Argeniss Security Advisory

Name: Microsoft Windows weak registry permissions vulnerability
Affected Software: Windows Vista, Windows 2008, Windows 2008 R2, Windows 7
Severity: Medium
Remote exploitable: No
Credits: Cesar Cerrudo
Date: 08/10/2010
Advisory Number: ARG081002

Details:

There is a Tracing functionality used by some Windows applications, including Windows services, that allows logging of debug information. This functionality is not enabled by default; to enable it, certain registry values must be edited under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing key. Windows processes that use this Tracing functionality continuously monitor their associated subkey for changes; when a registry value is modified, the process instantly reads the values. One of those registry values is called FileDirectory and contains a Windows directory name. Setting a named pipe as the FileDirectory value in the registry key makes the process using Tracing access the named pipe and connect to it. Named pipes allow impersonation: a user with impersonation privileges can elevate privileges by impersonating the Local System account (or privileged accounts such as Administrator, etc.) when a service running under the Local System account connects to the pipe. The registry key grants "Set Value" permission to the Users group, so any authenticated user can set arbitrary values.

Vendor status: Microsoft was contacted on 11/30/2009 and after 8 months a patch was released.

Patch Available: http://www.microsoft.com/technet/security/Bulletin/MS10-059.mspx

Links:
http://www.argeniss.com/research/TokenKidnappingRevengePaper.pdf
http://www.argeniss.com/research/Chimichurri.zip

Argeniss - Information Security & Software
*Information Security and Software Experts*
http://www.argeniss.com
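An added audit check for the permission problem described under Details (this is not part of the advisory or of Argeniss' material): it walks HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing and its subkeys and reports every ACE that gives broad principals, such as the Users group, the rights needed to change FileDirectory, so a host whose ACL has not been tightened by the patch can be found during an audit. The principal and right names are standard Windows values; which principals count as "broad" is my assumption.

```powershell
# Added audit script (not from the advisory): report ACEs on the Tracing key and its
# subkeys that grant write rights to broad principals. Run from an elevated prompt so
# every subkey's ACL can be read.
$TracingKey = 'HKLM:\SOFTWARE\Microsoft\Tracing'

# Assumption: these principals should never hold write rights on the Tracing keys.
$BroadPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

# Any of these rights lets a caller set FileDirectory or add a subkey carrying one.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, WriteKey, FullControl'

# The key itself plus everything beneath it (per-process subkeys live here).
$keys = @(Get-Item -Path $TracingKey) + @(Get-ChildItem -Path $TracingKey -Recurse)

$findings = foreach ($key in $keys) {
    $acl = Get-Acl -Path $key.PSPath
    foreach ($ace in $acl.Access) {
        # Only explicit or inherited Allow entries matter for this check.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Keep the ACE only if it carries at least one of the write rights above.
        if ([int]($ace.RegistryRights -band $WriteRights) -eq 0) { continue }
        [pscustomobject]@{
            Key       = $key.Name
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

if ($findings) {
    Write-Warning "Broad principals hold write rights on Tracing keys (MS10-059 missing or ACL regressed):"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No broad-principal write rights found under $TracingKey"
}
```

A finding that shows BUILTIN\Users with SetValue on the parent key, inherited by every subkey, is the exact condition the advisory describes; a host that reports none has the ACL the bulletin's fix establishes.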