Title: Microsoft Source Code Analyzer for SQL Injection 1.3 Improper Permissions
Advisory ID: ZSL-2011-5003
Type: Local
Impact: Privilege Escalation
Risk: (3/5)
Release Date: 16.03.2011
Microsoft Source Code Analyzer for SQL Injection is a static code analysis tool for finding SQL Injection vulnerabilities in ASP code. Customers can run the tool on their ASP source code to help identify code paths that are vulnerable to SQL Injection attacks.
The package suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the βCβ flag (Change(write)) for the βEveryoneβ group, for the binary file msscasi_asp.exe and the package itself, msscasi_asp_pkg.exe.
Microsoft Corporation - http://www.microsoft.com
1.3.30601.30705
Microsoft Windows XP Professional SP3 (EN)
[12.03.2011] Vendor is informed about the issue.
[14.03.2011] Vendor decides not to track the issue stating that it is not a security issue and that the tool is in its BETA stage.
msscasi_asp.txt
Vulnerability discovered by Gjoko Krstic - <[email protected]>
[1] http://support.microsoft.com/kb/954476
[2] http://www.microsoft.com/downloads/en/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en
[3] http://packetstormsecurity.org/files/99394
[4] http://www.exploit-db.com/exploits/16991/
[5] http://securityreason.com/exploitalert/10147
[6] http://xforce.iss.net/xforce/xfdb/66137
[7] http://www.hackerv.com/security/109.html
[16.03.2011] - Initial release
[17.03.2011] - Added reference [4] and [5]
[22.03.2011] - Added reference [6] and [7]
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: [email protected]
<html><body><p>Microsoft Source Code Analyzer for SQL Injection 1.3 Improper Permissions
Vendor: Microsoft Corp.
Product web page: http://www.microsoft.com
Affected version: 1.3.30601.30705
summary: Microsoft Source Code Analyzer for SQL Injection is a static
code analysis tool for finding SQL Injection vulnerabilities in ASP code.
Customers can run the tool on their ASP source code to help identify code
paths that are vulnerable to SQL Injection attacks.
Desc: The package suffers from an elevation of privileges vulnerability
which can be used by a simple user that can change the executable file
with a binary of choice. The vulnerability exist due to the improper
permissions, with the "C" flag (Change(write)) for the "Everyone" group,
for the binary file msscasi_asp.exe and the package itself, msscasi_asp_pkg.exe.
Tested on: Microsoft Windows XP Professional SP3 (EN)
Issue discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Advisory ID: ZSL-2011-5003
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5003.php
12.03.2011
-------------------------------------------
C:\Documents and Settings\User101\Desktop\msaspscan>dir
Volume in drive C has no label.
Volume Serial Number is 7C64-FE80
Directory of C:\Documents and Settings\User101\Desktop\msaspscan
12.03.2011 02:27 </p><dir> .
12.03.2011 02:27 <dir> ..
12.03.2011 02:27 <dir> bin
03.07.2008 15:08 119.422 license.rtf
09.07.2008 10:43 107.544 microsoft.analysis.aspparser.dll
06.11.2007 20:24 524 microsoft.vc90.crt.manifest
09.07.2008 11:51 4.738.072 msscasi_asp.exe
09.07.2008 13:04 139 msscasi_view.cmd
06.11.2007 20:23 224.768 msvcm90.dll
07.11.2007 01:19 568.832 msvcp90.dll
07.11.2007 01:19 655.872 msvcr90.dll
08.07.2008 16:31 224.405 readme.html
12.03.2011 02:27 <dir> scripts
9 File(s) 6.639.578 bytes
4 Dir(s) 16.956.391.424 bytes free
C:\Documents and Settings\User101\Desktop\msaspscan>cacls msscasi_asp.exe
C:\Documents and Settings\User101\Desktop\msaspscan\msscasi_asp.exe BUILTIN\Administrators:F
Everyone:C
LABPC\User101:F
NT AUTHORITY\SYSTEM:F
C:\Documents and Settings\User101\Desktop\msaspscan>
</dir></dir></dir></dir></body></html>