CVE-2014-4971

Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem.

• http://blogs.technet.com/b/srd/archive/2014/10/14/accessing-risk-for-the-october-2014-security-updates.aspx
• http://packetstormsecurity.com/files/127535/Microsoft-XP-SP3-BthPan.sys-Arbitrary-Write-Privilege-Escalation.html
• http://packetstormsecurity.com/files/127536/Microsoft-XP-SP3-MQAC.sys-Arbitrary-Write-Privilege-Escalation.html
• http://packetstormsecurity.com/files/128674/Microsoft-Bluetooth-Personal-Area-Networking-BthPan.sys-Privilege-Escalation.html
• http://seclists.org/fulldisclosure/2014/Jul/96
• http://seclists.org/fulldisclosure/2014/Jul/97
• http://secunia.com/advisories/60974
• http://www.exploit-db.com/exploits/34112
• http://www.exploit-db.com/exploits/34131
• http://www.exploit-db.com/exploits/34982
• http://www.osvdb.org/109387
• http://www.securityfocus.com/archive/1/532843/100/0/threaded
• http://www.securityfocus.com/archive/1/532844/100/0/threaded
• http://www.securityfocus.com/bid/68764
• http://www.securitytracker.com/id/1031025
• https://docs.microsoft.com/en-us/security-updates/securitybulletins/2014/ms14-062
• https://www.korelogic.com/Resources/Advisories/KL-001-2014-002.txt
• https://www.korelogic.com/Resources/Advisories/KL-001-2014-003.txt