MS-ISAC ADVISORY NUMBER:
2009-022

DATE(S) ISSUED:
4/15/2009

SUBJECT:
Multiple Vulnerabilities in Microsoft Windows Could Allow Privilege Escalation (MS09-012)

OVERVIEW:

Four vulnerabilities have been discovered in Microsoft Windows which could allow for privilege escalation. The issue affects configurations in which untrusted code is allowed to run in a trusted environment, such as a web application or SQL Server running under the NetworkService or LocalService account. An attacker who can already run code in that context, for example through a vulnerable web application, could use these vulnerabilities to obtain a SYSTEM token, execute arbitrary code in the context of SYSTEM, and take full control of the affected machine. An attacker could then install programs; view, change, or delete data; or create new accounts with full system rights.

SYSTEMS AFFECTED:

  • Windows 2000 SP4
  • Windows XP SP2, SP3
  • Windows XP Professional x64 Edition SP1, SP2
  • Windows Server 2003 SP1, SP2
  • Windows Server 2003 Itanium SP1, SP2
  • Windows Vista SP1
  • Windows Vista x64, SP1
  • Windows Server 2008 32-bit
  • Windows Server 2008 x64
  • Windows Server 2008 Itanium

RISK:

Government:
Large and medium government entities: High
Small government entities: High

Businesses:
Large and medium business entities: High
Small business entities: High

Home users: High

DESCRIPTION:
Four vulnerabilities have been discovered in Microsoft Windows that allow for local privilege escalation. None of them is remotely exploitable on its own; each requires the attacker to already be running code on the system, typically as a low-privileged service account.

Windows SeImpersonatePrivilege Local Privilege Escalation Vulnerability
A local privilege escalation vulnerability exists in the way the Microsoft Distributed Transaction Coordinator (MSDTC) allows any process that calls into it to impersonate the NetworkService token.

Windows Thread Pool ACL Local Privilege Escalation Vulnerability
A local privilege escalation vulnerability exists in the way Windows places incorrect Access Control Lists (ACLs) on threads in the current thread pool. An attacker could exploit these incorrect ACLs to gain access to a NetworkService or LocalService token.

Windows RPCSS Service Isolation Local Privilege Escalation Vulnerability
A local privilege escalation vulnerability exists due to the way the RPCSS service improperly isolates processes that run under the NetworkService or LocalService accounts.

Windows WMI Service Isolation Local Privilege Escalation Vulnerability
A local privilege escalation vulnerability exists due to the way the Windows Management Instrumentation (WMI) service improperly isolates processes that run under the NetworkService or LocalService accounts.

An attacker may also be able to leverage these vulnerabilities through a vulnerable web application, because an ASP.NET application running in full trust can call the affected system components directly. It is recommended that applications built in ASP.NET be run in medium trust mode to help mitigate these vulnerabilities. To configure an application to run with medium trust, add the following element to either the application's own Web.config file in the application's virtual root directory or to the machine-level Web.config file (setting it at machine level applies it to every application on the server).

<trust level="Medium" originUrl="" />
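The following PowerShell script is an added example and is not part of the MS-ISAC advisory or of Microsoft's bulletin. It audits the trust element of a Web.config the way a practitioner would after applying the workaround above: it reports the effective trust level (ASP.NET defaults to Full when no trust element applies) and whether a machine-level setting is wrapped in a location element with allowOverride="false", since without that lock an application's own Web.config can raise the level back to Full. The two Web.config samples inside the script are constructed for illustration, and the XPath assumes the configuration element carries no xmlns attribute.

```powershell
# Added example, not part of the MS-ISAC advisory: audit the ASP.NET <trust>
# element of a Web.config. ASP.NET runs an application at Full trust when no
# <trust> element applies, and an application-level Web.config can raise the
# level again unless the machine-level setting is wrapped in
# <location allowOverride="false">. The sample configs below are constructed.

function Test-AspNetTrust {
    param([Parameter(Mandatory = $true)][string]$ConfigXml)

    [xml]$doc = $ConfigXml
    # XPath assumes no xmlns on <configuration>; add a namespace manager if
    # the file declares one.
    $trust = $doc.SelectSingleNode('//system.web/trust')

    $level  = 'Full'      # effective default when no <trust> element exists
    $locked = $false
    if ($trust -ne $null) {
        if ($trust.HasAttribute('level')) { $level = $trust.GetAttribute('level') }
        # Walk up towards the document root looking for a locking <location>.
        $node = $trust.ParentNode
        while ($node -ne $null -and $node.NodeType -eq 'Element') {
            if ($node.Name -eq 'location' -and
                $node.GetAttribute('allowOverride') -eq 'false') {
                $locked = $true
            }
            $node = $node.ParentNode
        }
    }

    if ($level -eq 'Full') {
        $finding = 'Full trust: code in this application can call unmanaged APIs'
    } elseif (-not $locked) {
        $finding = "$level trust, but an application Web.config may override it"
    } else {
        $finding = "$level trust, locked by <location allowOverride=`"false`">"
    }

    New-Object PSObject -Property @{
        Level   = $level
        Locked  = $locked
        Finding = $finding
    }
}

# Constructed sample 1: a machine-level Web.config that locks Medium trust.
$machineConfig = @"
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
"@

# Constructed sample 2: an application that sets itself back to Full trust.
$appConfig = @"
<configuration>
  <system.web>
    <trust level="Full" />
  </system.web>
</configuration>
"@

Test-AspNetTrust $machineConfig
Test-AspNetTrust $appConfig

# Audit real files, for example every Web.config under an IIS site root:
# Get-ChildItem C:\inetpub\wwwroot -Recurse -Filter Web.config |
#     ForEach-Object { Test-AspNetTrust ([IO.File]::ReadAllText($_.FullName)) }
```

The machine-level file for ASP.NET 2.0 lives under %windir%\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config (and the Framework64 directory on x64 systems); applying the trust element there inside a location element with allowOverride="false" is what prevents an individual application from undoing the workaround.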

Successfully exploiting any of these vulnerabilities could allow an attacker to take complete control of the NetworkService or LocalService account. Obtaining a NetworkService or LocalService token is only the first step: the attacker must then locate a SYSTEM token, for example one held by another process or thread running under the same service account, which the service isolation flaws above make reachable. If the attacker finds such a token, they can elevate their privileges to the SYSTEM level. An attacker could then install programs; view, change, or delete files; or create new accounts with full user rights.

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Restrict SQL Server access to trusted users only, so that untrusted users cannot run code under the SQL Server service account.
  • Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Do not run ASP.NET applications in full trust; run them in medium trust as described above.
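The following PowerShell script is an added example and is not part of the MS-ISAC advisory. It is the check an administrator would run after the recommendations above: confirm that the MS09-012 updates are present on the host, and list the services and processes that run as NetworkService or LocalService, since those are the accounts whose tokens the four vulnerabilities expose and therefore the places where untrusted code must not be allowed to run. The KB identifiers in the script are an assumption and are not stated in this advisory; confirm them against the Microsoft bulletin for the specific Windows version before relying on the result.

```powershell
# Added example, not part of the MS-ISAC advisory: check whether the MS09-012
# updates are installed and list what runs as NetworkService or LocalService,
# the accounts whose tokens these vulnerabilities expose. The KB numbers below
# are an assumption; confirm them in the MS09-012 bulletin for the specific
# Windows version before relying on this check.
$Ms09012Kbs = @('KB952004', 'KB956572')

function Get-Ms09012Status {
    param([string[]]$KbIds = $Ms09012Kbs)
    # Win32_QuickFixEngineering lists installed updates (same data as Get-HotFix).
    $installed = Get-WmiObject Win32_QuickFixEngineering |
        ForEach-Object { $_.HotFixID }
    foreach ($kb in $KbIds) {
        New-Object PSObject -Property @{
            KB        = $kb
            Installed = [bool]($installed -contains $kb)
        }
    }
}

function Get-ServiceAccountExposure {
    # Services whose logon account is one of the two targeted accounts.
    # StartName is stored as 'NT AUTHORITY\...' on English systems; adjust
    # the names for localised installations.
    $targets = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')
    Get-WmiObject Win32_Service |
        Where-Object { $targets -contains $_.StartName } |
        Select-Object Name, StartName, State, PathName
}

function Get-ServiceAccountProcesses {
    # Running processes owned by those accounts. IIS worker processes (w3wp.exe)
    # and SQL Server are the usual hosts of untrusted code under these accounts.
    $targets = @('NETWORK SERVICE', 'LOCAL SERVICE')
    Get-WmiObject Win32_Process | ForEach-Object {
        $owner = $_.GetOwner()
        # GetOwner fails (ReturnValue 2) for processes the caller cannot open.
        if ($owner.ReturnValue -eq 0 -and $targets -contains $owner.User) {
            New-Object PSObject -Property @{
                ProcessId = $_.ProcessId
                Name      = $_.Name
                Owner     = "$($owner.Domain)\$($owner.User)"
            }
        }
    }
}

Get-Ms09012Status | Format-Table -AutoSize
Get-ServiceAccountExposure | Format-Table -AutoSize
Get-ServiceAccountProcesses | Format-Table -AutoSize
```

Run the script from an elevated prompt so that GetOwner succeeds for every process; any w3wp.exe or sqlservr.exe that appears in the last table is hosting code under a targeted account and should be reviewed against the trust-level and SQL access recommendations above.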

REFERENCES:

Microsoft:
http://www.microsoft.com/technet/security/Bulletin/ms09-012.mspx
http://www.microsoft.com/technet/security/advisory/951306.mspx

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1436
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0080
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0078

Security Focus:
http://www.securityfocus.com/bid/28833
http://www.securityfocus.com/bid/34443
http://www.securityfocus.com/bid/34444
http://www.securityfocus.com/bid/34442


This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.