=====================================================================
                    CERT-Renater

          Information Note No. 2007/VULN364
_____________________________________________________________________

DATE                  : 12/09/2007

HARDWARE PLATFORM(S)  : /

OPERATING SYSTEM(S)   : Systems running Windows Services for UNIX,
                        Windows Server 2003, Windows Vista.

======================================================================
http://www.microsoft.com/technet/security/bulletin/MS07-053.mspx
______________________________________________________________________

MS07-053 Vulnerability in Windows Services for UNIX Could Allow
Elevation of Privilege (939778)

Affected Software:

-Windows Services for UNIX 3.0
-Windows Services for UNIX 3.5
-Windows Server 2003 Service Pack 1 and Server 2003 Service Pack 2
-Windows Server 2003 x64 Edition Service Pack 1 and Windows Server
 2003 x64 Edition Service Pack 2
-Windows Vista
-Windows Vista x64 Edition

Non-Affected Software:

-Windows Services for UNIX 1.0
-Windows Services for UNIX 2.0
-Windows Services for UNIX 2.1
-Windows Services for UNIX 2.2

Full MS07-053 advisory:
http://www.microsoft.com/technet/security/bulletin/MS07-053.mspx

Vulnerability Details:

Windows Services for UNIX Could Allow Elevation of Privilege -
CVE-2007-3036

An elevation of privilege vulnerability exists in Windows Services
for UNIX 3.0, Windows Services for UNIX 3.5, and Subsystem for
UNIX-based Applications, where running certain setuid binary files
could allow an attacker to gain elevation of privilege. An attacker
who successfully exploited this vulnerability could gain elevation of
privilege. An attacker could then install programs or view, change,
or delete data.

Default configurations of Windows 2000 Service Pack 4, Windows XP
Service Pack 2, Windows Server 2003 Service Pack 1, and Windows
Server 2003 Service Pack 2 do not include Windows Services for UNIX
3.0 and Windows Services for UNIX 3.5. Windows Services for UNIX 3.0
and Windows Services for UNIX 3.5 may be optionally installed on
Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows
Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2.

Windows Vista and Windows Server 2003 do not have Subsystem for
UNIX-based Applications enabled by default. Subsystem for UNIX-based
Applications is an optional Windows component for Windows Vista and
Windows Server 2003.

======================================================================

=========================================================
CERT-Renater reference servers

http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44         +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41         +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================