Vulnerability-Lookup

CVE-2008-3636 (GCVE-0-2008-3636)

Vulnerability from cvelistv5 – Published: 2008-09-10 16:00 – Updated: 2024-08-07 09:45

Summary

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

Tags

	http://www.securitytracker.com/id?1020999	vdb-entryx_refsource_SECTRACK
	http://lists.apple.com/archives/security-announce…	vendor-advisoryx_refsource_APPLE
	http://www.symantec.com/avcenter/security/Content…	x_refsource_CONFIRM
	http://www.vupen.com/english/advisories/2008/2770	vdb-entryx_refsource_VUPEN
	http://www.vupen.com/english/advisories/2008/2526	vdb-entryx_refsource_VUPEN
	http://www.securitytracker.com/id?1020998	vdb-entryx_refsource_SECTRACK
	http://securitytracker.com/id?1020839	vdb-entryx_refsource_SECTRACK
	http://www.gearsoftware.com/support/GEARAspi%20Se…	x_refsource_CONFIRM
	http://support.apple.com/kb/HT3025	x_refsource_CONFIRM
	http://www.securitytracker.com/id?1020997	vdb-entryx_refsource_SECTRACK
	http://www.vupen.com/english/advisories/2008/2769	vdb-entryx_refsource_VUPEN
	http://www.kb.cert.org/vuls/id/146896	third-party-advisoryx_refsource_CERT-VN
	http://www.wintercore.com/advisories/advisory_W02…	x_refsource_MISC
	https://oval.cisecurity.org/repository/search/def…	vdb-entrysignaturex_refsource_OVAL
	http://www.securityfocus.com/bid/31089	vdb-entryx_refsource_BID
	http://www.securityfocus.com/archive/1/497131/100…	mailing-listx_refsource_BUGTRAQ
	http://securityresponse.symantec.com/avcenter/sec…	x_refsource_CONFIRM

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-07T09:45:18.949Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "1020999",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1020999"
          },
          {
            "name": "APPLE-SA-2009-09-09",
            "tags": [
              "vendor-advisory",
              "x_refsource_APPLE",
              "x_transferred"
            ],
            "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html"
          },
          {
            "name": "ADV-2008-2770",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2008/2770"
          },
          {
            "name": "ADV-2008-2526",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2008/2526"
          },
          {
            "name": "1020998",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1020998"
          },
          {
            "name": "1020839",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://securitytracker.com/id?1020839"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://support.apple.com/kb/HT3025"
          },
          {
            "name": "1020997",
            "tags": [
              "vdb-entry",
              "x_refsource_SECTRACK",
              "x_transferred"
            ],
            "url": "http://www.securitytracker.com/id?1020997"
          },
          {
            "name": "ADV-2008-2769",
            "tags": [
              "vdb-entry",
              "x_refsource_VUPEN",
              "x_transferred"
            ],
            "url": "http://www.vupen.com/english/advisories/2008/2769"
          },
          {
            "name": "VU#146896",
            "tags": [
              "third-party-advisory",
              "x_refsource_CERT-VN",
              "x_transferred"
            ],
            "url": "http://www.kb.cert.org/vuls/id/146896"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://www.wintercore.com/advisories/advisory_W021008.html"
          },
          {
            "name": "oval:org.mitre.oval:def:6035",
            "tags": [
              "vdb-entry",
              "signature",
              "x_refsource_OVAL",
              "x_transferred"
            ],
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035"
          },
          {
            "name": "31089",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/31089"
          },
          {
            "name": "20081007 [W02-1008] GearSoftware Powered Products Local Privilege Escalation (Microsoft Windows Kernel IopfCompleteRequest Integer Overflow)",
            "tags": [
              "mailing-list",
              "x_refsource_BUGTRAQ",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/archive/1/497131/100/0/threaded"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2008-09-09T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\\\.\\GEARAspiWDMDevice in this GEARAspiWDM.sys.  However, the root cause is the integer overflow in the API call itself."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2018-10-11T19:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "name": "1020999",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1020999"
        },
        {
          "name": "APPLE-SA-2009-09-09",
          "tags": [
            "vendor-advisory",
            "x_refsource_APPLE"
          ],
          "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html"
        },
        {
          "name": "ADV-2008-2770",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2008/2770"
        },
        {
          "name": "ADV-2008-2526",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2008/2526"
        },
        {
          "name": "1020998",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1020998"
        },
        {
          "name": "1020839",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://securitytracker.com/id?1020839"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://support.apple.com/kb/HT3025"
        },
        {
          "name": "1020997",
          "tags": [
            "vdb-entry",
            "x_refsource_SECTRACK"
          ],
          "url": "http://www.securitytracker.com/id?1020997"
        },
        {
          "name": "ADV-2008-2769",
          "tags": [
            "vdb-entry",
            "x_refsource_VUPEN"
          ],
          "url": "http://www.vupen.com/english/advisories/2008/2769"
        },
        {
          "name": "VU#146896",
          "tags": [
            "third-party-advisory",
            "x_refsource_CERT-VN"
          ],
          "url": "http://www.kb.cert.org/vuls/id/146896"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://www.wintercore.com/advisories/advisory_W021008.html"
        },
        {
          "name": "oval:org.mitre.oval:def:6035",
          "tags": [
            "vdb-entry",
            "signature",
            "x_refsource_OVAL"
          ],
          "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035"
        },
        {
          "name": "31089",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/31089"
        },
        {
          "name": "20081007 [W02-1008] GearSoftware Powered Products Local Privilege Escalation (Microsoft Windows Kernel IopfCompleteRequest Integer Overflow)",
          "tags": [
            "mailing-list",
            "x_refsource_BUGTRAQ"
          ],
          "url": "http://www.securityfocus.com/archive/1/497131/100/0/threaded"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-3636",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\\\.\\GEARAspiWDMDevice in this GEARAspiWDM.sys.  However, the root cause is the integer overflow in the API call itself."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1020999",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1020999"
            },
            {
              "name": "APPLE-SA-2009-09-09",
              "refsource": "APPLE",
              "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html"
            },
            {
              "name": "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html",
              "refsource": "CONFIRM",
              "url": "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html"
            },
            {
              "name": "ADV-2008-2770",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2008/2770"
            },
            {
              "name": "ADV-2008-2526",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2008/2526"
            },
            {
              "name": "1020998",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1020998"
            },
            {
              "name": "1020839",
              "refsource": "SECTRACK",
              "url": "http://securitytracker.com/id?1020839"
            },
            {
              "name": "http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf",
              "refsource": "CONFIRM",
              "url": "http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf"
            },
            {
              "name": "http://support.apple.com/kb/HT3025",
              "refsource": "CONFIRM",
              "url": "http://support.apple.com/kb/HT3025"
            },
            {
              "name": "1020997",
              "refsource": "SECTRACK",
              "url": "http://www.securitytracker.com/id?1020997"
            },
            {
              "name": "ADV-2008-2769",
              "refsource": "VUPEN",
              "url": "http://www.vupen.com/english/advisories/2008/2769"
            },
            {
              "name": "VU#146896",
              "refsource": "CERT-VN",
              "url": "http://www.kb.cert.org/vuls/id/146896"
            },
            {
              "name": "http://www.wintercore.com/advisories/advisory_W021008.html",
              "refsource": "MISC",
              "url": "http://www.wintercore.com/advisories/advisory_W021008.html"
            },
            {
              "name": "oval:org.mitre.oval:def:6035",
              "refsource": "OVAL",
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035"
            },
            {
              "name": "31089",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/31089"
            },
            {
              "name": "20081007 [W02-1008] GearSoftware Powered Products Local Privilege Escalation (Microsoft Windows Kernel IopfCompleteRequest Integer Overflow)",
              "refsource": "BUGTRAQ",
              "url": "http://www.securityfocus.com/archive/1/497131/100/0/threaded"
            },
            {
              "name": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html",
              "refsource": "CONFIRM",
              "url": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2008-3636",
    "datePublished": "2008-09-10T16:00:00",
    "dateReserved": "2008-08-12T00:00:00",
    "dateUpdated": "2024-08-07T09:45:18.949Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2008-3636\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2008-09-11T01:13:10.023\",\"lastModified\":\"2025-04-09T00:30:58.490\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\\\\\\\.\\\\GEARAspiWDMDevice in this GEARAspiWDM.sys.  However, the root cause is the integer overflow in the API call itself.\"},{\"lang\":\"es\",\"value\":\"Desbordamiento de entero en un driver de terceros no especificado incluido en Apple iTunes anterior a la 8.0 para Windows, permite a usuarios locales obtener privilegios a trav\u00e9s de vectores desconocidos.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":7.2,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":3.9,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-189\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:*:*:windows:*:*:*:*:*\",\"versionEndIncluding\":\"7.6.1\",\"matchCriteriaId\":\"A57528B3-69F7-4B76-9B15-2CDA3220F4CC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:1.0:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"49DC3DDC-8758-4D28-B2D5-161994C0E669\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:1.1.1:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"0D0E3B53-AFAE-47F1-B7E3-395406819357\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:1.1.2:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"5CF3BB89-1AEF-4B00-AF87-C9BAF7E23EDD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:2.0:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"389B617F-29D2-4171-B4E0-9E65BBFAF369\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:2.0.1:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"696D5986-155D-446C-A5FE-49C0DF1868AF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:2.0.2:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"3370179D-5E8A-4036-AA23-252674C6D807\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:2.0.3:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"2B71E645-F15B-43FE-931B-819F9ABA89C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:2.0.4:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"E90B5E1A-4D90-4252-8E34-649F33F1A088\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:3.0:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"1D0D1162-36F7-4F7E-94C0-ABB86B9FC4CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:3.0.1:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"DF23791B-F73D-4CF4-BAC3-591FF0F0B0C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.0:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"3E74DB1C-208B-42DE-9A5E-E9010140C5B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.0.1:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"018AC033-ACF0-496D-96E1-A03CC4162CB3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.1:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"A698DDBE-B79B-4F59-AFBC-0A0682B1EF1D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.2:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"BC9B5471-F1B1-4E8B-B991-FDE231BA30EE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.2.72:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"F2899F21-F01F-4C95-93AA-40C528EE56DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.5:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"BDD1695A-271B-4832-B4B1-E5A9D7DE4E24\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.6:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"9136E8D6-310D-4D4E-A6AC-2F89218B8666\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.7:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"78A3FEC0-F135-41F9-A260-52157B283B66\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.7.1:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"79591197-B671-46B2-9EB2-03A75A838CC1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.7.1.30:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"A2DD1A9D-4AF4-452A-99C2-AE93611C985D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.8:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"8DEABC06-3FF2-4B6A-AAFF-F38B00BA2967\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:4.9:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"6514E3F5-3B5D-43BE-A26D-5167B519F3EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:5.0:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"23C49853-8616-4769-90BC-B6D85B24A36E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:5.0.1:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"7C1EC2F5-FBE8-4EC8-9D28-83C736F2DC01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:6.0:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"8DDAAC1F-03CA-4DCC-9E9B-A68181261BAC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:6.0.1:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"D5AE8F59-2DF8-403B-BAB9-6465E618897C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:6.0.2:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"F37B39AB-2D5B-417E-BCEF-29C18D386C53\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:6.0.3:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"A1DCEED8-8174-4319-BAA2-E0A70A7EAFC0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:6.0.4:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"9730866D-DFE9-448F-9D4E-6B21B3942737\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:6.0.4.2:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"E20BC99A-13FC-446C-A27A-6C2D859C172B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:6.0.5:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"DD300F1B-EE8F-4606-B024-A14CA2EF4D78\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:7.0.2:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"2690D789-B1DC-40A5-8CC6-BBB499E9A550\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:7.3.2:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"BC37C091-02B8-4B39-9253-52C1008ADEC6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:7.4:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"70A4EEE2-1DD2-4936-8939-4683523670B9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:7.4.1:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"95B58CD1-03CB-4C35-A290-7157941D210D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:7.4.2:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"A27B736F-317F-4538-AA3B-72D6EF0D2D33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:7.4.3:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"481E736B-0A83-4422-B1D3-4BD0F9565A18\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:7.5:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"3BB09ABD-C1F1-4101-BDC2-FC3E8C422631\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:7.6:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"A7448F89-CC4A-4B18-887F-B47C0B57404C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:7.6.2:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"B2943C2E-0DDD-498A-9439-E9394CB06081\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:7.7:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"D41DA19A-4403-40A8-A3DB-01A12FD4F267\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apple:itunes:7.7.1:*:windows:*:*:*:*:*\",\"matchCriteriaId\":\"25E7EF0A-D79E-44E3-B0D4-3C6E8F6FD666\"}]}]}],\"references\":[{\"url\":\"http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://securitytracker.com/id?1020839\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://support.apple.com/kb/HT3025\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.kb.cert.org/vuls/id/146896\",\"source\":\"cve@mitre.org\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.securityfocus.com/archive/1/497131/100/0/threaded\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securityfocus.com/bid/31089\",\"source\":\"cve@mitre.org\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.securitytracker.com/id?1020997\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securitytracker.com/id?1020998\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.securitytracker.com/id?1020999\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.symantec.com/avcenter/security/Content/2008.10.07a.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.vupen.com/english/advisories/2008/2526\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.vupen.com/english/advisories/2008/2769\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.vupen.com/english/advisories/2008/2770\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://www.wintercore.com/advisories/advisory_W021008.html\",\"source\":\"cve@mitre.org\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035\",\"source\":\"cve@mitre.org\"},{\"url\":\"http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://securitytracker.com/id?1020839\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://support.apple.com/kb/HT3025\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.kb.cert.org/vuls/id/146896\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://www.securityfocus.com/archive/1/497131/100/0/threaded\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/31089\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"http://www.securitytracker.com/id?1020997\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id?1020998\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securitytracker.com/id?1020999\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.symantec.com/avcenter/security/Content/2008.10.07a.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.vupen.com/english/advisories/2008/2526\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.vupen.com/english/advisories/2008/2769\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.vupen.com/english/advisories/2008/2770\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.wintercore.com/advisories/advisory_W021008.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

