Vulnerability CVE-2008-0074 - CERT Civis.Net

Vulnerability Name:

CVE-2008-0074 (CCN-39235)

Assigned:

2008-02-12

Published:

2008-02-12

Updated:

2021-02-05

Summary:

Unspecified vulnerability in Microsoft Internet Information Services (IIS) 5.0 through 7.0 allows local users to gain privileges via unknown vectors related to file change notifications in the TPRoot, NNTPFile\Root, or WWWRoot folders.

CVSS v3 Severity:

9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Changed
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
5.3 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): None
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-264
CWE-noinfo

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2008-0074

Source: HP
Type: UNKNOWN
HPSBST02314

Source: CCN
Type: SA28849
Microsoft Internet Information Services Privilege Escalation

Source: SECUNIA
Type: UNKNOWN
28849

Source: CCN
Type: SECTRACK ID: 1019384
Microsoft Internet Information Services File Change Notification Bug Lets Local Users Gain Elevated Privileges

Source: CCN
Type: ASA-2008-064
MS08-005 Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)

Source: CCN
Type: Microsoft Security Bulletin MS08-005
Vulnerability in Internet Information Services Could Allow Elevation of Privilege (942831)

Source: BID
Type: UNKNOWN
27101

Source: CCN
Type: BID-27101
Microsoft IIS File Change Notification Local Privilege Escalation Vulnerability

Source: SECTRACK
Type: UNKNOWN
1019384

Source: CERT
Type: US Government Resource
TA08-043C

Source: VUPEN
Type: UNKNOWN
ADV-2008-0507

Source: MS
Type: UNKNOWN
MS08-005

Source: XF
Type: UNKNOWN
iis-rootfolder-privilege-escalation(39235)

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:5389

Vulnerable Configuration:

Configuration 1:

cpe:/a:microsoft:internet_information_services:5.0:*:*:*:*:*:*:*

OR cpe:/a:microsoft:internet_information_services:6.0:*:*:*:*:*:*:*

OR cpe:/a:microsoft:internet_information_server:6.0:beta:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:microsoft:internet_information_server:6.0:*:*:*:*:*:*:*

OR cpe:/a:microsoft:internet_information_server:5.0:::far_east:*:*:*:*

OR cpe:/a:microsoft:internet_information_services:5.1:*:*:*:*:*:*:*

AND

cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:2003_server::x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp:-:sp2:*:*:professional:*:x86:*

OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:*:*:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:*:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:itanium:*:*:*:*:*

OR cpe:/o:microsoft:windows:server_2003:sp2:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_vista:-:*:x64:*:*:*:*:*

OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.mitre.oval:def:5389	V	Internet Information Services Local Privilege Elevation Vulnerability	2011-11-14