

   VULNERABILITY NOTE

 

CERT-In Vulnerability Note CIVN-2009-50
Microsoft Windows Multiple Privilege Escalation Vulnerabilities

Original Issue Date: April 15, 2009

Severity Rating: High

Systems Affected

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows XP Service Pack 2 and Windows XP Service Pack 3
  • Microsoft Windows XP Professional x64 Edition and with Service Pack 2
  • Microsoft Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  • Microsoft Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition SP 2
  • Microsoft Windows Server 2003 with SP1 and SP2 for Itanium-based Systems
  • Microsoft Windows Vista and Windows Vista Service Pack 1
  • Microsoft Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Microsoft Windows Server 2008 for 32-bit Systems
  • Microsoft Windows Server 2008 for x64-based Systems
  • Microsoft Windows Server 2008 for Itanium-based Systems

Overview

Multiple vulnerabilities have been reported in the Microsoft Windows MSDTC service, WMI service, RPCSS service and access control list (ACL) handling. They could be exploited by a local attacker to take control of the affected system in the context of the logged-in user.

The Microsoft Distributed Transaction Coordinator (MSDTC) is a distributed transaction facility for Microsoft Windows platforms. MSDTC uses proven transaction processing technology. It is robust despite system failures, process failures, and communication failures; it exploits loosely coupled systems to provide scalable performance; and it is easy to install, configure, and manage.

The NetworkService account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and acts as the computer on the network. A service that runs in the context of the NetworkService account presents the computer's credentials to remote servers.

The LocalService account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network.

Description

1. Windows MS DTC Service Isolation Vulnerability
    (CVE-2008-1436, CIVN-2008-46)

This vulnerability exists in the Microsoft Distributed Transaction Coordinator (MS DTC) transaction service in Microsoft Windows. MS DTC leaves a NetworkService token that can be impersonated by any process that calls into it. This vulnerability allows a process that is not running under the NetworkService account, but that has the SeImpersonatePrivilege, to elevate its privileges to NetworkService and execute code with NetworkService privileges.

Note: An exploit for this vulnerability is publicly available on the Internet.


2. Windows WMI Service Isolation Vulnerability
    (CVE-2009-0078)

Windows Management Instrumentation ( WMI ) is the primary management technology for Microsoft Windows operating systems. It enables consistent and uniform management, control, and monitoring of systems throughout your enterprise.

This vulnerability exists because the Microsoft Windows Management Instrumentation (WMI) provider improperly isolates processes that run under the NetworkService or LocalService accounts. Two separate processes running under the same account have full access to each other's resources, such as file handles, registry keys, other handles, and so on. The WMI provider host process holds SYSTEM tokens in certain scenarios. An attacker who successfully gains access to a computer in the context of the NetworkService or LocalService account can execute arbitrary code to probe the WMI provider host processes for SYSTEM tokens. Once a SYSTEM token is found, the attacker can use it to gain SYSTEM-level privileges.

3. Windows RPCSS Service Isolation Vulnerability
    (CVE-2009-0079)

Remote Procedure Call (RPC) is a protocol that a program can use to request a service from a program located on another computer in a network. RPC helps with interoperability because the program using RPC does not have to understand the network protocols that are supporting communication. In RPC, the requesting program is the client and the service-providing program is the server.

This vulnerability exists because the Microsoft Windows RPCSS service improperly isolates processes that run under the NetworkService or LocalService accounts.

4. Windows Thread Pool ACL Weakness Vulnerability
    (CVE-2009-0080)

The Windows ThreadPool class provides a pool of threads that can be used to post work items, process asynchronous I/O, wait on behalf of other threads, and process timers. Thread pooling enables applications to use threads more efficiently by providing them with a pool of worker threads that are managed by the system. One thread monitors the status of several wait operations queued to the thread pool. When a wait operation completes, a worker thread from the thread pool executes the corresponding callback function.

An access control list (ACL) is a list of security protections that applies to an object. An object can be a file, process, event, or anything else having a security descriptor. An entry in an ACL is an access control entry (ACE). There are two types of access control list, discretionary and system.

This vulnerability exists because Microsoft Windows places incorrect access control lists (ACLs) on threads in the current ThreadPool.

An attacker could exploit these vulnerabilities by executing specially crafted code in the context of the NetworkService or LocalService account and thereby gain access to resources in other processes that are also running as NetworkService or LocalService. An attacker who successfully exploited these vulnerabilities could execute arbitrary code and take complete control of an affected system.

Workarounds

  • For IIS 6.0
    Configure a Worker Process Identity (WPI) for an application pool in IIS Manager to use a created account, and disable MSDTC
    (Microsoft Knowledge Base Article 871179)
  • For IIS 7.0
    Specify a WPI for an application pool in IIS Manager, or
    Specify a WPI for an application pool using the command-line utility APPCMD.exe
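The workaround above reduces exposure by taking IIS worker processes out of the shared NetworkService identity, so that web application code no longer shares a security context with the MSDTC, WMI and RPCSS services described earlier. The following PowerShell script is an added example, not part of this CERT-In note or of Microsoft's own documentation: it applies a dedicated worker process identity to an IIS 7.0 application pool with APPCMD.exe and then checks the result. The pool name, the account name and the password prompt are placeholders; the script assumes the account has already been created as a low-privilege local user, and that `appcmd list apppool <name> /text:<attribute>` prints only that attribute's value.

```powershell
# Added example (not from the CERT-In note): set a dedicated worker process
# identity (WPI) for an IIS 7.0 application pool and verify that it no longer
# runs as NetworkService or LocalService.
# Placeholders (assumptions): $PoolName, $AccountName, and the password prompt.

$AppCmd      = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$PoolName    = 'DefaultAppPool'        # placeholder: pool to reconfigure
$AccountName = 'IIS_DefaultPool_Svc'   # placeholder: pre-created low-privilege local account

if (-not (Test-Path $AppCmd)) {
    throw "APPCMD.exe not found; it ships with IIS 7.0 (on IIS 6.0 use IIS Manager, see KB 871179)."
}

# Prompt for the password so it is not stored in the script or in shell history.
$Secure = Read-Host -AsSecureString -Prompt "Password for $AccountName"
$Bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
try {
    $Plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($Bstr)
} finally {
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)
}

# Configure the pool to run under the specific account instead of NetworkService.
& $AppCmd set apppool "/apppool.name:$PoolName" `
    /processModel.identityType:SpecificUser `
    "/processModel.userName:$AccountName" `
    "/processModel.password:$Plain"
if ($LASTEXITCODE -ne 0) { throw "appcmd set apppool failed with exit code $LASTEXITCODE" }
$Plain = $null

# Verify: the pool must not be left on one of the shared service identities.
$Identity = (& $AppCmd list apppool $PoolName /text:processModel.identityType)
$Identity = "$Identity".Trim()
if (@('NetworkService', 'LocalService') -contains $Identity) {
    Write-Warning "$PoolName still runs as $Identity; the service isolation weakness still applies to it."
} else {
    Write-Host "$PoolName now runs with identityType=$Identity"
}

# IIS 6.0 hosts (Windows Server 2003): the note's workaround additionally disables
# MSDTC. Uncomment only where no application depends on distributed transactions.
# Set-Service -Name MSDTC -StartupType Disabled
# Stop-Service -Name MSDTC -Force
```

Run the script in an elevated PowerShell session on the IIS host; the `-contains` check is used instead of the newer `-in` operator so that the script also works on the PowerShell versions shipped with Windows Server 2008. Using one dedicated account per application pool, rather than one shared account for all pools, keeps the same isolation benefit between pools.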

Solution

Apply the appropriate patches as described in Microsoft Security Bulletin MS09-012:
http://support.microsoft.com/kb/959454

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/Bulletin/ms09-012.mspx
http://support.microsoft.com/kb/959454

References

Argeniss
http://www.argeniss.com/index.html

Microsoft
http://www.microsoft.com/technet/security/Bulletin/ms09-012.mspx
http://support.microsoft.com/kb/959454

VUPEN
http://www.frsirt.com/english/advisories/2008/1264/references

Secunia
http://secunia.com/advisories/29867

SecurityFocus
http://www.securityfocus.com/bid/34015

SecurityTracker
http://www.securitytracker.com/id?1019904

x-Force
http://xforce.iss.net/xforce/xfdb/41880

CVE Names
CVE-2008-1436
CVE-2009-0078
CVE-2009-0079
CVE-2009-0080


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003