VAR-200809-0208

Vulnerability from variot - Updated: 2025-04-10 22:30

Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \.\GEARAspiWDMDevice in this GEARAspiWDM.sys. However, the root cause is the integer overflow in the API call itself. Windows upper Apple iTunes Contains an integer overflow vulnerability in the included third-party driver.Privilege may be elevated to a malicious local user. Local attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial-of-service condition. Windows is a very popular operating system of Microsoft Corporation. [ HTML FORMATED Advisory ] http://www.wintercore.com/advisories/advisory_W021008.html

[TEXT VERSION]

GearSoftware Powered Products Local Privilege Escalation + GEARASpiWDM.sys Insecure Method + Microsoft Windows Kernel IopfCompleteRequest Integer Overflow

:: Summary

Background
Non-technical description
Technical Description
Exploiting it
References
Affected Products
Credits
Disclosure Timeline
Contact
```
    1. GEAR develops solutions for
```
professional premastering, DVD editing and authoring, and is also a leading provider of development tools that enable software companies to integrate optical recording technology into their own products. GEAR technology is integrated into solutions from some of the world's most prominent technology organizations, including Apple, Symantec, Siemens, Kodak, Philips and Bosch, among many others"

www.gearsoftware.com

        2. However,

the attack vector needed for taking advantage of this weakness has not been identified on a out-of-box Windows installation. Therefore, a third-party application is, so far, the unique possible attack vector to exploit this issue.

This advisory covers the attack vector found in a widely extended licensed application, GearSoftware Recording SDK, which was exposing the kernel flaw to user-mode attackers through one of its filter drivers: GEARAspiWDM.sys

Since this driver is a licensed solution, it is bundled with several well-known products. To clarify as much as possible this vulnerability, we should distinguish three different elements which make up the problem.

The Attack Vector: GearAspiWDM.sys Insecure Method.
Vulnerable Products: Every GearSoftware powered product that is bundled with GEARAspiWDM.sys. (e.g Norton 360, Apple iTunes...)

Whilst the underlying vulnerability is, under our point of view, a real vulnerability, the Attack Vector may or may not be considered a vulnerability by itself. Note that if we supress the underlying vulnerability from the equation, then the attack vector turns out to be practically useless, however by patching only the attack vector we will always be facing the risk that another one comes to light.On the other hand, this fact is not impossible but seems very unlikely.

Microsoft, as the vendor affected by the underlying vulnerability, Apple and Symantec as Vulnerable Products were directly contacted . After verifying the details provided Microsoft did not consider this flaw elegible for a patch. Therefore,with the help of the US-CERT, Symantec, Apple, GearSoftware and Wintercore were coordinated during the process of resolving this issue by patching GEARAspiWDM.sys driver.

The final outcome is that the Attack Vector has been patched although the underlying vulnerability still remains unpatched.

        3.  Technical Description.

The problem lies in how the stack locations are traversed while trying to complete an IRP. Let's see

lkd> dt nt!_IRP

        [...]

+0x022 StackCount : Char signed

+0x023 CurrentLocation : Char signed

        [...]

Module: ntoskrnl.exe

Version: XP SP2

.text:0040CC01

.text:0040CC01 ; __fastcall IopfCompleteRequest(x, x)

.text:0040CC01 @IopfCompleteRequest@8 proc near ; CODE XREF: IoPerfCompleteRequest(x,x)+88p

.text:0040CC01 ; IoPerfCompleteRequest(x,x)+B8p ...

.text:0040CC01

.text:0040CC01 var_C = dword ptr -0Ch

.text:0040CC01 var_8 = dword ptr -8

.text:0040CC01 var_1 = byte ptr -1

.text:0040CC01

.text:0040CC01 mov edi, edi

.text:0040CC03 push ebp

.text:0040CC04 mov ebp, esp

.text:0040CC06 sub esp, 10h

.text:0040CC09 push ebx

.text:0040CC0A push esi

.text:0040CC0B mov esi, ecx

.text:0040CC0D mov cl, [esi+23h] ; Irp->CurrentLocation

.text:0040CC10 mov [ebp+var_8], edx

.text:0040CC13 mov dl, [esi+22h] ; Irp->StackCount

.text:0040CC16 xor ebx, ebx

.text:0040CC18 inc dl ; Irp->StackCount+1

.text:0040CC1A cmp cl, dl

.text:0040CC1C push edi

.text:0040CC1D mov [ebp+var_C], ebx

.text:0040CC20 jg sub_444F81

.text:0040CC26 cmp word ptr [esi], 6 ; Irp->Type == IO_TYPE_IRP

.text:0040CC2A jnz sub_444F81

.text:0040CC30 mov edi, [esi+60h] ; Irp->CurrentStackLocation

.text:0040CC33 inc cl

.text:0040CC35 cmp cl, dl

.text:0040CC37 lea eax, [edi+24h]

.text:0040CC3A mov [esi+23h], cl ; Irp->CurrentLocation++

.text:0040CC3D mov [esi+60h], eax ;Irp->Tail->Overlay.CurrentStackLocation++

.text:0040CC40 jg short loc_40CCA6

.text:0040CC42 add edi, 3

{...}

.text:0040CC8D

.text:0040CC8D loc_40CC8D: ; CODE XREF: IopfCompleteRequest(x,x)+13Cj

.text:0040CC8D add dword ptr [esi+60h], 24h ; StackLocation++

.text:0040CC91 mov eax, [esi+60h]

.text:0040CC94 add edi, 24h ;Irp->Tail.Overlay.CurrentStackLocation++

.text:0040CC97 inc byte ptr [esi+23h] ; Irp->CurrentLocation++

.text:0040CC9A mov dl, [esi+22h] ; Irp->StackCount

.text:0040CC9D mov cl, [esi+23h] ; Irp->CurrentLocation

.text:0040CCA0 inc dl

.text:0040CCA2 cmp cl, dl ; if CurrentLocation <= StackCount+1

.text:0040CCA4 jle short loc_40CC45 ; Signed comparison - FLAW -

pStack = IoGetCurrentIrpStackLocation( Irp )

for( pStack,

        Irp->Tail.Overlay.CurrentStackLocation++

        Irp->CurrentLocation++;



        Irp->CurrentLocation <= (CHAR) (Irp->StackCount + 1);



        pStack++,

        Irp->Tail.Overlay.CurrentStackLocation++

        Irp->CurrentLocation++ )

{

...

