Bugtraq mailing list archives

Re: CmdAsp.asp - What's your exposure?


From: David Litchfield <mnemonix () GLOBALNET CO UK>
Date: Wed, 13 Dec 2000 04:08:46 -0000

CmdAsp.asp - an interactive ASP page command prompt. Check out
how vulnerable your IIS web server is to the IUSR_COMPUTER and
IWAM_COMPUTER user accounts.
<SNIP>
Part of securing an IIS web server is understanding your exposure to
operations performed by IUSR_COMPUTER and IWAM_COMPUTER user accounts
and locking them down. These are the accounts under which IIS will
execute scripts such as ASP or Perl. These accounts are one of your first defenses
in securing your web server.

Actually, in IIS4 processes launched from a wscript.shell object will run as
SYSTEM. Any secure install of IIS should've had the wscript.shell ProgID and
associated clsid removed from the registry - and wshom.dll - the component
that exposes the object deleted. I spoke about this at Blackhat in Amsterdam
earlier this year due to the potential damage that could be caused esp. to
companies that host others' web sites and allow publishing ASP pages. In IIS
5, any process started by a wscript.shell object will run in the context of
the IWAM_* account and, as Maceo pointed out, even this account has the
potential to do "bad things" and hence web admins should assess the risk to
their boxes, customers sharing their machines and decide whether to remove
wscript from the box.
Cheers,
David Litchfield
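
An added example, not part of the original post or thread: a read-only PowerShell audit of the hardening described above, reporting whether the wscript.shell ProgID, its CLSID and the component file behind it are still present. The function name `Get-ComExposure` and the output field names are hypothetical; the component path is read from the registry rather than assumed.

```powershell
# Added example (not from the original post). Read-only: changes nothing.
function Get-ComExposure {
    param([string]$ProgId = 'WScript.Shell')

    $hkcr = 'Registry::HKEY_CLASSES_ROOT'
    $clsid = $null
    $progKey = "$hkcr\$ProgId\CLSID"
    $progIdPresent = Test-Path -LiteralPath $progKey
    if ($progIdPresent) {
        # Default value of <ProgID>\CLSID is the class id string.
        $clsid = (Get-Item -LiteralPath $progKey).GetValue('')
    }
    else {
        # ProgID gone: the post says the CLSID should be removed as well,
        # so look for a class entry left behind that still names the ProgID.
        foreach ($k in Get-ChildItem -LiteralPath "$hkcr\CLSID" -ErrorAction SilentlyContinue) {
            $vi = "$hkcr\CLSID\$($k.PSChildName)\VersionIndependentProgID"
            if ((Test-Path -LiteralPath $vi) -and
                ((Get-Item -LiteralPath $vi).GetValue('') -eq $ProgId)) {
                $clsid = $k.PSChildName; break
            }
        }
    }

    $serverPath = $null; $fileExists = $false
    if ($clsid) {
        # InprocServer32 default value is the path of the component file.
        $srvKey = "$hkcr\CLSID\$clsid\InprocServer32"
        if (Test-Path -LiteralPath $srvKey) {
            $raw = (Get-Item -LiteralPath $srvKey).GetValue('')
            if ($raw) {
                $serverPath = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                $fileExists = Test-Path -LiteralPath $serverPath -PathType Leaf
            }
        }
    }

    [pscustomobject]@{
        ProgId              = $ProgId
        ProgIdPresent       = $progIdPresent
        Clsid               = $clsid
        ServerPath          = $serverPath
        ServerFileExists    = $fileExists
        RegistrationRemoved = -not ($progIdPresent -or $clsid)
    }
}

Get-ComExposure | Format-List
```

Once both registry entries are gone the script has no path to resolve, so confirm separately that the component file itself was deleted.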

