|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
 |
Vulnerability Note VU#953860
Microsoft Windows privilege escalation vulnerability
OverviewMicrosoft Windows access controls may be improperly configured potentially allowing a local attacker to gain elevated privileges on a vulnerable system.
I. DescriptionMicrosoft Windows provides numerous, fine grained permissions and privileges to control access to Windows components, such as services, files, and registry entries.
Recent research has uncovered insecure configurations within user accounts and groups on Microsoft Windows systems. These configurations may allow local attackers to gain access to, and manipulate system resources. The researchers have developed a model that analyzes permissions to expose privilege escalation vulnerabilities. The research focused on three particular components of the Windows architecture:
Services
Windows services may be installed and configured with unnecessary privileges. This may allow a lesser privileged user to access and change the settings for a service that runs with greater privileges. Of particular concern are the following privileges:
The SERVICE_CHANGE_CONFIG access right allows a user to change the a service's configuration. This includes the executable that services launches and the user account with which a service runs as. According to Microsoft, "Because this grants the caller the right to change the executable file that the system runs, it should be granted only to administrators."
The SERVICE_ALL_ACCESS access right allows a user full control over a service.
Files and Directories
Any privileges that allow the contents of a file or a directory to be modified should be granted to only trusted users. The following access rights a of particular concern:
The FILE_ALL_ACCESS access right allows a user to completely control a file, including read, write and execute privileges.
The FILE_APPEND_DATA access right allows a user to add data to a file.
The FILE_WRITE_DATA access right allows a user to write and rewrite data to a file.
Registry Keys
Users with KEY_SET_VALUE permissions can modify registry keys that specify executables, DLLs, and/or Globally Unique Identifiers (GUIDs).
The WRITE_DAC access right provides the ability to modify the access control list for a resource. Users granted this right have the ability to change the way they, or other users, access a resource. This may allow attackers to grant themselves, or others arbitrary permissions over a resource.
Note that these issues can affect all software that is developed for the Microsoft Windows platform. Known Windows services that have weak permissions include, but may not belimited to
- Microsoft SSDP Discovery service (SSDPSRV)
- NetBios over TCP/IP service (NetBT)
- Smart Card service (SCardSvr)
- Universal Plug and Play Device Host service (upnphost)
- DNS Client service (Dnscache)
- DHCP Client service (Dhcp)
II. ImpactA local user with valid login credentials may be able gain elevated privileges on a vulnerable Windows system.
We are aware of publicly available exploit code that claims to be a tool to identify vulnerable services. Installing and running this code may allow a remote attacker to gain access to a system.
III. SolutionThese issues are corrected in Service Pack 2 for Microsoft Windows XP and Service Pack 1 for Microsoft Windows Server 2003. In addition, Microsoft Security Advisory 914457 and Microsoft Security Bulletin MS06-011 contain numerous workarounds to mitigate these vulnerabilities.
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|
| ACROS SI | Unknown | 8-Feb-2006 |
| Adobe | Vulnerable | 8-Feb-2006 |
| Alcatel | Unknown | 8-Feb-2006 |
| America Online, Inc. | Unknown | 8-Feb-2006 |
| Apache HTTP Server Project | Unknown | 8-Feb-2006 |
| Appgate Network Security | Not Vulnerable | 9-Feb-2006 |
| Apple Computer, Inc. | Unknown | 8-Feb-2006 |
| Bitvise | Unknown | 8-Feb-2006 |
| Check Point Software Technologies | Unknown | 8-Feb-2006 |
| Cisco Systems, Inc. | Unknown | 8-Feb-2006 |
| eBay | Unknown | 8-Feb-2006 |
| Ericsson | Unknown | 8-Feb-2006 |
| Ethereal | Unknown | 8-Feb-2006 |
| Fujitsu | Not Vulnerable | 21-Apr-2006 |
| Funk Software Security Group | Unknown | 8-Feb-2006 |
| Hitachi | Unknown | 8-Feb-2006 |
| IAIK Java Group | Unknown | 8-Feb-2006 |
| InfoExpress, Inc. | Unknown | 8-Feb-2006 |
| Inner Media, Inc. | Unknown | 8-Feb-2006 |
| Isode | Unknown | 8-Feb-2006 |
| Lightspeed Systems, Inc. | Unknown | 8-Feb-2006 |
| Lotus Software | Unknown | 8-Feb-2006 |
| Lucent Technologies | Unknown | 8-Feb-2006 |
| Macromedia, Inc. | Vulnerable | 8-Feb-2006 |
| Microsoft Corporation | Vulnerable | 8-Feb-2006 |
| MIT Kerberos Development Team | Unknown | 8-Feb-2006 |
| Mozilla, Inc. | Unknown | 8-Feb-2006 |
| Oracle Corporation | Not Vulnerable | 8-Feb-2006 |
| Orbiteam | Unknown | 8-Feb-2006 |
| Pragma Systems | Unknown | 8-Feb-2006 |
| PuTTY | Unknown | 8-Feb-2006 |
| RSA Security, Inc. | Unknown | 8-Feb-2006 |
| SafeNet | Unknown | 8-Feb-2006 |
| ScriptLogic | Unknown | 8-Feb-2006 |
| Skype Technologies | Unknown | 8-Feb-2006 |
| Sun Microsystems, Inc. | Unknown | 8-Feb-2006 |
| Symantec, Inc. | Unknown | 8-Feb-2006 |
| VanDyke Software | Unknown | 8-Feb-2006 |
| Watchguard Technologies, Inc. | Unknown | 8-Feb-2006 |
| Wind River Systems, Inc. | Unknown | 8-Feb-2006 |
| WRQ, Inc. | Unknown | 8-Feb-2006 |
| Xerox | Unknown | 8-Feb-2006 |
| Yahoo, Inc. | Unknown | 8-Feb-2006 |
References
http://www.microsoft.com/technet/security/advisory/914457.mspx
http://www.microsoft.com/technet/security/Bulletin/MS06-011.mspx
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/file_security_and_access_rights.asp
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/service_security_and_access_rights.asp
http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
http://support.microsoft.com/?id=914392
Credit
These vulnerabilities were reported by Sudhakar Govindavajhala and Andrew W. Appel.
This document was written by Jeff Gennari.
Other Information
| Date Public: | 2006-01-31 |
| Date First Published: | 2006-02-07 |
| Date Last Updated: | 2006-04-21 |
| CERT Advisory: | |
| CVE-ID(s): | CVE-2006-0023 |
| NVD-ID(s): | CVE-2006-0023 |
| US-CERT Technical Alerts: | |
| Metric: | 4.22 |
| Document Revision: | 68 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader