Zero-day vulnerability in Windows
Privilege escalation
CVE-2009-1123
This vulnerability was used by Equation group in attacks, which involved Fanny malware. The exploit is later added to Stuxnet malware. Initially discovered by Kaspersky Lab in December 2008.
Microsoft bulletin describing 4 vulnerabilities is not clear on which vulnerability was used during the attacks. We are aware of at least two publicly disclosed exploits from this bulletin used by different malware in targeted attacks during Operation Pawn Storm and Turla.
The CVEs covered in this bulletin: CVE-2009-1123, CVE-2009-1124, CVE-2009-1125, CVE-2009-1126. At least one of them has being exploited in the wild before official security patch.
Exploit kits: Fanny, Stuxnet, Turla.
Vulnerability details
Advisory: SB2009060901 - Multiple priviledge escalation vulnerabilities in Microsoft Windows
Vulnerable component: Windows
CVE-ID: CVE-2009-1123
CVSSv3 score: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-822 - Untrusted Pointer Dereference
Description:
The vulnerability allows a local attacker to gain elevated privileges on the target system.
The weakness exists due to improper validation of changes in certain kernel objects. By running a malicious application, a local attacker can submit malformed calls to the Windows Kernel and execute arbitrary code in kernel mode.
Successful exploitation of the vulnerability results in privilege escalation allowing to execute arbitrary code and take complete control of an affected system.
Note: according to reports this vulnerability was being actively exploited before Microsoft issued security patch.