Microsoft Source Code Analyzer for SQL Injection 1.3 Improper Permissions Vendor: Microsoft Corp. Product web page: http://www.microsoft.com Affected version: 1.3.30601.30705 summary: Microsoft Source Code Analyzer for SQL Injection is a static code analysis tool for finding SQL Injection vulnerabilities in ASP code. Customers can run the tool on their ASP source code to help identify code paths that are vulnerable to SQL Injection attacks. Desc: The package suffers from an elevation of privileges vulnerability which can be used by a simple user that can change the executable file with a binary of choice. The vulnerability exist due to the improper permissions, with the "C" flag (Change(write)) for the "Everyone" group, for the binary file msscasi_asp.exe and the package itself, msscasi_asp_pkg.exe. Tested on: Microsoft Windows XP Professional SP3 (EN) Issue discovered by Gjoko 'LiquidWorm' Krstic liquidworm gmail com Advisory ID: ZSL-2011-5003 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5003.php 12.03.2011 ------------------------------------------- C:\Documents and Settings\User101\Desktop\msaspscan>dir Volume in drive C has no label. Volume Serial Number is 7C64-FE80 Directory of C:\Documents and Settings\User101\Desktop\msaspscan 12.03.2011 02:27