CVE-2008-1436

Severity

90%

Complexity

80%

Confidentiality

165%

Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the (1) NetworkService and (2) LocalService accounts, which might allow context-dependent attackers to gain privileges by using one service process to capture a resource from a second service process that has a LocalSystem privilege-escalation ability, related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services (IIS), aka Token Kidnapping.

Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the (1) NetworkService and (2) LocalService accounts, which might allow context-dependent attackers to gain privileges by using one service process to capture a resource from a second service process that has a LocalSystem privilege-escalation ability, related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services (IIS), aka Token Kidnapping.

CVSS 2.0 Base Score 9. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C).

Overview

First reported 17 years ago

2008-04-21 17:05:00

Last updated 6 years ago

2019-02-26 14:04:00

Affected Software

Microsoft Windows Server 2003

Microsoft Windows Server 2003 Service Pack 2

Microsoft Windows Server 2008 Itanium

Windows Server 2008 for 32-bit Systems

Microsoft Windows Server 2008 x64 (64-bit) (intial release)

Microsoft Windows Vista x64 (64-bit)

Microsoft Windows Vista Service Pack 1 (initial release)

Microsoft Windows XP Service Pack 2

References

http://blogs.technet.com/msrc/archive/2008/04/17/msrc-blog-microsoft-security-advisory-951306.aspx

http://isc.sans.org/diary.html?storyid=4306

http://milw0rm.com/sploits/2008-Churrasco.zip

http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html

29867

Vendor Advisory

http://securitywatch.eweek.com/flaws/microsoft_belatedly_admits_to_windows_server_2008_token_kidnapping.html

http://www.argeniss.com/research/Churrasco.zip

http://www.argeniss.com/research/TokenKidnapping.pdf

http://www.microsoft.com/technet/security/advisory/951306.mspx

20080419 Token Kidnapping (Microsoft Security Advisory 951306) presentation available

20081008 Token Kidnapping Windows 2003 PoC exploit

28833

1019904

TA09-104A

US Government Resource

ADV-2008-1264

Vendor Advisory

ADV-2009-1026

Vendor Advisory

MS09-012

ms-windows-localsystem-privilege-escalation(41880)

oval:org.mitre.oval:def:5891

6705

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.