Microsoft Source Code Analyzer for SQL Injection 1.3 Improper Permissions

Title: Microsoft Source Code Analyzer for SQL Injection 1.3 Improper Permissions
Advisory ID: ZSL-2011-5003
Type: Local
Impact: Privilege Escalation
Risk: (3/5)
Release Date: 16.03.2011
Summary
Microsoft Source Code Analyzer for SQL Injection is a static code analysis tool for finding SQL Injection vulnerabilities in ASP code. Customers can run the tool on their ASP source code to help identify code paths that are vulnerable to SQL Injection attacks.
Description
The package suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the "C" flag (Change(write)) for the "Everyone" group, for the binary file msscasi_asp.exe and the package itself, msscasi_asp_pkg.exe.
Vendor
Microsoft Corporation - http://www.microsoft.com
Affected Version
1.3.30601.30705
Tested On
Microsoft Windows XP Professional SP3 (EN)
Vendor Status
[12.03.2011] Vendor is informed about the issue.
[14.03.2011] Vendor decides not to track the issue stating that it is not a security issue and that the tool is in its BETA stage.
PoC
msscasi_asp.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://support.microsoft.com/kb/954476
[2] http://www.microsoft.com/downloads/en/details.aspx?FamilyId=58A7C46E-A599-4FCB-9AB4-A4334146B6BA&displaylang=en
[3] http://packetstormsecurity.org/files/99394
[4] http://www.exploit-db.com/exploits/16991/
[5] http://securityreason.com/exploitalert/10147
[6] http://xforce.iss.net/xforce/xfdb/66137
[7] http://www.hackerv.com/security/109.html
Changelog
[16.03.2011] - Initial release
[17.03.2011] - Added reference [4] and [5]
[22.03.2011] - Added reference [6] and [7]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk