[NT] Vulnerability in Windows Shell Allows Elevation of Privilege (MS07-006)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Vulnerability in Windows Shell Allows Elevation of Privilege (MS07-006)
------------------------------------------------------------------------


SUMMARY

A privilege elevation vulnerability exists in Windows Shell in the way
that the operating system performs detection and registration of new
hardware. This vulnerability could allow an authenticated user to take
complete control of the system.

DETAILS

Affected Software:
* Microsoft Windows XP Service Pack 2 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=f821b3a0-4e5a-4737-b9bf-1249f6683f4d> Download the update
* Microsoft Windows XP Professional x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=75abff9b-c2b5-4151-b366-4be652882944> Download the update
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1 -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=418acc52-0ebd-4623-81a7-5eacc21c3965> Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=dc33a2fc-2d01-4577-b133-017493d1f278> Download the update
* Microsoft Windows Server 2003 x64 Edition -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=c3e55066-b34e-485d-ac04-179f8e3a407a> Download the update

Non-Affected Software:
* Microsoft Windows 2000 Service Pack 4
* Microsoft Windows Vista

Mitigating Factors for Windows Shell Hardware Detection Vulnerability -
CVE-2007-0211:
* An attacker must have valid logon credentials to exploit this
vulnerability. The vulnerability could not be exploited by anonymous
users.

* On Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1 an
attacker would have to have Administrator privileges in order to exploit
the vulnerability remotely.

Workarounds for Windows Shell Hardware Detection Vulnerability -
CVE-2007-0211:
Microsoft has tested the following workarounds. Although these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

* Disable the Shell Hardware Detection service

Disabling the Shell Hardware Detection service will help protect the
affected system from attempts to exploit this vulnerability. To disable
the Shell Hardware Detection service, follow these steps:

1. Click Start, and then click Control Panel. Alternatively, point to
Settings, and then click Control Panel.
2. Double-click Administrative Tools.
3. Double-click Services.
4. Double-click Shell Hardware Detection service.
5. In the Startup type list, click Disabled.
6. Click Stop, and then click OK.

You can also stop and disable the Shell Hardware Detection service by
using the following command at the command prompt:
sc stop ShellHWDetection & sc config ShellHWDetection start= disabled

Impact of Workaround: If you disable the Shell Hardware Detection service,
you may not be able to utilize Fast User switching capabilities.
Therefore, we recommend this workaround only on systems that do not
require communication with digital imaging devices.

FAQ for Windows Shell Hardware Detection Vulnerability - CVE-2007-0211:
What is the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system. An attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights. To attempt to exploit
the vulnerability, an attacker must have valid logon credentials to the
system and run a program.

What is the Shell Hardware Detection service?
The Shell Hardware Detection service provides notifications for AutoPlay
hardware events.

What causes the vulnerability?
A function parameter in the hardware initialization and detection
capabilities of Microsoft Windows was not validated.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system.

Who could exploit the vulnerability?
To exploit the vulnerability, an attacker must have valid logon
credentials to the system and run a program.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first have to
authenticate to the system and execute a specially crafted application. An
attacker could then force the affected system to perform a hardware
detection and initialization event. The request could be issued locally or
through a terminal services session by calling a specially crafted
application, hardware device, or storage volume that could exploit the
vulnerability and gain complete control over the affected system.

What systems are primarily at risk from the vulnerability?
Workstations and terminal servers are primarily at risk. Servers could be
at more risk if administrators allow users to log on to servers and to run
programs. However, best practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to log on to the specific system that is
targeted for attack. An unauthenticated attacker cannot load and run a
program remotely by using this vulnerability.

What does the update do?
The update removes the vulnerability by validating the parameter of the
affected function.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure. Microsoft had not received any information to
indicate that this vulnerability had been publicly disclosed when this
security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.

How does this vulnerability relate to the vulnerability that is corrected
by MS06-045?
While both vulnerabilities were in Windows Shell, this update addresses a
new vulnerability that was not addressed as part of MS06-045. MS06-045
helps protect against the vulnerability that is discussed in that
bulletin, but does not address this new vulnerability. This update does
replace MS06-045. You must install this update to help protect your system
against both vulnerabilities.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Security Bulletin MS07-006.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms07-006.mspx>
http://www.microsoft.com/technet/security/bulletin/ms07-006.mspx



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages