Microsoft Windows UPnP/NetBT/SCardSvr/SSDP Services May Be Incorrectly Configured By 3rd Party Applications, Allowing Local Users to Gain Elevated Privileges
SecurityTracker Alert ID: 1015595 |
SecurityTracker URL: http://securitytracker.com/id/1015595
CVE Reference:
CVE-2006-0023
Date: Feb 7 2006
Impact:
Root access via local system, User access via local system
Vendor Confirmed: Yes Exploit Included: Yes
Version(s): Windows XP SP1, Windows Server 2003
Description:
A vulnerability was reported in Microsoft Windows in the way several services are configured by third-party applications. A local user can gain elevated privileges.
Some third-party applications may configure overly permissive access controls on certain Windows services. A local user granted such rights may be able to change properties of the service, such as the executable the service is configured to run. Because the service runs with the privileges of its own account, a local user may then be able to run commands or executables with elevated privileges.
The UPnP, NetBT, SCardSvr, and SSDP services are affected.
The vendor indicates that Windows XP SP2 and Windows Server 2003 SP 1 are not affected.
The original advisory is available at:
http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
Sudhakar Govindavajhala and Andrew Appel reported this vulnerability.
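The misconfiguration described above is visible in each service's security descriptor. The following audit helper is an added example and not part of the advisory or the authors' scanner: it parses the SDDL string that `sc.exe sdshow <service>` prints and flags allow ACEs that grant a low-privileged well-known principal (Everyone, Authenticated Users, Users, Interactive, Anonymous) rights that let it reconfigure or take over the service. The sample SDDL strings below are constructed for illustration.

```python
import re
import subprocess

# SDDL rights codes that let a principal reconfigure or take over a service.
DANGEROUS_RIGHTS = {"DC": "SERVICE_CHANGE_CONFIG", "WD": "WRITE_DAC",
                    "WO": "WRITE_OWNER", "GA": "GENERIC_ALL", "GW": "GENERIC_WRITE"}
# Well-known SID aliases that any local, non-administrative user can hold.
LOW_PRIV_SIDS = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
                 "IU": "Interactive", "AN": "Anonymous"}

# One ACE: (type;flags;rights;object_guid;inherit_object_guid;account_sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

# Constructed samples: a default-style service DACL and a weakened one that
# grants SERVICE_CHANGE_CONFIG (DC) to Authenticated Users.
HARDENED_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                 "(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)")
WEAK_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
             "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)")

def parse_dacl(sddl):
    """Return (ace_type, set_of_rights_codes, sid) for each ACE in the D: part."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]   # drop owner/group and SACL
    aces = []
    for ace_type, _flags, rights, _g1, _g2, sid in ACE_RE.findall(dacl):
        if rights.startswith("0x"):      # raw hex mask: not decoded here
            codes = set()
        else:                            # rights are a run of two-letter codes
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append((ace_type, codes, sid))
    return aces

def find_weak_aces(sddl):
    """List (principal, [right names]) for allow ACEs giving low-priv SIDs control."""
    findings = []
    for ace_type, codes, sid in parse_dacl(sddl):
        if ace_type != "A" or sid not in LOW_PRIV_SIDS:
            continue
        hits = sorted(DANGEROUS_RIGHTS[c] for c in codes & DANGEROUS_RIGHTS.keys())
        if hits:
            findings.append((LOW_PRIV_SIDS[sid], hits))
    return findings

def audit_service(name):
    """On Windows, read the live descriptor with sc.exe and audit it."""
    out = subprocess.run(["sc.exe", "sdshow", name], capture_output=True, text=True)
    return find_weak_aces(out.stdout.strip())
```

Running `audit_service("SSDPSRV")` on a Windows host returns an empty list when the DACL gives no low-privileged principal change-config or ownership rights; any finding names the principal and the rights to remove.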
Impact:
A local user may be able to obtain administrative privileges.
Solution:
The vendor indicates that Windows XP SP2 and Windows Server 2003 SP 1 are not vulnerable.
The vendor's advisory is available at:
http://www.microsoft.com/technet/security/advisory/914457.mspx
Vendor URL: www.microsoft.com/technet/security/advisory/914457.mspx
Cause:
Access control error, Configuration error
Underlying OS:
Message History:
None.
Source Message Contents
Date: Tue, 31 Jan 2006 23:08:18 +0000
Subject: Windows Access Control Demystified
Hello everybody,
We have constructed a logical model of Windows XP access control, in a declarative but executable (Datalog) format. We have built a scanner that reads access-control configuration information from the Windows registry, file system, and service control manager database, and feeds raw configuration data to the model. Therefore we can reason about such things as the existence of privilege-escalation attacks, and indeed we have found several user-to-administrator vulnerabilities caused by misconfigurations of the access-control lists of commercial software from several major vendors. We propose tools such as ours as a vehicle for software developers and system administrators to model and debug the complex interactions of access control on installations under Windows.
The full version of the paper can be found at:
http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
All the vendors and CERT are aware of this paper. The bugs are *not* remotely exploitable. The CERT id is VU#953860.
regards,
Sudhakar Govindavajhala and Andrew Appel.
Bio:
Sudhakar Govindavajhala is a finishing PhD student at the Computer Science Department, Princeton University. His interests are computer security, operating systems and networks. Sudhakar is looking for employment opportunities.
Andrew Appel is a Professor of Computer Science at Princeton University. He is currently on sabbatical at INRIA Rocquencourt. His interests are computer security, compilers, programming languages, type theory, and functional programming.