Dailydave mailing list archives
MS08-006 under rated?
From: Cesar <sqlsec () yahoo com>
Date: Wed, 13 Feb 2008 15:41:43 -0800 (PST)
From http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx:

"A remote code execution vulnerability exists in the way that Internet Information Services handles input to ASP Web pages. An attacker could exploit the vulnerability by passing malicious input to a Web site's ASP page. An attacker who successfully exploited this vulnerability could then perform any actions on the IIS Server with the same rights as the Worker Process Identity (WPI), which by default is configured with Network Service account privileges."

And then in Mitigating factors:

"On supported editions of Windows Server 2003, if IIS is enabled and classic ASP is used, an attacker who successfully exploited this vulnerability could only obtain Network Service account privileges by default. By default, Network Service account privileges have the same user rights as an authenticated user."

The thing is that in Windows XP and Windows 2003 the services security architecture has some weaknesses, and any process running as Local Service or Network Service can execute code as Local System (there are other design problems that also allow elevation of privileges, but this problem is enough for making the point). MS knows about this, since they have fixed some weaknesses in Windows Vista and Windows 2008 (btw: these versions still have some problems). Because of these problems in Windows XP and Windows 2003, if you can run code from IIS, no matter what account the code is run under (the account only needs to have impersonation rights; any account used for the IIS worker process can impersonate, since the account must be a member of the IIS_WPG group, which can impersonate), it can always elevate privileges to Local System. On Windows 2008, if you can run code under Local Service or Network Service then you also can run code as Local System, except in some specific (not common) scenarios.

Based on all this I wonder why MS mentions Network Service account privileges as a mitigating factor, since Network Service = Local System? I'm sorry I can't give technical details at this moment; all details will be presented at HITB Dubai. This post is not for promoting my presentation, this is just to let people know the truth and that they should try to patch ASAP, since ASP is still being used in thousands of sites. This is a "pre-auth remote system compromise" vulnerability.

BTW: the weaknesses that I'm talking about aren't simple issues like impersonating when a user authenticates to IIS (which, btw, hasn't been mentioned in the advisory either), i.e. an administrator authenticates to IIS so the worker process can impersonate it and elevate privileges. The weaknesses I'm talking about can be exploited all the time without special settings or user interaction.

Thanks.

PS: And yes, if you provide hosting on IIS you can have problems: if users can upload .asp or .aspx files to your IIS then it is not your server anymore, but I'm not saying anything new: "Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more" http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true

Cesar.
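The post's point rests on two facts about the worker process identity: it holds impersonation rights, and on IIS 6 it must be a member of IIS_WPG. As an added example (not part of Cesar's post or of any Microsoft tooling), the following PowerShell audit script lets an administrator see exactly which accounts on a host hold SeImpersonatePrivilege and who sits in IIS_WPG, which is the information needed to judge how much the "Network Service only" mitigation is worth on a given server. It assumes a Windows host with secedit.exe available and, for the group listing, IIS 6 (the IIS_WPG group name is specific to that version; it is an assumption that the group exists on the host being audited).

```powershell
# Added example (not from the original post): audit the accounts that could
# run as an IIS worker process identity and hold impersonation rights.
# Assumptions: secedit.exe is present (standard on Windows), and the host
# runs IIS 6, where worker process identities are members of IIS_WPG.

$exportPath = Join-Path $env:TEMP "secpol-export.inf"

# Export the local security policy; the [Privilege Rights] section lists
# each user right with the SIDs (prefixed with *) or names that hold it.
secedit /export /cfg $exportPath /quiet | Out-Null

$policy = Get-Content $exportPath
$impersonateLine = $policy | Where-Object { $_ -match '^SeImpersonatePrivilege\s*=' }

$holders = @()
if ($impersonateLine) {
    $rhs = ($impersonateLine -split '=', 2)[1].Trim()
    $holders = $rhs -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}

# Resolve SIDs to account names where the host can translate them.
Write-Output "Accounts holding SeImpersonatePrivilege:"
foreach ($holder in $holders) {
    $display = $holder
    if ($holder -match '^S-1-') {
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($holder)
            $display = "$holder ($($sid.Translate([System.Security.Principal.NTAccount]).Value))"
        } catch {
            # Leave the raw SID if it cannot be resolved on this host.
        }
    }
    Write-Output "  $display"
}

# Worker process identity group on IIS 6. On later IIS versions the group
# name differs, so this listing may simply report that the group is missing.
Write-Output ""
Write-Output "Members of IIS_WPG (IIS 6 worker process identities):"
net localgroup IIS_WPG

Remove-Item $exportPath -ErrorAction SilentlyContinue
```

Run it from an elevated PowerShell prompt, since secedit needs administrative rights to export the policy. Any account that appears in both lists is a worker process identity that the post argues should be treated as equivalent to Local System for risk purposes on Windows XP and Windows 2003, regardless of how the bulletin phrases the mitigation.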
Current thread:
- MS08-006 under rated? Cesar (Feb 14)
- Re: MS08-006 under rated? Nicolas RUFF (Feb 14)
- Re: MS08-006 under rated? Andrey Kolishchak (Feb 14)
- Re: MS08-006 under rated? H D Moore (Feb 14)
- <Possible follow-ups>
- Re: MS08-006 under rated? Cesar (Feb 14)
- Re: MS08-006 under rated? Cesar (Feb 14)
- Re: MS08-006 under rated? Andrey Kolishchak (Feb 14)