}

Well, let's imagine an IRP where the StackCount and CurrentLocation = = 0x7e (pretty unusual but possible indeed)

After the first iterate within the for(){...} , CurrentLocation will be 0x80 which is a negative value so Irp->CurrentLocation <= (CHAR) (Irp->StackCount+1) becomes TRUE.Hence, remaining iterations will be running out of allocated memory, traversing arbitrary and invalid stack locations.

        4. Exploiting it.

Digging into the for{} loop we found out the following:

Module: ntoskrnl.exe XP SP2 (32-bit)

.text:0040CD30 loc_40CD30: ; CODE XREF: IopfCompleteRequest(x,x)+4B47j

.text:0040CD30 push dword ptr [edi+1Dh]

.text:0040CD33 push esi

.text:0040CD34 push eax

.text:0040CD35 call dword ptr [edi+19h]

.text:0040CD38 cmp eax, 0C0000016h

.text:0040CD3D jnz loc_40CC8D ; StackLocation++

pStack->CompletionRoutine(...)

We must note that once the flaw has been triggered the for{} is traversing invalid stack locations where *(edi+19h) points to undetermined memory. We also have to take into account the internals of the IO Manager where the memory allocated for the IRPs is zeroed. Therefore, it has been proven that by allocating user-mode memory at 0x0 we can control the function pointer dereferenced.

However, that's not always true since we may be traversing uninitialized memory that holds random values. For that cases, it is also possible to seed the memory by issuing FSCTL/IOCTL requests before triggering the flaw,thus we can assure a high reliability exploiting this flaw.

Anyway, the hardest task is to discover a suitable attack vector since you need to force a huge driver stack. The patched driver was found implementing an insecure method by which, an unlimited number of calls to IoAttachDevice (TargetDevice is also user-controlled) were available from user-land, simply by issuing an IOCTL request.Since GearspiWDM.sys is signed in Vista 64-bit, it is possible to bypass certain kernel restrictions by exploiting this issue sucessfully.

The driver's insecure method is exposed via the following "free-for-all" device:

"\.\GEARAspiWDMDevice"

The flaw lies within the handler for the IOCTL = = 0x222020

Module: GEARspiWDM.sys (32-bit)

.text:000114B2 loc_114B2: ; CODE XREF: sub_1137E+7Bj

.text:000114B2 cmp [ebp+var_1], 0

.text:000114B6 jz short loc_114CC

.text:000114B8 cmp [edi+54h], ecx

.text:000114BB jz short loc_114CC

.text:000114BD push ebx

.text:000114BE mov ecx, edi

.text:000114C0 call sub_11CA2 ; IRP_MJ_DEVICE_CONTROL Dispatch Routine

{...}

.text:00011CA2 mov eax, [esp+arg_0]

.text:00011CA6 mov edx, [eax+60h]

.text:00011CA9 mov edx, [edx+0Ch]

.text:00011CAC push esi

.text:00011CAD mov esi, 222010h

.text:00011CB2 cmp edx, esi

.text:00011CB4 ja short loc_11CF7

.text:00011CB6 jz short loc_11CEF

.text:00011CB8 sub edx, 222000h

.text:00011CBE jz short loc_11CE7

{...}

.text:00011D10 loc_11D10: ; CODE XREF: sub_11CA2+65j

.text:00011D10 push eax ; DeviceObject

.text:00011D11 call sub_11B90

            ||
            \/

Module: GEARspiWDM.sys (32-bit)

.text:00011B90 ; int __stdcall sub_11B90(PDEVICE_OBJECT DeviceObject)

.text:00011B90 sub_11B90 proc near ; CODE XREF: sub_11CA2+6Fp

.text:00011B90

.text:00011B90 TargetDevice = UNICODE_STRING ptr -10h

.text:00011B90 var_8 = dword ptr -8

.text:00011B90 var_4 = dword ptr -4

.text:00011B90 DeviceObject = dword ptr 8

.text:00011B90

.text:00011B90 push ebp

.text:00011B91 mov ebp, esp

.text:00011B93 sub esp, 10h

.text:00011B96 mov eax, [ebp+DeviceObject]

.text:00011B99 mov eax, [eax+3Ch]

.text:00011B9C push ebx

.text:00011B9D xor ebx, ebx

.text:00011B9F cmp eax, ebx

.text:00011BA1 push edi

.text:00011BA2 mov edi, ecx

.text:00011BA4 mov [ebp+var_8], eax

.text:00011BA7 mov [ebp+DeviceObject], ebx

.text:00011BAA jnz short loc_11BB6

.text:00011BAC mov eax, 0C000000Dh

.text:00011BB1 jmp loc_11C9C

.text:00011BB6 ;

.text:00011BB6

.text:00011BB6 loc_11BB6: ; CODE XREF: sub_11B90+1Aj

.text:00011BB6 push eax ; SourceString

.text:00011BB7 lea eax, [ebp+TargetDevice]

.text:00011BBA push eax ; DestinationString

.text:00011BBB call ds:RtlInitUnicodeString

{...}

.text:00011C3E lea edi, [esi+10h]

.text:00011C41 push edi ; AttachedDevice

.text:00011C42 lea eax, [ebp+TargetDevice]

.text:00011C45 push eax ; TargetDevice ; user-controlled

.text:00011C46 push [ebp+DeviceObject] ; SourceDevice

.text:00011C49 call ds:IoAttachDevice

        5.  References



        GearSoftware Updated Drivers:

http://www.gearsoftware.com/support/drivers.cfm

        KB-CERT:  http://www.kb.cert.org/vuls/id/146896

        Symantec:

http://www.symantec.com/avcenter/security/Content/2008.10.07a.html

        Apple:  http://support.apple.com/kb/HT3025



        6. Affected Products

Product/File

Vulnerable Version

GearAspiWDM.sys < 2.011.2 (32-bit) < 2.008.2.1 (64-bit)

Microsoft Windows Kernel All versions 32/64-bit + 2000 + 2003 + XP + Vista

Apple iTunes 7.x

Symantec Norton 360 2.0 and earlier

Symantec Norton Ghost 14.0 and earlier

Symantec Norton Save and Restore 2.0 and earlier

Symantec Backup Exec System Recovery 6.x, 7.x and 8.x

        7.  Credits



        Vulnerability discovered and researched by Ruben Santamarta,

Wintercore.

        8.  Disclosure Timeline

11/14/2007 - Microsoft Contacted

12/26/2007 - Symantec Contacted

12/26/2007 - Apple Contacted

10/07/2008 - Coordinated Disclosure

        9.  Contact

Wintercore Agustin de Betancourt, 21. 8th Floor. 28003 Madrid.

Spain.

Phone: +(34) 91 395 63 40

contact (at) wintercore (dot) com [email concealed] www.wintercore.com

Wintercore Agustin de Betancourt, 21. 8th Floor. 28003 Madrid. Spain. Phone: +(34) 91 395 63 40 www.wintercore.com

