Security Advisory

Microsoft Security Advisory 2264072

Elevation of Privilege Using Windows Service Isolation Bypass

Published: August 10, 2010

Version: 1.0

General Information

Executive Summary

Microsoft is aware of the potential for attacks that leverage the Windows Service Isolation feature to gain elevation of privilege. This advisory discusses potential attack scenarios and provides suggested actions that can help to protect against this issue. This advisory also offers a non-security update for one of the potential attack scenarios through Windows Telephony Application Programming Interfaces (TAPI).

This issue affects scenarios where untrusted code is being executed within a process owned by the NetworkService account. In these scenarios, it is possible for an attacker to elevate from running processes as the NetworkService account to running processes as the LocalSystem account on a target server. An attacker who successfully elevated to running processes as the LocalSystem account could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Although, in most situations, untrusted code is not running under the NetworkService identity, the following scenarios have been identified as possible exceptions:

  • Systems running Internet Information Services (IIS) in a non-default configuration are at an increased risk, particularly if IIS is running on Windows Server 2003 and Windows Server 2008, because the default worker process identity on these systems is NetworkService.
  • Systems running SQL Server where users are granted SQL Server administrative privileges are at an increased risk.
  • Systems running Windows Telephony Application Programming Interfaces (TAPI) are at an increased risk.

For more detailed information about the above scenarios, see the section, Frequently Asked Questions. For the TAPI scenario, Microsoft is providing a non-security update. For more information about the non-security update, see the section, Frequently Asked Questions specifically about the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability - CVE-2010-1886.

In addition, we are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Advisory Details

Issue References

For more information about this issue, see the following references:

CVE Reference: CVE-2010-1886
Microsoft Knowledge Base Article: 2264072
Microsoft Knowledge Base Article for TAPI non-security update: 982316

Affected and Non-Affected Software

This advisory discusses the following software.

Affected Software
Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista Service Pack 1 and Windows Vista Service Pack 2
Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7 for 32-bit Systems
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems

Frequently Asked Questions

What is the scope of the advisory?
The security advisory addresses the potential for attacks that leverage the Windows Service Isolation feature by helping to clarify the proper use and limits of the Windows Service Isolation feature, and by providing workarounds.

This security advisory also provides notification of an optional, non-security update available for download from the Microsoft Download Center to address an attack vector through Windows Telephony Application Programming Interfaces (TAPI).

Is this a security vulnerability that requires Microsoft to issue a security update?
No. The Windows Service Isolation feature is an optional configuration that some customers may choose to deploy. This feature is not appropriate for all customers. Windows Service Isolation is a defense-in-depth feature and not a proper security boundary and should not be construed as such.

What is the Windows Service Isolation feature?
The Windows Service Isolation feature does not correct a security vulnerability, but instead is a defense-in-depth feature that may be useful for some customers. For instance, service isolation enables access to specific objects without the need to run a high-privilege account or weaken the security protection of the object. By using an access control entry that contains a service SID, a SQL Server service can restrict access to its resources. For more information about this feature and how to appropriately configure it, see Microsoft Knowledge Base Article 2264072.

What is the "impersonate a client after authentication" privilege?
Assigning this privilege to a user allows programs running on behalf of that user to impersonate a client. Requiring this user right for this kind of impersonation prevents an unauthorized user from convincing a client to connect (for example, by remote procedure call (RPC) or named pipes) to a service that they have created and then impersonating that client, which can elevate the unauthorized user's permissions to administrative or system levels.

What is the NetworkService Account?
The NetworkService account is a predefined local account used by the service control manager. It has special privileges on the local computer and acts as the computer on the network. A service that runs in the context of the NetworkService account presents the computer's credentials to remote servers. For more information, see the MSDN article, NetworkService Account.

How is IIS affected by this issue?
Systems running user-provided code in Internet Information Services (IIS) may be affected. For example, ISAPI filters, ISAPI extensions, and ASP.NET code running in full trust may be affected by this vulnerability.

IIS Servers are at a reduced risk to the attacks described in this advisory in the following scenarios:

  • Default Installations of IIS 5.1, IIS 6.0, and IIS 7.0 block the attack vector from anonymous users because, in the default configuration, anonymous uploads are not allowed.
  • All known attack vectors through IIS are blocked where ASP.NET is configured to run with a trust level lower than full trust.

In order to be successful on a Web server, an attacker would first have to add specially crafted Web content to an IIS Web site. An attacker could then use access to this specially crafted Web content to elevate to running processes as LocalSystem.

Normally, untrusted users are not allowed to add Web content to an IIS Web site. However, some Web hosts are more at risk to attacks because they explicitly offer hosting for third-party Web content.

IIS on Windows Server 2003 and Windows Server 2008 may be more at risk to this issue since the default worker process identity is NetworkService.

How could an attacker exploit the issue on an IIS server?
An attacker could upload a specially crafted Web page to a Web site and use access to this page to elevate to running processes as LocalSystem. This can also include uploading specially crafted content to Web sites that accept or host user-provided content or advertisements. It could also be possible to display specially crafted Web content by using banner advertisements or by using other methods to deliver Web content to affected systems.

How is SQL Server affected by this issue?
Systems running SQL Server may be affected if a user is granted SQL Server administrative privileges (which would allow the user to load and run code). A user with SQL Server administrative privileges could run specially crafted code that is used to leverage the attack. However, this privilege is not granted by default.

How could an attacker exploit the issue on a SQL server?
A user with SQL Server administrative privileges could run specially crafted code used to leverage the attack on the affected SQL server.

How is TAPI affected by this issue?
For information on how Windows Telephony Application Programming Interfaces (TAPI) is affected by this issue, refer to the next section, Frequently Asked Questions specifically about the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability - CVE-2010-1886.

What might an attacker use this issue to do?
An attacker who successfully exploited this issue could run specially crafted code in the context of the LocalSystem account. An attacker could then install programs; view, change, or delete data; or create new accounts with full LocalSystem rights.

What systems are primarily at risk from this issue?
All systems running software that is listed in the Overview section are at risk, but Windows XP Professional Service Pack 3 and all supported editions of Windows Server 2003 and Windows Server 2008 running IIS are at an increased risk.

In addition, IIS Web servers that allow users to upload code are at increased risk. This may include Web hosting providers or similar environments.

SQL Server systems are at risk if untrusted users are granted privileged account access.

I am using an older release of the software discussed in this security advisory. What should I do?
The affected software listed in this advisory has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, visit the Microsoft Support Lifecycle Web site.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Lifecycle Supported Service Packs.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Frequently Asked Questions specifically about the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability - CVE-2010-1886

Where can I find the non-security update for this vulnerability?
The update is available for download from the Microsoft Download Center only. For more information about the update, including download links and the changes to behavior, see Microsoft Knowledge Base Article 982316.

What is the Windows Telephony Application Programming Interface (TAPI)?
The TAPI server (TAPISRV) is the central repository of telephony data on a user computer. This service process tracks local and remote telephony resources, applications registered to handle Assisted Telephony requests, and pending asynchronous functions, and it also enables a consistent interface with telephony service providers (TSPs). For more information and a diagram that illustrates the relationship of the TAPI Server to other components and an overview of their roles, see Microsoft Telephony Programming Model.

What causes this threat?
The vulnerability is due to the Windows Telephony Application Programming Interfaces (TAPI) transaction facility allowing the NetworkService token to be obtained and used when making an RPC call.

Is this a security vulnerability that requires Microsoft to issue a security update?
No. This update implements a defense-in-depth change that some customers may choose to deploy. Customers who do not run IIS or SQL, or those who have implemented the workarounds listed below, should evaluate this defense-in-depth update before applying it.

This is a security advisory about a non-security update. Isn’t that a contradiction?
Security advisories address security changes that may not require a security bulletin but may still affect customers' overall security. Security advisories are a way for Microsoft to communicate security-related information to customers about issues that may not be classified as vulnerabilities and may not require a security bulletin, or about issues for which no security bulletin has been released. In this case, we are communicating the availability of an update that affects your ability to perform subsequent updates, including security updates. Therefore, this advisory does not address a specific security vulnerability; rather, it addresses your overall security.

Why is Microsoft issuing an update for this component?
Although this is not a vulnerability that requires a security update to be issued, an attacker could elevate from NetworkService to LocalSystem using the TAPI service, which runs as system. An attacker must already be running with elevated privileges to exploit this issue. This service isolation was implemented as a defense-in-depth measure only and does not constitute a security boundary.

What systems are primarily at risk from this vulnerability?
Systems running Windows Telephony Application Programming Interfaces (TAPI) are primarily at risk. This could include all systems running software that is listed in the Overview section. In addition, Windows XP Professional Service Pack 3 and all supported editions of Windows Server 2003 and Windows Server 2008 running IIS, IIS Web servers that allow users to upload code, and SQL Server systems where untrusted users are granted privileged account access are at an increased risk. This may include Web hosting providers or similar environments.

What might an attacker use this vulnerability to do?
An attacker who successfully exploited this vulnerability could run specially crafted code with system-level privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must already have permissions to execute code as NetworkService in order to successfully exploit this issue.

Mitigating Factors and Suggested Actions

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • The attacker must be able to run code as the NetworkService account on the target system to exploit this vulnerability.
  • IIS servers using the default settings are not affected by this issue.

Workarounds

Workaround refers to a setting or configuration change that does not correct the underlying issue but would help block known attack vectors before a security update is available. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

  • Configure a worker process identity (WPI) for application pools in IIS

    For IIS 6.0, perform the following steps:

    1. In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool and select Properties.
    2. Click the Identity tab and click Configurable. In the User name and Password text boxes, type the user name and password of the account under which you want the worker process to operate.
    3. Add the chosen user account to the IIS_WPG group.

    For IIS 7.0 and above, perform the following steps:

    1. From an elevated command prompt, change to the %systemroot%\system32\inetsrv directory.
    2. Execute the APPCMD.exe command using the following syntax, where string is the name of the application pool; userName:string is the user name of the account assigned to the application pool; and password:string is the password for the account. Enter the command on a single line.
      appcmd set config /section:applicationPools /[name='string'].processModel.identityType:SpecificUser /[name='string'].processModel.userName:string /[name='string'].processModel.password:string
  • Apply the non-security update for CVE-2010-1886

    Apply the non-security update for the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability (CVE-2010-1886) available for download from the Microsoft Download Center only. For more information about the update, including download links and the changes to behavior, see Microsoft Knowledge Base Article 982316.
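
To find the application pools that the worker process identity workaround above applies to, the following added example (not part of the original advisory or any Microsoft tooling) resolves each pool's effective identity from a copy of an IIS 7.x applicationHost.config and lists the pools that still run as NetworkService. The sample configuration, pool names, account name, and the schema_default parameter are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of an IIS 7.x applicationHost.config
# (pool names and the account name are made up for this example).
SAMPLE_CONFIG = """\
<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="DefaultAppPool" />
      <add name="HostedSiteA">
        <processModel identityType="NetworkService" />
      </add>
      <add name="HostedSiteB">
        <processModel identityType="SpecificUser" userName="svc-siteb" />
      </add>
      <applicationPoolDefaults>
        <processModel idleTimeout="00:20:00" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>
"""


def effective_identities(config_xml, schema_default="NetworkService"):
    """Map each application pool name to the identity its worker process runs as.

    Resolution order: the pool's own <processModel>, then
    <applicationPoolDefaults>, then schema_default. schema_default is an
    assumption (the advisory names NetworkService as the default on Windows
    Server 2003 and 2008); set it to match the server being audited.
    """
    root = ET.fromstring(config_xml)
    pools = next(root.iter("applicationPools"), None)
    if pools is None:
        return {}
    defaults = pools.find("applicationPoolDefaults/processModel")
    result = {}
    for pool in pools.findall("add"):
        # Pool-level settings win over the shared defaults element.
        sources = [m for m in (pool.find("processModel"), defaults) if m is not None]
        identity = next((m.get("identityType") for m in sources
                         if m.get("identityType")), schema_default)
        if identity == "SpecificUser":
            user = next((m.get("userName") for m in sources if m.get("userName")), "<unset>")
            identity = "SpecificUser:" + user
        result[pool.get("name")] = identity
    return result


def pools_running_as_networkservice(config_xml, schema_default="NetworkService"):
    """Names of pools that have not yet been given a dedicated account."""
    identities = effective_identities(config_xml, schema_default)
    return sorted(name for name, ident in identities.items() if ident == "NetworkService")


if __name__ == "__main__":
    for name, ident in effective_identities(SAMPLE_CONFIG).items():
        print(f"{name:15} {ident}")
    print("Reconfigure:", pools_running_as_networkservice(SAMPLE_CONFIG))
```

A pool with no identityType of its own is reported with the inherited value, so pools that silently fall back to NetworkService are listed alongside those that set it explicitly.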

Additional Suggested Actions

  • Protect your PC

    We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. Customers can learn more about these steps by visiting Protect Your Computer.

    For more information about staying safe on the Internet, visit Microsoft Security Central.

  • Keep Windows Updated

    All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Windows Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

  • Cesar Cerrudo of Argeniss for working with us on the Windows Telephony Application Programming Interfaces (TAPI) Vulnerability (CVE-2010-1886)

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections Web sites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Support

  • Customers in the United States and Canada can receive technical support from Security Support. For more information about available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
  • Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (August 10, 2010): Advisory published.
