__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

    Vulnerability in Windows [Microsoft Security Advisory (951306)]

April 25, 2008 14:00 GMT                                  Number S-280
______________________________________________________________________________
PROBLEM:       Microsoft is investigating a new public report of a
               vulnerability which could allow elevation of privilege from
               authenticated user to LocalSystem, affecting Windows XP
               Professional Service Pack 2 and all supported versions and
               editions of Windows Server 2003, Windows Vista, and Windows
               Server 2008.

PLATFORM:      Windows XP Professional Service Pack 2
               Windows Server 2003 Service Pack 1 and
                 Windows Server 2003 Service Pack 2
               Windows Server 2003 x64 Edition and
                 Windows Server 2003 x64 Edition Service Pack 2
               Windows Server 2003 with SP1 for Itanium-based Systems and
                 Windows Server 2003 with SP2 for Itanium-based Systems
               Windows Vista and Windows Vista Service Pack 1
               Windows Vista x64 Edition and
                 Windows Vista x64 Edition Service Pack 1
               Windows Server 2008 for 32-bit Systems
               Windows Server 2008 for x64-based Systems
               Windows Server 2008 for Itanium-based Systems

DAMAGE:        Elevation of privilege

SOLUTION:      Please see bulletin below for suggested actions.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Could allow elevation of privilege.
ASSESSMENT:
______________________________________________________________________________
CVSS 2         BASE SCORE: 6.5
               TEMPORAL SCORE: 5.4
               VECTOR: (AV:N/AC:L/Au:S/C:P/I:P/A:P/E:F/RL:OF/RC:C)
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/s-280.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/security/advisory/951306.mspx
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1436
______________________________________________________________________________

[***** Start Microsoft Security Advisory (951306) *****]

Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege

Published: April 17, 2008 | Updated: April 23, 2008

Microsoft is investigating new public reports of a vulnerability which could
allow elevation of privilege from authenticated user to LocalSystem, affecting
Windows XP Professional Service Pack 2 and all supported versions and editions
of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who
allow user-provided code to run in an authenticated context, such as within
Internet Information Services (IIS) and SQL Server, should review this
advisory. Hosting providers may be at increased risk from this elevation of
privilege vulnerability.

Currently, Microsoft is not aware of any attacks attempting to exploit the
potential vulnerability. Upon completion of this investigation, Microsoft will
take the appropriate action to protect our customers, which may include
providing a solution through a service pack, our monthly security update
release process, or an out-of-cycle security update, depending on customer
needs.

General Information

Overview

Purpose of Advisory: To provide customers with the initial notification and
provide additional information regarding the impact to Windows service
accounts. For more information, see the Workarounds and Suggested Actions
sections of the security advisory.
Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

References                      Identification
Microsoft Knowledge Base Article  951306
CVE Reference                     CVE-2008-1436

This advisory discusses the following software.

Related Software
  Windows XP Professional Service Pack 2
  Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
  Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  Windows Server 2003 with SP1 for Itanium-based Systems and
    Windows Server 2003 with SP2 for Itanium-based Systems
  Windows Vista and Windows Vista Service Pack 1
  Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  Windows Server 2008 for 32-bit Systems
  Windows Server 2008 for x64-based Systems
  Windows Server 2008 for Itanium-based Systems

Frequently Asked Questions

What is the scope of the advisory?
This advisory clarifies public reports of a potential vulnerability which could
allow elevation of privilege from authenticated user to LocalSystem, affecting
Windows XP Professional Service Pack 2, Windows Server 2003, Windows Vista, and
Windows Server 2008. The issue affects the software listed in the "Overview"
section.

Is this a security vulnerability that requires Microsoft to issue a security
update?
Upon completion of this investigation, Microsoft will take the appropriate
action to help protect our customers. This may include providing a security
update through our security update release process.

What causes this threat?
Specially crafted code running in the context of the NetworkService or
LocalService accounts may gain access to resources in processes that are also
running as NetworkService or LocalService. Some of these processes may have the
ability to elevate their privileges to LocalSystem, allowing any NetworkService
or LocalService processes to elevate their privileges to LocalSystem as well.

How is IIS affected?
User-provided code running in IIS, for example ISAPI filters and extensions,
and ASP.NET code running in full trust may be affected by this vulnerability.
IIS is not affected in the following scenarios:
  • Default installations of IIS 5.1, IIS 6.0, and IIS 7.0
  • ASP.NET configured to run with a trust level lower than Full Trust
  • Classic ASP code

How is SQL Server affected?
SQL Server is affected if a user is granted administrative privileges to load
and run code. A user with administrative privileges could execute specially
crafted code that could leverage the attack. However, this privilege is not
granted by default.

Are there other vectors that an attacker could leverage?
Yes. On Windows Server 2003, an attacker can leverage the Microsoft Distributed
Transaction Coordinator (MSDTC) service that runs as NetworkService to acquire
a NetworkService token into a process that is running as an identity other than
a service identity. An attacker can then use this NetworkService token to
elevate to System if this process identity possesses the SeImpersonatePrivilege.
This vector does not exist on Windows Server 2008 or Windows Vista.

What additional applications may be affected?
Any process with SeImpersonatePrivilege, as described in Microsoft Knowledge
Base Article 821546, which loads and runs user-provided code may be susceptible
to an elevation of privilege attack as described in this advisory.

What systems are primarily at risk from the vulnerability?
Windows XP Professional Service Pack 2 and all supported versions and editions
of Windows Server 2003, Windows Vista, and Windows Server 2008 may be at risk
if IIS is enabled or SQL Server is installed and configured or deployed in a
vulnerable state as described by this advisory. IIS systems that allow users
to upload code are at increased risk. SQL Server systems are at risk if
untrusted users are granted privileged account access. This may include Web
hosting providers or similar environments.
Suggested Actions

Workarounds

IIS 6.0 - Configure a Worker Process Identity (WPI) for an application pool in
IIS to use a created account in IIS Manager and disable MSDTC

Perform the following steps:
  1. In IIS Manager, expand the local computer, expand Application Pools,
     right-click the application pool and select Properties.
  2. Click the Identity tab and click Configurable. In the User name and
     Password boxes, type the user name and password of the account under
     which you want the worker process to operate.
  3. Add the chosen user account to the IIS_WPG group.

Disabling the Distributed Transaction Coordinator will help protect the
affected system from attempts to exploit this vulnerability. To disable the
Distributed Transaction Coordinator, perform these steps:
  1. Click Start, and then click Control Panel. Alternatively, point to
     Settings, and then click Control Panel.
  2. Double-click Administrative Tools. Alternatively, click Switch to Classic
     View and then double-click Administrative Tools.
  3. Double-click Services.
  4. Double-click Distributed Transaction Coordinator.
  5. In the Startup type list, click Disabled.
  6. Click Stop (if started), and then click OK.

You can also stop and disable the MSDTC service by using the following command
at the command prompt:

    sc stop MSDTC & sc config MSDTC start= disabled

Impact of Workaround: Managing the additional user accounts created in this
workaround results in increased administrative overhead. Depending on the
nature of applications running in this application pool, application
functionality may be affected. An example is Windows Authentication; see
Microsoft Knowledge Base Article 871179. Disabling MSDTC will prevent
applications from using distributed transactions. Disabling MSDTC will prevent
IIS 5.1 from running in Windows XP Professional Service Pack 2 and IIS 6.0
running in IIS 5.0 compatibility mode. Disabling MSDTC will prevent
configuration as well as running of COM+ applications.
IIS 7.0 - Specify a WPI for an application pool in IIS Manager
  1. In IIS Manager, expand the server node, click Application Pools,
     right-click the application pool, and then click Advanced Settings…
  2. Find the Identity entry, and click the … button to open the Application
     Pool Identity dialog box.
  3. Select the Custom account option and click Set to open the Set
     Credentials dialog box. Type in the selected Account name and Password in
     the user name and password text boxes. Retype the Password in the Confirm
     password text box, then click OK.

Note: Application pool identities are dynamically added to the IIS_WPG group
in IIS 7.0 and don't need to be manually added.

Impact of Workaround: Managing the additional user accounts created in this
workaround results in increased administrative overhead. Depending on the
nature of applications running in this application pool, application
functionality may be affected.

IIS 7.0 - Specify a WPI for an application pool using the Command Line utility
APPCMD.exe
  1. From a command prompt, change to the %systemroot%\system32\inetsrv
     directory.
  2. Execute the APPCMD.exe command using the following syntax, entered as a
     single command line, where the string in [name='string'] is the name of
     the application pool, the userName string is the user name of the account
     assigned to the application pool, and the password string is the password
     for the account:

    appcmd set config /section:applicationPools /[name='string'].processModel.identityType:SpecificUser /[name='string'].processModel.userName:string /[name='string'].processModel.password:string

Note: Application pool identities are dynamically added to the IIS_WPG group
in IIS 7.0 and don't need to be manually added.

Impact of Workaround: Managing the additional user accounts created in this
workaround results in increased administrative overhead. Depending on the
nature of applications running in this application pool, application
functionality may be affected.
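As an added example that is not part of the CIAC bulletin or of Microsoft's advisory, the following PowerShell audits the two workaround settings described above on an IIS 7.0 or later host: it lists application pools whose worker process identity is still a shared built-in service account rather than a dedicated custom account, and reports whether the MSDTC service is disabled. It assumes PowerShell 3.0 or later, the WebAdministration module, and an elevated session on the server being checked.

```powershell
# Added audit script; not part of the CIAC bulletin or Microsoft's advisory.
# Assumptions: PowerShell 3.0+, IIS 7.0+ with the WebAdministration module,
# run from an elevated session on the IIS host itself.
Import-Module WebAdministration -ErrorAction Stop

# Built-in identities the advisory describes as sharing a token across all
# processes running under the same account, plus LocalSystem itself.
$SharedIdentities = @('NetworkService', 'LocalService', 'LocalSystem')

function Get-AppPoolIdentityReport {
    # One row per application pool; Finding is non-empty when the pool still
    # runs as a shared built-in account instead of a dedicated custom account.
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $type = [string]$_.processModel.identityType
        $user = if ($type -eq 'SpecificUser') { $_.processModel.userName } else { '' }
        $finding = ''
        if ($SharedIdentities -contains $type) {
            $finding = 'shared service identity; set a dedicated account (advisory workaround)'
        }
        [pscustomobject]@{
            AppPool      = $_.Name
            IdentityType = $type
            UserName     = $user
            Finding      = $finding
        }
    }
}

function Get-MsdtcReport {
    # Win32_Service exposes StartMode on every supported PowerShell version,
    # so the check does not depend on the newer Get-Service StartType property.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
    if (-not $svc) {
        return [pscustomobject]@{ Service = 'MSDTC'; State = 'not installed'; StartMode = ''; Finding = '' }
    }
    $finding = ''
    if ($svc.StartMode -ne 'Disabled' -or $svc.State -ne 'Stopped') {
        $finding = 'MSDTC running or enabled; disable it if distributed transactions and COM+ are not needed'
    }
    [pscustomobject]@{
        Service   = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        Finding   = $finding
    }
}

Get-AppPoolIdentityReport | Format-Table -AutoSize
Get-MsdtcReport | Format-Table -AutoSize
```

Weigh any MSDTC finding against the Impact of Workaround notes above: disabling the service also stops distributed transactions and COM+ applications from working.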
Resources:
  • You can provide feedback by completing the form by visiting Microsoft Help
    and Support: Contact Us.
  • Customers in the United States and Canada can receive technical support
    from Microsoft Product Support Services. For more information about
    available support options, see Microsoft Help and Support.
  • International customers can receive support from their local Microsoft
    subsidiaries. For more information about how to contact Microsoft for
    international support issues, visit International Support.
  • Microsoft TechNet Security provides additional information about security
    in Microsoft products.

Disclaimer:
The information provided in this advisory is provided "as is" without warranty
of any kind. Microsoft disclaims all warranties, either express or implied,
including the warranties of merchantability and fitness for a particular
purpose. In no event shall Microsoft Corporation or its suppliers be liable for
any damages whatsoever including direct, indirect, incidental, consequential,
loss of business profits or special damages, even if Microsoft Corporation or
its suppliers have been advised of the possibility of such damages. Some states
do not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

Revisions:
  • April 17, 2008: Advisory published
  • April 23, 2008: Added clarification to impact of workaround for IIS 6.0

[***** End Microsoft Security Advisory (951306) *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S.
Department of Energy (DOE) and the emergency backup response team for the
National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding member of
FIRST, the Forum of Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer security
teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update