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200809-0208",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "apple",
        "version": "6.0.4"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "apple",
        "version": "6.0.3"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "apple",
        "version": "6.0.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.9,
        "vendor": "apple",
        "version": "6.0"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "5.0.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "5.0"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "4.8"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "1.0"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "6.0.2"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "apple",
        "version": "4.9"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "apple",
        "version": "7.3.2"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "apple",
        "version": "7.0.2"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "apple",
        "version": "6.0.5"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "apple",
        "version": "7.4"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.5"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "4.7"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.6"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "4.7.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "2.0.4"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.4.2"
      },
      {
        "model": "itunes",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.6.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.7"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "4.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "2.0"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "3.0"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "2.0.2"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "2.0.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "4.6"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "3.0.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "2.0.3"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.6.2"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "4.0"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "4.2.72"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "6.0.4.2"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "4.7.1.30"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "4.5"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.4.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "1.1.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "1.1.2"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.4.3"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "7.7.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "4.0.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "apple",
        "version": "4.2"
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "apple computer",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "gear",
        "version": null
      },
      {
        "model": null,
        "scope": null,
        "trust": 0.8,
        "vendor": "symantec",
        "version": null
      },
      {
        "model": "itunes",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "apple",
        "version": "8.0"
      },
      {
        "model": "norton save and restore",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "2.0"
      },
      {
        "model": "norton ghost",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "14.0"
      },
      {
        "model": "norton ghost",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "13.0"
      },
      {
        "model": "norton ghost",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "12.0"
      },
      {
        "model": "norton ghost",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "10.1"
      },
      {
        "model": "norton ghost",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "10.0"
      },
      {
        "model": "norton",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "3602.0"
      },
      {
        "model": "norton",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "3601.0"
      },
      {
        "model": "livestate recovery",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "6.02"
      },
      {
        "model": "livestate recovery",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "6.01"
      },
      {
        "model": "livestate recovery",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "6.0"
      },
      {
        "model": "backup exec system recovery manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "8.0.2"
      },
      {
        "model": "backup exec system recovery manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "8.0.1"
      },
      {
        "model": "backup exec system recovery manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "8.0"
      },
      {
        "model": "backup exec system recovery manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "7.0.4"
      },
      {
        "model": "backup exec system recovery manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "7.0.3"
      },
      {
        "model": "backup exec system recovery manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "7.0.2"
      },
      {
        "model": "backup exec system recovery manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "7.0.1"
      },
      {
        "model": "backup exec system recovery manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "7.0"
      },
      {
        "model": "backup exec system recovery manager",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "symantec",
        "version": "6.0"
      },
      {
        "model": "software gear driver",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "gear",
        "version": "0"
      },
      {
        "model": "esignal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "esignal",
        "version": "6.0.2"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.3.1"
      },
      {
        "model": "itunes",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "apple",
        "version": "7.3"
      },
      {
        "model": "software gear driver",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "gear",
        "version": "4.1.7"
      },
      {
        "model": "itunes",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "apple",
        "version": "8.0"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#146896"
      },
      {
        "db": "BID",
        "id": "31089"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001679"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200809-130"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3636"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:apple:itunes",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001679"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Ruben Santamarta\u203b ruben@reversemode.com",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200809-130"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2008-3636",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.2,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 3.9,
            "id": "CVE-2008-3636",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 1.0,
            "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          {
            "acInsufInfo": null,
            "accessComplexity": "Low",
            "accessVector": "Local",
            "authentication": "None",
            "author": "NVD",
            "availabilityImpact": "Complete",
            "baseScore": 7.2,
            "confidentialityImpact": "Partial",
            "exploitabilityScore": null,
            "id": "CVE-2008-3636",
            "impactScore": null,
            "integrityImpact": "Partial",
            "obtainAllPrivilege": null,
            "obtainOtherPrivilege": null,
            "obtainUserPrivilege": null,
            "severity": "High",
            "trust": 0.8,
            "userInteractionRequired": null,
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:C",
            "version": "2.0"
          },
          {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.2,
            "confidentialityImpact": "COMPLETE",
            "exploitabilityScore": 3.9,
            "id": "VHN-33761",
            "impactScore": 10.0,
            "integrityImpact": "COMPLETE",
            "severity": "HIGH",
            "trust": 0.1,
            "vectorString": "AV:L/AC:L/AU:N/C:C/I:C/A:C",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2008-3636",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "CARNEGIE MELLON",
            "id": "VU#146896",
            "trust": 0.8,
            "value": "5.67"
          },
          {
            "author": "NVD",
            "id": "CVE-2008-3636",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200809-130",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULHUB",
            "id": "VHN-33761",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#146896"
      },
      {
        "db": "VULHUB",
        "id": "VHN-33761"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001679"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200809-130"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3636"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\\\.\\GEARAspiWDMDevice in this GEARAspiWDM.sys.  However, the root cause is the integer overflow in the API call itself. Windows upper Apple iTunes Contains an integer overflow vulnerability in the included third-party driver.Privilege may be elevated to a malicious local user. \nLocal attackers can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successfully exploiting this issue will result in the complete compromise of affected computers. Failed exploit attempts will cause a denial-of-service condition. Windows is a very popular operating system of Microsoft Corporation. [ HTML FORMATED Advisory ]\nhttp://www.wintercore.com/advisories/advisory_W021008.html\n\n[TEXT VERSION]\n\n GearSoftware Powered Products Local Privilege Escalation\n+ GEARASpiWDM.sys Insecure Method\n+ Microsoft Windows Kernel IopfCompleteRequest Integer Overflow\n\n\n\n:: Summary\n\n\n\n   1. Background\n   2. Non-technical description\n   3. Technical Description\n   4. Exploiting it\n   5. References\n   6. Affected Products\n   7. Credits\n   8. Disclosure Timeline\n   9. Contact\n\n\n\n\n\n            1. GEAR develops solutions for\nprofessional premastering, DVD editing and authoring, and is also a\nleading provider of development tools that enable software companies to\nintegrate optical recording technology into their own products. GEAR\ntechnology is integrated into solutions from some of the world\u0027s most\nprominent technology organizations, including Apple, Symantec, Siemens,\nKodak, Philips and Bosch, among many others\"\n\nwww.gearsoftware.com\n\n\n\n            2. However,\nthe attack vector needed for taking advantage of this weakness has not\nbeen identified on a out-of-box Windows installation. Therefore, a\nthird-party application is, so far, the unique possible attack vector\nto exploit this issue. \n\nThis advisory covers the attack vector found in a widely extended\nlicensed application, GearSoftware Recording SDK, which was exposing the\nkernel flaw to user-mode attackers through one of its filter drivers:\nGEARAspiWDM.sys\n\n\nSince this driver is a licensed solution, it is bundled with several\nwell-known products. To clarify as much as possible this vulnerability,\nwe should distinguish three different elements which make up the problem. \n\n   1. \n   2. The Attack Vector: GearAspiWDM.sys Insecure Method. \n   3. Vulnerable Products: Every GearSoftware powered product that is\nbundled with GEARAspiWDM.sys. (e.g Norton 360, Apple iTunes...)\n\n\nWhilst the underlying vulnerability is, under our point of view, a real\nvulnerability, the Attack Vector may or may not be considered a\nvulnerability by itself. Note that if we supress the underlying\nvulnerability from the equation, then the attack vector turns out to be\npractically useless, however by patching only the attack vector we will\nalways be facing the risk that another one comes to light.On the other\nhand, this fact is not impossible but seems very unlikely. \n\n\n\nMicrosoft, as the vendor affected by the underlying vulnerability, Apple\nand Symantec as Vulnerable Products were directly contacted . After\nverifying the details provided Microsoft did not consider this flaw\nelegible for a patch. Therefore,with the help of the US-CERT, Symantec,\nApple, GearSoftware and Wintercore were coordinated during the process\nof resolving this issue by patching GEARAspiWDM.sys driver. \n\n\t\n\nThe final outcome is that the Attack Vector has been patched although\nthe underlying vulnerability still remains unpatched. \n\n\n\n            3.  Technical Description. \n\n\n\nThe problem lies in how the stack locations are traversed while  trying\nto complete an IRP. Let\u0027s see\n\n\n\nlkd\u003e dt nt!_IRP\n\n            [...]\n\n   +0x022 StackCount       : Char                   *signed*\n\n   +0x023 CurrentLocation  : Char                *signed*\n\n            [...]\n\n\n\nModule: ntoskrnl.exe\n\nVersion: XP SP2\n\n\n\n.text:0040CC01\n\n.text:0040CC01 ; __fastcall IopfCompleteRequest(x, x)\n\n.text:0040CC01 @IopfCompleteRequest@8 proc near        ; CODE XREF:\nIoPerfCompleteRequest(x,x)+88p\n\n.text:0040CC01                             ;\nIoPerfCompleteRequest(x,x)+B8p ... \n\n.text:0040CC01\n\n.text:0040CC01 var_C           = dword ptr -0Ch\n\n.text:0040CC01 var_8           = dword ptr -8\n\n.text:0040CC01 var_1           = byte ptr -1\n\n.text:0040CC01\n\n.text:0040CC01\n\n.text:0040CC01      mov     edi, edi\n\n.text:0040CC03      push    ebp\n\n.text:0040CC04      mov     ebp, esp\n\n.text:0040CC06      sub     esp, 10h\n\n.text:0040CC09      push    ebx\n\n.text:0040CC0A      push    esi\n\n.text:0040CC0B      mov     esi, ecx\n\n.text:0040CC0D      mov     cl, [esi+23h]   ; Irp-\u003eCurrentLocation\n\n.text:0040CC10      mov     [ebp+var_8], edx\n\n.text:0040CC13      mov     dl, [esi+22h]   ; Irp-\u003eStackCount\n\n.text:0040CC16      xor     ebx, ebx\n\n.text:0040CC18      inc     dl              ; Irp-\u003eStackCount+1\n\n.text:0040CC1A      cmp     cl, dl\n\n.text:0040CC1C      push    edi\n\n.text:0040CC1D      mov     [ebp+var_C], ebx\n\n.text:0040CC20      jg      sub_444F81\n\n.text:0040CC26      cmp     word ptr [esi], 6 ; Irp-\u003eType == IO_TYPE_IRP\n\n.text:0040CC2A      jnz     sub_444F81\n\n.text:0040CC30      mov     edi, [esi+60h]  ; Irp-\u003eCurrentStackLocation\n\n.text:0040CC33      inc     cl\n\n.text:0040CC35      cmp     cl, dl\n\n.text:0040CC37      lea     eax, [edi+24h]\n\n.text:0040CC3A      mov     [esi+23h], cl  ; Irp-\u003eCurrentLocation++\n\n.text:0040CC3D      mov     [esi+60h], eax\n;Irp-\u003eTail-\u003eOverlay.CurrentStackLocation++\n\n.text:0040CC40      jg      short loc_40CCA6\n\n.text:0040CC42      add     edi, 3\n\n\n\n{...}\n\n\n\n.text:0040CC8D\n\n.text:0040CC8D loc_40CC8D:    ; CODE XREF: IopfCompleteRequest(x,x)+13Cj\n\n.text:0040CC8D      add     dword ptr [esi+60h], 24h ; StackLocation++\n\n.text:0040CC91      mov     eax, [esi+60h]\n\n.text:0040CC94      add     edi, 24h\n  ;Irp-\u003eTail.Overlay.CurrentStackLocation++\n\n.text:0040CC97      inc     byte ptr [esi+23h] ; Irp-\u003eCurrentLocation++\n\n.text:0040CC9A      mov     dl, [esi+22h]   ; Irp-\u003eStackCount\n\n.text:0040CC9D      mov     cl, [esi+23h]   ; Irp-\u003eCurrentLocation\n\n.text:0040CCA0      inc     dl\n\n.text:0040CCA2      cmp     cl, dl   ; if CurrentLocation \u003c= StackCount+1\n\n.text:0040CCA4      jle     short loc_40CC45  ; Signed comparison  - FLAW -\n\n\n\n\npStack = IoGetCurrentIrpStackLocation( Irp )\n\n\n\nfor(     pStack,\n\n            Irp-\u003eTail.Overlay.CurrentStackLocation++\n\n            Irp-\u003eCurrentLocation++;\n\n\n\n            Irp-\u003eCurrentLocation \u003c= (CHAR) (Irp-\u003eStackCount + 1);\n\n\n\n            pStack++,\n\n            Irp-\u003eTail.Overlay.CurrentStackLocation++\n\n            Irp-\u003eCurrentLocation++ )\n\n{\n\n... \n\n}\n\n\n\nWell, let\u0027s imagine an IRP where the StackCount and CurrentLocation = =\n0x7e (pretty unusual but possible indeed)\n\n\n\nAfter the first iterate within the for(){...