Microsoft Windows Apple Safari win32k.sys IFRAME input validation
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.6 | $0-$5k | 0.00 |
A vulnerability, which was classified as critical, was found in Microsoft Windows (Operating System) (version now known). Affected is some unknown processing in the library win32k.sys of the component Apple Safari. The manipulation of the argument IFRAME with the input value height='18082563' leads to a input validation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly. This is going to have an impact on confidentiality, integrity, and availability. CVE summarizes:
The Graphics Device Interface (GDI) in win32k.sys in the kernel-mode drivers in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly validate user-mode input, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via crafted data, as demonstrated by a large height attribute of an IFRAME element rendered by Safari, aka "GDI Access Violation Vulnerability."
The weakness was presented 12/18/2011 by w3bd3vil as confirmed tweet (Twitter). The advisory is available at twitter.com. This vulnerability is traded as CVE-2011-5046 since 12/30/2011. It is possible to launch the attack remotely. The exploitation doesn't require any form of authentication. Technical details and a public exploit are known.
A public exploit has been developed by w3bd3vil in HTML and been published immediately after the advisory. The exploit is shared for download at twitter.com. It is declared as proof-of-concept. As 0-day the estimated underground price was around $25k-$100k. The vulnerability scanner Nessus provides a plugin with the ID 57942 (MS12-008: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows : Microsoft Bulletins and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 90775 (Microsoft Windows Kernel-Mode Drivers Remote Code Execution Vulnerability (MS12-008)).
Applying a patch is able to eliminate this problem. A possible mitigation has been published 3 months after the disclosure of the vulnerability. Furthermore it is possible to detect and prevent this kind of attack with TippingPoint and the filter 11983.
The vulnerability is also documented in the databases at X-Force (71873), Tenable (57942) and Exploit-DB (18275). See 4633 for similar entry.
Product
Type
Vendor
Name
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 7.3VulDB Meta Temp Score: 6.6
VulDB Base Score: 7.3
VulDB Temp Score: 6.6
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
| unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Input validationCWE: CWE-20
ATT&CK: Unknown
Local: No
Remote: Yes
Availability: 🔍
Access: Public
Status: Proof-of-Concept
Author: w3bd3vil
Reliability: 🔍
Programming Language: 🔍
Download: 🔍
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | unlock | unlock | unlock | unlock |
|---|---|---|---|---|
| Today | unlock | unlock | unlock | unlock |
Nessus ID: 57942
Nessus Name: MS12-008: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 802379
OpenVAS Name: Microsoft Windows Kernel win32k.sys Memory Corruption Vulnerability
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Exploit-DB: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: PatchStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Exploit Delay Time: 🔍
TippingPoint: 🔍
McAfee IPS: 🔍
McAfee IPS Version: 🔍
ISS Proventia IPS: 🔍
PaloAlto IPS: 🔍
Fortigate IPS: 🔍
Timeline
12/18/2011 🔍12/18/2011 🔍
12/18/2011 🔍
12/18/2011 🔍
12/19/2011 🔍
12/19/2011 🔍
12/19/2011 🔍
12/22/2011 🔍
12/30/2011 🔍
12/30/2011 🔍
01/21/2012 🔍
02/14/2012 🔍
02/14/2012 🔍
02/15/2012 🔍
03/19/2021 🔍
Sources
Vendor: microsoft.comProduct: microsoft.com
Advisory: twitter.com
Researcher: w3bd3vil
Status: Confirmed
CVE: CVE-2011-5046 (🔍)
OVAL: 🔍
X-Force: 71873 - Microsoft Windows win32k.sys code execution, High Risk
SecurityTracker: 1026450 - Windows Win32k.sys GDI Memory Corruption Error Lets Remote Users Execute Arbitrary Code
Vulnerability Center: 34463 - [MS12-008] Microsoft Windows 7 64-bit with Apple Safari Allows Remote DoS Vulnerability, High
SecurityFocus: 51122 - Microsoft Windows 'win32k.sys' Remote Memory Corruption Vulnerability
Secunia: 47237 - Microsoft Windows Win32k.sys Two Vulnerabilities, Highly Critical
OSVDB: 77908
scip Labs: https://www.scip.ch/en/?labs.20161013
See also: 🔍
Entry
Created: 01/21/2012 01:00Updated: 03/19/2021 18:27
Changes: 01/21/2012 01:00 (104), 04/09/2017 14:45 (9), 03/19/2021 18:27 (3)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.