Microsoft Windows Server 2003/XP Service SERVICE_CHANGE_CONFIG access control
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 5.3 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Microsoft Windows Server 2003/XP. It has been declared as critical. Affected by this issue is some unknown functionality of the component Service Handler. Manipulation of the argument SERVICE_CHANGE_CONFIG leads to an access control weakness. This vulnerability is documented as CVE-2006-0023. The attack requires being on the local network. Additionally, an exploit exists. It is advisable to apply a patch to correct this issue.
Details
A vulnerability, which was classified as critical, has been found in Microsoft Windows Server 2003/XP (Operating System). Affected by this issue is some unknown processing of the component Service Handler. The manipulation of the argument SERVICE_CHANGE_CONFIG with an unknown input leads to an access control vulnerability. Using CWE to declare the problem leads to CWE-264. Impacted are confidentiality, integrity, and availability. CVE summarizes:
Microsoft Windows XP SP1 and SP2 before August 2004, and possibly other operating systems and versions, uses insecure default ACLs that allow the Authenticated Users group to gain privileges by modifying critical configuration information for the (1) Simple Service Discovery Protocol (SSDP), (2) Universal Plug and Play Device Host (UPnP), (3) NetBT, (4) SCardSvr, (5) DHCP, and (6) DnsCache services, aka "Permissive Windows Services DACLs." NOTE: the NetBT, SCardSvr, DHCP, DnsCache already require privileged access to exploit.
The weakness was published on 02/08/2006 by Sudhakar Govindavajhala and Andrew W. Appel as a confirmed bulletin (Technet). The advisory is available for download at microsoft.com. This vulnerability has been tracked as CVE-2006-0023 since 11/30/2005. The exploitation is known to be easy. Access to the local network is required for this attack to succeed. Exploitation requires simple authentication. Technical details as well as an exploit are known. The MITRE ATT&CK project declares the attack technique as T1068.
It is declared as highly functional. The vulnerability scanner Nessus provides a plugin with the ID 21077 (MS06-011: Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows : Microsoft Bulletins and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 90293 (Windows Services DACLs Privilege Escalation (MS06-011)).
Applying a patch is able to eliminate this problem. The bugfix is ready for download at windowsupdate.microsoft.com. A possible mitigation has been published 2 months after the disclosure of the vulnerability.
The vulnerability is also documented in the databases at X-Force (24463), Tenable (21077), SecurityFocus (BID 16484†), OSVDB (23047†) and Secunia (SA19313†). Once again VulDB remains the best source for vulnerability data.
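The CVE text above describes a class of weakness, a service DACL that grants a low-privileged group such as Authenticated Users the SERVICE_CHANGE_CONFIG right, rather than a single bug. The following PowerShell script is an added example written for this page, not code from VulDB, Microsoft or the researchers; it audits service security descriptors for exactly that pattern so a defender can confirm whether a host still carries a permissive ACE after patching. It assumes a Windows host with `sc.exe` on the path; the helper names `Get-ServiceSddl` and `Test-ServiceDacl`, the list of principals and rights treated as risky, and the sample SDDL string are all this example's own choices.

```powershell
# Added example (not from VulDB or Microsoft): audit service DACLs for the weakness
# class behind MS06-011 / CVE-2006-0023, where low-privileged principals such as
# Authenticated Users hold SERVICE_CHANGE_CONFIG on a service.
# Assumptions: Windows host with sc.exe available; the helper names, the principal
# and right lists, and the sample SDDL below are choices made for this example.

# Service-specific right codes as they appear in SDDL printed by `sc.exe sdshow`.
# DC = SERVICE_CHANGE_CONFIG (0x0002), the right named in this entry.
# WD/WO (WRITE_DAC/WRITE_OWNER) and the generic-all/write rights let a caller
# grant itself DC, so they are flagged as well.
$DangerousRights = @('DC', 'WD', 'WO', 'GA', 'GW')

# Well-known SID abbreviations for principals that should not control a service.
# Note that 'WD' is Everyone when it appears in the SID field, but WRITE_DAC when
# it appears in the rights field; the ACE position disambiguates.
$LowPrivPrincipals = @{
    'AU' = 'Authenticated Users'
    'WD' = 'Everyone'
    'BU' = 'Builtin Users'
    'IU' = 'Interactive Users'
    'AN' = 'Anonymous'
}

function Get-ServiceSddl {
    param([Parameter(Mandatory)][string]$ServiceName)
    # sc.exe prints a blank line and then the SDDL string; keep the first non-empty line.
    $out = & sc.exe sdshow $ServiceName 2>$null
    $line = $out | Where-Object { $_ -and $_.Trim() -ne '' } | Select-Object -First 1
    if ($line) { return $line.Trim() }
    return $null
}

function Test-ServiceDacl {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [Parameter(Mandatory)][string]$Sddl
    )
    $findings = @()
    # Only the DACL part (D:...) matters here; drop a trailing SACL (S:...) if present.
    $dacl = ($Sddl -split 'S:')[0]
    # ACE layout: (type;flags;rights;object_guid;inherit_guid;sid)
    foreach ($m in [regex]::Matches($dacl, '\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)')) {
        $type   = $m.Groups[1].Value
        $rights = $m.Groups[3].Value
        $sid    = $m.Groups[6].Value
        if ($type -ne 'A') { continue }                       # only access-allowed ACEs
        if (-not $LowPrivPrincipals.ContainsKey($sid)) { continue }
        if ($rights -like '0x*') { continue }                 # hex masks are not decoded here
        # Rights are written as a run of two-letter codes; split them into pairs.
        $codes = [regex]::Matches($rights, '..') | ForEach-Object { $_.Value }
        $hit = @($codes | Where-Object { $DangerousRights -contains $_ })
        if ($hit.Count -gt 0) {
            $findings += [pscustomobject]@{
                Service   = $ServiceName
                Principal = $LowPrivPrincipals[$sid]
                Rights    = ($hit -join ',')
            }
        }
    }
    return $findings
}

# Constructed sample SDDL (not captured from a real host): the second ACE grants
# Authenticated Users DC, the pattern this entry describes. Expect one finding.
$sampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)'
Test-ServiceDacl -ServiceName 'SampleSvc' -Sddl $sampleSddl | Format-Table -AutoSize

# Live audit of every installed service; services that cannot be queried are skipped.
Get-Service | ForEach-Object {
    $sddl = Get-ServiceSddl -ServiceName $_.Name
    if ($sddl) { Test-ServiceDacl -ServiceName $_.Name -Sddl $sddl }
} | Format-Table -AutoSize
```

The sample run reports `SampleSvc / Authenticated Users / DC`; the built-in SYSTEM and Administrators ACEs are ignored because those principals are expected to hold the right. Run the live audit from an elevated prompt so `sc.exe sdshow` succeeds for every service. Where a finding is confirmed, the vendor update for MS06-011 is the fix for the services it covers; for any other service the descriptor can be rewritten without the offending ACE using `sc.exe sdset`, after which re-running the audit should return nothing.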
Product
Support
- end of life (old version)
Website
- Vendor: https://www.microsoft.com/
- Product: https://www.microsoft.com/en-us/windows
CVSSv3
VulDB Meta Base Score: 5.5
VulDB Meta Temp Score: 5.3
VulDB Base Score: 5.5
VulDB Temp Score: 5.3
Exploiting
Class: Access control
CWE: CWE-264
Physical: Partially
Local: Yes
Remote: Partially
Status: Highly functional
Nessus ID: 21077
Nessus Name: MS06-011: Permissive Windows Services DACLs Could Allow Elevation of Privilege (914798)
Countermeasures
Recommended: Patch
Patch: windowsupdate.microsoft.com
Timeline
- 11/30/2005
- 02/02/2006
- 02/07/2006
- 02/08/2006
- 02/11/2006
- 02/13/2006
- 02/14/2006
- 03/14/2006
- 03/14/2006
- 03/14/2006
- 03/20/2006
- 06/25/2025
Sources
Vendor: microsoft.com
Product: microsoft.com
Advisory: microsoft.com
Researcher: Sudhakar Govindavajhala, Andrew W. Appel
Status: Confirmed
CVE: CVE-2006-0023
GCVE (CVE): GCVE-0-2006-0023
GCVE (VulDB): GCVE-100-2036
X-Force: 24463 - Microsoft Windows XP "Authenticated Users" insecure default permissions, Medium Risk
SecurityFocus: 16484
Secunia: 19313 - Nortel Centrex IP Client Manager Windows Privilege Escalation, Less Critical
OSVDB: 23047 - Microsoft Windows SSDP SERVICE_CHANGE_CONFIG Permission Weakness Privilege Escalation
SecurityTracker: 1015765
Vulnerability Center: 10328 - [MS06-011] Microsoft Windows Insecure Default Permissions to Authenticated Users, Medium
Vupen: ADV-2006-0417
scip Labs: https://www.scip.ch/en/?labs.20161013
Entry
Created: 02/13/2006 12:29
Updated: 06/25/2025 03:50
Changes: 02/13/2006 12:29 (93), 09/05/2019 13:33 (2), 01/19/2025 19:19 (16), 04/22/2025 19:10 (2), 06/25/2025 03:50 (2)