TITLE: Microsoft Windows Kernel and LSASS Privilege Escalation Vulnerabilities SECUNIA ADVISORY ID: SA13465 VERIFY ADVISORY: http://secunia.com/advisories/13465/ CRITICAL: Less critical IMPACT: Privilege escalation WHERE: Local system OPERATING SYSTEM: Microsoft Windows 2000 Advanced Server http://secunia.com/product/21/ Microsoft Windows 2000 Datacenter Server http://secunia.com/product/1177/ Microsoft Windows 2000 Professional http://secunia.com/product/1/ Microsoft Windows 2000 Server http://secunia.com/product/20/ Microsoft Windows NT 4.0 Server http://secunia.com/product/18/ Microsoft Windows NT 4.0 Server, Terminal Server Edition http://secunia.com/product/19/ Microsoft Windows Server 2003 Datacenter Edition http://secunia.com/product/1175/ Microsoft Windows Server 2003 Enterprise Edition http://secunia.com/product/1174/ Microsoft Windows Server 2003 Standard Edition http://secunia.com/product/1173/ Microsoft Windows Server 2003 Web Edition http://secunia.com/product/1176/ Microsoft Windows XP Home Edition http://secunia.com/product/16/ Microsoft Windows XP Professional http://secunia.com/product/22/ DESCRIPTION: Cesar Cerrudo has reported two vulnerabilities in Microsoft Windows, allowing malicious, local users to escalate their privileges. 1) The vulnerability is caused due to an unchecked buffer in the handling of data sent through a LPC (Local Procedure Call) port. This can be exploited to cause a buffer overflow and lead to execution of arbitrary code with elevated privileges. 2) The vulnerability is caused due to an error in the validation of identity tokens in LSASS (Local Security Authority Subsystem Service). This can be exploited to gain elevated privileges. SOLUTION: Apply patches. Microsoft Windows NT Server 4.0 (requires Service Pack 6a): http://www.microsoft.com/downloads/details.aspx?FamilyId=325EAA8F-AF09-4839-B9E8-BB218C7A8564 Microsoft Windows NT Server 4.0 Terminal Server Edition (requires Service Pack 6): http://www.microsoft.com/downloads/details.aspx?FamilyId=9823A61F-C69F-403A-BD6A-EF3984BFA2B8 Microsoft Windows 2000 (requires Service Pack 3 or Service Pack 4): http://www.microsoft.com/downloads/details.aspx?FamilyId=EFDEA122-DDA4-40B8-A7AF-9DDCC3870C38 Microsoft Windows XP (requires Service Pack 1 or Service Pack 2): http://www.microsoft.com/downloads/details.aspx?FamilyId=27115D5C-3E4A-4F41-B81E-376AA1CD204F Microsoft Windows XP 64-Bit Edition (requires Service Pack 1): http://www.microsoft.com/downloads/details.aspx?FamilyId=1649AE1E-0ABF-4D31-BE12-3982C5146AE8 Microsoft Windows XP 64-Bit Edition Version 2003 http://www.microsoft.com/downloads/details.aspx?FamilyId=95849AB9-36BF-4A90-BC37-3B4FB6DCDF9A Microsoft Windows Server 2003 http://www.microsoft.com/downloads/details.aspx?FamilyId=AACB97CB-E8F0-461F-B2D2-F1065229B64E Microsoft Windows Server 2003 64-Bit Edition http://www.microsoft.com/downloads/details.aspx?FamilyId=95849AB9-36BF-4A90-BC37-3B4FB6DCDF9A PROVIDED AND/OR DISCOVERED BY: Cesar Cerrudo, Application Security ORIGINAL ADVISORY: MS04-044 (KB885835): http://www.microsoft.com/technet/security/bulletin/ms04-044.mspx ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------