} , CurrentLocation  will be\n0x80 which is a negative value so Irp-\u003eCurrentLocation \u003c= (CHAR)\n(Irp-\u003eStackCount+1) becomes TRUE.Hence, remaining iterations will be\nrunning out of allocated memory, traversing arbitrary and invalid stack\nlocations. \n\n\n\n            4. Exploiting it. \n\n\n\nDigging into the for{} loop we found out the following:\n\n\n\nModule: ntoskrnl.exe\n                                        XP SP2 (32-bit)\n\n\n\n.text:0040CD30 loc_40CD30:                             ; CODE XREF:\nIopfCompleteRequest(x,x)+4B47j\n\n.text:0040CD30                 push    dword ptr [edi+1Dh]\n\n.text:0040CD33                 push    esi\n\n.text:0040CD34                 push    eax\n\n.text:0040CD35                 call    dword ptr [edi+19h]\n\n.text:0040CD38                 cmp     eax, 0C0000016h\n\n.text:0040CD3D                 jnz     loc_40CC8D      ; StackLocation++\n\npStack-\u003eCompletionRoutine(...)\n\n\n\nWe must note that once the flaw has been triggered the for{} is\ntraversing invalid stack locations where *(edi+19h) points to\nundetermined memory. We also have to take into account the internals of\nthe IO Manager where the memory allocated for the IRPs is zeroed. \nTherefore, it has been proven that by allocating user-mode memory at 0x0\nwe can control the function pointer dereferenced. \n\nHowever, that\u0027s not always true since we may be traversing uninitialized\nmemory that holds random values. For that cases, it is also possible to\nseed the memory by issuing FSCTL/IOCTL requests before triggering the\nflaw,thus we can assure a high reliability exploiting this flaw. \n\n\n\nAnyway, the hardest task is to discover a suitable attack vector since\nyou need to force a huge driver stack. The patched driver was found\nimplementing an insecure method by which, an unlimited number of calls\nto IoAttachDevice (TargetDevice is also user-controlled) were available\nfrom user-land, simply by issuing an IOCTL request.Since GearspiWDM.sys\nis signed in Vista 64-bit, it is possible to bypass certain kernel\nrestrictions by exploiting this issue sucessfully. \n\n\n\nThe driver\u0027s insecure method is exposed via the following \"free-for-all\"\ndevice:\n\n+         \"\\\\.\\GEARAspiWDMDevice\"\n\n\n\nThe flaw lies within the handler for the IOCTL = = 0x222020\n\n\n\nModule: GEARspiWDM.sys\n                                          (32-bit)\n\n.text:000114B2 loc_114B2:                        ; CODE XREF: sub_1137E+7Bj\n\n.text:000114B2    cmp     [ebp+var_1], 0\n\n.text:000114B6    jz      short loc_114CC\n\n.text:000114B8    cmp     [edi+54h], ecx\n\n.text:000114BB    jz      short loc_114CC\n\n.text:000114BD    push    ebx\n\n.text:000114BE    mov     ecx, edi\n\n.text:000114C0    call    sub_11CA2 ; IRP_MJ_DEVICE_CONTROL Dispatch Routine\n\n\n\n{...}\n\n\n\n.text:00011CA2                 mov     eax, [esp+arg_0]\n\n.text:00011CA6                 mov     edx, [eax+60h]\n\n.text:00011CA9                 mov     edx, [edx+0Ch]\n\n.text:00011CAC                 push    esi\n\n.text:00011CAD                 mov     esi, 222010h\n\n.text:00011CB2                 cmp     edx, esi\n\n.text:00011CB4                 ja      short loc_11CF7\n\n.text:00011CB6                 jz      short loc_11CEF\n\n.text:00011CB8                 sub     edx, 222000h\n\n.text:00011CBE                 jz      short loc_11CE7\n\n{...}\n\n.text:00011D10 loc_11D10:                              ; CODE XREF:\nsub_11CA2+65j\n\n.text:00011D10                 push    eax             ; DeviceObject\n\n.text:00011D11                 call    sub_11B90\n\n\n\t\t\t\t||\n\t\t\t\t\\/\n\nModule: GEARspiWDM.sys\n                                          (32-bit)\n\n.text:00011B90 ; int __stdcall sub_11B90(PDEVICE_OBJECT DeviceObject)\n\n.text:00011B90 sub_11B90       proc near               ; CODE XREF:\nsub_11CA2+6Fp\n\n.text:00011B90\n\n.text:00011B90 TargetDevice    = UNICODE_STRING ptr -10h\n\n.text:00011B90 var_8           = dword ptr -8\n\n.text:00011B90 var_4           = dword ptr -4\n\n.text:00011B90 DeviceObject    = dword ptr  8\n\n.text:00011B90\n\n.text:00011B90                 push    ebp\n\n.text:00011B91                 mov     ebp, esp\n\n.text:00011B93                 sub     esp, 10h\n\n.text:00011B96                 mov     eax, [ebp+DeviceObject]\n\n.text:00011B99                 mov     eax, [eax+3Ch]\n\n.text:00011B9C                 push    ebx\n\n.text:00011B9D                 xor     ebx, ebx\n\n.text:00011B9F                 cmp     eax, ebx\n\n.text:00011BA1                 push    edi\n\n.text:00011BA2                 mov     edi, ecx\n\n.text:00011BA4                 mov     [ebp+var_8], eax\n\n.text:00011BA7                 mov     [ebp+DeviceObject], ebx\n\n.text:00011BAA                 jnz     short loc_11BB6\n\n.text:00011BAC                 mov     eax, 0C000000Dh\n\n.text:00011BB1                 jmp     loc_11C9C\n\n.text:00011BB6 ;\n---------------------------------------------------------------------------\n\n.text:00011BB6\n\n.text:00011BB6 loc_11BB6:                              ; CODE XREF:\nsub_11B90+1Aj\n\n.text:00011BB6                 push    eax             ; SourceString\n\n.text:00011BB7                 lea     eax, [ebp+TargetDevice]\n\n.text:00011BBA                 push    eax             ; DestinationString\n\n.text:00011BBB                 call    ds:RtlInitUnicodeString\n\n{...}\n\n\n\n.text:00011C3E                 lea     edi, [esi+10h]\n\n.text:00011C41                 push    edi             ; AttachedDevice\n\n.text:00011C42                 lea     eax, [ebp+TargetDevice]\n\n.text:00011C45                 push    eax     ; TargetDevice ;\nuser-controlled\n\n.text:00011C46                 push    [ebp+DeviceObject] ; SourceDevice\n\n.text:00011C49                 call    ds:IoAttachDevice\n\n\n\n\n\n\n\n            5.  References\n\n\n\n            GearSoftware Updated Drivers:\nhttp://www.gearsoftware.com/support/drivers.cfm\n\n            KB-CERT:  http://www.kb.cert.org/vuls/id/146896\n\n            Symantec:\nhttp://www.symantec.com/avcenter/security/Content/2008.10.07a.html\n\n            Apple:  http://support.apple.com/kb/HT3025\n\n\n\n            6. Affected Products\n\n\n\nProduct/File\n\t\nVulnerable Version\n\nGearAspiWDM.sys\n \u003c 2.011.2  (32-bit)      \u003c 2.008.2.1  (64-bit)\n\nMicrosoft Windows Kernel All versions 32/64-bit + 2000 + 2003 + XP + Vista\n\nApple iTunes 7.x\n\nSymantec Norton 360  2.0 and earlier\n\nSymantec Norton Ghost 14.0 and earlier\n\nSymantec Norton Save and Restore 2.0 and earlier\n\nSymantec Backup Exec System Recovery 6.x, 7.x and 8.x\n\n\n            7.  Credits\n\n\n\n            Vulnerability discovered and researched by Ruben Santamarta,\nWintercore. \n\n\n\n            8.  Disclosure Timeline\n\n\n\n11/14/2007 - Microsoft Contacted\n\n12/26/2007 - Symantec Contacted\n\n12/26/2007 - Apple Contacted\n\n10/07/2008 - Coordinated Disclosure\n\n\n\n            9.  Contact\n\n\n\nWintercore\nAgustin de Betancourt, 21. 8th Floor. \n28003 Madrid. \n\nSpain. \n\nPhone: +(34) 91 395 63 40\n\ncontact (at) wintercore (dot) com   [email concealed]\nwww.wintercore.com\n\n-- \n\nWintercore\nAgustin de Betancourt, 21. 8th Floor. \n28003 Madrid. Spain. \nPhone: +(34) 91 395 63 40\nwww.wintercore.com\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2008-3636"
      },
      {
        "db": "CERT/CC",
        "id": "VU#146896"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001679"
      },
      {
        "db": "BID",
        "id": "31089"
      },
      {
        "db": "VULHUB",
        "id": "VHN-33761"
      },
      {
        "db": "PACKETSTORM",
        "id": "70706"
      }
    ],
    "trust": 2.79
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#146896",
        "trust": 2.9
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3636",
        "trust": 2.8
      },
      {
        "db": "BID",
        "id": "31089",
        "trust": 2.8
      },
      {
        "db": "SECTRACK",
        "id": "1020839",
        "trust": 2.5
      },
      {
        "db": "VUPEN",
        "id": "ADV-2008-2769",
        "trust": 1.7
      },
      {
        "db": "VUPEN",
        "id": "ADV-2008-2526",
        "trust": 1.7
      },
      {
        "db": "VUPEN",
        "id": "ADV-2008-2770",
        "trust": 1.7
      },
      {
        "db": "SECTRACK",
        "id": "1020997",
        "trust": 1.7
      },
      {
        "db": "SECTRACK",
        "id": "1020998",
        "trust": 1.7
      },
      {
        "db": "SECTRACK",
        "id": "1020999",
        "trust": 1.7
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001679",
        "trust": 0.8
      },
      {
        "db": "BUGTRAQ",
        "id": "20081007 [W02-1008] GEARSOFTWARE POWERED PRODUCTS LOCAL PRIVILEGE ESCALATION (MICROSOFT WINDOWS KERNEL IOPFCOMPLETEREQUEST INTEGER OVERFLOW)",
        "trust": 0.6
      },
      {
        "db": "OVAL",
        "id": "OVAL:ORG.MITRE.OVAL:DEF:6035",
        "trust": 0.6
      },
      {
        "db": "APPLE",
        "id": "APPLE-SA-2009-09-09",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200809-130",
        "trust": 0.6
      },
      {
        "db": "VULHUB",
        "id": "VHN-33761",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "70706",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#146896"
      },
      {
        "db": "VULHUB",
        "id": "VHN-33761"
      },
      {
        "db": "BID",
        "id": "31089"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001679"
      },
      {
        "db": "PACKETSTORM",
        "id": "70706"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200809-130"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3636"
      }
    ]
  },
  "id": "VAR-200809-0208",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-33761"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2025-04-10T22:30:38.975000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "iTunes 8.0",
        "trust": 0.8,
        "url": "http://support.apple.com/kb/HT3025"
      },
      {
        "title": "iTunes 8.0",
        "trust": 0.8,
        "url": "http://support.apple.com/kb/HT3025?viewlocale=ja_JP"
      },
      {
        "title": "Microsoft Windows Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=156703"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001679"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200809-130"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-189",
        "trust": 1.9
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-33761"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001679"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3636"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.8,
        "url": "http://securityresponse.symantec.com/avcenter/security/content/2008.10.07a.html"
      },
      {
        "trust": 2.6,
        "url": "http://www.wintercore.com/advisories/advisory_w021008.html"
      },
      {
        "trust": 2.6,
        "url": "http://support.apple.com/kb/ht3025"
      },
      {
        "trust": 2.5,
        "url": "http://lists.apple.com/archives/security-announce//2008/sep/msg00001.html"
      },
      {
        "trust": 2.5,
        "url": "http://www.securityfocus.com/bid/31089"
      },
      {
        "trust": 2.5,
        "url": "http://securitytracker.com/id?1020839"
      },
      {
        "trust": 2.1,
        "url": "http://www.kb.cert.org/vuls/id/146896"
      },
      {
        "trust": 2.0,
        "url": "http://www.gearsoftware.com/support/gearaspi%20security%20information.pdf"
      },
      {
        "trust": 1.8,
        "url": "http://www.symantec.com/avcenter/security/content/2008.10.07a.html"
      },
      {
        "trust": 1.7,
        "url": "http://www.securitytracker.com/id?1020997"
      },
      {
        "trust": 1.7,
        "url": "http://www.securitytracker.com/id?1020998"
      },
      {
        "trust": 1.7,
        "url": "http://www.securitytracker.com/id?1020999"
      },
      {
        "trust": 1.7,
        "url": "http://www.vupen.com/english/advisories/2008/2770"
      },
      {
        "trust": 1.1,
        "url": "http://www.securityfocus.com/archive/1/497131/100/0/threaded"
      },
      {
        "trust": 1.1,
        "url": "https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a6035"
      },
      {
        "trust": 1.1,
        "url": "http://www.vupen.com/english/advisories/2008/2526"
      },
      {
        "trust": 1.1,
        "url": "http://www.vupen.com/english/advisories/2008/2769"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-3636"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-3636"
      },
      {
        "trust": 0.6,
        "url": "http://www.securityfocus.com/archive/1/archive/1/497131/100/0/threaded"
      },
      {
        "trust": 0.6,
        "url": "http://www.frsirt.com/english/advisories/2008/2769"
      },
      {
        "trust": 0.6,
        "url": "http://www.frsirt.com/english/advisories/2008/2526"
      },
      {
        "trust": 0.6,
        "url": "http://oval.mitre.org/repository/data/getdef?id=oval:org.mitre.oval:def:6035"
      },
      {
        "trust": 0.3,
        "url": "http://www.apple.com/itunes/"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/497131"
      },
      {
        "trust": 0.3,
        "url": "http://www.wintercore.com/advisories/advisory_w021008.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.gearsoftware.com/support/drivers.cfm"
      }
    ],
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#146896"
      },
      {
        "db": "VULHUB",
        "id": "VHN-33761"
      },
      {
        "db": "BID",
        "id": "31089"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001679"
      },
      {
        "db": "PACKETSTORM",
        "id": "70706"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200809-130"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3636"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "CERT/CC",
        "id": "VU#146896"
      },
      {
        "db": "VULHUB",
        "id": "VHN-33761"
      },
      {
        "db": "BID",
        "id": "31089"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2008-001679"
      },
      {
        "db": "PACKETSTORM",
        "id": "70706"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200809-130"
      },
      {
        "db": "NVD",
        "id": "CVE-2008-3636"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2008-10-07T00:00:00",
        "db": "CERT/CC",
        "id": "VU#146896"
      },
      {
        "date": "2008-09-11T00:00:00",
        "db": "VULHUB",
        "id": "VHN-33761"
      },
      {
        "date": "2008-09-09T00:00:00",
        "db": "BID",
        "id": "31089"
      },
      {
        "date": "2008-09-29T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2008-001679"
      },
      {
        "date": "2008-10-09T05:33:00",
        "db": "PACKETSTORM",
        "id": "70706"
      },
      {
        "date": "2008-09-11T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200809-130"
      },
      {
        "date": "2008-09-11T01:13:10.023000",
        "db": "NVD",
        "id": "CVE-2008-3636"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2008-10-07T00:00:00",
        "db": "CERT/CC",
        "id": "VU#146896"
      },
      {
        "date": "2018-10-11T00:00:00",
        "db": "VULHUB",
        "id": "VHN-33761"
      },
      {
        "date": "2008-10-08T18:08:00",
        "db": "BID",
        "id": "31089"
      },
      {
        "date": "2008-09-29T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2008-001679"
      },
      {
        "date": "2021-07-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200809-130"
      },
      {
        "date": "2025-04-09T00:30:58.490000",
        "db": "NVD",
        "id": "CVE-2008-3636"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "BID",
        "id": "31089"
      },
      {
        "db": "PACKETSTORM",
        "id": "70706"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200809-130"
      }
    ],
    "trust": 1.0
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Gear Software CD DVD Filter driver privilege escalation vulnerability",
    "sources": [
      {
        "db": "CERT/CC",
        "id": "VU#146896"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200809-130"
      }
    ],
    "trust": 0.6
  }
}

