A vulnerability exists within an undocumented Windows XP function, NtUserLoadKeyboardLayoutEx, as a result of an incomplete patch for CVE-2012-0181 on Windows XP in Microsoft Security Bulletin MS12-034. The patch issued within MS12-034 inhibits the loading of arbitrary keyboard layout files, but fails to validate the "offTable" parameter to NtUserLoadKeyboardLayoutEx() within win32k.sys.
HKL WINAPI NtUserLoadKeyboardLayoutEx(
Rudimentary exploitation is achieved by locally executing a crafted application on the system to cause kernel pool corruption, thus resulting in the legendary Blue Screen of Death. At the time of this writing, no public exploits that attain code execution are known to exist nor has exploitation been witnessed in-the-wild.
Microsoft Windows XP SP3 (fully patched through May 2012, including MS12-034)
Elevation of Privilege
Local elevation of privileges to kernel context. Exploitation of this vulnerability is difficult and will most likely result in a system crash (via pool corruption). Local attackers who successfully exploit this vulnerability will be able to execute code on the vulnerable system with LocalSystem rights. This would lead to a complete system compromise, giving attackers full control of the system.
BeyondTrust Prevention and Detection:
BeyondTrust's Retina® Network Security Scanner scans devices to detect for this vulnerability.
- 16477 - Windows XP Keyboard Layouts Pool Corruption (Zero-Day)
No known mitigation exists.
Links:
- Original Disclosure (Russian)