.
When processing task files, the Windows Task Scheduler only uses a CRC32
checksum to validate that the file has not been tampered with. Also, In a default
configuration, normal users can read and write the tas
Exploit-DB
Microsoft Windows - Task Scheduler Privilege Escalation
exploitdb·2010-11-20
CVE-2010-3888 Microsoft Windows - Task Scheduler Privilege Escalation
---
# Exploit Title: Windows Task Scheduler Privilege Escalation 0day
# Date: 20-11-2010
# Author: webDEViL
# Tested on: Windows 7/2008 x86/x64
No writeups or analysis indexed.