GHSA-4Q27-W7JF-V3MH

Vulnerability from github – Published: 2022-05-02 00:02 – Updated: 2022-05-02 00:02

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2008-3636"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2008-09-11T01:13:00Z",
    "severity": "HIGH"
  },
  "details": "Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\\\.\\GEARAspiWDMDevice in this GEARAspiWDM.sys.  However, the root cause is the integer overflow in the API call itself.",
  "id": "GHSA-4q27-w7jf-v3mh",
  "modified": "2022-05-02T00:02:09Z",
  "published": "2022-05-02T00:02:09Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-3636"
    },
    {
      "type": "WEB",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035"
    },
    {
      "type": "WEB",
      "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html"
    },
    {
      "type": "WEB",
      "url": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html"
    },
    {
      "type": "WEB",
      "url": "http://securitytracker.com/id?1020839"
    },
    {
      "type": "WEB",
      "url": "http://support.apple.com/kb/HT3025"
    },
    {
      "type": "WEB",
      "url": "http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf"
    },
    {
      "type": "WEB",
      "url": "http://www.kb.cert.org/vuls/id/146896"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/497131/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/31089"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1020997"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1020998"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1020999"
    },
    {
      "type": "WEB",
      "url": "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2526"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2769"
    },
    {
      "type": "WEB",
      "url": "http://www.vupen.com/english/advisories/2008/2770"
    },
    {
      "type": "WEB",
      "url": "http://www.wintercore.com/advisories/advisory_W021008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

FKIE_CVE-2008-3636

Vulnerability from fkie_nvd - Published: 2008-09-11 01:13 - Updated: 2025-04-09 00:30

Severity ?

