Vulnerability Name:

CVE-2006-0023 (CCN-24463)

Assigned: 2005-11-30
Published: 2006-02-02
Updated: 2018-10-19
Summary: Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs."
Note: the NetBT, SCardSvr, DHCP, and DnsCache services already require privileged access to exploit.
CVSS v3 Severity: 4.8 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L)
Exploitability Metrics:
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:
Scope (S): Unchanged
Impact Metrics:
Confidentiality (C): Low
Integrity (I): Low
Availability (A): Low
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:P/A:P)
3.7 Low (Temporal CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.3 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:P/A:P)
3.7 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:OF/RC:C)
Exploitability Metrics:
Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
Vulnerability Type: CWE-264
Vulnerability Consequences: Gain Privileges
References:
Source: MITRE
Type: CNA
CVE-2006-0023

Source: CCN
Type: SA18756
Windows Insecure Service Permissions Privilege Escalation

Source: SECUNIA
Type: Patch, Vendor Advisory
18756

Source: CCN
Type: SA19238
Avaya Modular Messaging Windows Privilege Escalation Security Issues

Source: SECUNIA
Type: Vendor Advisory
19238

Source: CCN
Type: SA19313
Nortel Centrex IP Client Manager Windows Privilege Escalation

Source: SECUNIA
Type: Vendor Advisory
19313

Source: CCN
Type: SECTRACK ID: 1015595
Microsoft Windows UPnP/NetBT/SCardSvr/SSDP Services May Be Incorrectly Configured By 3rd Party Applications, Allowing Local Users to Gain Elevated Privileges

Source: SECTRACK
Type: UNKNOWN
1015595

Source: CCN
Type: SECTRACK ID: 1015765
Microsoft Windows Services Have Unsafe Default ACLs That Let Remote Authenticated Users Gain Elevated Privileges

Source: SECTRACK
Type: UNKNOWN
1015765

Source: CONFIRM
Type: UNKNOWN
http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm

Source: CCN
Type: ASA-2006-069
Windows Security Updates for March 2006 - (MS06-011 MS06-012)

Source: CCN
Type: Secure Internet Programming laboratory at Princeton University Research Paper - January 31, 2006
Windows Access Control Demystified

Source: MISC
Type: UNKNOWN
http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf

Source: CCN
Type: US-CERT VU#953860
Microsoft Windows privilege escalation vulnerability

Source: CERT-VN
Type: Third Party Advisory, US Government Resource
VU#953860

Source: CCN
Type: Microsoft Security Advisory (914457)
Possible Vulnerability in Windows Service ACLs

Source: MISC
Type: Vendor Advisory
http://www.microsoft.com/technet/security/advisory/914457.mspx

Source: CCN
Type: Microsoft Security Bulletin MS06-011
Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798)

Source: BUGTRAQ
Type: UNKNOWN
20060131 Windows Access Control Demystified

Source: VUPEN
Type: Vendor Advisory
ADV-2006-0417

Source: CCN
Type: Nortel Networks Security Advisory 2006006777
Centrex IP Client Manager (CICM) Response to Microsoft March Security Bulletin

Source: CONFIRM
Type: UNKNOWN
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=391523&RenditionID=

Source: MS
Type: UNKNOWN
MS06-011

Source: XF
Type: UNKNOWN
win-auth-users-insecure-permissions(24463)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1671

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:1696

Vulnerable Configuration:
Configuration 1:
  • cpe:/o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*

Configuration CCN 1:
  • cpe:/o:microsoft:windows_xp:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_2003_server:-::~~~~itanium~:*:*:*:*:*
  • OR cpe:/a:microsoft:windows_2003:*:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:1671 | V | Server 2003 Insecure Default ACLs | 2011-05-16
oval:org.mitre.oval:def:1696 | V | Windows XP Insecure Default ACLs | 2011-05-16
    microsoft windows xp * sp1
    microsoft windows xp * sp2
    microsoft windows xp - sp1
    microsoft windows 2003 server -
    microsoft windows 2003 *