The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Microsoft DebugView Privilege Escalation Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.microsoft.com/technet/sysinternals/utilities/debugview.mspx>
DebugView is "a system analysis tool designed to display debug messages
being generated on the system". Local exploitation of a design error
vulnerability in Microsoft's DebugView could allow attackers to execute
arbitrary kernel code.
DETAILS
Vulnerable Systems:
* Microsoft DebugView version 4.64. The specific file version of Dbgv.sys
is 4.60.0.0. This file is deleted automatically after being loaded and
will not be found on disk.
* Previous versions are suspected to be vulnerable as well.
As part of its design, DebugView loads a kernel module Dbgv.sys. This
module includes functionality that can be abused to copy user supplied
data into the kernel, to controlled addresses. This allows malicious users
to inject arbitrary code into the running kernel.
Exploitation allows attackers to modify the kernel, resulting in the
arbitrary execution of code in kernel context.
In order to exploit this vulnerability, an administrator must launch the
DebugView application, which will load the Dbgv.sys driver into the
kernel. Once loaded, the vulnerable kernel module will be accessible by
all users, and will remain loaded until the system is rebooted.
Vendor Status:
Microsoft Sysinternals has addressed this vulnerability by releasing
version 4.72 of DebugView.
<http://www.microsoft.com/technet/sysinternals/utilities/debugview.mspx>
http://www.microsoft.com/technet/sysinternals/utilities/debugview.mspx
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4223>
CVE-2007-4223
Disclosure Timeline:
* 08/21/2007 - Initial vendor notification
* 08/21/2007 - Initial vendor response
* 11/06/2007 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=621>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=621
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
