Dailydave mailing list archives
Re: MS08-006 under rated?
From: Andrey Kolishchak <gsw () gentlesecurity com>
Date: Thu, 14 Feb 2008 14:26:32 +0100
Dear Cesar, well, we have an advisory on this: http://www.gentlesecurity.com/adv04302006.html. And we also have a demo that elevates IIS's NetworkService up to LocalSystem. The exploit targets RpcSs, which also runs on behalf of NetworkService and _always_ (no special actions required) contains token handles for LocalSystem. The tokens are the result of impersonation of privileged clients heavily using RPCs. The attack just enumerates all handles in the RpcSs process, finds those with LocalSystem privileges and impersonates a thread with that token.

The problem is that there are many other services that run on behalf of the NetworkService or LocalService accounts. And some of these services have to impersonate privileged clients, such as RpcSs. So you just break into one of the services and are able to compromise all others. Microsoft's decision to run RpcSs as NetworkService has, in fact, weakened the configuration. RpcSs running on behalf of LocalSystem would be more secure, as other NetworkService processes would not be able to attack it.

The issue with services is partly addressed in Windows Vista, where process objects might be owned by a unique service SID, symbolic: NT Service\ServiceName. However, that is not enabled for all services by default. Not even all services coming with Vista support unique service SIDs. <http://www.gentlesecurity.com/blog/andr/cracking_windows_access_control.pdf>

I guess you are mentioning the same problem, and I would be interested to hear more about it if that is something new. But NetworkService is particularly dangerous, even without this problem. NetworkService has permissions to issue SIO_RCVALL on sockets and sniff the machine's network traffic (note, no additional driver is required).

Andrey.
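As an added defender-side example (not part of Andrey's or Cesar's messages, and not code from Gentle Security), the following PowerShell script audits a Windows host for the condition discussed above: it lists every service that runs under the shared NetworkService or LocalService accounts and reports whether each one has been given a per-service SID (the Vista-era "NT Service\ServiceName" identity). It assumes Windows Vista/Server 2008 or later, where `sc.exe qsidtype` exists, and Windows PowerShell 3.0 or later for `Get-CimInstance`; the `SERVICE_SID_TYPE:` output line it parses is the format that `sc.exe` prints on those systems.

```powershell
# Added example: audit services that run under the shared service accounts
# and show whether each has a unique per-service SID (NONE / UNRESTRICTED / RESTRICTED).
# Assumes Windows Vista / Server 2008 or later (sc.exe qsidtype) and PowerShell 3.0+.

# The two shared accounts that Andrey's message singles out.
$sharedAccounts = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\LocalService')

function Get-ServiceSidType {
    param([Parameter(Mandatory)][string]$Name)
    # sc.exe qsidtype prints a line such as "SERVICE_SID_TYPE: UNRESTRICTED".
    # A value of NONE means the service has no per-service SID and shares
    # its identity with every other service running under the same account.
    $out = & sc.exe qsidtype $Name 2>&1
    foreach ($line in $out) {
        if ($line -match 'SERVICE_SID_TYPE:\s*(\w+)') { return $Matches[1] }
    }
    return 'UNKNOWN'   # e.g. access denied or an older OS without SID types
}

function Get-SharedAccountServices {
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $sharedAccounts -contains $_.StartName } |
        ForEach-Object {
            [PSCustomObject]@{
                Name    = $_.Name
                Account = $_.StartName
                State   = $_.State
                SidType = Get-ServiceSidType -Name $_.Name
            }
        } | Sort-Object Account, Name
}

$report = Get-SharedAccountServices
$report | Format-Table -AutoSize

# Summarise how many shared-account services still lack a per-service SID;
# each of these shares its identity with every other service on the same account.
$withoutSid = @($report | Where-Object { $_.SidType -eq 'NONE' })
Write-Host ("{0} of {1} shared-account services have no per-service SID." -f
    $withoutSid.Count, @($report).Count)
```

Run it from an elevated prompt so that `sc.exe qsidtype` can query every service. Services reported as `NONE` are the ones whose process objects are protected only by the shared account identity that Andrey describes; `sc.exe sidtype <ServiceName> unrestricted` assigns a per-service SID, but, as the message notes, a service must actually be written to work with its own SID, so test the change rather than applying it blindly to third-party services.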
From http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx "A remote code execution vulnerability exists in the way that Internet Information Services handles input to ASP Web pages. An attacker could exploit the vulnerability by passing malicious input to a Web site’s ASP page. An attacker who successfully exploited this vulnerability could then perform any actions on the IIS Server with the same rights as the Worker Process Identity (WPI), which by default is configured with Network Service account privileges."
And then in Mitigating factors:
"On supported editions of Windows Server 2003, if IIS is enabled and classic ASP is used, an attacker who successfully exploited this vulnerability could only obtain Network Service account privileges by default. By default, Network Service account privileges have the same user rights as an authenticated user."
The thing is that in Windows XP and Windows 2003 the services security architecture has some weaknesses and any process running as Local Service or Network Service can execute code as Local System (there are other design problems that also allow elevation of privileges, but this problem is enough for making the point). MS knows about this since they have fixed some weaknesses in Windows Vista and Windows 2008 (btw: these versions still have some problems).

Because of these problems in Windows XP and Windows 2003, if you can run code from IIS, no matter what account the code is run under (the account only needs to have impersonation rights; any account used for the IIS worker process can impersonate, since the account must be a member of the IIS_WPG group, which can impersonate), it always can elevate privileges to Local System. On Windows 2008, if you can run code under Local Service or Network Service then you also can run code as Local System, except in some specific (not common) scenarios.

Based on all this I wonder why MS mentions Network Service account privileges as a mitigating factor, since Network Service=Local System?
I'm sorry I can't give technical details at this moment, all details will be presented at HITB Dubai.
This post is not for promoting my presentation; this is just to let the people know the truth and that they should try to patch ASAP, since ASP is still being used in thousands of sites. This is a "pre auth remote system compromise" vulnerability.
BTW: the weaknesses that I'm talking about aren't simple issues like impersonating when a user authenticates to IIS, which btw hasn't been mentioned in the advisory either, i.e.: an administrator authenticates to IIS so the worker process can impersonate it and elevate privileges. The weaknesses I'm talking about can be exploited all the time, without special settings or user interaction.
Thanks.
PD: And yes, if you provide hosting on IIS you can have problems; if users can upload .asp or .aspx files to your IIS then it is not your server anymore, but I'm not saying anything new: "Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more" http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true
Cesar.
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- MS08-006 under rated? Cesar (Feb 14)
- Re: MS08-006 under rated? Nicolas RUFF (Feb 14)
- Re: MS08-006 under rated? Andrey Kolishchak (Feb 14)
- Re: MS08-006 under rated? H D Moore (Feb 14)
- <Possible follow-ups>
- Re: MS08-006 under rated? Cesar (Feb 14)
- Re: MS08-006 under rated? Cesar (Feb 14)
- Re: MS08-006 under rated? Andrey Kolishchak (Feb 14)