Dailydave mailing list archives

Re: MS08-006 under rated?


From: Andrey Kolishchak <gsw () gentlesecurity com>
Date: Thu, 14 Feb 2008 14:26:32 +0100

Dear Cesar,

well, we have an advisory on this: http://www.gentlesecurity.com/adv04302006.html
And we also have a demo that elevates IIS's NetworkService up to LocalSystem.

The exploit targets RpcSs, which also runs on behalf of NetworkService
and _always_ (no special actions required) contains token handles for
LocalSystem. The tokens are the result of impersonating privileged
clients, which heavily use RPCs. The attack just enumerates all handles
in the RpcSs process, finds those with LocalSystem privileges and
impersonates a thread with that token.

The problem is that there are many other services that run on behalf
of the NetworkService or LocalService accounts. And some of these services
have to impersonate privileged clients, such as RpcSs. So you just
break into one of the services and are able to compromise all the others.

Microsoft's decision to run RpcSs as NetworkService has, in fact,
weakened the configuration. RpcSs running on behalf of LocalSystem would
be more secure, as other NetworkService processes would not be able to
attack it.

The issue with services is partly addressed in Windows Vista, where
process objects may be owned by a unique service SID (symbolic name: NT
Service\ServiceName). However, that is not enabled for all services by
default. Not even all services shipped with Vista support unique
service SIDs.
<http://www.gentlesecurity.com/blog/andr/cracking_windows_access_control.pdf>

I guess you are mentioning the same problem, and I would be interested to
hear more if that is something new.


But NetworkService is particularly dangerous, even without this
problem. NetworkService has permission to issue SIO_RCVALL on sockets
and sniff the machine's network traffic (note: no additional driver is
required).


 Andrey.
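As an added defender-side check (not code from either poster), the following PowerShell inventories which services share the NetworkService or LocalService identity discussed above and whether each has a per-service SID enabled. It assumes Windows Vista/Server 2008 or later, sc.exe on the PATH, and that "sc qsidtype" prints a "SERVICE_SID_TYPE:" line (an assumption about its output format).

```powershell
# Added example, not from the thread: list services running as NetworkService or
# LocalService (the shared-account problem discussed above) and report whether
# each has a per-service SID enabled. Assumes Windows Vista/2008 or later and
# that sc.exe is on PATH; its qsidtype output format is an assumption.
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match '\\(Network|Local) ?Service$' }

$report = foreach ($svc in $services) {
    # "sc qsidtype <name>" prints a line like "SERVICE_SID_TYPE:  UNRESTRICTED"
    $out = (& sc.exe qsidtype $svc.Name 2>&1) | Out-String
    $sidType = if ($out -match 'SERVICE_SID_TYPE:\s*(\w+)') { $Matches[1] } else { 'UNKNOWN' }

    [pscustomobject]@{
        Service = $svc.Name
        Account = $svc.StartName
        State   = $svc.State
        SidType = $sidType   # NONE: the service is identified only by the shared account
    }
}

# Services with SidType NONE share an identity with every other service on the
# same account; UNRESTRICTED/RESTRICTED ones get their own NT SERVICE\<name>
# SID and can be ACLed apart from their neighbours.
$report | Sort-Object Account, SidType, Service | Format-Table -AutoSize
```

Rows with SidType NONE under NetworkService are the ones that, on the configuration Andrey describes, cannot be isolated from one another by object ACLs alone.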

 
From http://www.microsoft.com/technet/security/Bulletin/MS08-006.mspx
"A remote code execution vulnerability exists in the way that
Internet Information Services handles input to ASP Web pages. An
attacker could exploit the vulnerability by passing malicious input
to a Web site’s ASP page. An attacker who successfully exploited
this vulnerability could then perform any actions on the IIS Server
with the same rights as the Worker Process Identity (WPI), which by
default is configured with Network Service account privileges."

And then in Mitigating factors:

"On supported editions of Windows Server 2003, if IIS is enabled
and classic ASP is used, an attacker who successfully exploited this
vulnerability could only obtain Network Service account privileges
by default. By default, Network Service account privileges have the
same user rights as an authenticated user."


The thing is that in Windows XP and Windows 2003 the services
security architecture has some weaknesses, and any process running as
Local Service or Network Service can execute code as Local System
(there are other design problems that also allow elevation of
privileges, but this problem is enough for making the point). MS
knows about this, since they have fixed some weaknesses in Windows
Vista and Windows 2008 (btw: these versions still have some problems).
Because of these problems in Windows XP and Windows 2003, if you can
run code from IIS, no matter what account the code is run under (the
account only needs to have impersonation rights; any account used
for the IIS worker process can impersonate, since the account must be a
member of the IIS_WPG group, which can impersonate), it always can
elevate privileges to Local System. On Windows 2008, if you can run
code under Local Service or Network Service then you also can run
code as Local System, except in some specific (not common) scenarios.
Based on all this I wonder why MS mentions Network Service account
privileges as a mitigating factor, since Network Service=Local System?


I'm sorry I can't give technical details at this moment, all
details will be presented at HITB Dubai.

This post is not for promoting my presentation; this is just to let
people know the truth and that they should try to patch ASAP,
since ASP is still being used in thousands of sites. This is a "pre-auth
remote system compromise" vulnerability.

BTW: the weaknesses that I'm talking about aren't simple issues
like impersonating when a user authenticates to IIS, which btw
hasn't been mentioned in the advisory either, i.e.: an administrator
authenticates to IIS, so the worker process can impersonate it and elevate privileges.
The weaknesses I'm talking about can be exploited all the time,
without special settings or user interaction.


Thanks.

PS: And yes, if you provide hosting on IIS you can have problems; if
users can upload .asp or .aspx files to your IIS then it is not your
server anymore, but I'm not saying anything new:
"Law #4: If you allow a bad guy to upload programs to your website, it's not your website any more"
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx?mfr=true


Cesar.


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
