Full Disclosure mailing list archives

Re: Frontpage Extensions Remote Command Execution


From: "Geoincidents" <geoincidents () getinfo org>
Date: Wed, 12 Nov 2003 19:33:19 -0500


Looking at the description of the IWAM_machinename account on my system, it
is listed as the "Launch Process Account". IWAM has *no* privileges other
than those explicitly granted to Guests, Users, or Everyone.

Open User Manager, go to Groups, and look in your MTS Trusted group. What do
you see there? IWAM is used to access databases; it has more than Guest. If
you can run an application and you have a command line to \system32 and you
are a network-enabled account (like IWAM), then you are just a few steps from
downloading and running any code you want. (I wonder if Brett could try
running tftp for us.)

This isn't limited. Just because Brett Moore stopped with
C:\WINNT\system32>whoami
IWAM_BLACKHOLE

doesn't mean Marc from eEye wouldn't have turned this into an automated
rooter. The potential is most certainly there: you've got execute, you've
got network access, game over.

Geo.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
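The two facts Geo's post hinges on, that IWAM_<machine> sits in the MTS Trusted group and that a shell running as it has a download tool within reach, can be checked on the host itself. The script below is an added example for this archive page; it is not code from the post, from Brett Moore's advisory, or from Microsoft. It assumes it runs locally with rights to read local accounts and groups, that the launch account follows the default IWAM_<computername> naming, and that the group Geo calls the "MTS Trusted group" is the one displayed as "MTS Trusted Impersonators" (an assumption; adjust the name if your system differs). It reports the account's local group memberships and whether tftp.exe is present in system32.

```powershell
# Added example, not code from Geo's post or Brett Moore's advisory.
# Audits the IIS launch account the post discusses:
#  (1) which local groups IWAM_<machine> belongs to, flagging the
#      "MTS Trusted Impersonators" group (assumed full name of the
#      "MTS Trusted group" in the post), and
#  (2) whether tftp.exe is on the box, i.e. whether a shell running as
#      IWAM already has a ready-made way to pull code down.
# Assumes local execution with rights to read local accounts and groups.

$computer = $env:COMPUTERNAME
$iwamName = "IWAM_$computer"                 # default IIS launch-account name
$mtsGroup = "MTS Trusted Impersonators"      # assumed group display name

function Get-LocalGroupsForUser {
    param([string]$Computer, [string]$User)
    # The ADSI WinNT provider works on old and new Windows alike, so this
    # does not depend on the LocalAccounts module that NT/2000 hosts lack.
    $adsiUser = [ADSI]"WinNT://$Computer/$User,user"
    $names = @()
    try {
        foreach ($g in $adsiUser.psbase.Invoke("Groups")) {
            $names += $g.GetType().InvokeMember("Name", "GetProperty", $null, $g, $null)
        }
    } catch {
        # Binding succeeds lazily; Invoke is where a missing account surfaces.
        return $null
    }
    return $names
}

function Test-IwamExposure {
    param([string]$Computer, [string]$User, [string]$TrustedGroup)
    $groups = Get-LocalGroupsForUser -Computer $Computer -User $User
    $tftpPath = Join-Path $env:SystemRoot "system32\tftp.exe"
    [pscustomobject]@{
        Account           = $User
        AccountFound      = ($null -ne $groups)
        Groups            = (@($groups) -join ", ")
        InMtsTrustedGroup = (@($groups) -contains $TrustedGroup)
        TftpClientPresent = (Test-Path $tftpPath)
    }
}

$report = Test-IwamExposure -Computer $computer -User $iwamName -TrustedGroup $mtsGroup
$report | Format-List

if (-not $report.AccountFound) {
    Write-Warning "$iwamName not found on $computer; the launch account may use a non-default name."
} elseif ($report.InMtsTrustedGroup -and $report.TftpClientPresent) {
    Write-Warning "$iwamName is in '$mtsGroup' and tftp.exe is available: a shell as this account has both the rights and the tool to fetch and run code."
}
```

Run it in an elevated PowerShell on the IIS host. Group membership is only half of the picture Geo paints; the other half is the "Access this computer from the network" right, which the script does not check, so a clean result here still leaves that to verify by hand.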

