The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor that points to protected memory.
lists.grok.org.uk/pipermail/full-disclosure/2004-April/020068.html
www.ciac.org/ciac/bulletins/o-114.shtml
www.eeye.com/html/Research/Advisories/AD20040413D.html
www.kb.cert.org/vuls/id/122076
www.securityfocus.com/bid/10122
www.us-cert.gov/cas/techalerts/TA04-104A.html
docs.microsoft.com/en-us/security-updates/securitybulletins/2004/ms04-011
exchange.xforce.ibmcloud.com/vulnerabilities/15707
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A890
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A911