CVE-2010-3190

Severity Score

9.3

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Untrusted search path vulnerability in the Microsoft Foundation Class (MFC) Library in Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1, and 2010; Visual C++ 2005 SP1, 2008 SP1, and 2010; and Exchange Server 2010 Service Pack 3, 2013, and 2013 allows local users to gain privileges via a Trojan horse dwmapi.dll file in the current working directory during execution of an MFC application such as AtlTraceTool8.exe (aka ATL MFC Trace Tool), as demonstrated by a directory that contains a TRC, cur, rs, rct, or res file, aka "MFC Insecure Library Loading Vulnerability."

Vulnerabilidad de ruta de búsqueda no fiable en Microsoft Foundation Class (MFC) Library en Microsoft Visual Studio .NET 2003 SP1; Visual Studio 2005 SP1, 2008 SP1 y 2010; Visual C++ 2005 SP1, 2008 SP1 y 2010 y Exchange Server 2010 Service Pack 3, 2013 y 2013 permite que usuarios locales obtengan privilegios mediante un archivo troyano dwmapi.dll en el directorio de trabajo actual durante la ejecución de una aplicación MFC como AtlTraceTool8.exe (también conocida como ATL MFC Trace Tool), tal y como queda demostrado con un directorio que contiene archivos TRC, cur, rs, rct o res. Esto también se conoce como "MFC Insecure Library Loading Vulnerability".

*Credits: N/A

CVSS Scores

NISTv2 9.3

Attack Vector

Network

Attack Complexity

Medium

Authentication

None

Confidentiality

Complete

Integrity

Complete

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2010-08-31 CVE Reserved
2010-08-31 CVE Published
2024-08-07 CVE Updated
2024-10-18 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-426: Untrusted Search Path

CAPEC

References (9)

URL	Tag	Source
http://secunia.com/advisories/41212	Third Party Advisory
http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list	Broken Link
http://www.securityfocus.com/bid/42811	Third Party Advisory
http://www.us-cert.gov/cas/techalerts/TA11-102A.html	Third Party Advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12457	Signature

URL	Date	SRC

URL	Date	SRC
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-025	2020-11-16
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2010-3190	2020-11-16

URL	Date	SRC
http://lists.apple.com/archives/security-announce/2015/Sep/msg00003.html	2020-11-16
https://support.apple.com/HT205221	2020-11-16

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Apple Search vendor "Apple"		Itunes Search vendor "Apple" for product "Itunes"				12.1.3 Search vendor "Apple" for product "Itunes" and version "12.1.3"		-		Affected
Microsoft Search vendor "Microsoft"		Visual C\+\+ Search vendor "Microsoft" for product "Visual C\+\+"				2005 Search vendor "Microsoft" for product "Visual C\+\+" and version "2005"		sp1, redistributable_package		Affected
Microsoft Search vendor "Microsoft"		Visual C\+\+ Search vendor "Microsoft" for product "Visual C\+\+"				2008 Search vendor "Microsoft" for product "Visual C\+\+" and version "2008"		sp1, redistributable_package		Affected
Microsoft Search vendor "Microsoft"		Visual C\+\+ Search vendor "Microsoft" for product "Visual C\+\+"				2010 Search vendor "Microsoft" for product "Visual C\+\+" and version "2010"		sp1, redistributable_package		Affected
Microsoft Search vendor "Microsoft"		Visual Studio Search vendor "Microsoft" for product "Visual Studio"				2005 Search vendor "Microsoft" for product "Visual Studio" and version "2005"		sp1		Affected
Microsoft Search vendor "Microsoft"		Visual Studio Search vendor "Microsoft" for product "Visual Studio"				2008 Search vendor "Microsoft" for product "Visual Studio" and version "2008"		sp1		Affected
Microsoft Search vendor "Microsoft"		Visual Studio Search vendor "Microsoft" for product "Visual Studio"				2010 Search vendor "Microsoft" for product "Visual Studio" and version "2010"		-		Affected
Microsoft Search vendor "Microsoft"		Visual Studio .net Search vendor "Microsoft" for product "Visual Studio .net"				2003 Search vendor "Microsoft" for product "Visual Studio .net" and version "2003"		sp1		Affected