Bugtraq mailing list archives
Re: CmdAsp.asp - What's your exposure?
From: David Litchfield <mnemonix () GLOBALNET CO UK>
Date: Wed, 13 Dec 2000 04:08:46 -0000
CmdAsp.asp - an interactive ASP page command prompt. Check out how vulnerable your IIS web server is to the IUSR_COMPUTER and IWAM_COMPUTER user accounts.
<SNIP>
Part of securing an IIS web server is understanding your exposure to operations performed by IUSR_COMPUTER and IWAM_COMPUTER user accounts and locking them down. These are the accounts under which IIS will execute scripts such as ASP or Perl. These accounts are one of your first defenses in securing your web server.
Actually, in IIS4 processes launched from a wscript.shell object will run as SYSTEM. Any secure install of IIS should've had the wscript.shell ProgID and associated clsid removed from the registry - and wshom.dll - the component that exposes the object deleted. I spoke about this at Blackhat in Amsterdam earlier this year due to the potential damage that could be caused esp. to companies that host others' web sites and allow publishing ASP pages.

In IIS 5, any process started by a wscript.shell object will run in the context of the IWAM_* account and, as Maceo pointed out, even this account has the potential to do "bad things" and hence web admins should assess the risk to their boxes, customers sharing their machines and decide whether to remove wscript from the box.

Cheers,
David Litchfield
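
An audit for the hardening step described in the reply above, added here as an example that is not part of the original post: it follows the ProgID to its CLSID and then to the in-process server file, and reports which links still exist. The function name `Get-ProgIdExposure` is hypothetical, and the script assumes a Windows host with PowerShell and only inspects the registry view of the process it runs in.

```powershell
# Added example (not from the original post). Reports whether a COM ProgID
# still resolves to a component on disk. Function name is hypothetical.
function Get-ProgIdExposure {
    param([string]$ProgId = 'WScript.Shell')

    $hkcr   = 'Registry::HKEY_CLASSES_ROOT'
    $report = [ordered]@{
        ProgId        = $ProgId
        ProgIdPresent = Test-Path -LiteralPath "$hkcr\$ProgId"
        Clsid         = $null
        ClsidPresent  = $false
        ServerPath    = $null
        ServerOnDisk  = $false
    }

    # Step 1: ProgID -> CLSID (default value of the CLSID subkey).
    $clsidRef = "$hkcr\$ProgId\CLSID"
    if (Test-Path -LiteralPath $clsidRef) {
        $report.Clsid = (Get-Item -LiteralPath $clsidRef).GetValue('')
    }

    # Step 2: CLSID -> InprocServer32, the file that exposes the object.
    if ($report.Clsid) {
        $clsidKey = "$hkcr\CLSID\$($report.Clsid)"
        $report.ClsidPresent = Test-Path -LiteralPath $clsidKey
        if (Test-Path -LiteralPath "$clsidKey\InprocServer32") {
            $path = (Get-Item -LiteralPath "$clsidKey\InprocServer32").GetValue('')
            if ($path) {
                $path = $path.Trim('"')
                # A bare file name is assumed here to live in System32.
                if (-not [IO.Path]::IsPathRooted($path)) {
                    $path = Join-Path "$env:SystemRoot\System32" $path
                }
                $report.ServerPath   = $path
                $report.ServerOnDisk = Test-Path -LiteralPath $path
            }
        }
    }

    # The object is reachable by name only if every link is intact.
    $report.ChainIntact = $report.ProgIdPresent -and
                          $report.ClsidPresent -and
                          $report.ServerOnDisk
    [pscustomobject]$report
}

Get-ProgIdExposure | Format-List
```

`ChainIntact : False` means the ProgID no longer resolves to a file in this registry view; on 64-bit hosts, run the same check from a 32-bit PowerShell to cover the 32-bit COM registrations.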