Security Bulletin

Microsoft Security Bulletin MS06-011 - Important

Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798)

Published: March 14, 2006 | Updated: June 13, 2006

Version: 2.1

Summary

Who should read this document: Customers who use Microsoft Windows

Impact of Vulnerability: Elevation of Privilege

Maximum Severity Rating: Important

Recommendation: Customers should apply the update at the earliest opportunity.

Security Update Replacement: None.

Caveats: Microsoft Knowledge Base Article 914798 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 914798.

Tested Software and Security Update Download Locations:

Affected Software:

  • Microsoft Windows XP Service Pack 1 - Download the update
  • Microsoft Windows Server 2003 - Download the update
  • Microsoft Windows Server 2003 for Itanium-based Systems - Download the update

Non-Affected Software:

  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
  • Microsoft Windows XP Service Pack 2
  • Microsoft Windows XP Professional x64 Edition
  • Microsoft Windows Server 2003 Service Pack 1
  • Microsoft Windows Server 2003 with Service Pack 1 for Itanium-based Systems
  • Microsoft Windows Server 2003 x64 Edition

General Information

Executive Summary

This update resolves a newly-discovered, public vulnerability. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

We recommend that customers apply the update at the earliest opportunity.

Severity Ratings and Vulnerability Identifiers:

| Vulnerability Identifiers | Impact of Vulnerability | Windows 98, 98 SE, ME | Windows 2000 | Windows XP Service Pack 1 | Windows XP Service Pack 2 | Windows Server 2003 | Windows Server 2003 Service Pack 1 |
|---|---|---|---|---|---|---|---|
| Permissive Windows Service DACLs - CVE-2006-0023 | Elevation of Privilege | None | None | Important | None | Moderate | None |

This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Note The severity ratings for non-x86 operating system versions map to the x86 operating systems versions as follows:

  • The Microsoft Windows XP Professional x64 Edition severity rating is the same as the Windows XP Service Pack 2 severity rating.
  • The Microsoft Windows Server 2003 for Itanium-based Systems severity rating is the same as the Windows Server 2003 severity rating.
  • The Microsoft Windows Server 2003 with SP1 for Itanium-based Systems severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.
  • The Microsoft Windows Server 2003 x64 Edition severity rating is the same as the Windows Server 2003 Service Pack 1 severity rating.

Why did Microsoft reissue this bulletin on June 13, 2006?
Microsoft updated this bulletin and the associated security updates to include updated registry key values for the NetBT, RemoteAccess, and TCPIP services. These values have been modified to be the same as Windows XP Service Pack 2 on Windows XP Service Pack 1 systems. Customers running Windows XP Service Pack 1 are encouraged to apply this revised update for additional security from privilege elevation through these services as described in the Vulnerability Details section of this security bulletin. Windows 2003 systems with no service pack applied are not affected by this reissue. For more information, and the updated registry key values, see Microsoft Knowledge Base Article 914798.

What changes does the revised security update include?
The revised security update contains no changes to the binaries included in the initial security update. During installation, the revised security update will update the registry values for the NetBT, RemoteAccess, and TCPIP services as indicated in Microsoft Knowledge Base Article 914798.

What are the known issues that customers may experience when they install this security update?
Microsoft Knowledge Base Article 914798 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 914798.

Why are no updated files applied to the system after installing this update?
For Windows XP Service Pack 1 systems, this update sets the service discretionary access control list (DACL) to the same settings as Windows XP Service Pack 2. For Windows 2003 with no service pack installed, this update sets the selected service DACLs to Windows 2003 Service Pack 1 settings. These configuration changes are made by the installation program, and no system files are updated as a result of applying this security update.

Will I be able to uninstall this update?
Since no system files are modified as a result of applying this update, this update cannot be removed. For Windows 2003 with no service pack installed and Windows XP SP1 systems, this update sets the selected service DACLs to Windows 2003 SP1 and Windows XP SP2 settings. These configuration changes are made by the installation program, and no system files are updated as a result of applying this security update. However, the changes can be reverted using system utilities. To learn more about removing and restoring the DACL configuration changes made by this update, please see Microsoft Knowledge Base Article 914798.

Does this update contain any security-related changes to functionality?
Yes. In addition to the services listed in the “Vulnerability Details” section of the bulletin, the update also modifies the DACLs for the service and service registry keys listed in the table below for additional defense-in-depth protection. These additional services and service registry keys set the DACLs for the services listed below to the same as Windows XP Service Pack 2 on Windows XP Service Pack 1 systems, and Windows 2003 Service Pack 1 on Windows 2003 systems with no service pack applied. For additional information on these and other service and registry key DACL changes included with this update, see Microsoft Knowledge Base Article 914798.

Additional Service and Registry Key Changes Included in this Update

| Operating System | Service / Registry Key |
|---|---|
| Microsoft Windows XP Service Pack 1 | MSDTC, DHCP, NetBT, Remote Access, TCPIP |
| Windows Server 2003 | MSDTC, SysmonLog, DHCP, DnsCache, NetBT, Remote Access, TCPIP |

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?
No. The software listed in Executive Summary has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.

Can I use the Microsoft Baseline Security Analyzer (MBSA) 1.2.1 to determine whether this update is required?
Yes. MBSA 1.2.1 will determine whether this update is required. For more information about MBSA, visit the MBSA Web site. Because this update cannot be uninstalled, if the affected DACLs are changed or restored to a previous state, users will need to edit the registry for MBSA to correctly identify the need for this update again. For information about how to change the registry for MBSA 1.2.1 to identify manual removal of this update, see Microsoft Knowledge Base Article 914798.

Can I use the Microsoft Baseline Security Analyzer (MBSA) 2.0 to determine whether this update is required?
Yes. MBSA 2.0 will determine whether this update is required. MBSA 2.0 can detect security updates for products that Microsoft Update supports. For more information about MBSA, visit the MBSA Web site. Because this update cannot be uninstalled, if the affected DACLs are changed or restored to a previous state, users will need to edit the registry for MBSA to correctly identify the need for this update again. For information about how to change the registry for MBSA 2.0 to identify manual removal of this update, see Microsoft Knowledge Base Article 914798.

Can I use Systems Management Server (SMS) to determine whether this update is required?
Yes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site.

The Security Update Inventory Tool can be used by SMS for detecting security updates that are offered by Windows Update, that are supported by Software Update Services, and other security updates that are supported by MBSA 1.2.1. For more information about the Security Update Inventory Tool, visit the following Microsoft Web site. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460.

The SMS 2003 Inventory Tool for Microsoft Updates can be used by SMS for detecting security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 Inventory Tool for Microsoft Updates, visit the following Microsoft Web site.

Vulnerability Details

Permissive Windows Services DACLs could allow elevation of privilege - CVE-2006-0023

A privilege elevation vulnerability exists on Windows XP Service Pack 1 on the identified Windows services, where the permissions are set by default to a level that may allow a low-privileged user to change properties associated with the service. On Windows 2003, permissions on the identified services are set to a level that may allow a user who belongs to the Network Configuration Operators group to change properties associated with the service. Only members of the Network Configuration Operators group on the targeted machine can remotely attack Windows Server 2003, and this group contains no users by default. The vulnerability could allow a user with valid logon credentials to take complete control of the system on Microsoft Windows XP Service Pack 1.

Mitigating Factors for Permissive Windows Services DACLs could allow elevation of privilege - CVE-2006-0023

  • An attacker must have valid logon credentials to be able to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
  • Four of the six services identified (NetBT, SCardSvr, DHCP, DnsCache) require an attacker to already be running in a privileged security context. Additionally, the two services, SSDPSRV and UPNPHost, which allow an authenticated user to attack a vulnerable system are only vulnerable on Windows XP Service Pack 1.

Workarounds for Vulnerability in Windows Services DACLs could result in elevation of privilege - CVE-2006-0023:

Microsoft has tested the following workarounds. The identified workarounds change the default DACLs on Windows XP Service Pack 1 and on Windows Server to the enhanced security DACLs that are used on Windows XP Service Pack 2 and on Windows Server 2003 Service Pack 1. Therefore, these workarounds are considered complete solutions to this issue. Because the recommended access controls have been shipping with the latest operating systems for some time, they are anticipated to constitute low risk. However, any DACL change carries some risk of application incompatibility.

  • Use the sc.exe command to set modified access controls for the identified services:

    Note You must run the sc.exe command as a privileged user. You can run this command by using a computer startup script or by using an SMS script. By running this command, you increase the security of the DACLs so that they are at the same level as Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1. For more information about the sc.exe command and about how to set DACLs for Windows services, see the following Microsoft Product Documentation. This mitigation does not require that you restart the computer.

    For Windows XP Service Pack 1, run each of the following commands. Each command changes the DACL on the associated affected service.

    sc sdset ssdpsrv D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;LS)

    sc sdset netbt D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;DT;;;LS)(A;;DT;;;NS)(A;;CCLCSWRPLOCRRC;;;NO)

    sc sdset upnphost D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWLOCRRC;;;LS)

    sc sdset scardsvr D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;LS)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLOCRRC;;;S-1-2-0)

    sc sdset dhcp D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)

    sc sdset dnscache D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)

    For Windows Server 2003, run each of the following commands. Each command changes the DACL on the associated affected service.

    sc sdset netbt D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;DT;;;LS)(A;;DT;;;NS)(A;;CCLCSWRPLOCRRC;;;NO)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    sc sdset dhcp D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    sc sdset dnscache D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

    Note For Windows Server 2003, NetBT, DnsCache, and DHCP are the only identified affected services. In the Windows Server 2003 scenario, an attack must be launched by a member of the Network Configuration Operators group. This group is empty by default.

    Impact of Workaround: None

  • Use Group Policy to deploy modified access controls for the identified services.

    Domain administrators can use Group Policy and the security templates to deploy modified access controls to Windows XP Service Pack 1 systems. For more information about how to implement security templates by using Group Policy, see Microsoft Knowledge Base Article 816585. You do not have to restart the computer to complete this mitigation.

    For Windows XP Service Pack 1, use the following security template to modify the Upnphost, SCardSvr, SSDPSRV, DnsCache, and DHCP services.

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Service General Setting]
    SSDPSRV,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;S-1-5-19)"
    upnphost,2,"D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLORC;;;AU)(A;;CCDCLCSWLOCRRC;;;S-1-5-19)"
    scardsvr,2,"D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCLCSWRPWPDTLOCRRC;;;S-1-5-19)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLOCRRC;;;S-1-2-0)"
    dhcp,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
    dnscache,2,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

    For Windows Server 2003, use the following security template to modify the DnsCache and DHCP services.

    [Unicode]
    Unicode=yes
    [Version]
    signature="$CHICAGO$"
    Revision=1
    [Service General Setting]
    dhcp,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
    dnscache,,"D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPLOCRRC;;;PU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"

    Note For Windows XP Service Pack 1 and Windows Server 2003, changing the service DACLs on the NetBT service is not supported by using the Microsoft Group Policy Object Editor. Therefore, the NetBT service DACL change is not included in the security template for Windows Server 2003.

    Note For Windows Server 2003, NetBT, DHCP, and DnsCache are the only identified affected services. In the Windows Server 2003 scenario, a member of the Network Configuration Operators group must launch an attack. This group is empty by default and is rarely populated.

    Impact of Workaround: In addition to setting the service DACLs the same as those for Windows XP Service Pack 2, the security template that is provided sets the service startup type for the affected service to its original default configuration of “Automatic.” Because Windows Server 2003 supports the ability to configure startup type settings, the startup type is unchanged for Windows Server 2003.

  • Modify the Windows registry to modify access controls for each of the identified services.

    The preferred method of service modification is by using the sc.exe command. However, you can use the following command to modify the security DACLs of the affected services to the same level as Windows XP Service Pack 2. Users are encouraged to back up the registry before they make any modifications. For more information about registry scripts and about how to modify the Windows registry, see Microsoft Knowledge Base Article 214752.

    For Windows XP Service Pack 1, modify the following registry keys to change the default Windows XP Service Pack 1 affected services.

    For the SSDPSRV service:

    reg add HKLM\System\CurrentControlSet\Services\SSDPSRV\Security /v Security /t REG_BINARY /d _
    01001480bc000000c8000000140000003000000002001c000100000002801400ff010f00010100000000000100000_
    00002008c000600000000001400ff010f0001010000000000051200000000001800ff010f00010200000000000520_
    0000002002000000001800fd0102000102000000000005200000002302000000001800ff010f00010200000000000_
    52000000025020000000014009d00020001010000000000050b000000000014007000020001010000000000051300_
    0000010100000000000512000000010100000000000512000000

    For the NetBT service:

    reg add HKLM\System\CurrentControlSet\Services\netbt\Security /v Security /t REG_BINARY /d _
    01001480e8000000f4000000140000003000000002001c000100000002801400ff010f00010100000000000100000_
    0000200b80008000000000014008d01020001010000000000050b000000000018009d010200010200000000000520_
    0000002302000000001800ff010f000102000000000005200000002002000000001800ff010f00010200000000000_
    5200000002502000000001400fd010200010100000000000512000000000014004000000001010000000000051300_
    00000000140040000000010100000000000514000000000018009d0102000102000000000005200000002c0200000_
    10100000000000512000000010100000000000512000000

    For the UPnPHost service:

    reg add HKLM\System\CurrentControlSet\Services\upnphost\Security /v Security /t REG_BINARY /d _
    01001480bc000000c8000000140000003000000002001c000100000002801400ff010f00010100000000000100000_
    00002008c000600000000001400ff010f0001010000000000051200000000001800ff010f00010200000000000520_
    0000002002000000001800fd0102000102000000000005200000002302000000001800ff010f00010200000000000_
    52000000025020000000014009d00020001010000000000050b000000000014008f01020001010000000000051300_
    0000010100000000000512000000010100000000000512000000

    For the ScardSvr service:

    reg add HKLM\System\CurrentControlSet\Services\scardsvr\Security /v Security /t REG_BINARY /d _
    01001480a4000000b0000000140000003000000002001c000100000002801400ff010f00010100000000000100000_
    000020074000500000000001400fd01020001010000000000051200000000001400fd010200010100000000000513_
    00000000001800ff010f000102000000000005200000002002000000001800ff010f0001020000000000052000000_
    025020000000014009d01020001010000000000020000000001010000000000051200000001010000000000051200_
    0000

    For the DHCP service:

    reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dhcp\security /v Security /t REG_BINARY /d _
    01001480900000009C000000140000003000000002001C00010000002801400FF010F00010100000000000100000000020060000_
    4000000000014008D01020001010000000000050B00000000001800FD010200012000000000005200000002C02000000001800FF_
    010F00010200000000005200000002002000000001400FD010200010100000000000512000000101000000000005120000000101_
    00000000000512000000

    For the DnsCache service:

    reg add HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\dnscache\security /v Security /t REG_BINARY /d _
    01001480A8000000B4000000140000003000000002001C00010000002801400FF010F00010100000000000100000000020078000500_
    0000000014008D01020001010000000000050B000000000018009D010200012000000000005200000002302000000001800FD010200_
    010200000000005200000002C02000000001800FF010F000102000000000005200000002002000000001400FD010200010100000000_
    00051200000001010000000000512000000010100000000000512000000

    For Windows Server 2003, modify the following registry keys to change the default Windows Server 2003 affected service.

    For the NetBT service:

    reg add HKLM\System\CurrentControlSet\Services\netbt\Security /v Security /t REG_BINARY /d _
    01001480e8000000f4000000140000003000000002001c000100000002801400ff010f00010100000000000100000_
    0000200b80008000000000014008d01020001010000000000050b000000000018009d010200010200000000000520_
    0000002302000000001800ff010f000102000000000005200000002002000000001800ff010f00010200000000000_
    5200000002502000000001400fd010200010100000000000512000000000014004000000001010000000000051300_
    00000000140040000000010100000000000514000000000018009d0102000102000000000005200000002c0200000_
    10100000000000512000000010100000000000512000000

    For the DHCP service:

    reg add HKLM\System\CurrentControlSet\Services\dhcp\Security /v Security /t REG_BINARY /d _
    01001480900000009C000000140000003000000002001C00010000002801400FF010F000101000000000001000_
    000000200600004000000000014008D01020001010000000000050B00000000001800FD0102000020000000000_
    05200000002C02000000001800FF010F000102000000000005200000002002000000001400FD01020001010000_
    000000051200000010100000000000512000000010100000000000512000000

    For the DnsCache service:

    reg add HKLM\System\CurrentControlSet\Services\dnscache\Security /v Security /t REG_BINARY /d _
    01001480900000009C000000140000003000000002001C00010000002801400FF010F000101000000000001000_
    000000200600004000000000014008D01020001010000000000050B00000000001800FD0102000020000000000_
    05200000002C02000000001800FF010F000102000000000005200000002002000000001400FD01020001010000_
    000000051200000010100000000000512000000010100000000000512000000

    Note For these registry key values, the “_” character and a carriage return have been inserted for readability. Remove this character and this carriage return in order to execute the command correctly.

    Impact of Workaround: In addition to setting the services DACLs the same as those for Windows Server 2003 Service Pack 1 and Windows XP Service Pack 2, you do not have to restart the computer to complete this mitigation.
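
The SDDL strings passed to sc sdset and placed in the security templates above can be checked mechanically. The following Python is an added example, not part of the original bulletin and not Microsoft code: it parses a service DACL, lists which trustees hold rights that allow reconfiguring the service, and compares two DACLs while ignoring whether a trustee is written as an alias or as a SID. The function names, the LOW_PRIV set, and WEAK_SAMPLE (a constructed DACL, not the shipped pre-update value) are assumptions made for illustration; the other SDDL strings are copied from the workarounds above.

```python
import re

# SDDL right tokens and the service access-mask bits they stand for.
RIGHTS = {
    "CC": 0x00001,  # SERVICE_QUERY_CONFIG
    "DC": 0x00002,  # SERVICE_CHANGE_CONFIG (change the binary the service runs)
    "LC": 0x00004,  # SERVICE_QUERY_STATUS
    "SW": 0x00008,  # SERVICE_ENUMERATE_DEPENDENTS
    "RP": 0x00010,  # SERVICE_START
    "WP": 0x00020,  # SERVICE_STOP
    "DT": 0x00040,  # SERVICE_PAUSE_CONTINUE
    "LO": 0x00080,  # SERVICE_INTERROGATE
    "CR": 0x00100,  # SERVICE_USER_DEFINED_CONTROL
    "SD": 0x10000,  # DELETE
    "RC": 0x20000,  # READ_CONTROL
    "WD": 0x40000,  # WRITE_DAC (rewrite this DACL)
    "WO": 0x80000,  # WRITE_OWNER
    "GA": 0x10000000,  # GENERIC_ALL
    "GW": 0x40000000,  # GENERIC_WRITE (includes SERVICE_CHANGE_CONFIG)
}
# Rights that let the holder reconfigure the service, directly or indirectly.
DANGEROUS = {"DC", "WD", "WO", "GA", "GW"}
# Raw SIDs and their SDDL aliases; the templates above use the raw form.
SID_ALIASES = {
    "S-1-5-18": "SY", "S-1-5-19": "LS", "S-1-5-20": "NS", "S-1-5-11": "AU",
    "S-1-1-0": "WD", "S-1-5-4": "IU", "S-1-5-32-544": "BA", "S-1-5-32-545": "BU",
    "S-1-5-32-547": "PU", "S-1-5-32-549": "SO", "S-1-5-32-556": "NO",
}
# Assumption: trustees treated as low-privileged for this audit. NO (Network
# Configuration Operators) is included because of the Windows Server 2003 case.
LOW_PRIV = {"AU", "WD", "BU", "IU", "AN", "BG", "NO"}
ACE_RE = re.compile(r"\(([^()]*)\)")

def split_rights(rights):
    """Turn 'CCDCLC...' or a hex mask such as '0x2' into a set of tokens."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for name, bit in RIGHTS.items() if mask & bit}
    if len(rights) % 2:
        raise ValueError("odd-length rights string: " + rights)
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}

def parse_dacl(sddl):
    """Return [(ace_type, trustee, rights)] for the D: part only.

    The S: (SACL) part is cut off first: its audit ACEs look like
    (AU;FA;...;;;WD) and must not be read as grants to Everyone.
    """
    sddl = sddl.strip().strip('"')
    start = sddl.find("D:")
    if start < 0:
        raise ValueError("no DACL in SDDL string")
    end = sddl.find("S:", start)
    dacl = sddl[start + 2: end if end >= 0 else None]
    aces = []
    for body in ACE_RE.findall(dacl):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: (" + body + ")")
        ace_type, rights, sid = fields[0], fields[2], fields[5]
        aces.append((ace_type, SID_ALIASES.get(sid, sid),
                     frozenset(split_rights(rights))))
    return aces

def config_writers(sddl):
    """Map trustee -> dangerous rights granted by allow (A) ACEs."""
    out = {}
    for ace_type, trustee, rights in parse_dacl(sddl):
        hit = rights & DANGEROUS
        if ace_type == "A" and hit:
            out.setdefault(trustee, set()).update(hit)
    return out

def findings(sddl, low_priv=LOW_PRIV):
    """Low-privileged trustees that can reconfigure the service."""
    return {t: sorted(r) for t, r in config_writers(sddl).items() if t in low_priv}

def same_dacl(a, b):
    """True if both DACLs hold the same ACEs in the same order."""
    return parse_dacl(a) == parse_dacl(b)

# From the bulletin: ssdpsrv as given to sc sdset and in the security template.
SSDPSRV_SC = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SO)(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;LS)"
SSDPSRV_TEMPLATE = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;PU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;S-1-5-32-549)(A;;CCLCSWRPLORC;;;AU)(A;;RPWPDTRC;;;S-1-5-19)"
# From the bulletin: dhcp on Windows Server 2003, including the S: audit ACE.
DHCP_2003 = "D:(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;NO)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPWPDTLOCRRC;;;SY)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
# Constructed sample: Authenticated Users holds DC (SERVICE_CHANGE_CONFIG).
WEAK_SAMPLE = "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)"

if __name__ == "__main__":
    for name, sddl in [("ssdpsrv", SSDPSRV_SC), ("dhcp (2003)", DHCP_2003),
                       ("constructed weak sample", WEAK_SAMPLE)]:
        print(name, "writers:", sorted(config_writers(sddl)),
              "findings:", findings(sddl))
    print("sc and template forms match:", same_dacl(SSDPSRV_SC, SSDPSRV_TEMPLATE))
```

To audit a live system, pass the string printed by sc sdshow for a service to findings(); only allow ACEs are evaluated, so a DACL that relies on deny ACEs needs manual review.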

FAQ for Permissive Windows Services DACLs could allow elevation of privilege - CVE-2006-0023

What is the scope of this vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could change the default binary that is associated with the affected services. Then an attacker could stop and restart the services to run a malicious program or binary. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

What causes the vulnerability?
On Windows XP Service Pack 1, permissions on the identified Windows services are set by default to a level that may allow a low-privileged user to change properties that are associated with the service. On Windows Server 2003, permissions on the identified services are set to a level that may allow a user who belongs to the Network Configuration Operators group to change properties that are associated with the service.

What might an attacker use the vulnerability to do?
By changing the default associated program that is set to run by an identified service, a low-privileged user may be able to run commands or executables that would normally require higher privileged access.

Who could exploit the vulnerability?
To try to exploit the vulnerability, an attacker must have valid logon credentials to the affected system.

How could an attacker exploit the vulnerability?
To exploit this vulnerability, an attacker would first need valid logon credentials to the affected system. An attacker could then access the affected component and run a standard application that could exploit the vulnerability and gain complete control over the affected system.

What systems are primarily at risk from the vulnerability?
Workstations and servers are both at risk from this vulnerability.

Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by this vulnerability?
No. Windows 98, Windows 98 Second Edition, and Windows Millennium Edition do not contain the affected components.

Is Windows 2000 affected by this vulnerability?
Scenarios have been identified that involve members of the Power User administrative group, but such users should be considered trusted users who have extensive privileges and the ability to change computer-wide settings. For more information about rights that are associated with the Power Users administrative group, see Microsoft Knowledge Base Article 825069. Windows 2000 may become vulnerable if third-party application code is installed that adds services that have overly-permissive access controls.

How do I determine if a third party application is affected?
Users are encouraged to contact their third-party software vendors whose products require services installation to determine if any non-default Windows services are affected. Software developers are encouraged to visit Microsoft Knowledge Base Article 914392 for additional information and best practices on how to apply secure access controls to services.

Could the vulnerability be exploited over the Internet?
No. An attacker must have valid logon credentials to the specific system that is targeted for attack.

What does the update do?
The update changes the default DACLs on Windows XP Service Pack 1 and on Windows Server to the enhanced security DACLs that are used on Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2006-0023.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Security Update Information

Affected Software:

For information about the specific security update for your affected software, click the appropriate link:

Windows Server 2003

Prerequisites
This security update requires a release version of Windows Server 2003.

Inclusion in Future Service Packs:
The update for this issue is included in Windows Server 2003 Service Pack 1.

Installation Information

This security update supports the following setup switches.

| Switch | Description |
|---|---|
| /help | Displays the command-line options |
| Setup Modes | |
| /passive | Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds. |
| /quiet | Quiet mode. This is the same as unattended mode, but no status or error messages are displayed. |
| Restart Options | |
| /norestart | Does not restart when installation has completed |
| /forcerestart | Restarts the computer after installation and forces other applications to close at shutdown without saving open files first. |
| /warnrestart[:x] | Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch. |
| /promptrestart | Displays a dialog box prompting the local user to allow a restart |
| Special Options | |
| /overwriteoem | Overwrites OEM files without prompting |
| /nobackup | Does not back up files needed for uninstall |
| /forceappsclose | Forces other programs to close when the computer shuts down |
| /log:path | Allows the redirection of installation log files |
| /integrate:path | Integrates the update into the Windows source files. These files are located at the path that is specified in the switch. |
| /extract[:path] | Extracts files without starting the Setup program |
| /ER | Enables extended error reporting |
| /verbose | Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly. |

Note You can combine these switches into one command. For backward compatibility, the security update also supports many of the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows Server 2003:

Windowsserver2003-kb914798-x86-enu /quiet

Note Use of the /quiet switch will suppress all messages. This includes suppressing failure messages. Administrators should use one of the supported methods to verify the installation was successful when they use the /quiet switch. Administrators should also review the KB914798.log file for any failure messages when they use this switch.

For information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site. For more information about how to deploy this security update using Windows Server Update Services, visit the Windows Server Update Services Web site. This security update will also be available through the Microsoft Update Web site.

Restart Requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. To help reduce the chance that a reboot will be required, stop all affected services and close all applications that may use the affected files prior to installing the security update. For more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.

Removal Information

This update cannot be removed. To learn more about manually removing the changes made by this update, please see Microsoft Knowledge Base Article 914798.

File Information

As this update is only modifying system properties for the identified services, no new binaries are applied to the system as a result of the update installation.

For more information about this behavior, see Microsoft Knowledge Base Article 824994.

For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.

Verifying that the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you can use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

  • Registry Key Verification

    You may also be able to verify the files that this security update has installed by reviewing the following registry key.

    Windows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; Windows Small Business Server 2003; Windows Server 2003, Enterprise Edition for Itanium-based Systems; and Windows Server 2003, Datacenter Edition for Itanium-based Systems:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB914798\Filelist

    Note This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the security update into the Windows installation source files.

Windows XP

Prerequisites
This security update requires Microsoft Windows XP Service Pack 1. For more information, see Microsoft Knowledge Base Article 322389.

Inclusion in Future Service Packs:
The update for this issue is included in Windows XP Service Pack 2.

Installation Information

This security update supports the following setup switches.

Switch Description
/help Displays the command-line options
Setup Modes
/passive Unattended Setup mode. No user interaction is required, but installation status is displayed. If a restart is required at the end of Setup, a dialog box will be presented to the user with a timer warning that the computer will restart in 30 seconds.
/quiet Quiet mode. This is the same as unattended mode, but no status or error messages are displayed.
Restart Options
/norestart Does not restart when installation has completed
/forcerestart Restarts the computer after installation and forces other applications to close at shutdown without saving open files first.
/warnrestart[:x] Presents a dialog box with a timer warning the user that the computer will restart in x seconds. (The default setting is 30 seconds.) Intended for use with the /quiet switch or the /passive switch.
/promptrestart Displays a dialog box prompting the local user to allow a restart
Special Options
/overwriteoem Overwrites OEM files without prompting
/nobackup Does not back up files needed for uninstall
/forceappsclose Forces other programs to close when the computer shuts down
/log:path Allows the redirection of installation log files
/integrate:path Integrates the update into the Windows source files. These files are located at the path that is specified in the switch.
/extract[:path] Extracts files without starting the Setup program
/ER Enables extended error reporting
/verbose Enables verbose logging. During installation, creates %Windir%\CabBuild.log. This log details the files that are copied. Using this switch may cause the installation to proceed more slowly.

Note You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Microsoft Windows XP:

Windowsxp-kb914798-x86-enu /quiet

Note Use of the /quiet switch will suppress all messages. This includes suppressing failure messages. Administrators should use one of the supported methods to verify the installation was successful when they use the /quiet switch. Administrators should also review the KB914798.log file for any failure messages when they use this switch.

Restart Requirement

This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart. For more information about the reasons why you may be prompted to restart your computer, see Microsoft Knowledge Base Article 887012.

Removal Information

This update cannot be removed. To learn more about manually removing the changes made by this update, please see Microsoft Knowledge Base Article 914798.

As this update is only modifying system properties for the identified services, no new binaries are applied to the system as a result of the update installation.

Verifying that the Update Has Been Applied

  • Microsoft Baseline Security Analyzer

    To verify that a security update has been applied to an affected system, you can use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.

  • Registry Key Verification

    You may also be able to verify the files that this security update has installed by reviewing the following registry key.

    For Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, Windows XP Media Center Edition:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP2\KB914798\Filelist

    Note This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the security update into the Windows installation source files.
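Because this update changes service properties rather than files, and the registry key may be incomplete, a more direct check is to read each service's security descriptor (for example, the SDDL string printed by `sc sdshow <service>`) and confirm that broad groups are no longer granted rights to reconfigure the service. The following Python screen is an added example, not part of the bulletin or of any Microsoft tool. The set of risky rights, the list of broad trustees, and the sample SDDL strings are assumptions constructed for illustration.

```python
import re

# Rights that allow reconfiguring a service or rewriting its DACL or owner.
RISKY = {
    "SERVICE_CHANGE_CONFIG": ("DC", 0x00000002),
    "WRITE_DAC": ("WD", 0x00040000),
    "WRITE_OWNER": ("WO", 0x00080000),
    "GENERIC_ALL": ("GA", 0x10000000),
    "GENERIC_WRITE": ("GW", 0x40000000),
}
# Assumption: trustees this example treats as broad (non-administrative).
BROAD = {
    "AU": "Authenticated Users", "S-1-5-11": "Authenticated Users",
    "WD": "Everyone", "S-1-1-0": "Everyone",
    "BU": "Users", "S-1-5-32-545": "Users",
    "IU": "Interactive", "S-1-5-4": "Interactive",
}

def risky_rights(rights):
    """Names of risky rights in an ACE rights field (token string or hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return sorted(n for n, (_, bit) in RISKY.items() if mask & bit)
    tokens = set(re.findall("..", rights))
    return sorted(n for n, (tok, _) in RISKY.items() if tok in tokens)

def audit_sddl(sddl):
    """(trustee, rights) pairs where an allow ACE in the DACL is too broad."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^)]*\))+)", sddl)
    findings = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue  # other ACE types (such as deny) are not evaluated
        trustee, granted = fields[5], risky_rights(fields[2])
        if trustee in BROAD and granted:
            findings.append((BROAD[trustee], granted))
    return findings

# Constructed sample descriptors, not captured from a real system.
SAMPLES = {
    "ExamplePermissiveSvc": "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)",
    "ExampleHardenedSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "ExampleHexMaskSvc": "O:SYG:SYD:(A;;0x2019f;;;S-1-5-11)",
}

if __name__ == "__main__":
    for name, sddl in SAMPLES.items():
        print(name, audit_sddl(sddl) or "ok")
```

Deny ACEs are ignored, so a finding means the descriptor needs review; it is not a computation of effective access.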

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Andres Tarasco of SIA Group for working with us on Permissive Windows Services DACLs could allow elevation of privilege - CVE-2006-0023

Support:

  • Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.
  • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Software Update Services:

By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.

For more information about how to deploy security updates by using Software Update Services, visit the Software Update Services Web site.

Windows Server Update Services:

By using Windows Server Update Services (WSUS), administrators can quickly and reliably deploy the latest critical updates and security updates for Windows 2000 operating systems and later, Office XP and later, Exchange Server 2003, and SQL Server 2000 onto Windows 2000 and later operating systems.

For more information about how to deploy security updates using Windows Server Update Services, visit the Windows Server Update Services Web site.

Systems Management Server:

Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.

Note SMS uses the Microsoft Baseline Security Analyzer, the Microsoft Office Detection Tool, and the Enterprise Update Scanning Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 March 14, 2006: Bulletin published.
  • V1.1 March 17, 2006: For Windows Server 2003, the file verification section was updated to reflect the appropriate registry key for file detection.
  • V2.0 June 13, 2006: This update has been revised to include updated registry key values for the NetBT, RemoteAccess, and TCPIP services. These values have been modified to be the same as Windows XP Service Pack 2 on Windows XP Service Pack 1 systems, and the same as Windows 2003 Service Pack 1 on Windows 2003 systems with no service pack applied. Customers are encouraged to apply this revised update for additional security from privilege elevation through these services as described in the Vulnerability Details section of this security bulletin.
  • V2.1 June 14, 2006: Bulletin updated to clarify that Windows 2003 systems with no service pack applied are not affected by the June 13, 2006 reissue.