Summary

References

URL	Tags
cve@mitre.org	http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html
cve@mitre.org	http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html
cve@mitre.org	http://securitytracker.com/id?1020839
cve@mitre.org	http://support.apple.com/kb/HT3025
cve@mitre.org	http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf
cve@mitre.org	http://www.kb.cert.org/vuls/id/146896	US Government Resource
cve@mitre.org	http://www.securityfocus.com/archive/1/497131/100/0/threaded
cve@mitre.org	http://www.securityfocus.com/bid/31089	Patch
cve@mitre.org	http://www.securitytracker.com/id?1020997
cve@mitre.org	http://www.securitytracker.com/id?1020998
cve@mitre.org	http://www.securitytracker.com/id?1020999
cve@mitre.org	http://www.symantec.com/avcenter/security/Content/2008.10.07a.html
cve@mitre.org	http://www.vupen.com/english/advisories/2008/2526
cve@mitre.org	http://www.vupen.com/english/advisories/2008/2769
cve@mitre.org	http://www.vupen.com/english/advisories/2008/2770
cve@mitre.org	http://www.wintercore.com/advisories/advisory_W021008.html
cve@mitre.org	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035
af854a3a-2127-422b-91ae-364da2661108	http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html
af854a3a-2127-422b-91ae-364da2661108	http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html
af854a3a-2127-422b-91ae-364da2661108	http://securitytracker.com/id?1020839
af854a3a-2127-422b-91ae-364da2661108	http://support.apple.com/kb/HT3025
af854a3a-2127-422b-91ae-364da2661108	http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf
af854a3a-2127-422b-91ae-364da2661108	http://www.kb.cert.org/vuls/id/146896	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/497131/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/31089	Patch
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id?1020997
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id?1020998
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id?1020999
af854a3a-2127-422b-91ae-364da2661108	http://www.symantec.com/avcenter/security/Content/2008.10.07a.html
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2008/2526
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2008/2769
af854a3a-2127-422b-91ae-364da2661108	http://www.vupen.com/english/advisories/2008/2770
af854a3a-2127-422b-91ae-364da2661108	http://www.wintercore.com/advisories/advisory_W021008.html
af854a3a-2127-422b-91ae-364da2661108	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035

Impacted products

Vendor	Product	Version
apple	itunes	*
apple	itunes	1.0
apple	itunes	1.1.1
apple	itunes	1.1.2
apple	itunes	2.0
apple	itunes	2.0.1
apple	itunes	2.0.2
apple	itunes	2.0.3
apple	itunes	2.0.4
apple	itunes	3.0
apple	itunes	3.0.1
apple	itunes	4.0
apple	itunes	4.0.1
apple	itunes	4.1
apple	itunes	4.2
apple	itunes	4.2.72
apple	itunes	4.5
apple	itunes	4.6
apple	itunes	4.7
apple	itunes	4.7.1
apple	itunes	4.7.1.30
apple	itunes	4.8
apple	itunes	4.9
apple	itunes	5.0
apple	itunes	5.0.1
apple	itunes	6.0
apple	itunes	6.0.1
apple	itunes	6.0.2
apple	itunes	6.0.3
apple	itunes	6.0.4
apple	itunes	6.0.4.2
apple	itunes	6.0.5
apple	itunes	7.0.2
apple	itunes	7.3.2
apple	itunes	7.4
apple	itunes	7.4.1
apple	itunes	7.4.2
apple	itunes	7.4.3
apple	itunes	7.5
apple	itunes	7.6
apple	itunes	7.6.2
apple	itunes	7.7
apple	itunes	7.7.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:apple:itunes:*:*:windows:*:*:*:*:*",
              "matchCriteriaId": "A57528B3-69F7-4B76-9B15-2CDA3220F4CC",
              "versionEndIncluding": "7.6.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:1.0:*:windows:*:*:*:*:*",
              "matchCriteriaId": "49DC3DDC-8758-4D28-B2D5-161994C0E669",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:1.1.1:*:windows:*:*:*:*:*",
              "matchCriteriaId": "0D0E3B53-AFAE-47F1-B7E3-395406819357",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:1.1.2:*:windows:*:*:*:*:*",
              "matchCriteriaId": "5CF3BB89-1AEF-4B00-AF87-C9BAF7E23EDD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:2.0:*:windows:*:*:*:*:*",
              "matchCriteriaId": "389B617F-29D2-4171-B4E0-9E65BBFAF369",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:2.0.1:*:windows:*:*:*:*:*",
              "matchCriteriaId": "696D5986-155D-446C-A5FE-49C0DF1868AF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:2.0.2:*:windows:*:*:*:*:*",
              "matchCriteriaId": "3370179D-5E8A-4036-AA23-252674C6D807",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:2.0.3:*:windows:*:*:*:*:*",
              "matchCriteriaId": "2B71E645-F15B-43FE-931B-819F9ABA89C0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:2.0.4:*:windows:*:*:*:*:*",
              "matchCriteriaId": "E90B5E1A-4D90-4252-8E34-649F33F1A088",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:3.0:*:windows:*:*:*:*:*",
              "matchCriteriaId": "1D0D1162-36F7-4F7E-94C0-ABB86B9FC4CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:3.0.1:*:windows:*:*:*:*:*",
              "matchCriteriaId": "DF23791B-F73D-4CF4-BAC3-591FF0F0B0C6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.0:*:windows:*:*:*:*:*",
              "matchCriteriaId": "3E74DB1C-208B-42DE-9A5E-E9010140C5B6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.0.1:*:windows:*:*:*:*:*",
              "matchCriteriaId": "018AC033-ACF0-496D-96E1-A03CC4162CB3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.1:*:windows:*:*:*:*:*",
              "matchCriteriaId": "A698DDBE-B79B-4F59-AFBC-0A0682B1EF1D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.2:*:windows:*:*:*:*:*",
              "matchCriteriaId": "BC9B5471-F1B1-4E8B-B991-FDE231BA30EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.2.72:*:windows:*:*:*:*:*",
              "matchCriteriaId": "F2899F21-F01F-4C95-93AA-40C528EE56DF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.5:*:windows:*:*:*:*:*",
              "matchCriteriaId": "BDD1695A-271B-4832-B4B1-E5A9D7DE4E24",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.6:*:windows:*:*:*:*:*",
              "matchCriteriaId": "9136E8D6-310D-4D4E-A6AC-2F89218B8666",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.7:*:windows:*:*:*:*:*",
              "matchCriteriaId": "78A3FEC0-F135-41F9-A260-52157B283B66",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.7.1:*:windows:*:*:*:*:*",
              "matchCriteriaId": "79591197-B671-46B2-9EB2-03A75A838CC1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.7.1.30:*:windows:*:*:*:*:*",
              "matchCriteriaId": "A2DD1A9D-4AF4-452A-99C2-AE93611C985D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.8:*:windows:*:*:*:*:*",
              "matchCriteriaId": "8DEABC06-3FF2-4B6A-AAFF-F38B00BA2967",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:4.9:*:windows:*:*:*:*:*",
              "matchCriteriaId": "6514E3F5-3B5D-43BE-A26D-5167B519F3EF",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:5.0:*:windows:*:*:*:*:*",
              "matchCriteriaId": "23C49853-8616-4769-90BC-B6D85B24A36E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:5.0.1:*:windows:*:*:*:*:*",
              "matchCriteriaId": "7C1EC2F5-FBE8-4EC8-9D28-83C736F2DC01",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:6.0:*:windows:*:*:*:*:*",
              "matchCriteriaId": "8DDAAC1F-03CA-4DCC-9E9B-A68181261BAC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:6.0.1:*:windows:*:*:*:*:*",
              "matchCriteriaId": "D5AE8F59-2DF8-403B-BAB9-6465E618897C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:6.0.2:*:windows:*:*:*:*:*",
              "matchCriteriaId": "F37B39AB-2D5B-417E-BCEF-29C18D386C53",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:6.0.3:*:windows:*:*:*:*:*",
              "matchCriteriaId": "A1DCEED8-8174-4319-BAA2-E0A70A7EAFC0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:6.0.4:*:windows:*:*:*:*:*",
              "matchCriteriaId": "9730866D-DFE9-448F-9D4E-6B21B3942737",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:6.0.4.2:*:windows:*:*:*:*:*",
              "matchCriteriaId": "E20BC99A-13FC-446C-A27A-6C2D859C172B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:6.0.5:*:windows:*:*:*:*:*",
              "matchCriteriaId": "DD300F1B-EE8F-4606-B024-A14CA2EF4D78",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:7.0.2:*:windows:*:*:*:*:*",
              "matchCriteriaId": "2690D789-B1DC-40A5-8CC6-BBB499E9A550",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:7.3.2:*:windows:*:*:*:*:*",
              "matchCriteriaId": "BC37C091-02B8-4B39-9253-52C1008ADEC6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:7.4:*:windows:*:*:*:*:*",
              "matchCriteriaId": "70A4EEE2-1DD2-4936-8939-4683523670B9",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:7.4.1:*:windows:*:*:*:*:*",
              "matchCriteriaId": "95B58CD1-03CB-4C35-A290-7157941D210D",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:7.4.2:*:windows:*:*:*:*:*",
              "matchCriteriaId": "A27B736F-317F-4538-AA3B-72D6EF0D2D33",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:7.4.3:*:windows:*:*:*:*:*",
              "matchCriteriaId": "481E736B-0A83-4422-B1D3-4BD0F9565A18",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:7.5:*:windows:*:*:*:*:*",
              "matchCriteriaId": "3BB09ABD-C1F1-4101-BDC2-FC3E8C422631",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:7.6:*:windows:*:*:*:*:*",
              "matchCriteriaId": "A7448F89-CC4A-4B18-887F-B47C0B57404C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:7.6.2:*:windows:*:*:*:*:*",
              "matchCriteriaId": "B2943C2E-0DDD-498A-9439-E9394CB06081",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:7.7:*:windows:*:*:*:*:*",
              "matchCriteriaId": "D41DA19A-4403-40A8-A3DB-01A12FD4F267",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:apple:itunes:7.7.1:*:windows:*:*:*:*:*",
              "matchCriteriaId": "25E7EF0A-D79E-44E3-B0D4-3C6E8F6FD666",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\\\.\\GEARAspiWDMDevice in this GEARAspiWDM.sys.  However, the root cause is the integer overflow in the API call itself."
    },
    {
      "lang": "es",
      "value": "Desbordamiento de entero en un driver de terceros no especificado incluido en Apple iTunes anterior a la 8.0 para Windows, permite a usuarios locales obtener privilegios a trav\u00e9s de vectores desconocidos."
    }
  ],
  "id": "CVE-2008-3636",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "LOCAL",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 7.2,
          "confidentialityImpact": "COMPLETE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 10.0,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2008-09-11T01:13:10.023",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://securitytracker.com/id?1020839"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://support.apple.com/kb/HT3025"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/146896"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securityfocus.com/archive/1/497131/100/0/threaded"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/31089"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id?1020997"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id?1020998"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.securitytracker.com/id?1020999"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2008/2526"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2008/2769"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.vupen.com/english/advisories/2008/2770"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://www.wintercore.com/advisories/advisory_W021008.html"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://securitytracker.com/id?1020839"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://support.apple.com/kb/HT3025"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.kb.cert.org/vuls/id/146896"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/497131/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Patch"
      ],
      "url": "http://www.securityfocus.com/bid/31089"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1020997"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1020998"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1020999"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2008/2526"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2008/2769"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.vupen.com/english/advisories/2008/2770"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.wintercore.com/advisories/advisory_W021008.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-189"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GSD-2008-3636

