Vulnerability Name:

CVE-2008-1436 (CCN-41880)

Assigned:2008-04-17
Published:2008-04-17
Updated:2019-02-26
Summary:Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 do not properly assign activities to the (1) NetworkService and (2) LocalService accounts, which might allow context-dependent attackers to gain privileges by using one service process to capture a resource from a second service process that has a LocalSystem privilege-escalation ability, related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services (IIS), aka Token Kidnapping.
CVSS v3 Severity:7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Changed
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C)
6.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
6.6 Medium (CCN CVSS v2 Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C)
4.9 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:M/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type:CWE-264
Vulnerability Consequences:Gain Privileges
References:Source: CONFIRM
Type: UNKNOWN
http://blogs.technet.com/msrc/archive/2008/04/17/msrc-blog-microsoft-security-advisory-951306.aspx

Source: MITRE
Type: CNA
CVE-2008-1436

Source: MISC
Type: UNKNOWN
http://isc.sans.org/diary.html?storyid=4306

Source: MISC
Type: UNKNOWN
http://milw0rm.com/sploits/2008-Churrasco.zip

Source: MISC
Type: UNKNOWN
http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html

Source: CCN
Type: SA29867
Microsoft Windows Privilege Escalation Vulnerability

Source: SECUNIA
Type: Vendor Advisory
29867

Source: CCN
Type: SECTRACK ID: 1019904
Windows Kernel Bug Lets Local Users Gain LocalSystem Privileges

Source: MISC
Type: UNKNOWN
http://securitywatch.eweek.com/flaws/microsoft_belatedly_admits_to_windows_server_2008_token_kidnapping.html

Source: CCN
Type: ASA-2009-137
MS09-012 Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)

Source: MISC
Type: UNKNOWN
http://www.argeniss.com/research/Churrasco.zip

Source: MISC
Type: UNKNOWN
http://www.argeniss.com/research/TokenKidnapping.pdf

Source: CCN
Type: Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege

Source: CONFIRM
Type: UNKNOWN
http://www.microsoft.com/technet/security/advisory/951306.mspx

Source: CCN
Type: Microsoft Security Bulletin MS09-012
Vulnerabilities in Windows Could Allow Elevation of Privilege (959454)

Source: BUGTRAQ
Type: UNKNOWN
20080419 Token Kidnapping (Microsoft Security Advisory 951306) presentation available

Source: BUGTRAQ
Type: UNKNOWN
20081008 Token Kidnapping Windows 2003 PoC exploit

Source: BID
Type: UNKNOWN
28833

Source: CCN
Type: BID-28833
Microsoft Windows SeImpersonatePrivilege Local Privilege Escalation Vulnerability

Source: SECTRACK
Type: UNKNOWN
1019904

Source: CERT
Type: US Government Resource
TA09-104A

Source: VUPEN
Type: Vendor Advisory
ADV-2008-1264

Source: VUPEN
Type: Vendor Advisory
ADV-2009-1026

Source: MS
Type: UNKNOWN
MS09-012

Source: XF
Type: UNKNOWN
win-msdtc-privilege-escalation(41880)

Source: XF
Type: UNKNOWN
ms-windows-localsystem-privilege-escalation(41880)

Source: CCN
Type: Churrasco GIT Repository
Churrasco/Churrasco.cpp

Source: CCN
Type: Medium Web site
[Windows Privelege Escalation via Token Kidnapping]

Source: CCN
Type: NotSoSecure Web site
Windows 2003 Token Kidnapping Privilege Escalation

Source: OVAL
Type: UNKNOWN
oval:org.mitre.oval:def:5891

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [2008-10-08]

Source: EXPLOIT-DB
Type: UNKNOWN
6705

Vulnerable Configuration:Configuration 1:
  • cpe:/o:microsoft:windows-nt:vista:sp1:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows-nt:vista:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows-nt:vista:sp2:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:*:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:*:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:*:sp1:itanium:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2003:*:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:*:*:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:*:sp2:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/o:microsoft:windows_2000:-:sp4:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server::x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:xp:sp2:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp:::x64:*:professional:*:*:*
  • OR cpe:/o:microsoft:windows:2003_server:sp1_itanium:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:*:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:*:sp2:*:*:*:*:*
  • OR cpe:/o:microsoft:windows:server_2003:*:sp2:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows:server_2003:*:sp2:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows_vista:::~~~~x64~:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_xp::sp2:x64:*:professional:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp1:*:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_vista:-:sp1:x64:*:*:*:*:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:itanium:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x32:*
  • OR cpe:/o:microsoft:windows_server_2008:*:*:*:*:*:*:x64:*
  • OR cpe:/o:microsoft:windows:xp:sp3:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:org.mitre.oval:def:5891 | V | Microsoft Distributed Transaction Coordinator Service Isolation Vulnerability | 2015-08-10
    microsoft windows-nt vista sp1
    microsoft windows-nt vista sp2
    microsoft windows-nt vista sp2
    microsoft windows server 2003 *
    microsoft windows server 2003 * sp1
    microsoft windows server 2003 * sp1
    microsoft windows server 2003 * sp2
    microsoft windows server 2008 *
    microsoft windows server 2008 *
    microsoft windows server 2008 *
    microsoft windows vista *
    microsoft windows vista - sp1
    microsoft windows xp * sp2
    microsoft windows 2000 sp4
    microsoft windows 2003_server
    microsoft windows xp sp2
    microsoft windows 2003_server sp1
    microsoft windows xp
    microsoft windows 2003_server sp1_itanium
    microsoft windows vista
    microsoft windows server_2003
    microsoft windows server_2003
    microsoft windows server_2003
    microsoft windows vista
    microsoft windows xp sp2
    microsoft windows vista sp1
    microsoft windows vista sp1
    microsoft windows server 2008
    microsoft windows server 2008 -
    microsoft windows server 2008 -
    microsoft windows xp sp3