CVE-2014-4971

Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.

CVSS v2.0 7.2 HIGH

7.2^/10

CVSS v2.0 : HIGH

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
http://seclists.org/fulldisclosure/2014/Jul/97	Exploit
https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt	Exploit
https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt	Exploit
http://seclists.org/fulldisclosure/2014/Jul/96	Exploit
http://www.osvdb.org/109387	Broken Link
http://www.exploit-db.com/exploits/34112	Exploit
http://blogs.technet.com/b/srd/archive/2014/10/14/accessing-risk-for-the-october-2014-security-updates.aspx	Vendor Advisory
http://packetstormsecurity.com/files/128674/Microsoft-Bluetooth-Personal-Area-Networking-BthPan.sys-Privilege-Escalation.html	Exploit VDB Entry
http://secunia.com/advisories/60974	Permissions Required
http://www.securitytracker.com/id/1031025	Third Party Advisory VDB Entry
http://www.exploit-db.com/exploits/34982	Exploit
http://www.securityfocus.com/bid/68764
http://www.exploit-db.com/exploits/34131
http://packetstormsecurity.com/files/127536/Microsoft-XP-SP3-MQAC.sys-Arbitrary-Write-Privilege-Escalation.html
http://packetstormsecurity.com/files/127535/Microsoft-XP-SP3-BthPan.sys-Arbitrary-Write-Privilege-Escalation.html
http://www.securityfocus.com/archive/1/532844/100/0/threaded
http://www.securityfocus.com/archive/1/532843/100/0/threaded
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-062

Advertisement

Configurations

Configuration 1 (hide)

cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*

Information

Published : 2014-07-26 08:55

Updated : 2018-10-12 15:07

NVD link : CVE-2014-4971

Mitre link : CVE-2014-4971

JSON object : View

CWE

CWE-20

Improper Input Validation

Advertisement

Products Affected

microsoft

windows_xp

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "http://seclists.org/fulldisclosure/2014/Jul/97", "name": "20140718 KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation", "tags": ["Exploit"], "refsource": "FULLDISC"}, {"url": "https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt", "name": "https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt", "name": "https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt", "tags": ["Exploit"], "refsource": "MISC"}, {"url": "http://seclists.org/fulldisclosure/2014/Jul/96", "name": "20140718 KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation", "tags": ["Exploit"], "refsource": "FULLDISC"}, {"url": "http://www.osvdb.org/109387", "name": "109387", "tags": ["Broken Link"], "refsource": "OSVDB"}, {"url": "http://www.exploit-db.com/exploits/34112", "name": "34112", "tags": ["Exploit"], "refsource": "EXPLOIT-DB"}, {"url": "http://blogs.technet.com/b/srd/archive/2014/10/14/accessing-risk-for-the-october-2014-security-updates.aspx", "name": "http://blogs.technet.com/b/srd/archive/2014/10/14/accessing-risk-for-the-october-2014-security-updates.aspx", "tags": ["Vendor Advisory"], "refsource": "CONFIRM"}, {"url": "http://packetstormsecurity.com/files/128674/Microsoft-Bluetooth-Personal-Area-Networking-BthPan.sys-Privilege-Escalation.html", "name": "http://packetstormsecurity.com/files/128674/Microsoft-Bluetooth-Personal-Area-Networking-BthPan.sys-Privilege-Escalation.html", "tags": ["Exploit", "VDB Entry"], "refsource": "MISC"}, {"url": "http://secunia.com/advisories/60974", "name": "60974", "tags": ["Permissions Required"], "refsource": "SECUNIA"}, {"url": "http://www.securitytracker.com/id/1031025", "name": "1031025", "tags": ["Third Party Advisory", "VDB Entry"], "refsource": "SECTRACK"}, {"url": "http://www.exploit-db.com/exploits/34982", "name": "34982", "tags": ["Exploit"], "refsource": "EXPLOIT-DB"}, {"url": "http://www.securityfocus.com/bid/68764", "name": "68764", "tags": [], "refsource": "BID"}, {"url": "http://www.exploit-db.com/exploits/34131", "name": "34131", "tags": [], "refsource": "EXPLOIT-DB"}, {"url": "http://packetstormsecurity.com/files/127536/Microsoft-XP-SP3-MQAC.sys-Arbitrary-Write-Privilege-Escalation.html", "name": "http://packetstormsecurity.com/files/127536/Microsoft-XP-SP3-MQAC.sys-Arbitrary-Write-Privilege-Escalation.html", "tags": [], "refsource": "MISC"}, {"url": "http://packetstormsecurity.com/files/127535/Microsoft-XP-SP3-BthPan.sys-Arbitrary-Write-Privilege-Escalation.html", "name": "http://packetstormsecurity.com/files/127535/Microsoft-XP-SP3-BthPan.sys-Arbitrary-Write-Privilege-Escalation.html", "tags": [], "refsource": "MISC"}, {"url": "http://www.securityfocus.com/archive/1/532844/100/0/threaded", "name": "20140718 KL-001-2014-003 : Microsoft XP SP3 MQAC.sys Arbitrary Write Privilege Escalation", "tags": [], "refsource": "BUGTRAQ"}, {"url": "http://www.securityfocus.com/archive/1/532843/100/0/threaded", "name": "20140718 KL-001-2014-002 : Microsoft XP SP3 BthPan.sys Arbitrary Write Privilege Escalation", "tags": [], "refsource": "BUGTRAQ"}, {"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-062", "name": "MS14-062", "tags": [], "refsource": "MS"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-20"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2014-4971", "ASSIGNER": "cve@mitre.org"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}}, "publishedDate": "2014-07-26T15:55Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:microsoft:windows_xp:*:sp3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2018-10-12T22:07Z"}