Microsoft Windows UPnP/NetBT/SCardSvr/SSDP Services May Be Incorrectly Configured By 3rd Party Applications, Allowing Local Users to Gain Elevated Privileges
SecurityTracker Alert ID: 1015595
SecurityTracker URL: http://securitytracker.com/id?1015595
CVE Reference: CVE-2006-0023
Date: Feb 7 2006
Impact: Root access via local system, User access via local system
Exploit Included: Yes
Vendor Confirmed: Yes
Advisory: Microsoft Security Advisory
Version(s): Windows XP SP1, Windows Server 2003
Description: A vulnerability was reported in Microsoft Windows in the access control configuration of several services. A local user can gain elevated privileges.
Some third party applications may configure overly permissive access control lists on certain Windows services. A local user granted change-configuration access (SERVICE_CHANGE_CONFIG) on such a service can modify its properties, including the path of the program the service runs. When the service next starts, the substituted program runs with the service's elevated privileges, so a local user may be able to run arbitrary commands or executables with those privileges.
The UPnP, NetBT, SCardSvr, and SSDP services are affected.
The vendor indicates that Windows XP SP2 and Windows Server 2003 SP1 are not affected.
The original advisory is available at:
http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
Sudhakar Govindavajhala and Andrew Appel reported this vulnerability.
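As an added example (not part of the SecurityTracker alert or of the Princeton paper), the following Python script checks for the misconfiguration the description refers to. It parses the SDDL security descriptor that "sc sdshow <service name>" prints for a Windows service and reports every access-allowed ACE that grants SERVICE_CHANGE_CONFIG, WRITE_DAC, WRITE_OWNER or a generic right containing them to a broad principal such as Everyone, Authenticated Users, BUILTIN\Users or Interactive. The two descriptors embedded in the script are constructed samples, not the descriptors actually shipped on Windows XP SP1: the first has the shape of a typical default service DACL, the second adds one Authenticated Users ACE carrying SERVICE_CHANGE_CONFIG.

```python
"""Audit a Windows service DACL for rights that let ordinary users
reconfigure the service (added example, not code from the advisory).

Input is the SDDL string printed by `sc sdshow <service>`.  An access-allowed
ACE that gives a broad principal SERVICE_CHANGE_CONFIG (or WRITE_DAC /
WRITE_OWNER / a generic right containing it) lets a local user change the
program the service runs, which is the misconfiguration this alert describes.
"""
import re

# SDDL two-letter access codes as interpreted for *service* objects, with the
# bit each stands for.  The object-specific codes (CC, DC, LC, ...) mean other
# things for files or registry keys; for services DC is SERVICE_CHANGE_CONFIG.
RIGHT_BITS = {
    "CC": 0x00000001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00000002,  # SERVICE_CHANGE_CONFIG
    "LC": 0x00000004,  # SERVICE_QUERY_STATUS
    "SW": 0x00000008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00000010,  # SERVICE_START
    "WP": 0x00000020,  # SERVICE_STOP
    "DT": 0x00000040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00000080,  # SERVICE_INTERROGATE
    "CR": 0x00000100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x00010000,  # DELETE
    "RC": 0x00020000,  # READ_CONTROL
    "WD": 0x00040000,  # WRITE_DAC
    "WO": 0x00080000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GX": 0x20000000,  # GENERIC_EXECUTE
    "GW": 0x40000000,  # GENERIC_WRITE (includes SERVICE_CHANGE_CONFIG)
    "GR": 0x80000000,  # GENERIC_READ
}
# Rights that let the holder change what the service runs, either directly
# (DC, GW, GA) or by first rewriting the DACL to grant themselves DC (WD, WO).
RIGHT_NAMES = {
    "DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE",
}
DANGEROUS = set(RIGHT_NAMES)

# Well-known SID abbreviations (and raw SIDs) that amount to "any local user".
BROAD_PRINCIPALS = {
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "BU": "BUILTIN\\Users", "S-1-5-32-545": "BUILTIN\\Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
    "AN": "Anonymous", "S-1-5-7": "Anonymous",
}


def decode_rights(rights):
    """Return the set of two-letter codes in an ACE rights field.

    The field is either a run of codes ("CCDCLCSW...") or a hex mask
    ("0x20002"); the mask form is decoded bit by bit against RIGHT_BITS.
    """
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {code for code, bit in RIGHT_BITS.items() if mask & bit}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl):
    """Return (ace_type, rights_set, sid) for each ACE in the D: component."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:       # malformed ACE: skip rather than guess
            continue
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        aces.append((ace_type, decode_rights(rights), sid))
    return aces


def risky_aces(sddl):
    """List (principal, [right names]) for allow ACEs that let a broad
    principal reconfigure the service.  Deny ACEs are ignored, so the check
    can over-report but never hides a grant."""
    findings = []
    for ace_type, rights, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in BROAD_PRINCIPALS:
            continue
        bad = sorted(rights & DANGEROUS)
        if bad:
            findings.append((BROAD_PRINCIPALS[sid], [RIGHT_NAMES[c] for c in bad]))
    return findings


# Constructed samples (not the descriptors shipped on XP SP1).  SAFE_SDDL has
# the shape of a typical default service DACL: Administrators hold full
# control, SYSTEM can start, stop and query, Interactive and Service logons
# can only query.
SAFE_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCLCSWLOCRRC;;;IU)"
             "(A;;CCLCSWLOCRRC;;;SU)")
# WEAK_SDDL adds one ACE giving Authenticated Users SYSTEM's rights plus DC:
# the pattern this alert describes.
WEAK_SDDL = SAFE_SDDL + "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"

if __name__ == "__main__":
    for name, sddl in (("default-style", SAFE_SDDL), ("permissive", WEAK_SDDL)):
        hits = risky_aces(sddl)
        if hits:
            for principal, names in hits:
                print(f"{name}: {principal} holds {', '.join(names)}")
        else:
            print(f"{name}: no broad principal can reconfigure the service")
```

To use it on a real host, pass the string printed by "sc sdshow SSDPSRV" (and likewise upnphost, NetBT and SCardSvr) to risky_aces(). The check is not specific to the four services named in this alert: any service whose DACL grants these rights to ordinary users can have its program path changed by them, which is also the pattern the Princeton paper reports in third-party software.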
Impact: A local user may be able to obtain administrative privileges.
Solution: The vendor indicates that Windows XP SP2 and Windows Server 2003 SP1 are not vulnerable.
On systems that cannot be moved to those service packs, the access control list of each affected service can be reviewed with "sc sdshow <service name>" and, where it grants change-configuration access to ordinary users, tightened with "sc sdset".
The vendor's advisory is available at:
http://www.microsoft.com/technet/security/advisory/914457.mspx
Vendor URL: www.microsoft.com/technet/security/advisory/914457.mspx
Cause: Access control error, Configuration error
Underlying OS: Windows (2003), Windows (XP)
Reported By: sudhakar+bugtraq@cs.princeton.edu
Message History:
None.
Source Message Contents
Date: Tue, 31 Jan 2006 23:08:18 +0000
From: sudhakar+bugtraq@cs.princeton.edu
Subject: Windows Access Control Demystified
Hello everybody,
We have constructed a logical model of Windows XP access control, in a declarative but executable (Datalog) format. We have built a scanner that reads access-control configuration information from the Windows registry, file system, and service control manager database, and feeds raw configuration data to the model. Therefore we can reason about such things as the existence of privilege-escalation attacks, and indeed we have found several user-to-administrator vulnerabilities caused by misconfigurations of the access-control lists of commercial software from several major vendors. We propose tools such as ours as a vehicle for software developers and system administrators to model and debug the complex interactions of access control on installations under Windows.
The full version of the paper can be found at:
http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
All the vendors and CERT are aware of this paper. The bugs are *not* remotely exploitable. The CERT id is VU#953860.
regards,
Sudhakar Govindavajhala and Andrew Appel.
Bio:
Sudhakar Govindavajhala is a finishing PhD student in the Computer Science department at Princeton University. His interests are computer security, operating systems and networks. Sudhakar is looking for employment opportunities.
Andrew Appel is a Professor of Computer Science at Princeton University. He is currently on sabbatical at INRIA Rocquencourt. His interests are computer security, compilers, programming languages, type theory, and functional programming.