[NT] Permissive Windows Services DACLs Allow Elevation of Privilege (MS06-011)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Permissive Windows Services DACLs Allow Elevation of Privilege (MS06-011)
------------------------------------------------------------------------


SUMMARY

A privilege elevation vulnerability exists on Windows XP Service Pack 1 on
the identified Windows services where the permissions are set by default
to a level that may allow a low-privileged user to change properties
associated with the service. On Windows 2003 permissions on the identified
services are set to a level that may allow a user that belongs to the
network configuration operators group to change properties associated with
the service. Only members of the Network Configuration Operators group on
the targeted machine can remotely attack Windows Server 2003, and this
group contains no users by default. The vulnerability could allow a user
with valid logon credentials to take complete control of the system on
Microsoft Windows XP Service Pack 1.

An attacker who successfully exploited this vulnerability could take
complete control of an affected system. An attacker could then install
programs; view, change, or delete data; or create new accounts with full
user
rights.

DETAILS

Affected Software:
Microsoft Windows XP Service Pack 1
<http://www.microsoft.com/downloads/details.aspx?FamilyId=004D4492-08A5-445E-B5CD-BCC9162CC8F9> Download the update
Microsoft Windows Server 2003
<http://www.microsoft.com/downloads/details.aspx?FamilyId=B8D2D18F-8D2A-495B-83FF-1696EC1E5EA1> Download the update
Microsoft Windows Server 2003 for Itanium-based Systems
<http://www.microsoft.com/downloads/details.aspx?FamilyId=B1AB9B42-80CD-4002-88FA-7A83AB15C2EE> Download the update

Non-Affected Software:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (ME)
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based
Systems
Microsoft Windows Server 2003 x64 Edition

Mitigating Factors for Permissive Windows Services DACLs could allow
elevation of privilege -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0023>
CVE-2006-0023:
An attacker must have valid logon credentials to be able to exploit this
vulnerability. The vulnerability could not be exploited by anonymous
users.

Four of the six services identified (NetBT, SCardSvr, DHCP, DnsCache)
require an attacker to already be running in a privileged security
context. Additionally, the two services, SSDPSRV and UPNPHost, which allow
an authenticated user to attack a vulnerable system are only vulnerable on
Windows XP Service Pack 1.

Workarounds for Vulnerability in Windows Services DACLs could result in
elevation of privilege -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0023>
CVE-2006-0023:
Microsoft has tested the following workarounds. The identified workarounds
change the default DACLs on Windows XP Service Pack 1 and on Windows
Server to the enhanced security DACLs that are used on Windows XP Service
Pack 2 and on Windows Server 2003 Service Pack 1. Therefore, these
workarounds are considered complete solutions to this issue. Because the
recommended access controls have been shipping with the latest operating
systems for some time, they are anticipated to constitute low risk.
However, any DACL change carries some risk of application incompatibility.

Use the sc.exe command to set modified access controls for the identified
services:
Note You must run the sc.exe command as a privileged user. You can run
this command by using a computer startup script or by using an SMS script.
By running this command, you increase the security of the DACLs so that
they are at the same level as Windows XP Service Pack 2 and Windows Server
2003 Service Pack 1. For more information about the sc.exe command and
about how to set DACLs for Windows services, see the following Microsoft
Product Documentation. This mitigation does not require that you restart
the computer.

For Windows XP Service Pack 1, run each of the following commands. Each
command changes the DACL on the associated affected service.

sc sdset ssdpsrv
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)
(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;LS)

sc sdset netbt
D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY) (A;;DT;;;LS)(A;;DT;;;NS)(A;;CCLCSWRPLOCRRC;;;NO)

sc sdset upnphost
D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)
(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWLOCRRC;;;LS)

sc sdset scardsvr
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;LS)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)
(A;;CCLCSWRPLOCRRC;;;S-1-2-0)

sc sdset dhcp D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)

sc sdset dnscache D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)
(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;SY)

For Windows Server 2003 ,run each of the following commands. Each command
changes the DACL on the associated affected service.

sc sdset netbt D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)
(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;DT;;;LS)(A;;DT;;;NS)
(A;;CCLCSWRPLOCRRC;;;NO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

sc sdset dhcp D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

sc sdset dnscache D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)
(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

Note For Windows Server 2003 ,NetBT, DnsCache, and DHCP are the only
identified affected services. In the Windows Server 2003 scenario, an
attack must be launched by a member of the Network Configuration Operators
group. This group is empty by default.

Impact of Workaround: None

Use Group Policy to deploy modified access controls for the identified
services:

Domain administrators can use Group Policy and the security templates to
deploy modified access controls to Windows XP Service Pack 1 systems. For
more information about how to implement security templates by using Group
Policy, see Microsoft Knowledge Base Article 816585. You do not have to
restart the computer to complete this mitigation.

