Security in Context: The BeyondTrust Blog


Windows XP Keyboard Layouts Pool Corruption Local Privilege Elevation

Disclosed May 18, 2012    No Patch Available

Vulnerability Description:

A vulnerability exists within an undocumented Windows XP function, NtUserLoadKeyboardLayoutEx, as a result of an incomplete patch for CVE-2012-0181 on Windows XP in Microsoft Security Bulletin MS12-034. The patch issued within MS12-034 inhibits the loading of arbitrary keyboard layout files, but fails to validate the "offTable" parameter to NtUserLoadKeyboardLayoutEx() within win32k.sys.

HKL WINAPI NtUserLoadKeyboardLayoutEx(
  HANDLE Handle,
  DWORD offTable,
  PUNICODE_STRING puszKeyboardName,
  HKL hKL,
  UINT Flags
);

Rudimentary exploitation is achieved by locally executing a crafted application on the system to cause kernel pool corruption, thus resulting in the legendary Blue Screen of Death. At the time of this writing, no public exploits that attain code execution are known to exist, nor has exploitation been witnessed in the wild.
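The flaw described above is, at its core, a missing bounds check on a caller-supplied offset that the kernel turns into a pointer. The following is an added C example, not code from this advisory, from Microsoft or from win32k.sys: it simulates that pattern in user mode against a constructed keyboard-layout image, placing an unchecked loader beside one that validates offTable before any pointer arithmetic. The entry format, the 64-byte image size and every function name here are assumptions made for illustration; only the parameter name offTable comes from the page.

```c
/*
 * Added example (not win32k.sys code): a user-mode simulation of the bug
 * class described in the advisory, a trusted caller-controlled table offset
 * used to address a pool buffer. Blob layout, entry format and all function
 * names are constructed for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical fixed-size entry that a loader copies out of the layout image. */
typedef struct {
    uint16_t vk;       /* virtual key code */
    uint16_t flags;    /* modifier flags */
    uint32_t unicode;  /* mapped code point */
} kbd_table_entry;

#define BLOB_SIZE 64u
#define LAST_VALID_OFF (BLOB_SIZE - sizeof(kbd_table_entry))   /* 56 */

/* Constructed layout image standing in for the kernel pool allocation. */
static uint8_t layout_blob[BLOB_SIZE];

/* Fill the image with two recognisable entries so reads can be verified. */
void init_constructed_blob(void)
{
    kbd_table_entry first = { 0x41, 0, 0x61 };   /* 'A' -> 'a' */
    kbd_table_entry last  = { 0x42, 0, 0x62 };   /* 'B' -> 'b' */
    memset(layout_blob, 0, sizeof layout_blob);
    memcpy(layout_blob, &first, sizeof first);
    memcpy(layout_blob + LAST_VALID_OFF, &last, sizeof last);
}

/* Vulnerable pattern (the shape of the flaw in the advisory): offTable is
 * trusted, so any 32-bit value becomes a pointer into, or beyond, the
 * allocation holding the image. Only call with an already-vetted offset. */
int load_layout_unchecked(uint32_t offTable, kbd_table_entry *out)
{
    memcpy(out, layout_blob + offTable, sizeof *out);
    return 0;
}

/* Hardened pattern: reject the offset before it is used in arithmetic.
 * The test is written as offTable > (len - entry) rather than
 * offTable + entry > len so that a huge offTable cannot wrap the sum. */
int validate_table_offset(uint32_t offTable, size_t blob_len, size_t entry_len)
{
    if (blob_len < entry_len)
        return -1;                 /* image too small for even one entry */
    if (offTable > blob_len - entry_len)
        return -1;                 /* entry would extend past the image */
    if (offTable % sizeof(uint32_t) != 0)
        return -1;                 /* misaligned entry: treat as malformed */
    return 0;
}

int load_layout_checked(uint32_t offTable, kbd_table_entry *out)
{
    if (validate_table_offset(offTable, BLOB_SIZE, sizeof *out) != 0)
        return -1;                 /* the kernel would fail the call here */
    return load_layout_unchecked(offTable, out);   /* offset is now safe */
}

/* Convenience wrapper: returns the entry's vk, or -1 if the offset is rejected. */
int read_vk_checked(uint32_t offTable)
{
    kbd_table_entry e;
    init_constructed_blob();
    if (load_layout_checked(offTable, &e) != 0)
        return -1;
    return e.vk;
}
```

The point of the hardened form is where the check sits: the offset is validated against the allocation's real length before it ever participates in pointer arithmetic, and the comparison is arranged so that an attacker-sized value cannot overflow its way past the check. The MS12-034 fix, as the advisory describes it, blocked loading arbitrary layout files but left this parameter unvalidated, which is exactly the gap such a check closes.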

Vulnerable Software/Devices:

Microsoft Windows XP SP3 (fully patched through May 2012, including MS12-034)

Vulnerability Severity:

Exploit Availability:

Exploit Impact:

Elevation of Privilege

Local elevation of privileges to kernel context. Exploitation of this vulnerability is difficult and will most likely result in a system crash (via pool corruption). Local attackers who successfully exploit this vulnerability will be able to execute code on the vulnerable system with LocalSystem rights. This would lead to a complete system compromise, giving attackers full control of the system.

BeyondTrust Prevention and Detection:

BeyondTrust's Retina® Network Security Scanner scans devices to detect this vulnerability.

  • 16477 - Windows XP Keyboard Layouts Pool Corruption (Zero-Day)
No known mitigation exists.


- Original Disclosure (Russian)
- CVE-2012-0181