Executive Summary
Summary

Title | Elevation of Privilege Using Windows Service Isolation Bypass
---|---

Information

Field | Value | Field | Value
---|---|---|---
Name | KB2264072 | First vendor publication | 2010-08-10
Vendor | Microsoft | Last vendor modification | 1970-01-01 (placeholder value; no modification date recorded)
Severity (vendor) | N/A | Revision | 1.0
Security-Database Scoring CVSS v3

CVSS vector: N/A (no CVSS v3 score has been assigned to this advisory)

Metric | Value | Metric | Value
---|---|---|---
Overall CVSS score | NA | |
Base score | NA | Environmental score | NA
Impact subscore | NA | Temporal score | NA
Exploitability subscore | NA | |
Security-Database Scoring CVSS v2

CVSS vector: (AV:L/AC:L/Au:S/C:C/I:C/A:C), i.e. local access vector, low access complexity, single authentication, and complete confidentiality, integrity and availability impact.

Metric | Value | Metric | Value
---|---|---|---
CVSS base score | 6.8 | Attack range | Local
CVSS impact score | 10.0 | Attack complexity | Low
CVSS exploitability score | 3.1 | Authentication | Requires single instance
Detail
Microsoft is aware of the potential for attacks that leverage the Windows Service Isolation feature to gain elevation of privilege. This advisory discusses potential attack scenarios and provides suggested actions that can help to protect against this issue. It also offers a non-security update for one of the potential attack scenarios, the one through the Windows Telephony Application Programming Interfaces (TAPI).

This issue affects scenarios where untrusted code is executed within a process owned by the NetworkService account. In these scenarios it is possible for an attacker to elevate from running processes as the NetworkService account to running processes as the LocalSystem account on the target server. An attacker who succeeded in running processes as LocalSystem could execute arbitrary code and take complete control of the affected system: install programs; view, change, or delete data; or create new accounts with full user rights.

In most situations untrusted code does not run under the NetworkService identity, but the following scenarios have been identified as possible exceptions: the IIS, SQL Server and TAPI scenarios discussed in the Frequently Asked Questions below. For the TAPI scenario Microsoft is providing a non-security update; for more information about it, see the Frequently Asked Questions specifically about the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability - CVE-2010-1886. In addition, Microsoft is actively working with partners in its Microsoft Active Protections Program (MAPP) to provide information that they can use to deliver broader protections to customers. Further references and the list of affected software are given in the original advisory (see Original Source below).

Frequently Asked Questions

The advisory answers the questions below; only the answers quoted here were captured in this entry.

What is the scope of the advisory? This security advisory also provides notification of an optional, non-security update, available for download from the Microsoft Download Center, that addresses an attack vector through the Windows Telephony Application Programming Interfaces (TAPI).

Is this a security vulnerability that requires Microsoft to issue a security update?

What is the Windows Service Isolation feature?

What is the "impersonate a client after authentication" privilege?

What is the NetworkService account?

How is IIS affected by this issue? IIS servers are at reduced risk from the attacks described in this advisory in several scenarios (listed in the original advisory). To succeed against a Web server, an attacker would first have to add specially crafted Web content to an IIS Web site, and could then use access to that content to elevate to running processes as LocalSystem. Normally, untrusted users are not allowed to add Web content to an IIS Web site; however, some Web hosts are more at risk because they explicitly offer hosting for third-party Web content. IIS on Windows Server 2003 and Windows Server 2008 may be more at risk from this issue because the default worker process identity there is NetworkService.

How could an attacker exploit the issue on an IIS server?

How is SQL Server affected by this issue?

How could an attacker exploit the issue on a SQL server?

How is TAPI affected by this issue?

What might an attacker use this issue to do?

What systems are primarily at risk from this issue? IIS Web servers that allow users to upload code are at increased risk; this may include Web hosting providers or similar environments. SQL Server systems are at risk if untrusted users are granted privileged account access.

I am using an older release of the software discussed in this security advisory. What should I do? It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs. Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office: visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Frequently Asked Questions about the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability - CVE-2010-1886

Where can I find the non-security update for this vulnerability?

What is the Windows Telephony Application Programming Interface (TAPI)?

What causes this threat?

Is this a security vulnerability that requires Microsoft to issue a security update?

This is a security advisory about a non-security update. Isn't that a contradiction?

Why is Microsoft issuing an update for this component?

What systems are primarily at risk from this vulnerability?

What might an attacker use this vulnerability to do?

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The advisory lists mitigating factors that may be helpful in your situation; they were not captured in this entry.

Workarounds

Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

For IIS 6.0, and separately for IIS 7.0 and above, the advisory gives step-by-step instructions; the steps themselves are not reproduced in this entry.

Apply the non-security update for the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability (CVE-2010-1886), available for download from the Microsoft Download Center only. For more information about the update, including download links and the changes in behavior, see Microsoft Knowledge Base Article 982316.

Additional Suggested Actions

Microsoft continues to encourage customers to follow its Protect Your Computer guidance: enable a firewall, get software updates and install antivirus software. Customers can learn more about these steps by visiting Protect Your Computer; for more information about staying safe on the Internet, visit Microsoft Security Central. All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered. If you have Automatic Updates enabled, updates are delivered when they are released, but you still have to make sure you install them. Note that the TAPI update above is offered only through the Download Center, so Automatic Updates will not deliver it.
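The advisory ties exposure to three things: which processes run as NetworkService, whether IIS application pools still use the NetworkService identity, and whether the Download Center-only TAPI update (KB982316) is present. The PowerShell below is an added audit script for exactly those three checks; it is not part of the Microsoft advisory or of this database entry. It assumes an elevated PowerShell session on the server being audited and uses the WebAdministration module, which exists only on IIS 7.0 and later (on IIS 6.0 the application pool identity has to be read from IIS Manager instead). The KB check relies on Get-HotFix, which reads the Win32_QuickFixEngineering table; the privilege check uses the built-in whoami tool.

```powershell
# Added audit script; not from the Microsoft advisory or the database entry above.
# Assumes an elevated PowerShell session on the Windows server being audited.
# IIS checks use the WebAdministration module (IIS 7.0+, Windows Server 2008+);
# on IIS 6.0 the application pool identity must be read from IIS Manager instead.

$NetworkService = 'NT AUTHORITY\NetworkService'

# Services whose logon account is NetworkService. Untrusted code that ends up
# inside one of these processes starts with exactly the foothold the advisory
# describes (NetworkService -> LocalSystem).
function Get-NetworkServiceServices {
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -eq $NetworkService } |
        Select-Object Name, State, StartMode, PathName
}

# IIS application pools still running their worker process as NetworkService.
# The advisory notes this is the default on Windows Server 2003 and 2008; pools
# that host third-party or user-uploaded content are the ones to move off it.
function Get-NetworkServiceAppPools {
    if (-not (Get-Module -ListAvailable -Name WebAdministration)) {
        Write-Warning 'WebAdministration module not available (IIS 6.0 or no IIS); check pool identities in IIS Manager.'
        return
    }
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools |
        Where-Object { $_.processModel.identityType -eq 'NetworkService' } |
        Select-Object Name, State
}

# The TAPI non-security update (Microsoft Knowledge Base Article 982316) is a
# Download Center-only package, so Automatic Updates never installs it.
function Test-TapiUpdateInstalled {
    $fix = Get-HotFix -Id 'KB982316' -ErrorAction SilentlyContinue
    return [bool]$fix
}

'== Services running as NetworkService =='
Get-NetworkServiceServices | Format-Table -AutoSize

'== IIS application pools still using the NetworkService identity =='
$pools = Get-NetworkServiceAppPools
if ($pools) { $pools | Format-Table -AutoSize } else { 'none' }

'== TAPI update KB982316 =='
if (Test-TapiUpdateInstalled) {
    'installed'
} else {
    Write-Warning 'KB982316 not installed; download it from the Microsoft Download Center.'
}

'== SeImpersonatePrivilege in the current token =='
# "Impersonate a client after authentication" is the privilege the advisory's
# FAQ asks about; NetworkService and LocalService hold it by default. Run this
# under the service account you are assessing to see whether it is present.
whoami /priv | Select-String 'SeImpersonatePrivilege'
```

The script only reports; it changes nothing. A pool listed in the second section on a host that accepts third-party Web content is the case the advisory singles out, and the workaround for it is the IIS identity change the advisory describes for IIS 6.0 and IIS 7.0 and above.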
Original Source

URL: http://www.microsoft.com/technet/security/advisory/2264072.mspx
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-264 | Permissions, Privileges, and Access Controls |
CPE : Common Platform Enumeration

Type | Description | Count
---|---|---
Os | (not captured) | 3
Os | (not captured) | 1
Os | (not captured) | 5
Os | (not captured) | 2
Os | (not captured) | 2
Open Source Vulnerability Database (OSVDB)

Id | Title | Description
---|---|---
67083 | Microsoft Windows TAPI Server (TAPISRV) Service Isolation Bypass Local Privil... | Microsoft Windows contains a flaw that may allow an attacker to gain access to unauthorized privileges. The issue is triggered when an error occurs in Windows Service Isolation, allowing a local attacker to leverage access to a process with NetworkService credentials to gain elevated privileges.
Nessus® Vulnerability Scanner

Date | Name | File | Type
---|---|---|---
2010-08-26 | The remote Windows host has a privilege escalation vulnerability. | smb_kb982316.nasl | ACT_GATHER_INFO
Alert History

Date | Information
---|---
2014-02-17 11:38:37 | (no details recorded)