MS KB982316: Elevation of Privilege Using Windows Service Isolation Bypass
2010-08-26T00:00:00
ID SMB_KB982316.NASL Type nessus Reporter This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. Modified 2021-01-02T00:00:00
Description
Windows Service Isolation can be bypassed on the remote host,
resulting in the elevation of privileges.
A local attacker could exploit this by leveraging the TAPI service to
execute code as SYSTEM.
A similar problem affects other Windows services that run as the
NetworkService user (e.g. IIS, SQL Server), though Nessus has not
checked for those issues.
#
# (C) Tenable Network Security, Inc.
#
include("compat.inc");

# Plugin registration block: runs only when the scanner loads the plugin with
# `description` set, records the plugin's metadata and exits before any
# network activity. The real check starts after the closing brace.
if (description)
{
# Plugin identity and the version / revision date of this script.
script_id(48761);
script_version("1.12");
script_cvs_date("Date: 2018/11/15 20:50:28");
# Cross-references: the CVE, the BugTraq id and the Microsoft KB number.
script_cve_id("CVE-2010-1886");
script_bugtraq_id(42278);
script_xref(name:"MSKB", value:"982316");
# NOTE(review): the summary names the file check, but the primary test below is
# the DACL of the Telephony registry key; the Tapisrv.dll version check is the
# fallback used when the registry looks clean.
script_name(english:"MS KB982316: Elevation of Privilege Using Windows Service Isolation Bypass");
script_summary(english:"Checks version of tapisrv.dll");
script_set_attribute(attribute:"synopsis", value:"The remote Windows host has a privilege escalation vulnerability.");
script_set_attribute(attribute:"description", value:
"Windows Service Isolation can be bypassed on the remote host,
resulting in the elevation of privileges.
A local attacker could exploit this by leveraging the TAPI service to
execute code as SYSTEM.
A similar problem affects other Windows services that run as the
NetworkService user (e.g. IIS, SQL Server), though Nessus has not
checked for those issues.");
# References: the original research paper and the Microsoft advisory.
script_set_attribute(attribute:"see_also", value:"http://argeniss.com/research/TokenKidnappingRevengePaper.pdf");
script_set_attribute(
attribute:"see_also",
value:"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2264072"
);
# Remediation text shown to the user. Microsoft classifies the update as
# non-security, so it may be absent from security-only patch baselines.
script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows XP, 2003, Vista,
2008, 7, and 2008 R2 :
Although these patches mitigate this vulnerability, users should be
aware this is considered a non-security update by Microsoft. Refer to
the Microsoft advisory for more information.");
# CVSSv2: local access, low complexity, single authentication, complete C/I/A.
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
# Disclosure, patch and plugin publication dates.
script_set_attribute(attribute:"vuln_publication_date", value:"2010/08/10");
script_set_attribute(attribute:"patch_publication_date", value:"2010/08/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2010/08/26");
# "local" plugin type: the check needs authenticated SMB access to the host.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Windows");
script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");
# Prerequisites: the hotfix enumeration plugin must have run, the registry
# must have been enumerated over SMB, and the SMB ports must be open.
script_dependencies("smb_hotfixes.nasl");
script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion");
script_require_ports(139, 445);
exit(0);
}
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("audit.inc");
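# ACE type value of an access-allowed ACE (the ACE type the check below matches).
ACCESS_ALLOWED_ACE_TYPE = 0;

get_kb_item_or_exit('SMB/WindowsVersion');

# Only the OS / service-pack combinations covered by the advisory are examined;
# anything else is reported as not affected without touching the host further.
if (hotfix_check_sp(xp:4, win2003:3, vista:3, win7:1) <= 0)
  exit(0, 'The host is not affected based on its version / service pack.');

# SMB transport and credentials come from the knowledge base populated by the
# dependency plugins; `port` is reused later when reporting.
port = kb_smb_transport();
login = kb_smb_login();
pass = kb_smb_password();
domain = kb_smb_domain();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');
rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  exit(1, "Can't connect to IPC$ share.");
}

hklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);
if (isnull(hklm))
{
  NetUseDel();
  exit(1, "Can't connect to the remote registry.");
}

# The key whose DACL is examined. MAXIMUM_ALLOWED lets the open succeed with
# whatever rights the scanning account holds on the key.
key = "Software\Microsoft\Windows\CurrentVersion\Telephony";
key_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);
if (isnull(key_h))
{
  # Release the root handle before tearing down the session, as the success
  # path below does; the original only dropped the session here.
  RegCloseKey(handle:hklm);
  NetUseDel();
  exit(1, "Can't access the 'HKLM\"+key+"' registry key.");
}

# Only the DACL part of the security descriptor is requested; that is all the
# ACE walk needs. Handles and the session are released before the result is
# inspected so every exit path below is clean.
sd = RegGetKeySecurity(handle:key_h, type:DACL_SECURITY_INFORMATION);
RegCloseKey(handle:key_h);
RegCloseKey(handle:hklm);
NetUseDel();

if (isnull(sd)) exit(1, "Can't access the security descriptor for the 'HKLM\"+ key + "' registry key.");

# NOTE(review): assumes element 3 of the RegGetKeySecurity() result is the raw
# DACL blob — confirm against smb_func.inc.
dacl = sd[3];
dacl = parse_pdacl(blob:dacl);
if (isnull(dacl)) exit(1, "Error parsing DACL.");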
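vulnerable = FALSE;

# Walk the DACL of the Telephony key. The unpatched state this plugin looks
# for is an ACE granting NETWORK SERVICE full control of that key.
foreach ace (dacl)
{
  ace = parse_dacl(blob:ace);
  if (isnull(ace))
  {
    debug_print("Error parsing ACE.");
    continue;
  }

  rights = ace[0];   # access mask of the ACE
  type = ace[3];     # ACE type (allow / deny / ...)
  sid = sid2string(sid:ace[1]);
  if (isnull(sid))
  {
    debug_print(1, "Error parsing SID.");
    continue;
  }

  # Match only when all three hold:
  #   1) an access-allowed ACE (a deny ACE for the same SID must not match),
  #   2) the trustee is S-1-5-20, NT AUTHORITY\NETWORK SERVICE (sid2string()
  #      is compared here without the "S-" prefix),
  #   3) the access mask contains every bit of KEY_ALL_ACCESS.
  # The mask test is parenthesized so that the intent does not depend on
  # NASL's operator precedence (where & binds tighter than ==, the reverse
  # of C); the original relied on that precedence.
  if (
    type == ACCESS_ALLOWED_ACE_TYPE &&
    sid == '1-5-20' &&
    (rights & KEY_ALL_ACCESS) == KEY_ALL_ACCESS
  )
  {
    # Stop at the first matching ACE: one is enough to call the host unpatched.
    vulnerable = TRUE;
    break;
  }
}

if (vulnerable)
{
  # `port` was already taken from the knowledge base during session setup;
  # the original re-read it here for no effect.
  if (report_verbosity > 0)
  {
    report =
      '\nThe Network Service group has Full Control rights to :\n\n'+
      ' HKLM\\'+key+'\n';
    security_warning(port:port, extra:report);
  }
  else security_warning(port);

  # Report on the first sign that the system is unpatched; the file-version
  # fallback further down is only reached when the registry looks clean.
  exit(0);
}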
# Fallback check. The original author saw at least one unpatched system whose
# registry ACL looked clean, so the plugin also looks at whether Tapisrv.dll
# has been updated before declaring the host clean.
if (!is_accessible_share()) exit(1, 'is_accessible_share() failed.');

unpatched =
  # Windows 7 and Windows Server 2008 R2 (two version ranges of the same file)
  hotfix_is_vulnerable(os:"6.1", file:"Tapisrv.dll", version:"6.1.7600.20756", min_version:"6.1.7600.20000", dir:"\system32") ||
  hotfix_is_vulnerable(os:"6.1", file:"Tapisrv.dll", version:"6.1.7600.16637", min_version:"6.1.7600.16000", dir:"\system32") ||
  # Vista / Windows Server 2008, SP2 then SP1
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Tapisrv.dll", version:"6.0.6002.22390", min_version:"6.0.6002.22000", dir:"\system32") ||
  hotfix_is_vulnerable(os:"6.0", sp:2, file:"Tapisrv.dll", version:"6.0.6002.18247", min_version:"6.0.6002.18000", dir:"\system32") ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Tapisrv.dll", version:"6.0.6001.22676", min_version:"6.0.6001.22000", dir:"\system32") ||
  hotfix_is_vulnerable(os:"6.0", sp:1, file:"Tapisrv.dll", version:"6.0.6001.18463", min_version:"6.0.6001.18000", dir:"\system32") ||
  # Windows Server 2003 / XP x64
  hotfix_is_vulnerable(os:"5.2", sp:2, file:"Tapisrv.dll", version:"5.2.3790.4699", dir:"\system32");
# No file check for XP 32-bit: the original author did not find tapicust.dll
# there after patching, so that platform relies on the registry check above.

if (unpatched)
{
  # Report first, then release the file-check session (the helper order the
  # original used).
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}

hotfix_check_fversion_end();
exit(0, 'The host is not affected.');
{"id": "SMB_KB982316.NASL", "bulletinFamily": "scanner", "title": "MS KB982316: Elevation of Privilege Using Windows Service Isolation Bypass", "description": "Windows Service Isolation can be bypassed on the remote host,\nresulting in the elevation of privileges.\n\nA local attacker could exploit this by leveraging the TAPI service to\nexecute code as SYSTEM.\n\nA similar problem affects other Windows services that run as the\nNetworkService user (e.g. IIS, SQL Server), though Nessus has not\nchecked for those issues.", "published": "2010-08-26T00:00:00", "modified": "2021-01-02T00:00:00", "cvss": {"score": 6.8, "vector": "AV:L/AC:L/Au:S/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/48761", "reporter": "This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.", "references": ["http://argeniss.com/research/TokenKidnappingRevengePaper.pdf", "https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2264072"], "cvelist": ["CVE-2010-1886"], "type": "nessus", "lastseen": "2021-01-01T05:43:19", "edition": 25, "viewCount": 366, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2010-1886"]}], "modified": "2021-01-01T05:43:19", "rev": 2}, "score": {"value": 6.5, "vector": "NONE", "modified": "2021-01-01T05:43:19", "rev": 2}, "vulnersScore": 6.5}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\n\nif (description)\n{\n script_id(48761);\n script_version(\"1.12\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\n\n script_cve_id(\"CVE-2010-1886\");\n script_bugtraq_id(42278);\n script_xref(name:\"MSKB\", value:\"982316\");\n\n script_name(english:\"MS KB982316: Elevation of Privilege Using Windows Service Isolation Bypass\");\n script_summary(english:\"Checks version of tapisrv.dll\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"The remote Windows host has a privilege escalation vulnerability.\");\n 
script_set_attribute(attribute:\"description\", value:\n\"Windows Service Isolation can be bypassed on the remote host,\nresulting in the elevation of privileges.\n\nA local attacker could exploit this by leveraging the TAPI service to\nexecute code as SYSTEM.\n\nA similar problem affects other Windows services that run as the\nNetworkService user (e.g. IIS, SQL Server), though Nessus has not\nchecked for those issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://argeniss.com/research/TokenKidnappingRevengePaper.pdf\");\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2264072\"\n );\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows XP, 2003, Vista,\n2008, 7, and 2008 R2 :\n\nAlthough these patches mitigate this vulnerability, users should be\naware this is considered a non-security update by Microsoft. Refer to\nthe Microsoft advisory for more information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2010/08/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2010/08/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2010/08/26\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.\");\n\n 
script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\", \"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"audit.inc\");\n\nACCESS_ALLOWED_ACE_TYPE = 0;\n\nget_kb_item_or_exit('SMB/WindowsVersion');\nif (hotfix_check_sp(xp:4, win2003:3, vista:3, win7:1) <= 0)\n exit(0, 'The host is not affected based on its version / service pack.');\n\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(1, \"Can't connect to IPC$ share.\");\n}\n\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(1, \"Can't connect to the remote registry.\");\n}\n\nkey = \"Software\\Microsoft\\Windows\\CurrentVersion\\Telephony\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\n\nif (isnull(key_h))\n{\n NetUseDel();\n exit(1, \"Can't access the 'HKLM\\\"+key+\"' registry key.\");\n}\n\nsd = RegGetKeySecurity(handle:key_h, type:DACL_SECURITY_INFORMATION);\nRegCloseKey(handle:key_h);\nRegCloseKey(handle:hklm);\nNetUseDel();\n\nif (isnull(sd)) exit(1, \"Can't access the security descriptor for the 'HKLM\\\"+ key + \"' registry key.\");\n\ndacl = sd[3];\ndacl = parse_pdacl(blob:dacl);\nif (isnull(dacl)) exit(1, \"Error parsing DACL.\");\n\nvulnerable = FALSE;\n\nforeach ace (dacl)\n{\n ace = parse_dacl(blob:ace);\n if (isnull(ace))\n {\n debug_print(\"Error parsing ACE.\");\n continue;\n }\n\n rights = ace[0];\n type = ace[3];\n sid = sid2string(sid:ace[1]);\n if (isnull(sid))\n {\n debug_print(1, \"Error parsing SID.\");\n continue;\n }\n\n # Check if this is 1) an allow ACE 2) for Network Service 3) 
that allows full control\n if (\n type == ACCESS_ALLOWED_ACE_TYPE &&\n sid == '1-5-20' &&\n rights & KEY_ALL_ACCESS == KEY_ALL_ACCESS\n )\n {\n vulnerable = TRUE;\n break;\n }\n}\n\nif (vulnerable)\n{\n port = kb_smb_transport();\n\n if (report_verbosity > 0)\n {\n report =\n '\\nThe Network Service group has Full Control rights to :\\n\\n'+\n ' HKLM\\\\'+key+'\\n';\n security_warning(port:port, extra:report);\n }\n else security_warning(port);\n\n exit(0);\n # never reached\n # Exit on the first sign that the system is unpatched\n}\n\n# I ran into one circumstance where the registry looked fine on unpatched\n# systems. In these cases, the plugin should check to see if tapisrv.dll\n# has been updated, just to be safe.\nif (!is_accessible_share()) exit(1, 'is_accessible_share() failed.');\n\nif (\n # Windows 7 and Windows Server 2008 R2\n hotfix_is_vulnerable(os:\"6.1\", file:\"Tapisrv.dll\", version:\"6.1.7600.20756\", min_version:\"6.1.7600.20000\", dir:\"\\system32\") ||\n hotfix_is_vulnerable(os:\"6.1\", file:\"Tapisrv.dll\", version:\"6.1.7600.16637\", min_version:\"6.1.7600.16000\", dir:\"\\system32\") ||\n\n # Vista / Windows 2008\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Tapisrv.dll\", version:\"6.0.6002.22390\", min_version:\"6.0.6002.22000\", dir:\"\\system32\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:2, file:\"Tapisrv.dll\", version:\"6.0.6002.18247\", min_version:\"6.0.6002.18000\", dir:\"\\system32\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Tapisrv.dll\", version:\"6.0.6001.22676\", min_version:\"6.0.6001.22000\", dir:\"\\system32\") ||\n hotfix_is_vulnerable(os:\"6.0\", sp:1, file:\"Tapisrv.dll\", version:\"6.0.6001.18463\", min_version:\"6.0.6001.18000\", dir:\"\\system32\") ||\n\n # Windows 2003 / XP x64\n hotfix_is_vulnerable(os:\"5.2\", sp:2, file:\"Tapisrv.dll\", version:\"5.2.3790.4699\", dir:\"\\system32\")\n\n # After patching, I didn't see tapicust.dll on XP 32-bit so I'll omit the file version check here.\n # The patch 
_should_ be detected by the registry check above, though\n)\n{\n hotfix_security_warning();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n exit(0, 'The host is not affected.');\n}\n", "naslFamily": "Windows", "pluginID": "48761", "cpe": ["cpe:/o:microsoft:windows"], "scheme": null}
{"cve": [{"lastseen": "2020-10-03T11:57:25", "description": "Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 SP2 and R2, and Windows 7 allow local users to gain privileges by leveraging access to a process with NetworkService credentials, as demonstrated by TAPI Server, SQL Server, and IIS processes, and related to the Windows Service Isolation feature. NOTE: the vendor states that privilege escalation from NetworkService to LocalSystem does not cross a \"security boundary.\"", "edition": 3, "cvss3": {}, "published": "2010-08-16T18:39:00", "title": "CVE-2010-1886", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.1, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 6.8, "vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2010-1886"], "modified": "2018-10-30T16:27:00", "cpe": ["cpe:/o:microsoft:windows_vista:*", "cpe:/o:microsoft:windows_2003_server:*", "cpe:/o:microsoft:windows_xp:-", "cpe:/o:microsoft:windows_2003_server:-", "cpe:/o:microsoft:windows_server_2008:*", "cpe:/o:microsoft:windows_server_2008:r2", "cpe:/o:microsoft:windows_xp:*", "cpe:/o:microsoft:windows_7:-"], "id": "CVE-2010-1886", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1886", "cvss": {"score": 6.8, "vector": "AV:L/AC:L/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:microsoft:windows_server_2008:*:*:x32:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp1:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:*:*:*:*:*:*", 
"cpe:2.3:o:microsoft:windows_xp:*:sp2:professional:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:*:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:r2:*:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:-:sp2:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:sp2:itanium:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:-:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_server_2008:*:*:x64:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp1:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_vista:*:sp2:x64:*:*:*:*:*"]}]}