TechNet Home > TechNet Security > Security Advisories

Microsoft Security Advisory (951306)

Vulnerability in Windows Could Allow Elevation of Privilege

Published: April 17, 2008 | Updated: April 23, 2008

Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.

Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

General Information

Overview

Purpose of Advisory: To provide customers with the initial notification and provide additional information regarding the impact to Windows service accounts. For more information, see the Workarounds and Suggested Actions sections of the security advisory.

Advisory Status: Advisory published.

Recommendation: Review the suggested actions and configure as appropriate.

References	Identification
Microsoft Knowledge Base Article	951306
CVE Reference	CVE-2008-1436

This advisory discusses the following software.

Related Software
Windows XP Professional Service Pack 2
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems

Top of section

Frequently Asked Questions

What is the scope of the advisory?
This advisory clarifies public reports of a potential vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2, Windows Server 2003, Windows Vista, and Windows Server 2008. The issue affects the software listed in the “Overview” section.

Is this a security vulnerability that requires Microsoft to issue a security update?
Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our security update release process.

What causes this threat?
Specially crafted code running in the context of the NetworkService or LocalService accounts may gain access to resources in processes that are also running as NetworkService or LocalService. Some of these processes may have the ability to elevate their privileges to LocalSystem, allowing any NetworkService or LocalService processes to elevate their privileges to LocalSystem as well.

How is IIS affected?
User-provided code running in IIS, for example ISAPI filters and extensions, and ASP.NET code running in full trust may be affected by this vulnerability. IIS is not affected in the following scenarios:

•	Default Installations of IIS 5.1, IIS 6.0, and IIS 7.0
•	ASP.NET configured to run with a trust level lower than Full Trust.
•	Classic ASP code

How is SQL Server affected?
SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default.

Are there other vectors that an attacker could leverage?
Yes. On Windows Server 2003, an attacker can leverage the Microsoft Distributed Transaction Coordinator (MSDTC) service that runs as NetworkService to acquire a NetworkService token into a process that is running as an identity other than a service identity. An attacker can then use this NetworkService token to elevate to System if this process identity possesses the SeImpersonatePrivilege. This vector does not exist on Windows Server 2008 or Windows Vista.

What additional applications may be affected?
Any process with SeImpersonatePrivilege, as described in Microsoft Knowledge Base Article 821546, which loads and runs user-provided code may be susceptible to an elevation of privilege attack as described in this advisory.

What systems are primarily at risk from the vulnerability?
Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008 may be at risk if IIS is enabled or SQL Server is installed and configured or deployed in a vulnerable state as described by this advisory. IIS systems that allow users to upload code are at increased risk. SQL Server systems are at risk if untrusted users are granted privileged account access. This may include Web hosting providers or similar environments.

Top of section

Suggested Actions

Workarounds

IIS 6.0 - Configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager and disable MSDTC

Perform the following steps:

1.	In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool and select Properties.
2.	Click the Identity tab and click Configurable. In the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate.
3.	Add the chosen user account to the IIS_WPG group.

Disabling the Distributed Transaction Coordinator will help protect the affected system from attempts to exploit this vulnerability. To disable the Distributed Transaction Coordinator, perform these steps:

1.	Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
2.	Double-click Administrative Tools. Alternatively, click Switch to Classic View and then double-click Administrative Tools.
3.	Double-click Services.
4.	Double-click Distributed Transaction Coordinator.
5.	In the Startup type list, click Disabled.
6.	Click Stop (if started), and then click OK.

You can also stop and disable the MSDTC service by using the following command at the command prompt:

sc stop MSDTC & sc config MSDTC start= disabled

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected. An example is Windows Authentication; see Microsoft Knowledge Base Article 871179. Disabling MSDTC will prevent applications from using distributed transactions. Disabling MSDTC will prevent IIS 5.1 from running in Windows XP Professional Service Pack 2 and IIS 6.0 running in IIS 5.0 compatibility mode. Disabling MSDTC will prevent configuration as well as running of COM+ applications.

Top of section

IIS 7.0 - Specify a WPI for an application pool in IIS Manager

1.	In IIS Manager, expand the server node, click Application Pools, right-click the application pool, and then click Advanced Settings…
2.	.Find the Identity entry, and click the … button to open the Application Pool Identity dialog box.
3.	Select the Custom account option and click Set to open the Set Credentials dialog box. Type in the selected Account name and Password in the user name and password text boxes. Retype the Password in the Confirm password text box, then click OK.

Note Application pool identities are dynamically added to IIS_WPG group in IIS7 and don’t need to be manually added.

Top of section

IIS 7.0 - Specify a WPI for an application pool using the Command Line utility APPCMD.exe

From a command prompt, change to the %systemroot%\system32\inetsrv directory.

Execute the APPCMD.exe command using the following syntax: string is the name of the application pool; Username string is the user name of the account assigned to the application pool; Password string is the password for the account.

appcmd set config /section:applicationPools /
[name='string'].processModel.identityType:SpecificUser /
[name='string'].processModel.userName:string /
[name='string'].processModel.password:string

Note Application pool identities are dynamically added to IIS_WPG group in IIS 7.0 and don’t need to be manually added.

Top of section

Resources:

•	You can provide feedback by completing the form by visiting Microsoft Help and Support: Contact Us.
•	Customers in the United States and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see Microsoft Help and Support.
•	International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit International Support.
•	Microsoft TechNet Security provides additional information about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

•	April 17, 2008: Advisory published
•	April 23, 2008: Added clarification to impact of workaround for IIS 6.0

Top of page