Dailydave mailing list archives

MS08-006 under rated?


From: Cesar <sqlsec () yahoo com>
Date: Wed, 13 Feb 2008 15:41:43 -0800 (PST)

From http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx
"A remote code execution vulnerability exists in the way that Internet Information Services handles input to ASP Web 
pages. An attacker could exploit the vulnerability by passing malicious input to a Web site’s ASP page. An attacker who 
successfully exploited this vulnerability could then perform any actions on the IIS Server with the same rights as the 
Worker Process Identity (WPI), which by default is configured with Network Service account privileges."

And then in Mitigating factors:

"On supported editions of Windows Server 2003, if IIS is enabled and classic ASP is used, an attacker who successfully 
exploited this vulnerability could only obtain Network Service account privileges by default. By default, Network 
Service account privileges have the same user rights as an authenticated user."


The thing is that in Windows XP and Windows 2003 the services security architecture has some weaknesses, and any process 
running as Local Service or Network Service can execute code as Local System (there are other design problems that also 
allow elevation of privileges, but this problem is enough for making the point). MS knows about this since they have 
fixed some weaknesses in Windows Vista and Windows 2008 (btw: these versions still have some problems). Because of these 
problems in Windows XP and Windows 2003, if you can run code from IIS, no matter what account the code is run under (the 
account only needs to have impersonation rights; any account used for the IIS worker process can impersonate since the 
account must be a member of the IIS_WPG group, which can impersonate), it can always elevate privileges to Local System. 
On Windows 2008, if you can run code under Local Service or Network Service then you also can run code as Local System, 
except in some specific (not common) scenarios. Based on all this I wonder why MS mentions Network Service account 
privileges as a mitigating factor, since Network Service = Local System?


I'm sorry I can't give technical details at this moment, all details will be presented at HITB Dubai.

This post is not for promoting my presentation; this is just to let people know the truth and that they should try 
to patch ASAP since ASP is still being used in thousands of sites. This is a "pre-auth remote system compromise" 
vulnerability.

BTW: the weaknesses that I'm talking about aren't simple issues like impersonating when a user authenticates to IIS, 
which btw hasn't been mentioned in the advisory either, i.e.: an administrator authenticates to IIS so the worker process can 
impersonate it and elevate privileges. 
The weaknesses I'm talking about can be exploited all the time, without special settings or user interaction.


Thanks.

PS: And yes, if you provide hosting on IIS you can have problems; if users can upload .asp or .aspx files to your IIS 
then it is not your server anymore, but I'm not saying anything new:
"Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more"
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true


Cesar.

