Microsoft Windows privilege escalation vulnerability

2006-02-08T00:00:00
ID VU:953860
Type cert
Reporter CERT
Modified 2006-04-21T21:58:00

Description

Overview

Microsoft Windows access controls may be improperly configured, potentially allowing a local attacker to gain elevated privileges on a vulnerable system.

Description

Microsoft Windows provides numerous fine-grained permissions and privileges to control access to Windows components, such as services, files, and registry entries.

Recent research has uncovered insecure configurations within user accounts and groups on Microsoft Windows systems. These configurations may allow local attackers to gain access to, and manipulate, system resources. The researchers have developed a model that analyzes permissions to expose privilege escalation vulnerabilities. The research focused on three particular components of the Windows architecture:

Services

Windows services may be installed and configured with unnecessary privileges. This may allow a lesser privileged user to access and change the settings for a service that runs with greater privileges. Of particular concern are the following privileges:

The SERVICE_CHANGE_CONFIG access right allows a user to change a service's configuration. This includes the executable that the service launches and the user account under which the service runs. According to Microsoft, "Because this grants the caller the right to change the executable file that the system runs, it should be granted only to administrators."

The SERVICE_ALL_ACCESS access right allows a user full control over a service.

Files and Directories

Any privileges that allow the contents of a file or a directory to be modified should be granted only to trusted users. The following access rights are of particular concern:

The FILE_ALL_ACCESS access right allows a user to completely control a file, including read, write and execute privileges.

The FILE_APPEND_DATA access right allows a user to add data to a file.

The FILE_WRITE_DATA access right allows a user to write and rewrite data to a file.

Registry Keys

Users with KEY_SET_VALUE permissions can modify registry keys that specify executables, DLLs, and/or Globally Unique Identifiers (GUIDs).
The WRITE_DAC access right provides the ability to modify the access control list for a resource. Users granted this right have the ability to change the way they, or other users, access a resource. This may allow attackers to grant themselves, or others, arbitrary permissions over a resource.

Note that these issues can affect all software that is developed for the Microsoft Windows platform. Known Windows services that have weak permissions include, but may not be limited to:

* Microsoft SSDP Discovery service (`SSDPSRV`)
* NetBIOS over TCP/IP service (`NetBT`)
* Smart Card service (`SCardSvr`)
* Universal Plug and Play Device Host service (`upnphost`)
* DNS Client service (`Dnscache`)
* DHCP Client service (`Dhcp`)
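
An added audit example, not part of the original advisory or of any vendor tool: it parses a service security descriptor in the SDDL form printed by `sc sdshow <service>` and reports allow entries that give an untrusted trustee SERVICE_ALL_ACCESS, SERVICE_CHANGE_CONFIG or WRITE_DAC. The function names, the sample descriptors and the choice of LocalSystem (`SY`) and Administrators (`BA`) as the only trusted trustees are assumptions made for illustration.

```python
import re

# Service-specific meaning of the two-letter SDDL rights printed by `sc sdshow`.
RIGHTS = {
    "CC": 0x0001,   # SERVICE_QUERY_CONFIG
    "DC": 0x0002,   # SERVICE_CHANGE_CONFIG
    "LC": 0x0004,   # SERVICE_QUERY_STATUS
    "SW": 0x0008,   # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x0010,   # SERVICE_START
    "WP": 0x0020,   # SERVICE_STOP
    "DT": 0x0040,   # SERVICE_PAUSE_CONTINUE
    "LO": 0x0080,   # SERVICE_INTERROGATE
    "CR": 0x0100,   # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC (as a right; as a trustee, WD means Everyone)
    "WO": 0x80000,  # WRITE_OWNER
    "GA": 0xF01FF,  # GENERIC_ALL, maps to SERVICE_ALL_ACCESS for services
    "GW": 0x20002,  # GENERIC_WRITE, maps to READ_CONTROL | SERVICE_CHANGE_CONFIG
}
# The rights this advisory names, checked in this order.
FLAGGED = [("SERVICE_ALL_ACCESS", 0xF01FF),
           ("SERVICE_CHANGE_CONFIG", 0x0002),
           ("WRITE_DAC", 0x40000)]
TRUSTED = {"SY", "BA"}  # assumption: only LocalSystem and Administrators are trusted

def rights_mask(field):
    """Turn an ACE rights field (hex or two-letter codes) into an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS.get(field[i:i + 2], 0)
    return mask

def audit_service_sddl(sddl, trusted=TRUSTED):
    """Return [(trustee, [flagged rights])] for allow ACEs held by untrusted trustees."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)  # skip owner, group and SACL
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        parts = ace.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(parts) < 6 or parts[0] != "A" or parts[5] in trusted:
            continue  # only allow ACEs are examined; deny ACEs are not evaluated
        mask = rights_mask(parts[2])
        hits = [name for name, bits in FLAGGED if (mask & bits) == bits]
        if hits:
            findings.append((parts[5], hits))
    return findings

# Constructed descriptors in `sc sdshow` format, not taken from a real system.
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPLOCRRC;;;AU)(A;;0xf01ff;;;PU)")
```

Calling `audit_service_sddl(WEAK)` reports the Authenticated Users (`AU`) and Power Users (`PU`) entries, while `HARDENED` produces no findings.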

Impact

A local user with valid login credentials may be able to gain elevated privileges on a vulnerable Windows system.

We are aware of publicly available exploit code that claims to be a tool to identify vulnerable services. Installing and running this code may allow a remote attacker to gain access to a system.


Solution

These issues are corrected in Service Pack 2 for Microsoft Windows XP and Service Pack 1 for Microsoft Windows Server 2003. In addition, Microsoft Security Advisory 914457 and Microsoft Security Bulletin MS06-011 contain numerous workarounds to mitigate these vulnerabilities.


Vendor Information

Adobe

Notified: November 28, 2005 Updated: February 08, 2006

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.adobe.com/support/techdocs/332644.html>.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Macromedia, Inc.

Notified: November 29, 2005 Updated: February 08, 2006

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.macromedia.com/devnet/security/security_zone/mpsb05-04.html>

Microsoft Corporation

Notified: November 28, 2005 Updated: February 08, 2006

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.microsoft.com/technet/security/advisory/914457.mspx>.

Appgate Network Security

Notified: December 14, 2005 Updated: February 09, 2006

Status

Not Vulnerable

Vendor Statement

None of our products are vulnerable to this issue

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu

Notified: December 14, 2005 Updated: April 21, 2006

Status

Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Oracle Corporation

Notified: December 14, 2005 Updated: February 08, 2006

Status

Not Vulnerable

Vendor Statement

We have investigated this issue, and determined that Oracle products are not vulnerable.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

ACROS SI

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Alcatel

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

America Online, Inc.

Notified: November 28, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

AOL is in the process of evaluating the research findings as they relate to installations of AOL software.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apache HTTP Server Project

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Bitvise

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Check Point Software Technologies

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cisco Systems, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ericsson

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ethereal

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Funk Software Security Group

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IAIK Java Group

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

InfoExpress, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Inner Media, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Isode

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Lightspeed Systems, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Lotus Software

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Lucent Technologies

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MIT Kerberos Development Team

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mozilla, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Orbiteam

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Pragma Systems

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

PuTTY

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

RSA Security, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SafeNet

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

ScriptLogic

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Skype Technologies

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Symantec, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

VanDyke Software

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

As of yet, we have been unable to find any indication that our VShell product is affected by the privilege escalation issues described. We will continue to investigate the issue and provide any updates to the applicability of this vulnerability to our VShell product as they become available.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

WRQ, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Watchguard Technologies, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Xerox

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Yahoo, Inc.

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

eBay

Notified: December 14, 2005 Updated: February 08, 2006

Status

Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

  • <http://www.microsoft.com/technet/security/advisory/914457.mspx>
  • <http://www.microsoft.com/technet/security/Bulletin/MS06-011.mspx>
  • <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileio/fs/file_security_and_access_rights.asp>
  • <http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/service_security_and_access_rights.asp>
  • <http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf>
  • <http://support.microsoft.com/?id=914392>

Credit

These vulnerabilities were reported by Sudhakar Govindavajhala and Andrew W. Appel.

This document was written by Jeff Gennari.

Other Information

CVE IDs: | CVE-2006-0023
---|---
Severity Metric: | 4.22
Date Public: | 2006-01-31
Date First Published: | 2006-02-08
Date Last Updated: | 2006-04-21 21:58 UTC
Document Revision: | 68