| VID | 28057 |
| Severity | 40 |
| Port | 139,445 |
| Protocol | TCP |
| Class | SMB |
| Detailed Description |
The 'Schedule' registry key is writable by users who are not in the Administrators group. The registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule controls the Schedule service. This service allows administrators to schedule batch jobs to occur at specified times. Since the Schedule service normally runs with SYSTEM privileges, this vulnerability can be used to raise a malicious user's privileges to Administrator.
* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If this condition is not met, the check is not performed, which results in a false negative for all vulnerable hosts.
* Platforms Affected: Windows NT, 2000, XP, 2003, Vista, 7, 2008, 8, 2012 |
| Recommendation |
Remove write access to the Schedule registry key from users who are not in the Administrators group. This requires changing the permissions on the registry key as follows:
1. Open Registry Editor. (From the Windows system Start menu, select Run, type regedt32, and click OK.)
2. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Schedule registry key.
3. From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
4. Remove write access according to your administration policy. |
| Related URL | CVE-1999-0589 (CVE) |
| Related URL | (SecurityFocus) |
| Related URL | 188 (ISS) |
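
To confirm the finding locally before or after changing permissions, the following PowerShell audit lists every Allow entry on the Schedule key that grants write-capable rights to a principal outside a trusted set. It is an added example, not part of the original scanner check; the trusted SID list, the choice of rights treated as "write", and the function name `Get-NonAdminWriteAce` are assumptions to adapt to your administration policy.

```powershell
# Added example: report non-administrative write access on the Schedule key.
$KeyPath = 'HKLM:\System\CurrentControlSet\Services\Schedule'

# Assumption: only these principals are expected to hold write access.
$TrustedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18'        # NT AUTHORITY\SYSTEM
)

# Rights that let a principal change the key, its values, its ACL or its owner.
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'
# ACEs may carry raw GENERIC_WRITE (0x40000000) or GENERIC_ALL (0x10000000)
# bits instead of the specific registry rights, so test for those as well.
$WriteMask = [int]$WriteRights -bor 0x50000000

function Get-NonAdminWriteAce {
    param([string]$Path = $KeyPath)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Registry key not found: $Path"
        return
    }
    $acl = Get-Acl -LiteralPath $Path
    # Request SIDs so the comparison does not depend on localized account names.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (([int]$ace.RegistryRights -band $WriteMask) -eq 0) { continue }
        $sid = $ace.IdentityReference.Value
        if ($TrustedSids -contains $sid) { continue }

        # Resolve the SID to a name for the report; keep the SID if it cannot be resolved.
        try   { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }

        [pscustomobject]@{
            Account   = $name
            Sid       = $sid
            Rights    = $ace.RegistryRights
            Inherited = $ace.IsInherited
        }
    }
}

Get-NonAdminWriteAce | Format-Table -AutoSize
```

No output means no write-capable Allow entries were found outside the trusted set. Entries marked as inherited come from a parent key, so the permission has to be changed there or inheritance adjusted on the Schedule key.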