CERT-In Vulnerability Note CIVN-2008-46
Microsoft Windows SeImpersonatePrivilege Local Privilege Escalation Vulnerability
Original Issue Date:
April 19, 2008
Severity Rating:
Medium
System Affected
- Windows XP Professional Service Pack 2
- Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista and Windows Vista Service Pack 1
- Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
- Windows Server 2008 for 32-bit Systems
- Windows Server 2008 for x64-based Systems
- Windows Server 2008 for Itanium-based Systems
Overview
A vulnerability has been reported in Microsoft Windows which could allow elevation of privilege from an authenticated user to Local System. This vulnerability could be exploited by an authenticated attacker to gain additional rights on vulnerable systems.
Description
The vulnerability exists because, in some circumstances, Windows improperly allows processes that run with NetworkService or LocalService privileges to gain LocalSystem privileges. Any process with SeImpersonatePrivilege, as described in Microsoft Knowledge Base Article 821546, which loads and runs user-provided code may be affected by this vulnerability. An attacker with sufficient permissions could execute code in the context of an affected process to perform a token kidnapping attack, potentially causing the process to elevate its privileges and execute the supplied code as LocalSystem.
User-provided code running in IIS, for example ISAPI filters and extensions, and ASP.NET code running in full trust may be affected by this vulnerability. SQL Server is affected if a user is granted administrative privileges to load and run code. This privilege is not granted by default in SQL Server.
Workarounds
For IIS 6.0
- Configure the Worker Process Identity (WPI) for an application pool to use a dedicated, manually created account in IIS Manager
- Disable MSDTC
For IIS 7.0
- Specify a WPI for an application pool in IIS Manager
- Specify a WPI for an application pool using the Command Line utility
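The IIS 7.0 workarounds above amount to moving each application pool off the built-in NetworkService/LocalService identities (the accounts that hold SeImpersonatePrivilege by default) onto a dedicated account. The following PowerShell is an added example, not part of the CERT-In note or Microsoft's advisory: it audits the application pools on a host for worker processes still running under a built-in service identity and applies the "specify a WPI" workaround to a named pool. It assumes IIS 7.x with the WebAdministration module available; the pool and account names are placeholders.

```powershell
# Added example (not from the CERT-In note or Microsoft Security Advisory 951306).
# Assumes IIS 7.x and the WebAdministration PowerShell module.
Import-Module WebAdministration

# Built-in identities that hold SeImpersonatePrivilege by default; a pool
# running user-provided code under one of these is in scope for this note.
$BuiltInServiceIdentities = @('NetworkService', 'LocalService', 'LocalSystem')

function Get-RiskyAppPool {
    # Audit: list application pools whose worker process runs as one of the
    # built-in service identities rather than a dedicated account.
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $identity = [string]$_.processModel.identityType
        [pscustomobject]@{
            Name         = $_.Name
            IdentityType = $identity
            UserName     = $_.processModel.userName
            Risky        = ($BuiltInServiceIdentities -contains $identity)
        }
    } | Where-Object { $_.Risky }
}

function Set-AppPoolSpecificUser {
    # Workaround: set the Worker Process Identity of one pool to a specific
    # (least-privilege, non-service) account and recycle the pool.
    param(
        [Parameter(Mandatory)][string]$PoolName,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $plainPassword = $Credential.GetNetworkCredential().Password
    # identityType 3 is SpecificUser in the IIS processModel schema. The
    # equivalent appcmd.exe call (the "Command Line utility" in the note) is:
    #   appcmd set apppool /apppool.name:"<pool>" /processModel.identityType:SpecificUser `
    #     /processModel.userName:<user> /processModel.password:<password>
    Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
        identityType = 3
        userName     = $Credential.UserName
        password     = $plainPassword
    }
    Restart-WebAppPool -Name $PoolName
}

function Disable-Msdtc {
    # IIS 6.0 workaround listed in the note: stop and disable the MSDTC service.
    # Caveat: this breaks applications that rely on distributed transactions.
    Stop-Service -Name MSDTC -Force
    Set-Service -Name MSDTC -StartupType Disabled
}

# Usage (placeholder names): review the audit output first, then remediate.
Get-RiskyAppPool | Format-Table -AutoSize
# $cred = Get-Credential 'CONTOSO\svc_apppool'   # placeholder dedicated account
# Set-AppPoolSpecificUser -PoolName 'DefaultAppPool' -Credential $cred
```

The dedicated account should be a low-privilege local or domain user that is granted only the file-system and "Log on as a service"/IIS_IUSRS membership the site needs; the point of the workaround is that a compromise of user-provided code in that pool no longer starts from an identity that holds SeImpersonatePrivilege. Re-run the audit after any change so that newly created pools are caught.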
For detailed steps to implement the workarounds and their related impact, refer to Microsoft Security Advisory 951306.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/advisory/951306.mspx
References
FrSIRT
http://www.frsirt.com/english/advisories/2008/1264
CISCO
http://tools.cisco.com/security/center/viewAlert.x?alertId=15702
SANS
http://www.isc.sans.org/diary.html?storyid=4306
SecurityFocus
http://www.securityfocus.com/bid/28833
CVE Name
CVE-2008-1436
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003