Title: Microsoft Process Monitor SSDT Hooks Multiple Local Vulnerabilities
Severity: MODERATE
Description:
Microsoft Process Monitor is a utility designed to allow users to monitor various system events in real time for Microsoft Windows operating systems. It was originally developed by SysInternals.
Process Monitor is prone to multiple local vulnerabilities. Specifically, the application's kernel-mode driver used for hooking the SSDT (System Service Dispatch Table) fails to properly validate data passed to it from userspace. The vulnerabilities affect the following functions:
NtCreateKey
NtDeleteKeyValue
NtLoadKey
NtOpenKey
NtQueryValueKey
NtSetValueKey
NtUnloadKey
When a userspace process calls these functions with specially crafted data, it may trigger computer crashes.
Exploiting these vulnerabilities allows local attackers to crash affected computers, denying service to legitimate users. Attackers might also be able to gain elevated privileges by executing arbitrary machine code in the context of the kernel, but this has not been confirmed.
Process Monitor 1.22 is vulnerable to these issues; other versions may also be affected.
Affected Products:
- Microsoft Process Monitor 1.22
- Microsoft Process Monitor 1.23
References:
- Matousec: Windows Personal Firewall Analysis
- Microsoft: Process Monitor Product Page
- Microsoft: Updates: BgInfo v4.11, ProcessMonitor v1.24
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
