CVE-2006-0023

Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit.

CVSS v2.0 4.3 MEDIUM

4.3^/10

CVSS v2.0 : MEDIUM

Vector : AV:L/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 3.1 / Impact : 6.4

Access Vector LOCAL

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://secunia.com/advisories/18756	Patch Vendor Advisory
http://secunia.com/advisories/19238	Vendor Advisory
http://secunia.com/advisories/19313	Vendor Advisory
http://securitytracker.com/id?1015595
http://securitytracker.com/id?1015765
http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm
http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf
http://www.kb.cert.org/vuls/id/953860	Third Party Advisory US Government Resource
http://www.microsoft.com/technet/security/advisory/914457.mspx	Vendor Advisory
http://www.securityfocus.com/archive/1/423587/100/0/threaded
http://www.vupen.com/english/advisories/2006/0417	Vendor Advisory
http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=391523&RenditionID=
https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-011
https://exchange.xforce.ibmcloud.com/vulnerabilities/24463
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1671
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1696

Configurations

Configuration 1 (hide)

OR	cpe:2.3:o:microsoft:windows_xp::sp1:tablet_pc:::::
	cpe:2.3:o:microsoft:windows_xp::sp2:tablet_pc:::::

History

No history.

Information

Published : 2006-02-08 02:18

Updated : 2024-02-28 10:42

NVD link : CVE-2006-0023

Mitre link : CVE-2006-0023

CVE.ORG link : CVE-2006-0023

JSON object : View

Products Affected

microsoft

windows_xp

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2006-0023", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.3, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 3.1, "obtainUserPrivilege": true, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2006-02-08T02:18:00.000", "references": [{"url": "http://secunia.com/advisories/18756", "tags": ["Patch", "Vendor Advisory"], "source": "secure@microsoft.com"}, {"url": "http://secunia.com/advisories/19238", "tags": ["Vendor Advisory"], "source": "secure@microsoft.com"}, {"url": "http://secunia.com/advisories/19313", "tags": ["Vendor Advisory"], "source": "secure@microsoft.com"}, {"url": "http://securitytracker.com/id?1015595", "source": "secure@microsoft.com"}, {"url": "http://securitytracker.com/id?1015765", "source": "secure@microsoft.com"}, {"url": "http://support.avaya.com/elmodocs2/security/ASA-2006-069.htm", "source": "secure@microsoft.com"}, {"url": "http://www.cs.princeton.edu/~sudhakar/papers/winval.pdf", "source": "secure@microsoft.com"}, {"url": "http://www.kb.cert.org/vuls/id/953860", "tags": ["Third Party Advisory", "US Government Resource"], "source": "secure@microsoft.com"}, {"url": "http://www.microsoft.com/technet/security/advisory/914457.mspx", "tags": ["Vendor Advisory"], "source": "secure@microsoft.com"}, {"url": "http://www.securityfocus.com/archive/1/423587/100/0/threaded", "source": "secure@microsoft.com"}, {"url": "http://www.vupen.com/english/advisories/2006/0417", "tags": ["Vendor Advisory"], "source": "secure@microsoft.com"}, {"url": "http://www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=BLTNDETAIL&DocumentOID=391523&RenditionID=", "source": "secure@microsoft.com"}, {"url": "https://docs.microsoft.com/en-us/security-updates/securitybulletins/2006/ms06-011", "source": "secure@microsoft.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/24463", "source": "secure@microsoft.com"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1671", "source": "secure@microsoft.com"}, {"url": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1696", "source": "secure@microsoft.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka \"Permissive Windows Services DACLs.\" NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit."}, {"lang": "es", "value": "Microsoft Windows XP SP1 y SP2 anteriores a agosto de 2004, y posiblemente otros sistemas operativos y versiones, usa ACLs inseguras por defecto que permiten al grupo Usuarios autentificados ganar privilegios modificando informaci\u00f3n de configuraci\u00f3n cr\u00edtica de los servicios (1) Protocolo de Descubrimiento de Servicio Simple (SSDP) y (2) 'Plug and Play' Universal (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP y (6) servicios DnsCache, tcc \"DACLs de Servicios de Windows Permisivas\". NOTA: Los servicios NetBT, SCardSvr, DHCP, DnsCache ya requer\u00edan acceso privilegiado para acceder a la explotaci\u00f3n."}], "lastModified": "2018-10-19T15:42:05.527", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_xp:*:sp1:tablet_pc:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B9687E6C-EDE9-42E4-93D0-C4144FEC917A"}, {"criteria": "cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FB2BE2DE-7B06-47ED-A674-15D45448F357"}], "operator": "OR"}]}], "sourceIdentifier": "secure@microsoft.com"}