Vulnerability from gsd - Updated: 2023-12-13 01:23

Details

Aliases

CVE-2008-3636

Aliases

CVE-2008-3636

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2008-3636",
    "description": "Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\\\.\\GEARAspiWDMDevice in this GEARAspiWDM.sys.  However, the root cause is the integer overflow in the API call itself.",
    "id": "GSD-2008-3636"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2008-3636"
      ],
      "details": "Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\\\.\\GEARAspiWDMDevice in this GEARAspiWDM.sys.  However, the root cause is the integer overflow in the API call itself.",
      "id": "GSD-2008-3636",
      "modified": "2023-12-13T01:23:05.962585Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2008-3636",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\\\.\\GEARAspiWDMDevice in this GEARAspiWDM.sys.  However, the root cause is the integer overflow in the API call itself."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "1020999",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id?1020999"
          },
          {
            "name": "APPLE-SA-2009-09-09",
            "refsource": "APPLE",
            "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html"
          },
          {
            "name": "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html",
            "refsource": "CONFIRM",
            "url": "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html"
          },
          {
            "name": "ADV-2008-2770",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2008/2770"
          },
          {
            "name": "ADV-2008-2526",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2008/2526"
          },
          {
            "name": "1020998",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id?1020998"
          },
          {
            "name": "1020839",
            "refsource": "SECTRACK",
            "url": "http://securitytracker.com/id?1020839"
          },
          {
            "name": "http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf",
            "refsource": "CONFIRM",
            "url": "http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf"
          },
          {
            "name": "http://support.apple.com/kb/HT3025",
            "refsource": "CONFIRM",
            "url": "http://support.apple.com/kb/HT3025"
          },
          {
            "name": "1020997",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id?1020997"
          },
          {
            "name": "ADV-2008-2769",
            "refsource": "VUPEN",
            "url": "http://www.vupen.com/english/advisories/2008/2769"
          },
          {
            "name": "VU#146896",
            "refsource": "CERT-VN",
            "url": "http://www.kb.cert.org/vuls/id/146896"
          },
          {
            "name": "http://www.wintercore.com/advisories/advisory_W021008.html",
            "refsource": "MISC",
            "url": "http://www.wintercore.com/advisories/advisory_W021008.html"
          },
          {
            "name": "oval:org.mitre.oval:def:6035",
            "refsource": "OVAL",
            "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035"
          },
          {
            "name": "31089",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/31089"
          },
          {
            "name": "20081007 [W02-1008] GearSoftware Powered Products Local Privilege Escalation (Microsoft Windows Kernel IopfCompleteRequest Integer Overflow)",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/497131/100/0/threaded"
          },
          {
            "name": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html",
            "refsource": "CONFIRM",
            "url": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:2.0.2:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:2.0.3:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.2:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.2.72:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.9:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:5.0:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:6.0.5:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:7.0.2:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:7.6:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:7.6.2:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:2.0:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:2.0.1:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.0.1:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.1:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.7.1.30:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.8:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:6.0.4:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:6.0.4.2:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:7.4.3:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:7.5:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:1.0:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:1.1.2:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:1.1.1:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:3.0.1:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.0:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.7:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.7.1:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:6.0.2:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:6.0.3:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:7.4.1:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:7.4.2:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:*:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "7.6.1",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:2.0.4:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:3.0:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.5:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:4.6:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:5.0.1:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:6.0:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:6.0.1:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:7.3.2:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:7.4:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:7.7:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:apple:itunes:7.7.1:*:windows:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2008-3636"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Integer overflow in the IopfCompleteRequest API in the kernel in Microsoft Windows 2000, XP, Server 2003, and Vista allows context-dependent attackers to gain privileges. NOTE: this issue was originally reported for GEARAspiWDM.sys 2.0.7.5 in Gear Software CD DVD Filter driver before 4.001.7, as used in other products including Apple iTunes and multiple Symantec and Norton products, which allows local users to gain privileges via repeated IoAttachDevice IOCTL calls to \\\\.\\GEARAspiWDMDevice in this GEARAspiWDM.sys.  However, the root cause is the integer overflow in the API call itself."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-189"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "APPLE-SA-2009-09-09",
              "refsource": "APPLE",
              "tags": [],
              "url": "http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html"
            },
            {
              "name": "1020839",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://securitytracker.com/id?1020839"
            },
            {
              "name": "31089",
              "refsource": "BID",
              "tags": [
                "Patch"
              ],
              "url": "http://www.securityfocus.com/bid/31089"
            },
            {
              "name": "http://support.apple.com/kb/HT3025",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://support.apple.com/kb/HT3025"
            },
            {
              "name": "http://www.wintercore.com/advisories/advisory_W021008.html",
              "refsource": "MISC",
              "tags": [],
              "url": "http://www.wintercore.com/advisories/advisory_W021008.html"
            },
            {
              "name": "VU#146896",
              "refsource": "CERT-VN",
              "tags": [
                "US Government Resource"
              ],
              "url": "http://www.kb.cert.org/vuls/id/146896"
            },
            {
              "name": "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www.symantec.com/avcenter/security/Content/2008.10.07a.html"
            },
            {
              "name": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html"
            },
            {
              "name": "ADV-2008-2770",
              "refsource": "VUPEN",
              "tags": [],
              "url": "http://www.vupen.com/english/advisories/2008/2770"
            },
            {
              "name": "1020997",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id?1020997"
            },
            {
              "name": "1020998",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id?1020998"
            },
            {
              "name": "1020999",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id?1020999"
            },
            {
              "name": "http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www.gearsoftware.com/support/GEARAspi%20Security%20Information.pdf"
            },
            {
              "name": "ADV-2008-2769",
              "refsource": "VUPEN",
              "tags": [],
              "url": "http://www.vupen.com/english/advisories/2008/2769"
            },
            {
              "name": "ADV-2008-2526",
              "refsource": "VUPEN",
              "tags": [],
              "url": "http://www.vupen.com/english/advisories/2008/2526"
            },
            {
              "name": "oval:org.mitre.oval:def:6035",
              "refsource": "OVAL",
              "tags": [],
              "url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6035"
            },
            {
              "name": "20081007 [W02-1008] GearSoftware Powered Products Local Privilege Escalation (Microsoft Windows Kernel IopfCompleteRequest Integer Overflow)",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/497131/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 7.2,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 10.0,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2018-10-11T20:48Z",
      "publishedDate": "2008-09-11T01:13Z"
    }
  }
}

CERTA-2008-AVI-454

Vulnerability from certfr_avis - Published: 2008-09-10 - Updated: 2008-09-10

Une vulnérabilité dans iTunes permet à un utilisateur local d'élever ses privilèges.

Description

Une erreur de type débordement d'entier est présente dans un pilote fourni avec iTunes. Cette vulnérabilité permet à un utilisateur local d'élever ses privilèges jusqu'au niveau system.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

iTunes version 8.0 pour Windows XP ou Vista.

Impacted products

	Vendor	Product	Description

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2008-3636 (GCVE-0-2008-3636)

VAR-200809-0208

.text:00011BB6 ;

GHSA-4Q27-W7JF-V3MH

FKIE_CVE-2008-3636

GSD-2008-3636

CERTA-2008-AVI-454

Description

Solution

Tags

Sightings

Nomenclature