TITLE:
Windows Insecure Service Permissions Privilege Escalation

SECUNIA ADVISORY ID:
SA18756

VERIFY ADVISORY:
http://secunia.com/advisories/18756/

CRITICAL:
Less critical

IMPACT:
Privilege escalation

WHERE:
Local system

OPERATING SYSTEM:
Microsoft Windows XP Professional
http://secunia.com/product/22/
Microsoft Windows XP Home Edition
http://secunia.com/product/16/
Microsoft Windows Server 2003 Web Edition
http://secunia.com/product/1176/
Microsoft Windows Server 2003 Standard Edition
http://secunia.com/product/1173/
Microsoft Windows Server 2003 Enterprise Edition
http://secunia.com/product/1174/
Microsoft Windows Server 2003 Datacenter Edition
http://secunia.com/product/1175/

DESCRIPTION:
Sudhakar Govindavajhala and Andrew W. Appel have reported some
security issues in Microsoft Windows, which can be exploited by
malicious, local users to gain escalated privileges.

Insecure SERVICE_CHANGE_CONFIG permissions on the UPnP, NetBT,
SCardSvr, and SSDP services can be exploited to gain escalated
privileges by changing the associated program set to run by an
identified service.

Successful exploitation allows an arbitrary program to be executed
when an affected service is restarted.

The security issues have been reported in Windows XP SP1 (all listed
services) and Windows Server 2003 (NetBT service).

SOLUTION:
The vendor reports that Windows XP SP2 and Windows Server 2003 SP1
are unaffected.

Windows XP Service Pack 2:
http://www.microsoft.com/windowsxp/sp2/default.mspx

Windows Server 2003 Service Pack 1:
http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx

Various workarounds are also available in the Microsoft security
advisory.

PROVIDED AND/OR DISCOVERED BY:
Sudhakar Govindavajhala and Andrew W. Appel

ORIGINAL ADVISORY:
Microsoft:
http://www.microsoft.com/technet/security/advisory/914457.mspx

Sudhakar Govindavajhala and Andrew W. Appel:
http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf

OTHER REFERENCES:
US-CERT VU#953860:
http://www.kb.cert.org/vuls/id/953860

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------
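
AUDIT EXAMPLE:
The following is an added example, not part of the Secunia advisory or the vendor's guidance. It checks a service security descriptor in SDDL form (as printed by "sc sdshow <service>") for allow entries that give SERVICE_CHANGE_CONFIG, the permission described above, to a broad group. The service names, the sample descriptors and the list of groups treated as low-privileged are constructed assumptions.

```python
import re

# SDDL right codes that include SERVICE_CHANGE_CONFIG (0x0002) on a service:
# DC is the bit itself; GA and GW are generic rights whose service mapping covers it.
CHANGE_CONFIG_CODES = {"DC", "GA", "GW"}
SERVICE_CHANGE_CONFIG, GENERIC_ALL, GENERIC_WRITE = 0x0002, 0x10000000, 0x40000000

# Assumption: SDDL SID aliases this audit treats as low-privileged trustees.
LOW_PRIV = {"AU": "Authenticated Users", "WD": "Everyone", "BU": "Builtin Users",
            "IU": "Interactive", "NU": "Network", "AN": "Anonymous",
            "BG": "Builtin Guests"}

def grants_change_config(rights):
    """True if an ACE rights field (two-letter codes or a hex mask) allows config changes."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return bool(mask & (SERVICE_CHANGE_CONFIG | GENERIC_ALL | GENERIC_WRITE))
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & CHANGE_CONFIG_CODES)

def audit_service_sddl(service, sddl):
    """Return (service, sid_alias, group) for each risky allow ACE in the DACL."""
    if "D:" not in sddl:
        return []
    # Keep only the DACL; the SACL after "S:" holds audit entries, not grants.
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl):
        fields = ace.split(";")
        if len(fields) < 6:
            continue  # malformed entry, skip
        ace_type, _flags, rights, _obj, _inh, sid = fields[:6]
        if ace_type == "A" and sid in LOW_PRIV and grants_change_config(rights):
            findings.append((service, sid, LOW_PRIV[sid]))
    return findings

# Constructed sample descriptors (not captured from any real system).
WEAK = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
        "(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")
HARDENED = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
            "(A;;CCLCSWLOCRRC;;;AU)")
HEXMASK = "D:(A;;0x2009f;;;BU)"

if __name__ == "__main__":
    for name, sd in [("ExampleSvcA", WEAK), ("ExampleSvcB", HARDENED),
                     ("ExampleSvcC", HEXMASK)]:
        print(name, audit_service_sddl(name, sd) or "ok")
```

Any finding means members of that group can change the program the service runs, so the entry should be removed or narrowed to administrators.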