For Windows XP Service Pack 1, use the following security template to
modify the Upnphost, SCardSvr, SSDPSRV, DnsCache, and DHCP services.
(delete spaces in Service General Setting string)

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
SSDPSRV,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)
(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;S-1-5-19)"
upnphost,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)
(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWLOCRRC;;;S-1-5-19)"
scardsvr,2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-19) (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA) (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549) (A;;CCLCSWRPLOCRRC;;;S-1-2-0)"
dhcp,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
dnscache,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)
(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

For Windows Server 2003,use the following security template to modify the
DnsCache and DHCP services.
(delete spaces in Service General Setting string)

[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
dhcp,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)
(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)
(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)
(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

Note For Windows XP Service Pack 1 and Windows Server 2003 ,changing the
service DACLs on the NetBT service is not supported by using the Microsoft
Group Policy Object Editor. Therefore, the NetBT service DACL change is
not included in the security template for Windows Server 2003.

Note For Windows Server 2003 ,NetBT, DHCP, and DnsCache are the only
identified affected services. In the Windows Server 2003 scenario, a
member of the Network Configuration Operators group must launch an attack.
This group is empty by default and is rarely populated.

Impact of Workaround: In addition to setting the Services DACLs the same
as those for Windows XP Service Pack 2, the security template that is
provided sets the service startup type for the affected service to its
original default configuration of Automatic. Because Windows Server 2003
the supports the ability to configure startup type settings, the startup
type is unchanged for Windows Server 2003.


Modify the Windows registry to modify access controls for each of the
identified services:

The preferred method of service modification is by using the sc.exe
command. However, you can use the following command to modify the security
DACLs of the affected services to the same level as Windows XP Service
Pack 2. Users are encouraged to back up the registry before they make any
modifications. For more information about registry scripts and about how
to modify the Windows registry, see Microsoft Knowledge Base Article
214752.

For Windows XP Service Pack 1, modify the following registry keys to
change the default Windows XP Service Pack 1 affected services

For the SSDPSRV service:

reg add HKLM\System\CurrentControlSet\Services\SSDPSRV\Security /v
Security /t REG_BINARY /d _
01001480bc000000c8000000140000003000000002001c00010
0000002801400ff010f00010100000000000100000_
00002008c000600000000001400ff010f0001010000000000051
200000000001800ff010f00010200000000000520_
0000002002000000001800fd010200010200000000000520000
0002302000000001800ff010f00010200000000000_
52000000025020000000014009d00020001010000000000050b
000000000014007000020001010000000000051300_
0000010100000000000512000000010100000000000512000000

For the NetBT service:

reg add HKLM\System\CurrentControlSet\Services\netbt\Security /v Security
/t REG_BINARY /d _
01001480e8000000f4000000140000003000000002001c000100
000002801400ff010f00010100000000000100000_
0000200b80008000000000014008d0102000101000000000005
0b000000000018009d010200010200000000000520_
0000002302000000001800ff010f000102000000000005200000
002002000000001800ff010f00010200000000000_
5200000002502000000001400fd010200010100000000000512
000000000014004000000001010000000000051300_
000000001400400000000101000000000005140000000000180
09d0102000102000000000005200000002c0200000_
10100000000000512000000010100000000000512000000

For the UPnPHost service:

reg add HKLM\System\CurrentControlSet\Services\upnphost\Security /v
Security /t REG_BINARY /d _
01001480bc000000c8000000140000003000000002001c00010
0000002801400ff010f00010100000000000100000_
00002008c000600000000001400ff010f0001010000000000051
200000000001800ff010f00010200000000000520_
0000002002000000001800fd010200010200000000000520000
0002302000000001800ff010f00010200000000000_
52000000025020000000014009d00020001010000000000050b
000000000014008f01020001010000000000051300_
0000010100000000000512000000010100000000000512000000

For the ScardSvr service:

reg add HKLM\System\CurrentControlSet\Services\scardsvr\Security /v
Security /t REG_BINARY /d _
01001480a4000000b0000000140000003000000002001c00010
0000002801400ff010f00010100000000000100000_
000020074000500000000001400fd0102000101000000000005
1200000000001400fd010200010100000000000513_
00000000001800ff010f000102000000000005200000002002000
000001800ff010f0001020000000000052000000_
025020000000014009d010200010100000000000200000000010
10000000000051200000001010000000000051200_
0000

For the DHCP service:

reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dhcp\security
/v Security /t REG_BINARY /d _
01001480900000009C000000140000003000000002001C00010
000002801400FF010F00010100000000000100000000020060000_
4000000000014008D01020001010000000000050B0000000000
1800FD010200012000000000005200000002C02000000001800FF_
010F00010200000000005200000002002000000001400FD01020
0010100000000000512000000101000000000005120000000101_
00000000000512000000

For the DnsCache service:

reg add
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dnscache\security /v
Security /t REG_BINARY /d_
01001480A8000000B4000000140000003000000002001C0001
0000002801400FF010F00010100000000000100000000020078000500_
0000000014008D01020001010000000000050B00000000001
8009D010200012000000000005200000002302000000001800FD010200_
010200000000005200000002C02000000001800FF010F000102
000000000005200000002002000000001400FD010200010100000000_
00051200000001010000000000512000000010100000000000 512000000

