Credit:
The original article can be found at: http://www.microsoft.com/technet/security/Bulletin/MS06-011.mspx
Affected Software:
Microsoft Windows XP Service Pack 1 Download the update
Microsoft Windows Server 2003 Download the update
Microsoft Windows Server 2003 for Itanium-based Systems Download the update
Non-Affected Software:
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
Microsoft Windows XP Service Pack 2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 Service Pack 1
Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
Microsoft Windows Server 2003 x64 Edition
Mitigating Factors for Permissive Windows Services DACLs could allow elevation of privilege - CVE-2006-0023:
An attacker must have valid logon credentials to be able to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
Four of the six services identified (NetBT, SCardSvr, DHCP, DnsCache) require an attacker to already be running in a privileged security context. Additionally, the two services, SSDPSRV and UPNPHost, which allow an authenticated user to attack a vulnerable system are only vulnerable on Windows XP Service Pack 1.
Workarounds for Vulnerability in Windows Services DACLs could result in elevation of privilege - CVE-2006-0023:
Microsoft has tested the following workarounds. The identified workarounds change the default DACLs on Windows XP Service Pack 1 and on Windows Server 2003 to the enhanced security DACLs that are used on Windows XP Service Pack 2 and on Windows Server 2003 Service Pack 1. Therefore, these workarounds are considered complete solutions to this issue. Because the recommended access controls have been shipping with the latest operating systems for some time, they are anticipated to constitute low risk. However, any DACL change carries some risk of application incompatibility.
Use the sc.exe command to set modified access controls for the identified services:
Note You must run the sc.exe command as a privileged user. You can run this command by using a computer startup script or by using an SMS script. By running this command, you increase the security of the DACLs so that they are at the same level as Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. For more information about the sc.exe command and about how to set DACLs for Windows services, see the following Microsoft Product Documentation. This mitigation does not require that you restart the computer.
For Windows XP Service Pack 1, run each of the following commands. Each command changes the DACL on the associated affected service.
sc sdset ssdpsrv D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;LS)
sc sdset netbt D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;DT;;;LS)(A;;DT;;;NS)(A;;CCLCSWRPLOCRRC;;;NO)
sc sdset upnphost D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWLOCRRC;;;LS)
sc sdset scardsvr D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;LS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLOCRRC;;;S-1-2-0)
sc sdset dhcp D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
sc sdset dnscache D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)
For Windows Server 2003, run each of the following commands. Each command changes the DACL on the associated affected service.
sc sdset netbt D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;DT;;;LS)(A;;DT;;;NS)(A;;CCLCSWRPLOCRRC;;;NO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
sc sdset dhcp D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
sc sdset dnscache D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
Note For Windows Server 2003, NetBT, DnsCache, and DHCP are the only identified affected services. In the Windows Server 2003 scenario, an attack must be launched by a member of the Network Configuration Operators group. This group is empty by default.
Impact of Workaround: None
Use Group Policy to deploy modified access controls for the identified services:
Domain administrators can use Group Policy and the security templates to deploy modified access controls to Windows XP Service Pack 1 systems. For more information about how to implement security templates by using Group Policy, see Microsoft Knowledge Base Article 816585. You do not have to restart the computer to complete this mitigation.
For Windows XP Service Pack 1, use the following security template to modify the Upnphost, SCardSvr, SSDPSRV, DnsCache, and DHCP services.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
SSDPSRV,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;S-1-5-19)"
upnphost,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWLOCRRC;;;S-1-5-19)"
scardsvr,2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-19)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLOCRRC;;;S-1-2-0)"
dhcp,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
dnscache,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
For Windows Server 2003, use the following security template to modify the DnsCache and DHCP services.
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
dhcp,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
Note For Windows XP Service Pack 1 and Windows Server 2003, changing the service DACLs on the NetBT service is not supported by using the Microsoft Group Policy Object Editor. Therefore, the NetBT service DACL change is not included in the security template for Windows Server 2003.
Note For Windows Server 2003, NetBT, DHCP, and DnsCache are the only identified affected services. In the Windows Server 2003 scenario, a member of the Network Configuration Operators group must launch an attack. This group is empty by default and is rarely populated.
Impact of Workaround: In addition to setting the service DACLs the same as those for Windows XP Service Pack 2, the security template that is provided sets the service startup type for each affected service to its original default configuration of Automatic. Because Windows Server 2003 supports the ability to configure startup type settings, the startup type is left unchanged for Windows Server 2003.
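The sc sdset commands and the security templates above both express the hardened service DACLs in SDDL. The following Python script is an added example, not part of the bulletin and not a Microsoft tool: it parses either form and reports any allow-ACE that grants Authenticated Users, Everyone, Power Users or Network Configuration Operators a right that lets them rewrite the service definition (DC) or take over its ACL (SD, WD, WO), which is the condition the bulletin describes. The letter-to-right mapping is the documented one for service objects; the LOW_PRIV set, the sample template and its "examplesvc" entry are this example's own assumptions.

```python
"""Audit service DACLs given as SDDL (the form sc sdshow prints and sc sdset accepts)
for rights that let a non-administrator rewrite the service definition.
Added example for this page, not Microsoft's code."""
import csv
import io
import re

# SDDL access-right codes as they apply to service objects (sc sdshow / sc sdset).
RIGHT_BITS = {
    "CC": 0x00001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00002,  # SERVICE_CHANGE_CONFIG: rewrite binary path, account, start type
    "LC": 0x00004,  # SERVICE_QUERY_STATUS
    "SW": 0x00008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00010,  # SERVICE_START
    "WP": 0x00020,  # SERVICE_STOP
    "DT": 0x00040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00080,  # SERVICE_INTERROGATE
    "CR": 0x00100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC
    "WO": 0x80000,  # WRITE_OWNER
    "GA": 0x10000000, "GX": 0x20000000, "GW": 0x40000000, "GR": 0x80000000,  # generic rights
}
# Rights that allow changing what the service runs, or taking over its ACL.
DANGEROUS = {"DC", "SD", "WD", "WO"}
# Trustees that should not hold DANGEROUS rights on a service (this example's choice):
# Everyone, Authenticated/Builtin/Interactive Users, Power Users and Network
# Configuration Operators, by SDDL alias and by well-known SID.
LOW_PRIV = {"WD", "AU", "BU", "IU", "PU", "NO",
            "S-1-1-0", "S-1-5-11", "S-1-5-4", "S-1-5-32-545", "S-1-5-32-547", "S-1-5-32-556"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def split_sections(sddl):
    """Return the O:, G:, D: and S: sections of an SDDL string as a dict."""
    markers = list(re.finditer(r"([OGDS]):", sddl))
    sections = {}
    for i, m in enumerate(markers):
        end = markers[i + 1].start() if i + 1 < len(markers) else len(sddl)
        sections[m.group(1)] = sddl[m.end():end]
    return sections


def rights_mask(field):
    """Convert an SDDL rights field (letter pairs or 0x hex) to an access mask."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError("odd-length rights field: %r" % field)
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHT_BITS[field[i:i + 2]]  # KeyError on an unknown code is intended
    return mask


def parse_aces(section):
    """Parse every (type;flags;rights;objguid;inhguid;trustee) ACE in a D: or S: section."""
    aces = []
    for body in ACE_RE.findall(section):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (%s)" % body)
        aces.append({"type": fields[0], "flags": fields[1],
                     "mask": rights_mask(fields[2]), "trustee": fields[5]})
    return aces


def audit_sddl(service, sddl):
    """Return one finding per allow-ACE granting a low-privileged trustee a DANGEROUS right."""
    findings = []
    for ace in parse_aces(split_sections(sddl).get("D", "")):
        if ace["type"] != "A" or ace["trustee"] not in LOW_PRIV:
            continue
        if ace["mask"] & RIGHT_BITS["GA"]:
            granted = set(DANGEROUS)  # GENERIC_ALL implies every service right
        else:
            granted = {c for c in DANGEROUS if ace["mask"] & RIGHT_BITS[c]}
        if granted:
            findings.append("%s: %s is granted %s" % (service, ace["trustee"], ",".join(sorted(granted))))
    return findings


def audit_template(inf_text):
    """Audit the name,startup,"sddl" lines of a template's [Service General Setting] section."""
    findings, in_section = [], False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[service general setting]"
        elif in_section and line:
            name, _startup, sddl = next(csv.reader(io.StringIO(line)))
            findings.extend(audit_sddl(name, sddl))
    return findings


# Hardened ssdpsrv DACL from the bulletin's sc sdset command for Windows XP SP1.
HARDENED_SSDPSRV = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
                    "(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;LS)")

# Constructed sample template: the dnscache line copies the bulletin's Windows Server 2003
# template; "examplesvc" is an invented service with a deliberately permissive DACL
# (Authenticated Users hold DC and WD) to show what a finding looks like.
SAMPLE_TEMPLATE = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
examplesvc,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRCWD;;;AU)"
"""

if __name__ == "__main__":
    for finding in audit_sddl("ssdpsrv", HARDENED_SSDPSRV) + audit_template(SAMPLE_TEMPLATE):
        print(finding)
```

Running the script reports nothing for the bulletin's hardened DACLs and one finding for the invented "examplesvc" entry. To audit a live system, paste the output of sc sdshow <service> into audit_sddl, or point audit_template at an exported template; any finding is a service whose definition a non-administrator can rewrite and should be reviewed against Microsoft Knowledge Base Article 914392.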
Modify the Windows registry to modify access controls for each of the identified services:
The preferred method of service modification is by using the sc.exe command. However, you can use the following command to modify the security DACLs of the affected services to the same level as Windows XP Service Pack 2. Users are encouraged to back up the registry before they make any modifications. For more information about registry scripts and about how to modify the Windows registry, see Microsoft Knowledge Base Article 214752.
For Windows XP Service Pack 1, modify the following registry keys to change the default DACLs of the affected services:
For the SSDPSRV service:
reg add HKLM\System\CurrentControlSet\Services\SSDPSRV\Security /v Security /t REG_BINARY /d 01001480bc000000c8000000140000003000000002001c000100000002801400ff010f000101000000000001000000000200 8c000600000000001400ff010f0001010000000000051200000000001800ff010f000102000000000005200000002002000000001800fd0102000102000000000005200000002302000000001800ff010f0001020000000000052000000025020000000014009d00020001010000000000050b000000000014007000020001010000000000051300000001010000000000051200000001010000000000051200 0000
For the NetBT service:
reg add HKLM\System\CurrentControlSet\Services\netbt\Security /v Security /t REG_BINARY /d 01001480e8000000f4000000140000003000000002001c000100000002801400ff010f0001010000000000010000000002 00b80008000000000014008d01020001010000000000050b000000000018009d0102000102000000000005200000002302000000001800ff010f000102000000000005200000002002000000001800ff010f0001020000000000052000000025020000000014 00fd010200010100000000000512000000000014004000000001010000000000051300000000001400400000000101000000000005140000000000180 09d0102000102000000000005200000002c02000001010000000000051200000001010000000000051 2000000
For the UPnPHost service:
reg add HKLM\System\CurrentControlSet\Services\upnphost\Security /v Security /t REG_BINARY /d 01001480bc000000c8000000140000003000000002001c000100000002801400ff010f0001010000000000010000000002008c000600000000001400ff010f0001010000000000051200000000001800ff010f000102000000000005200000002002000000001800fd0102000102000000000005200000002302000000001800ff010f0001020000000000052000000025020000000014009d00020001010000000000050b000000000014008f01020001010000000000051300000001010000000000051200000001010000000000051200 0000
For the ScardSvr service:
reg add HKLM\System\CurrentControlSet\Services\scardsvr\Security /v Security /t REG_BINARY /d 01001480a4000000b0000000140000003000000002001c000100000002801400ff010f000101000000000001000000000200 74000500000000001400fd01020001010000000000051200000000001400fd01020001010000000000051300000000001800ff010f000102000000000005200000002002000000001800ff010f0001020000000000052000000025020000000014009d01020001010000000000020000000001010000000000051200000001010000000000051200 0000
For the DHCP service:
reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dhcp\security /v Security /t REG_BINARY /d 01001480900000009C000000140000003000000002001C00010000002801400FF010F00010100000000000100000000020060000 4000000000014008D01020001010000000000050B00000000001800FD010200012000000000005200000002C02000000001800FF 010F00010200000000005200000002002000000001400FD010200010100000000000512000000101000000000005120000000101 00000000000512000000
For the DnsCache service:
reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dnscache\security /v Security /t REG_BINARY /d 01001480A8000000B4000000140000003000000002001C00010000002801400FF010F00010100000000000100000000020078000500 0000000014008D01020001010000000000050B000000000018009D010200012000000000005200000002302000000001800FD010200 010200000000005200000002C02000000001800FF010F000102000000000005200000002002000000001400FD010200010100000000 00051200000001010000000000512000000010100000000000512000000
For Windows Server 2003, modify the following registry keys to change the default DACLs of the affected services:
For the NetBT service:
reg add HKLM\System\CurrentControlSet\Services\netbt\Security /v Security /t REG_BINARY /d 01001480e8000000f4000000140000003000000002001c000100000002801400ff010f0001010000000000010000000002 00b80008000000000014008d01020001010000000000050b000000000018009d0102000102000000000005200000002302000000001800ff010f000102000000000005200000002002000000001800ff010f0001020000000000052000000025020000000014 00fd010200010100000000000512000000000014004000000001010000000000051300000000001400400000000101000000000005140000000000180 09d0102000102000000000005200000002c02000001010000000000051200000001010000000000051 2000000
For the DHCP service:
reg add HKLM\System\CurrentControlSet\Services\dhcp\Security /v Security /t REG_BINARY /d 01001480900000009C000000140000003000000002001C00010000002801400FF010F000101000000000001000 000000200600004000000000014008D01020001010000000000050B00000000001800FD0102000020000000000 05200000002C02000000001800FF010F000102000000000005200000002002000000001400FD01020001010000 000000051200000010100000000000512000000010100000000000512000000
For the DnsCache service:
reg add HKLM\System\CurrentControlSet\Services\dnscache\Security /v Security /t REG_BINARY /d 01001480900000009C000000140000003000000002001C00010000002801400FF010F000101000000000001000 000000200600004000000000014008D01020001010000000000050B00000000001800FD0102000020000000000 05200000002C02000000001800FF010F000102000000000005200000002002000000001400FD01020001010000 000000051200000010100000000000512000000010100000000000512000000
Note Each registry value must be passed to reg add as one unbroken hexadecimal string. Where a value appears with an _ character and a line break inserted for readability, remove both before running the command.
Impact of Workaround: This workaround sets the service DACLs to the same values as those on Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2. You do not have to restart the computer to complete this mitigation.
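Because the registry workaround writes the DACL as a raw self-relative security descriptor, an administrator may want to confirm that a REG_BINARY value really encodes the DACL that the matching sc sdset command sets before pushing it out. The following Python decoder is an added example, not code from the bulletin; it assumes the documented SECURITY_DESCRIPTOR, ACL, ACE and SID binary layouts and the standard well-known SID aliases, and uses the bulletin's SSDPSRV value for Windows XP Service Pack 1 (with the readability line breaks removed) as its input.

```python
"""Decode the REG_BINARY value under HKLM\\System\\CurrentControlSet\\Services\\<svc>\\Security
(a self-relative SECURITY_DESCRIPTOR) back into SDDL so it can be compared with sc sdset.
Added example, not Microsoft's code; relies on the documented binary layouts."""
import struct

WELL_KNOWN = {"S-1-1-0": "WD", "S-1-5-11": "AU", "S-1-5-18": "SY", "S-1-5-19": "LS",
              "S-1-5-20": "NS", "S-1-5-32-544": "BA", "S-1-5-32-545": "BU",
              "S-1-5-32-547": "PU", "S-1-5-32-549": "SO", "S-1-5-32-556": "NO"}
ACE_TYPES = {0: "A", 1: "D", 2: "AU"}  # ACCESS_ALLOWED, ACCESS_DENIED, SYSTEM_AUDIT
ACE_FLAGS = [("OI", 0x01), ("CI", 0x02), ("NP", 0x04), ("IO", 0x08), ("ID", 0x10), ("SA", 0x40), ("FA", 0x80)]
RIGHT_CODES = [("CC", 0x1), ("DC", 0x2), ("LC", 0x4), ("SW", 0x8), ("RP", 0x10), ("WP", 0x20),
               ("DT", 0x40), ("LO", 0x80), ("CR", 0x100), ("SD", 0x10000), ("RC", 0x20000),
               ("WD", 0x40000), ("WO", 0x80000)]  # service-object meaning of the SDDL codes
SE_DACL_PRESENT, SE_SACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x0010, 0x8000


def parse_sid(buf, off):
    """Decode a binary SID at buf[off]; return (string form, length in bytes)."""
    rev, count = buf[off], buf[off + 1]
    authority = int.from_bytes(buf[off + 2:off + 8], "big")
    subs = struct.unpack_from("<%dI" % count, buf, off + 8)
    return "S-%d-%d%s" % (rev, authority, "".join("-%d" % s for s in subs)), 8 + 4 * count


def parse_acl(buf, off):
    """Decode an ACL header and its ACEs (the SID-bearing ACE types used by services)."""
    _rev, _sbz1, _size, count, _sbz2 = struct.unpack_from("<BBHHH", buf, off)
    aces, pos = [], off + 8
    for _ in range(count):
        ace_type, flags, ace_size, mask = struct.unpack_from("<BBHI", buf, pos)
        sid, _ = parse_sid(buf, pos + 8)
        aces.append({"type": ACE_TYPES.get(ace_type, str(ace_type)), "flags": flags,
                     "mask": mask, "sid": sid})
        pos += ace_size  # AceSize covers header, mask and SID
    return aces


def decode_security_descriptor(hex_value):
    """Decode a self-relative security descriptor given as the hex string reg add takes."""
    buf = bytes.fromhex(hex_value)
    rev, _sbz, control, owner_off, group_off, sacl_off, dacl_off = struct.unpack_from("<BBHIIII", buf, 0)
    if rev != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    return {"owner": parse_sid(buf, owner_off)[0] if owner_off else None,
            "group": parse_sid(buf, group_off)[0] if group_off else None,
            "dacl": parse_acl(buf, dacl_off) if control & SE_DACL_PRESENT and dacl_off else None,
            "sacl": parse_acl(buf, sacl_off) if control & SE_SACL_PRESENT and sacl_off else None}


def mask_to_sddl(mask):
    """Render an access mask as SDDL letter codes, or as hex if bits fall outside the service set."""
    known = sum(bit for _, bit in RIGHT_CODES)
    return "".join(c for c, bit in RIGHT_CODES if mask & bit) if mask & ~known == 0 else "0x%x" % mask


def to_sddl(sd):
    """Render a decoded descriptor as O:G:D:S: SDDL using aliases for well-known SIDs."""
    alias = lambda sid: WELL_KNOWN.get(sid, sid)
    out = ("O:" + alias(sd["owner"]) if sd["owner"] else "") + ("G:" + alias(sd["group"]) if sd["group"] else "")
    for prefix, key in (("D:", "dacl"), ("S:", "sacl")):
        if sd[key] is not None:
            out += prefix + "".join("(%s;%s;%s;;;%s)" % (
                a["type"], "".join(f for f, bit in ACE_FLAGS if a["flags"] & bit),
                mask_to_sddl(a["mask"]), alias(a["sid"])) for a in sd[key])
    return out


# The SSDPSRV value from the bulletin's Windows XP SP1 registry workaround (line breaks
# removed) and the bulletin's sc sdset string for the same service.
SSDPSRV_SECURITY_HEX = (
    "01001480bc000000c8000000140000003000000002001c000100000002801400ff010f00010100000000000100000"
    "00002008c000600000000001400ff010f0001010000000000051200000000001800ff010f00010200000000000520"
    "0000002002000000001800fd0102000102000000000005200000002302000000001800ff010f00010200000000000"
    "52000000025020000000014009d00020001010000000000050b000000000014007000020001010000000000051300"
    "0000010100000000000512000000010100000000000512000000")
SSDPSRV_SC_SDSET = ("D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
                    "(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)"
                    "(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;LS)")


def registry_matches_sc(hex_value, sc_sddl):
    """True when the registry value's DACL renders to exactly the sc sdset DACL."""
    rendered = to_sddl(decode_security_descriptor(hex_value))
    return rendered[rendered.index("D:"):].split("S:")[0] == sc_sddl


if __name__ == "__main__":
    print(to_sddl(decode_security_descriptor(SSDPSRV_SECURITY_HEX)))
    print("matches sc sdset:", registry_matches_sc(SSDPSRV_SECURITY_HEX, SSDPSRV_SC_SDSET))
```

A value that fails to decode, or whose rendered DACL differs from the sc sdset string, should not be deployed. Decoding also shows what the registry form carries beyond the DACL: the SSDPSRV value includes the owner and group (SYSTEM) and a failed-access audit entry for Everyone, which the sc sdset commands listed for Windows XP Service Pack 1 do not set.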
FAQ for Permissive Windows Services DACLs could allow elevation of privilege - CVE-2006-0023:
What is the scope of this vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could change the default binary that is associated with the affected services. Then an attacker could stop and restart the services to run a malicious program or binary. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
What causes the vulnerability?
On Windows XP Service Pack 1, permissions on the identified Windows services are set by default to a level that may allow a low-privileged user to change properties that are associated with the service. On Windows Server 2003, permissions on the identified services are set to a level that may allow a user who belongs to the Network Configuration Operators group to change properties that are associated with the service.
What might an attacker use the vulnerability to do?
By changing the default associated program that is set to run by an identified service, a low-privileged user may be able to run commands or executables that would normally require higher privileged access.
Who could exploit the vulnerability?
To try to exploit the vulnerability, an attacker must have valid logon credentials to the affected system.
How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first need valid logon credentials to the affected system. An attacker could then access the affected component and run a standard application that could exploit the vulnerability and gain complete control over the affected system.
What systems are primarily at risk from the vulnerability?
Workstations and servers are both at risk from this vulnerability.
Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by this vulnerability?
No. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do not contain the affected components.
Is Windows 2000 affected by this vulnerability?
Scenarios have been identified that involve members of the Power Users administrative group, but such users should be considered trusted users who have extensive privileges and the ability to change computer-wide settings. For more information about rights that are associated with the Power Users administrative group, see Microsoft Knowledge Base Article 825069. Windows 2000 may become vulnerable if third-party application code is installed that adds services that have overly permissive access controls.
How do I determine if a third party application is affected?
Users are encouraged to contact their third-party software vendors whose products require services installation to determine if any non-default Windows services are affected. Software developers are encouraged to visit Microsoft Knowledge Base Article 914392 for additional information and best practices on how to apply secure access controls to services.
Could the vulnerability be exploited over the Internet?
No. An attacker must have valid logon credentials to the specific system that is targeted for attack.
What does the update do?
The update changes the default DACLs on Windows XP Service Pack 1 and on Windows Server 2003 to the enhanced security DACLs that are used on Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2006-0023.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.