Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, use insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka “Permissive Windows Services DACLs.” NOTE: the NetBT, SCardSvr, DHCP, and DnsCache services already require privileged access to exploit.
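A defender-side audit for the condition described above, as an added example that is not part of the original advisory: it parses a service security descriptor in SDDL form (as printed by `sc sdshow <service>`) and reports allow ACEs in the DACL that grant configuration-changing rights to low-privileged trustees. The SDDL strings are constructed samples, not the actual Windows XP defaults, and the trustees other than Authenticated Users are an added assumption.

```python
import re

# SDDL right code -> (access-mask bit, name) for service objects.
WRITE_RIGHTS = {
    "DC": (0x00000002, "SERVICE_CHANGE_CONFIG"),
    "WD": (0x00040000, "WRITE_DAC"),
    "WO": (0x00080000, "WRITE_OWNER"),
    "GA": (0x10000000, "GENERIC_ALL"),
    "GW": (0x40000000, "GENERIC_WRITE"),
}
# The advisory names Authenticated Users (AU); the other trustees are an
# assumption added here to cover equally broad groups.
LOW_PRIV = {"AU": "Authenticated Users", "WD": "Everyone",
            "BU": "Builtin Users", "IU": "Interactive"}

def decode(rights):
    """Map an ACE rights field (two-letter codes or a hex mask) to risky rights."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for bit, name in WRITE_RIGHTS.values() if mask & bit]
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [WRITE_RIGHTS[c][1] for c in codes if c in WRITE_RIGHTS]

def risky_aces(sddl):
    """Return [(trustee, [rights])] for DACL allow ACEs that let a low-privileged
    trustee change the service configuration, its DACL or its owner.
    Deny ACEs and the SACL (S:) are not evaluated."""
    dacl = re.search(r"D:[^()]*((?:\([^()]*\))*)", sddl)
    if not dacl:
        return []
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue  # malformed, or not an access-allowed ACE
        hits = decode(fields[2])
        if fields[5] in LOW_PRIV and hits:
            findings.append((LOW_PRIV[fields[5]], hits))
    return findings

# Constructed samples: AU holds full control in WEAK, read/query only in HARDENED.
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;AU)")
HEX_MASK = "D:(A;;0xf01ff;;;AU)"  # same rights as WEAK, written as a numeric mask

if __name__ == "__main__":
    for name, sd in (("WEAK", WEAK), ("HARDENED", HARDENED), ("HEX_MASK", HEX_MASK)):
        print(name, risky_aces(sd))
```
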
secunia.com/advisories/18756
secunia.com/advisories/19238
secunia.com/advisories/19313
securitytracker.com/id?1015595
securitytracker.com/id?1015765
support.avaya.com/elmodocs2/security/ASA-2006-069.htm
www.cs.princeton.edu/~sudhakar/papers/winval.pdf
www.kb.cert.org/vuls/id/953860
www.microsoft.com/technet/security/advisory/914457.mspx
www.securityfocus.com/archive/1/423587/100/0/threaded
www.vupen.com/english/advisories/2006/0417
www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=391523&RenditionID=
docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-011
exchange.xforce.ibmcloud.com/vulnerabilities/24463
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1671
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1696