[18919] in bugtraq
Re: Windows and IIS
daemon@ATHENA.MIT.EDU (Jesper M. Johansson)
Thu Feb 1 12:33:05 2001
Message-Id: <005701c08be0$9aefb5f0$a800a8c0@yggdrasil.bu.edu>
Date: Wed, 31 Jan 2001 18:50:34 -0500
Reply-To: "Jesper M. Johansson" <jjohanss@BU.EDU>
From: "Jesper M. Johansson" <jjohanss@BU.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.10.10101291056200.11074-100000@calvin.dogmile.com>
> Source: <++ CmdAsp.asp ++>
Nice coding job!
> During normal webserver operations IIS, by default, impersonates the
> account IUSR_COMPUTER. This account has minimal access rights.
They're not so minimal. It does have access to cmd.exe, which really means
it has too much, IMHO.
> In IIS 5.0 the setting is called
> Application Protection. Application Protection "Low" will result in
> SYSTEM access and Medium or High will result in IWAM_COMPUTER access.
I can't repro this. I get the code to execute, but I cannot repro the
privilege escalation. No matter what application protection level I set this
at I can't get it to execute as anything other than IUSR. I tried on Windows
2000 Pro SP1 and Server. What configurations did you try this on?
> Microsoft has not released an official fix at this time. To block
> this particular exploit, unregister the windows scripting object:
> C:\> regsvr32.exe /u C:\winnt\system32\wshom.ocx
If the privilege escalation can actually happen, then this might be the best
way to block it. Otherwise, the standard security precaution of ensuring
that IUSR and IWAM cannot run the system binaries would suffice. In my
tests, that was enough to block this code. Of course, anyone who can upload
ASP code to your server can probably take over the server a myriad other
ways, such as writing netcat into the temp directory and then executing it,
so this is probably just a very small piece of that much larger security
problem.
Jesper M. Johansson
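
Added example, not part of the original message: one way to audit the precaution described above, that IUSR and IWAM cannot run the system binaries, by parsing ACL listings. It assumes the listings come from `icacls`; the sample output, the host name WEB01, the choice of binaries and the group list are constructed for illustration.

```python
import re
# Constructed sample of `icacls <file>` output; host and account names are made up.
SAMPLE = r"""C:\WINNT\system32\cmd.exe BUILTIN\Users:(RX)
                          BUILTIN\Administrators:(F)

C:\WINNT\system32\cscript.exe WEB01\IUSR_WEB01:(DENY)(RX)
                              BUILTIN\Users:(RX)

C:\WINNT\system32\tftp.exe NT AUTHORITY\SYSTEM:(F)
                           BUILTIN\Administrators:(F)

Successfully processed 3 files; Failed processing 0 files
"""
PATHS = ["C:\\WINNT\\system32\\" + n for n in ("cmd.exe", "cscript.exe", "tftp.exe")]
ACCOUNTS = [r"WEB01\IUSR_WEB01", r"WEB01\IWAM_WEB01"]
# Assumption: groups whose ACEs also apply to the web accounts; adjust per server.
GROUPS = {"everyone", r"builtin\users", r"nt authority\authenticated users"}
EXEC_RIGHTS = {"F", "M", "RX", "X", "GA", "GE"}  # icacls codes that include execute
ACE = re.compile(r"^(.+?):((?:\([^)]*\))+)$")

def parse_icacls(text, paths):
    """Return {path: [(principal, is_deny, rights), ...]} for the listed paths."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        for p in paths:  # a line that begins with an audited path opens a new file
            if line.lower().startswith(p.lower() + " "):
                current, line = p, line[len(p):].strip()
                acls[current] = []
        m = ACE.match(line)
        if current is None or not m:
            continue  # blank lines and the "Successfully processed" summary
        rights = {r.strip() for g in re.findall(r"\(([^)]*)\)", m.group(2))
                  for r in g.split(",")}
        acls[current].append((m.group(1), "DENY" in rights, rights))
    return acls

def can_execute(aces, account):
    """Simplified check: an allow ACE grants execute and no deny ACE removes it."""
    applies = GROUPS | {account.lower()}
    hits = [a for a in aces if a[0].lower() in applies and a[2] & EXEC_RIGHTS]
    return any(not a[1] for a in hits) and not any(a[1] for a in hits)

def audit(text, paths, accounts):
    acls = parse_icacls(text, paths)
    return [(p, a) for p in acls for a in accounts if can_execute(acls[p], a)]

if __name__ == "__main__":
    print("\n".join(f"{a} can execute {p}" for p, a in audit(SAMPLE, PATHS, ACCOUNTS)))
```

On the sample, a deny ACE that names only IUSR still leaves IWAM able to execute through the Users group, so both accounts have to be covered.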