CVE-2014-4971
Published: 2014-07-26
Priority: P354 · Severity: high · CVSS 2.0 base score: 7.2
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Public exploit: available
EPSS: 23.05% (97.5th percentile)
Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.
No detection rules found.
Exploit-DB
Microsoft Bluetooth Personal Area Networking - 'BthPan.sys' Local Privilege Escalation (Metasploit)
exploitdb · 2014-10-15
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'msf/core/exploit/local/windows_kernel'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
include Msf::Exploit::Local::WindowsKernel
def initialize(info={})
super(update_info(info,
'Name' => 'Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation',
'Description' => %q{
A vulnerability within Microsoft Bluetooth Personal Area Networking module,
BthPan.sys, can allow an attacker to inject memory controlled by the attacker
into an arbitrary location. This can be used by an attacker to overwrite
HalDispatchTable+0x4 and execute arbitrary code by subsequently calling
NtQueryIntervalProfile.
},
'License' => MSF_LICENSE,
'A
Exploit-DB
Microsoft Windows XP SP3 - 'MQAC.sys' Arbitrary Write Privilege Escalation (Metasploit)
exploitdb · 2014-07-25
---
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
def initialize(info={})
super(update_info(info,
'Name' => 'MQAC.sys Arbitrary Write Privilege Escalation',
'Description' => %q{
A vulnerability within the MQAC.sys module allows an attacker to
overwrite an arbitrary location in kernel memory.
This module will elevate itself to SYSTEM, then inject the payload
into another SYSTEM process.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Matt Bergin', # original exploit and all the hard work
'Spencer McIntyre' # MSF module
],
'Arch' => [ ARCH_X86 ],
'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions
Exploit-DB
Microsoft Windows XP SP3 - 'BthPan.sys' Arbitrary Write Privilege Escalation
exploitdb · 2014-07-21 · CVSS 7.2 [HIGH]
---
"""
Title: Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2014-002
Publication Date: 2014-07-18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt
1. Vulnerability Details
Affected Vendor: Microsoft
Affected Product: Bluetooth Personal Area Networking
Affected Versions: 5.1.2600.5512
Platform: Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where Condition
Impact: Privilege Escalation
Attack vector: IOCTL
CVE ID: CVE-2014-4971
2. Vulnerability Description
A vulnerability within the BthPan module allows an attacker to
inject memory they control into an arbitrary location they
define. This can be used by an attacker to
Exploit-DB
Microsoft Windows XP SP3 - 'MQAC.sys' Arbitrary Write Privilege Escalation
exploitdb · 2014-07-19 · CVSS 7.2 [HIGH]
---
Title: Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation
Advisory ID: KL-001-2014-003
Publication Date: 2014.07.18
Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt
1. Vulnerability Details
Affected Vendor: Microsoft
Affected Product: MQ Access Control
Affected Versions: 5.1.0.1110
Platform: Microsoft Windows XP SP3
CWE Classification: CWE-123: Write-what-where Condition
Impact: Privilege Escalation
Attack vector: IOCTL
CVE ID: CVE-2014-4971
2. Vulnerability Description
A vulnerability within the MQAC module allows an attacker to
inject memory they control into an arbitrary location they
define. This can be used by an attacker to overwrite
HalDispatchTable+0x
Metasploit
MS14-062 Microsoft Bluetooth Personal Area Networking (BthPan.sys) Privilege Escalation
A vulnerability within Microsoft Bluetooth Personal Area Networking module, BthPan.sys, can allow an attacker to inject memory controlled by the attacker into an arbitrary location. This can be used by an attacker to overwrite HalDispatchTable+0x4 and execute arbitrary code by subsequently calling NtQueryIntervalProfile.
Metasploit
MQAC.sys Arbitrary Write Privilege Escalation
A vulnerability within the MQAC.sys module allows an attacker to overwrite an arbitrary location in kernel memory. This module will elevate itself to SYSTEM, then inject the payload into another SYSTEM process.
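The pattern behind this CVE (a driver dereferencing a caller-supplied address from an IOCTL without validating it) and the follow-through named in the module descriptions (overwrite HalDispatchTable+0x4, then trigger it through NtQueryIntervalProfile), as a user-mode C model added to this page. It is not MQAC.sys, BthPan.sys, KoreLogic or Metasploit code: the dispatch table, the "syscall", the request layout, the user-range boundary and the probe routine are all constructed stand-ins so the chain can be compiled and checked on any host. It shows the unchecked handler beside a ProbeForWrite-style check, and confirms that the check stops the kernel-address write while still serving a legitimate user-mode output buffer.

```c
/*
 * Added example: user-mode MODEL of the write-what-where primitive behind
 * CVE-2014-4971 and of the XP-era follow-through (HalDispatchTable+0x4 ->
 * NtQueryIntervalProfile). Nothing here is MQAC.sys, BthPan.sys or
 * Metasploit code; every structure below is constructed for illustration.
 * Build: cc -std=c11 -Wall cve_2014_4971_model.c
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*sim_fn_t)(void);

/* --- simulated kernel state ------------------------------------------ */

/* Stands in for nt!HalDispatchTable. On 32-bit XP slot 1 sits at +0x4 and is
 * reached from NtQueryIntervalProfile via KeQueryIntervalProfile. */
static uintptr_t sim_hal_dispatch_table[4];

/* Stands in for the user-mode pages a driver may legitimately write to;
 * ProbeForWrite() enforces this boundary in a real driver. */
static uintptr_t sim_user_pages[32];
#define SIM_USER_BASE ((uintptr_t)sim_user_pages)
#define SIM_USER_END  (SIM_USER_BASE + sizeof sim_user_pages)

/* Model of the syscall that dispatches through HalDispatchTable[1]. */
static void sim_nt_query_interval_profile(void) {
    sim_fn_t target = (sim_fn_t)sim_hal_dispatch_table[1];
    if (target) target();
}

/* --- the IOCTL handler, vulnerable and fixed -------------------------- */

/* Assumed request layout: a METHOD_NEITHER-style IOCTL in which the caller
 * hands the driver a raw output pointer ("where") and a value ("what"). */
struct sim_ioctl_request {
    uintptr_t *where;
    uintptr_t  what;
};

/* Vulnerable: the caller's address is dereferenced with no check at all,
 * the CWE-123 write-what-where condition the advisories describe. */
static int sim_handler_vulnerable(const struct sim_ioctl_request *req) {
    *req->where = req->what;
    return 0;
}

/* Model of ProbeForWrite(Address, Length, Alignment): reject misaligned,
 * wrapping, or non-user addresses. */
static int sim_probe_for_write(const void *p, size_t len, size_t align) {
    uintptr_t a = (uintptr_t)p;
    if (len == 0 || (a % align) != 0) return 0;
    if (a + len < a) return 0;                       /* integer wrap */
    return a >= SIM_USER_BASE && a + len <= SIM_USER_END;
}

/* Fixed: probe the user pointer before writing through it. */
static int sim_handler_fixed(const struct sim_ioctl_request *req) {
    if (!sim_probe_for_write(req->where, sizeof *req->where, sizeof(uintptr_t)))
        return -1;                                    /* STATUS_ACCESS_VIOLATION */
    *req->where = req->what;
    return 0;
}

/* --- attacker side ---------------------------------------------------- */

static int sim_got_system;                            /* set when "shellcode" runs */
static void sim_fake_shellcode(void) { sim_got_system = 1; }

static void sim_reset(void) {
    memset(sim_hal_dispatch_table, 0, sizeof sim_hal_dispatch_table);
    memset(sim_user_pages, 0, sizeof sim_user_pages);
    sim_got_system = 0;
}

/* Full chain against the vulnerable handler: plant the shellcode address in
 * HalDispatchTable[1], then call the syscall that dispatches through it.
 * Returns 1 if the simulated shellcode ran. */
int demo_vulnerable_chain(void) {
    sim_reset();
    struct sim_ioctl_request req = { &sim_hal_dispatch_table[1], (uintptr_t)sim_fake_shellcode };
    if (sim_handler_vulnerable(&req) != 0) return 0;
    sim_nt_query_interval_profile();
    return sim_got_system;
}

/* Same request against the fixed handler: refused, table untouched, no code run. */
int demo_fixed_blocks_kernel_write(void) {
    sim_reset();
    struct sim_ioctl_request req = { &sim_hal_dispatch_table[1], (uintptr_t)sim_fake_shellcode };
    int rc = sim_handler_fixed(&req);
    sim_nt_query_interval_profile();
    return rc != 0 && sim_hal_dispatch_table[1] == 0 && sim_got_system == 0;
}

/* Sanity: the fixed handler still serves a legitimate user-mode buffer. */
int demo_fixed_allows_user_write(void) {
    sim_reset();
    struct sim_ioctl_request req = { &sim_user_pages[3], 0x1234 };
    return sim_handler_fixed(&req) == 0 && sim_user_pages[3] == 0x1234;
}

int main(void) {
    printf("vulnerable handler, chain ran shellcode: %d\n", demo_vulnerable_chain());
    printf("fixed handler blocked kernel write:      %d\n", demo_fixed_blocks_kernel_write());
    printf("fixed handler allowed user write:        %d\n", demo_fixed_allows_user_write());
    return 0;
}
```

The model deliberately keeps the primitive at a single pointer-sized write: that is all the real exploits needed, because one controlled dword into HalDispatchTable+0x4 turns an existing, unprivileged syscall into the trigger. The probe in the fixed handler is the only change between the two paths, which is the point a reviewer would check in any METHOD_NEITHER IOCTL handler.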
Talos
Microsoft Update Tuesday October 2014: Fixes for 4 0-day Vulnerabilities
blogs_talos · 2014-10-14
This post was authored by Yves Younan
Microsoft Tuesday is here once again, and this month they are releasing a total of eight bulletins, three of which are rated as critical, while the remaining five are rated as important. There's a total of 24 CVEs this month, 20 of which were privately disclosed to Microsoft and four of which are either publicly known or under active attack, making them 0-day vulnerabilities. Of those four, two are being actively attacked, while two have been publicly disclosed but do not seem to be under attack for supported software. Of the 24 CVEs, 15 are categorized as allowing remote code execution, four as elevation of privilege and three as security feature bypasses.
The first bulletin is MS14-056 and is the IE bulletin. There's a total of 14 CVEs and it is rated
References
http://blogs.technet.com/b/srd/archive/2014/10/14/accessing-risk-for-the-october-2014-security-updates.aspx
http://packetstormsecurity.com/files/127535/Microsoft-XP-SP3-BthPan.sys-Arbitrary-Write-Privilege-Escalation.html
http://packetstormsecurity.com/files/127536/Microsoft-XP-SP3-MQAC.sys-Arbitrary-Write-Privilege-Escalation.html
http://packetstormsecurity.com/files/128674/Microsoft-Bluetooth-Personal-Area-Networking-BthPan.sys-Privilege-Escalation.html
http://seclists.org/fulldisclosure/2014/Jul/96
http://seclists.org/fulldisclosure/2014/Jul/97
http://secunia.com/advisories/60974
http://www.exploit-db.com/exploits/34112
http://www.exploit-db.com/exploits/34131
http://www.exploit-db.com/exploits/34982
http://www.osvdb.org/109387
http://www.securityfocus.com/archive/1/532843/100/0/threaded
http://www.securityfocus.com/archive/1/532844/100/0/threaded
http://www.securityfocus.com/bid/68764
http://www.securitytracker.com/id/1031025
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-062
https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt
https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt