nessus | This script is Copyright (C) 2006-2018 Tenable Network Security, Inc. | SMB_NT_MS06-011.NASL
HistoryMar 14, 2006 - 12:00 a.m.

MS06-011: Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798)

2006-03-14 00:00:00
This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
www.tenable.com
21

CVSS2

4.3

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:S/C:P/I:P/A:P

EPSS

0.001

Percentile

32.5%

The remote version of Windows contains services whose permissions are set in such a way that low-privileged local users may be able to change the properties associated with each service and thereby elevate their privileges.

To exploit this flaw, an attacker would need credentials to log into the remote host.

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Registration branch: when `description` is set, the script only declares its
# metadata (identifiers, references, risk data, dependencies) and then exits
# via exit(0) below without running the check itself.
if (description)
{
 # Plugin identity and revision data.
 script_id(21077);
 script_version("1.26");
 script_cvs_date("Date: 2018/11/15 20:50:29");

 # Cross-references for the finding: CVE, Bugtraq ID, CERT note, Microsoft
 # bulletin and the KB article of the update.
 script_cve_id("CVE-2006-0023");
 script_bugtraq_id(16484);
 script_xref(name:"CERT", value:"953860");
 script_xref(name:"MSFT", value:"MS06-011");
 script_xref(name:"MSKB", value:"914798");

 # The summary states what is actually tested: presence of update 914798.
 script_name(english:"MS06-011: Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798)");
 script_summary(english:"Determines the presence of update 914798");

 script_set_attribute(attribute:"synopsis", value:
"Local users may be able to elevate their privileges on the remote
host.");
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains services whose permissions are
set to such a way that low-privileged local users may be able to
change properties associated to each service and therefore manage to
elevate their privileges.

To exploit this flaw, an attacker would need credentials to log into
the remote host.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2006/ms06-011");
 # NOTE(review): the solution text does not name the update; per the MSKB
 # reference above it is KB 914798 (bulletin MS06-011).
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2003.");
 # CVSS v2 base vector: local access (AV:L), low complexity (AC:L), single
 # authentication (Au:S), partial C/I/A impact. This matches the description's
 # statement that valid login credentials are needed.
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:P/I:P/A:P");
 # CVSS v2 temporal vector: exploitability unproven (E:U), official fix
 # available (RL:OF), report confirmed (RC:C).
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");

 # Timeline: disclosure date, then vendor patch and plugin release on the same day.
 script_set_attribute(attribute:"vuln_publication_date", value:"2006/01/31");
 script_set_attribute(attribute:"patch_publication_date", value:"2006/03/14");
 script_set_attribute(attribute:"plugin_publication_date", value:"2006/03/14");

 # NOTE(review): "local" presumably marks a check that needs authenticated
 # access to the target's patch data rather than a remote probe; confirm.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 # Declared as an information-gathering check.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Prerequisites: the two dependency scripts and the knowledge-base key
 # "SMB/MS_Bulletin_Checks/Possible". The same key is re-checked at the start
 # of the check code after this branch.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 # SMB ports, or the patch-management key as an alternative data source.
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("smb_hotfixes_fcheck.inc");
include("smb_hotfixes.inc");
include("smb_func.inc");


include("misc_func.inc");
# Check logic for MS06-011 / KB 914798.
#
# Caveat for readers of the result: nothing in this script reads service DACLs.
# The finding is derived from whether the update is reported as missing, so it
# reflects patch state and not the permissions actually set on services.

# Stop here unless an earlier script recorded that bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

# Bulletin and KB article evaluated by this check.
bulletin = 'MS06-011';
kb = '914798';
kbs = make_list(kb);

# If patch-management data was collected for the host, pass the bulletin/KB
# pair to the third-party hotfix check with "warning" severity.
if (get_kb_item("Host/patch_management_checks"))
{
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);
}

# Scope gate on OS and service-pack level (Windows XP and Server 2003 only).
# NOTE(review): hotfix_check_sp() comes from an include that is not shown here;
# presumably a positive result means the host is in the affected range. Confirm.
if (hotfix_check_sp(xp:2, win2003:1) <= 0)
{
  exit(0);
}

# Update reported as missing: record it in the knowledge base, add the
# bulletin/KB pair to the report and raise the finding as a warning.
if (hotfix_missing(name:kb) > 0)
{
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_add_report(bulletin:bulletin, kb:kb);
  hotfix_security_warning();
}

CVSS2

4.3

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:S/C:P/I:P/A:P

EPSS

0.001

Percentile

32.5%
