Vulnerabilities > CVE-2007-0211 - Privilege Escalation vulnerability in Microsoft Windows 2003 Server and Windows XP

047910
CVSS 7.2 - HIGH
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
microsoft
nessus

Summary

The hardware detection functionality in the Windows Shell in Microsoft Windows XP SP2 and Professional, and Server 2003 SP1 allows local users to gain privileges via an unvalidated parameter to a function related to the "detection and registration of new hardware."

Vulnerable Configurations

Part Description Count
OS
Microsoft
3

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS07-006.NASL
description: The remote version of Windows contains a version of the Windows Shell that contains a vulnerability in the way it performs detection and registration of new hardware. An authenticated user may exploit this vulnerability to elevate his privileges.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 24330
published: 2007-02-13
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/24330
title: MS07-006: Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255)
code
#
# Tenable Network Security, Inc.
#

include("compat.inc");

# Metadata registration. When `description` is set, this branch only declares
# the plugin's identifiers, references, risk scoring and prerequisites, then
# leaves through exit(0) at the end of the block; none of the detection logic
# below the block runs in that case.
if (description)
{
 script_id(24330);
 script_version("1.29");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 # Cross-references that tie a finding to the advisory, the bulletin and the
 # update it is remediated by (KB 928255).
 script_cve_id("CVE-2007-0211");
 script_bugtraq_id(22481);
 script_xref(name:"MSFT", value:"MS07-006");
 script_xref(name:"MSKB", value:"928255");
 
 script_xref(name:"CERT", value:"240796");

 script_name(english:"MS07-006: Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255)");
 script_summary(english:"Determines the presence of update 928255");

 script_set_attribute(attribute:"synopsis", value:
"Vulnerabilities in the Windows Shell may allow a user to elevate his
privileges.");
 script_set_attribute(attribute:"description", value:
"The remote version of Windows contains a version of the Windows Shell
that contains a vulnerability in the way it performs detection and
registration of new hardware.  An authenticated user may exploit this
vulnerability to elevate his privileges.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2007/ms07-006");
 script_set_attribute(attribute:"solution", value:"Microsoft has released a set of patches for Windows XP and 2003.");
 # CVSS v2 base vector: local access vector, low complexity, no authentication
 # step, complete impact on confidentiality, integrity and availability.
 # Au:N does not contradict "authenticated user" in the description above:
 # in CVSS v2 the Authentication metric counts authentication required beyond
 # the local access that AV:L already presupposes.
 script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
 # Temporal vector: functional exploit code exists (E:F), an official fix is
 # available (RL:OF), and the report is confirmed (RC:C).
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 # Exploit-availability flags; useful as a patch-prioritisation signal.
 # NOTE(review): "exploit_framework_core" presumably marks coverage by a
 # commercial exploitation framework -- confirm against the attribute docs.
 script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"true");
 script_set_attribute(attribute:"exploit_framework_core", value:"true");

 # Disclosure, patch and plugin were all published on the same day.
 script_set_attribute(attribute:"vuln_publication_date", value:"2007/02/13");
 script_set_attribute(attribute:"patch_publication_date", value:"2007/02/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2007/02/13");

 # NOTE(review): plugin_type "local" presumably describes how the check is
 # performed (against host data read with credentials), not the CVSS attack
 # vector -- confirm.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
 script_end_attributes();

 # Registered in the information-gathering category.
 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Prerequisites: two dependency scripts, the KB key
 # "SMB/MS_Bulletin_Checks/Possible", and either an SMB port (139, 445) or
 # the "Host/patch_management_checks" KB entry.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# Detection logic: decides whether update 928255 (MS07-006) is missing by
# inspecting the version of shell32.dll on the target. All helpers used here
# come from the included .inc files, which are not shown on this page, so
# their exact semantics are hedged below.

# Stop unless earlier plugins recorded that bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS07-006';
kb = "928255";

kbs = make_list(kb);
# When the "Host/patch_management_checks" KB entry is set, hand the bulletin
# and KB list to hotfix_check_3rd_party().
# NOTE(review): presumably this path reports from patch-management data and
# does not return to the file check below -- confirm in smb_hotfixes.inc.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);


# The file check needs registry enumeration results and a known Windows
# version in the KB; a missing version exits with code 1.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Scope: Windows XP SP2 and Windows Server 2003 SP0/SP1 only. Any result
# <= 0 from the range helper is audited as "OS/SP not vulnerable".
if (hotfix_check_sp_range(xp:'2', win2003:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

# The share that holds the system root must be accessible, otherwise the
# plugin audits a share failure instead of producing a verdict. A scan
# without sufficient access therefore yields no "not affected" result here.
share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# One shell32.dll check per supported OS / service pack combination
# (5.2 = Server 2003 SP0 and SP1, 5.1 = XP SP2), each in \system32.
# NOTE(review): the version strings are presumably the patched file
# versions, with older files treated as vulnerable -- confirm in
# smb_hotfixes_fcheck.inc. The verdict rests on this file version alone.
if (
  hotfix_is_vulnerable(os:"5.2", sp:0, file:"shell32.dll", version:"6.0.3790.630", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.2", sp:1, file:"shell32.dll", version:"6.0.3790.2867", dir:"\system32", bulletin:bulletin, kb:kb) ||

  hotfix_is_vulnerable(os:"5.1", sp:2, file:"shell32.dll", version:"6.0.2900.3051", dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin in the KB under "SMB/Missing/MS07-006" so
  # other plugins can read it, then report the finding.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_hole();
  # Called on both branches before leaving; presumably releases the
  # file-check session -- confirm.
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  hotfix_check_fversion_end();
  # None of the three checks matched: audit the host as not affected.
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted: 2011-05-09T04:01:27.636-04:00
class: vulnerability
contributors:
  • name: Sudhir Gandhe
    organization: Secure Elements, Inc.
  • name: Robert L. Hollis
    organization: ThreatGuard, Inc.
  • name: Shane Shaffer
    organization: G2, Inc.
definition_extensions:
  • comment: Microsoft Windows XP SP2 or later is installed
    oval: oval:org.mitre.oval:def:521
  • comment: Microsoft Windows XP SP1 (64-bit) is installed
    oval: oval:org.mitre.oval:def:480
  • comment: Microsoft Windows Server 2003 (x86) Gold is installed
    oval: oval:org.mitre.oval:def:165
  • comment: Microsoft Windows Server 2003 SP1 (x86) is installed
    oval: oval:org.mitre.oval:def:565
description: The hardware detection functionality in the Windows Shell in Microsoft Windows XP SP2 and Professional, and Server 2003 SP1 allows local users to gain privileges via an unvalidated parameter to a function related to the "detection and registration of new hardware."
family: windows
id: oval:org.mitre.oval:def:224
status: accepted
submitted: 2007-02-13T14:38:21
title: Vulnerability in Windows Shell Could Allow Elevation of Privilege
version: 71