CVE-2008-1436
Published: 2008-04-21
Priority: P274 · critical · 9 (CVSS 2.0)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 36.83% (98.3th percentile)
Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the (1) NetworkService and (2) LocalService accounts, which might allow context-dependent attackers to gain privileges by using one service process to capture a resource from a second service process that has a LocalSystem privilege-escalation ability, related to improper management of the SeImpersonatePrivilege user right, as originally reported for Internet Information Services (IIS), aka Token Kidnapping.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows-nt | — | — |
Detection & IOCs (extracted from sources)
- Monitor for abuse of SeImpersonatePrivilege on service accounts (NetworkService, LocalService): a process running under these accounts acquiring SeImpersonatePrivilege and then impersonating a LocalSystem-level token is the core exploitation pattern for Token Kidnapping.
- Alert on privilege escalation attempts where an authenticated user or service (e.g., IIS worker process) elevates to NetworkService or beyond; monitor IIS-related process trees for unexpected token impersonation.
- The exploit is publicly known as 'Token Kidnapping'; hunt for process injection or handle duplication from NetworkService/LocalService processes targeting SYSTEM-level tokens.
- Affected platforms are specifically Windows XP Professional SP2, Vista, Server 2003, and Server 2008; exploitation requires an authenticated context (e.g., a compromised service account) and is not a remote unauthenticated vector.
- The vulnerability is originally reported in the context of IIS; detection logic should prioritise IIS worker processes (w3wp.exe) as the initial exploitation vector.
CVSS provenance
- nvd · v2.0 · 9.0 · CRITICAL · AV:N/AC:L/Au:S/C:C/I:C/A:C
- vulncheck · 9.0 · CRITICAL
GHSA
ghsa_unreviewed·2022-05-01
CVE-2008-1436 [HIGH] GHSA-wr44-5q83-5vf8: Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 does not properly assign activities to the (1) NetworkService and (2) LocalServ
VulnCheck
Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 Privilege Escalation
vulncheck·2008·CVSS 9.0
CVE-2008-1436 [CRITICAL] Microsoft Windows XP Professional SP2, Vista, and Server 2003 and 2008 Privilege Escalation
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
No detection rules found.
References
- http://blogs.technet.com/msrc/archive/2008/04/17/msrc-blog-microsoft-security-advisory-951306.aspx
- http://isc.sans.org/diary.html?storyid=4306
- http://milw0rm.com/sploits/2008-Churrasco.zip
- http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html
- http://secunia.com/advisories/29867
- http://securitywatch.eweek.com/flaws/microsoft_belatedly_admits_to_windows_server_2008_token_kidnapping.html
- http://www.argeniss.com/research/Churrasco.zip
- http://www.argeniss.com/research/TokenKidnapping.pdf
- http://www.microsoft.com/technet/security/advisory/951306.mspx
- http://www.securityfocus.com/archive/1/491111/100/0/threaded
- http://www.securityfocus.com/archive/1/497168/100/0/threaded
- http://www.securityfocus.com/bid/28833
- http://www.securitytracker.com/id?1019904
- http://www.us-cert.gov/cas/techalerts/TA09-104A.html
- http://www.vupen.com/english/advisories/2008/1264/references
- http://www.vupen.com/english/advisories/2009/1026
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2009/ms09-012
- https://exchange.xforce.ibmcloud.com/vulnerabilities/41880
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5891
- https://www.exploit-db.com/exploits/6705