Windows 2000 SP 4
Windows XP SP 2
Windows XP SP 3
Windows XP Professional x64 Edition SP 2
Windows Server 2003 SP 2
Windows Server 2003 x64 Edition SP 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista SP 1
Windows Vista SP 2
Windows Vista x64 Edition SP 1
Windows Vista x64 Edition SP 2
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for 32-bit Systems SP 2
Windows Server 2008 for x64-based Systems
Windows Server 2008 for x64-based Systems SP 2
Windows Server 2008 for Itanium-based Systems
Windows Server 2008 for Itanium-based Systems SP 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Identifiers:
CVE-2010-0485
Synopsis
Microsoft Windows Kernel-Mode Drivers could allow elevation of privilege due to insufficient validation of certain kernel objects. Successful exploitation of this vulnerability allows an attacker to execute arbitrary code in kernel mode.
There is a vulnerability in Windows which could allow a non-admin user either to cause a blue screen (a denial of service against the whole system) or to run arbitrary code with system privileges. The root cause is a function in Win32k.sys which assumes that the windows in a parent chain all have the same parent. This is normally true, but a process without administrator rights can hook CBTProc and trap calls where nCode is HCBT_CREATEWND. The hook function can then alter hWndInsertAfter to be the hwnd of some other window, violating the assumption made in Win32k.sys.

As a result, any call to ValidateParentDepth() will trigger an access violation. ValidateParentDepth() is the function which assumes that all windows in the chain have the same parent; it can be triggered by pressing WindowsKey+D to minimize all windows.