For Windows Server 2003 ,modify the following registry keys to change the
default Windows Server 2003 affected service:

For the NetBT service:

reg add HKLM\System\CurrentControlSet\Services\netbt\Security /v Security
/t REG_BINARY /d _
01001480e8000000f4000000140000003000000002001c00010
0000002801400ff010f00010100000000000100000_
0000200b80008000000000014008d010200010100000000000
50b000000000018009d010200010200000000000520_
0000002302000000001800ff010f00010200000000000520000
0002002000000001800ff010f00010200000000000_
5200000002502000000001400fd01020001010000000000051
2000000000014004000000001010000000000051300_
00000000140040000000010100000000000514000000000018
009d0102000102000000000005200000002c0200000_
10100000000000512000000010100000000000512000000

For the DHCP service:

reg add HKLM\System\CurrentControlSet\Services\dhcp\Security /v Security
/t REG_BINARY /d _
01001480900000009C000000140000003000000002001C0001
0000002801400FF010F000101000000000001000_
000000200600004000000000014008D0102000101000000000
0050B00000000001800FD0102000020000000000_
05200000002C02000000001800FF010F0001020000000000052
00000002002000000001400FD01020001010000_
00000005120000001010000000000051200000001010000000 0000512000000

For the DnsCache service:

reg add HKLM\System\CurrentControlSet\Services\dnscache\Security /v
Security /t REG_BINARY /d _
01001480900000009C000000140000003000000002001C00010
000002801400FF010F000101000000000001000_
000000200600004000000000014008D01020001010000000000
050B00000000001800FD0102000020000000000_
05200000002C02000000001800FF010F00010200000000000520
0000002002000000001400FD01020001010000_
000000051200000010100000000000512000000010100000000 000512000000

Note For these registry key values, the _ character and a carriage
return have been inserted for readability. Remove this character and this
carriage return in order to execute the command correctly.

Impact of Workaround: In addition to setting the services DACLs the same
as those for Windows Server 2003 Service Pack 1 and Windows XP Service
Pack 2, you do not have to restart the computer to complete this
mitigation.

FAQ for Permissive Windows Services DACLs could allow elevation of
privilege -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0023>
CVE-2006-0023:
What is the scope of this vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system. An attacker could change the default binary that is associated
with the affected services. Then an attacker could stop and restart the
services to run a malicious program or binary. An attacker could then
install programs; view, change, or delete data; or create new accounts
with full user rights.

What causes the vulnerability?
On Windows XP Service Pack 1, permissions on the identified Windows
services are set by default to a level that may allow a low-privileged
user to change properties that are associated with the service. On Windows
Server 2003, permissions on the identified services are set to a level
that may allow a user who belongs to the Network Configuration Operators
group to change properties that are associated with the service.

What might an attacker use the vulnerability to do?
By changing the default associated program that is set to run by an
identified service, a low-privileged user may be able run commands or
executables that would normally require higher privileged access.

Who could exploit the vulnerability?
To try to exploit the vulnerability, an attacker must have valid logon
credentials to the affected system.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first need valid logon
credentials to the affected system. An attacker could then access the
affected component and run a standard application that could exploit the
vulnerability and gain complete control over the affected system.

What systems are primarily at risk from the vulnerability?
Workstations and servers are both at risk from this vulnerability.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition
critically affected by this vulnerability?
No. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition
do not contain the affected components.

Is Windows 2000 affected by this vulnerability?
Scenarios have been identified that involve members of the Power User
administrative group, but such users should be considered trusted users
who have extensive privileges and the ability to change computer-wide
settings. For more information about rights that are associated with the
Power Users administrative group, see
<http://support.microsoft.com/kb/825069> Microsoft Knowledge Base Article
825069. Windows 2000 may become vulnerable if third-party application code
is installed that adds services that have overly-permissive access
controls.

How do I determine if a third party application is affected?
Users are encouraged to contact their third-party software vendors whose
products require services installation to determine if any non-default
Windows services are affected. Software developers are encouraged to visit
Microsoft Knowledge Base Article 914392 for additional information and
best practices on how to apply secure access controls to services.

Could the vulnerability be exploited over the Internet?
No. An attacker must have valid logon credentials to the specific system
that is targeted for attack.

What does the update do?
The update changes the default DACLs on Windows XP Service Pack 1 and on
Windows Server to the enhanced security DACLs that are used on Windows XP
Service Pack 2 and Windows Server 2003 Service Pack 1.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned
Common Vulnerability and Exposure number
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0023>
CVE-2006-0023.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published
publicly but had not received any information to indicate that this
vulnerability had been publicly used to attack customers when this
security bulletin was originally issued.


ADDITIONAL INFORMATION

The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS06-011.mspx>
http://www.microsoft.com/technet/security/Bulletin/MS06-011.mspx



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages