Bugtraq mailing list archives
Re[2]: The Weakness of Windows Impersonation Model
From: "Brian L. Walche" <gsw () gentlesecurity com>
Date: Wed, 17 May 2006 01:51:01 +0200
Thanks for the reference, David. As the advisory notes, impersonation implications are not something new. We would like to stress how easy it is to exploit with two notable samples:

- An attacker can reliably elevate a context running on behalf of the Network Service account. For example, by default, IIS 6.0 runs the Worker Process as Network Service. So an attacker who is able to upload an ASP script can gain administrative privileges.
- The MS SQL service context is elevated up to LocalSystem regardless of the account it runs under.

These are purely practical exploitations for Windows 2003 in the default configuration without additional pre-requirements. We provide demo tools exploiting these elevations as a part of our products' evaluation procedure.

Additionally, we want to stress the obscurity of nearly all "official" manuals that declare Network Service a non-privileged account, a quote: “The new Network Service account … has a greatly reduced privilege level on the server itself and, therefore, does not have local administrator privileges.” In fact, given the easiness of Network Service elevation and some additional permissions, you may consider the Network Service account an equivalent of LocalSystem.

Even if Vista addresses certain issues, how long do we have to wait for the Windows 2003 successor, Vista Server?

Brian L. Walche, Know the Fact - http://www.gentlesecurity.com/knowthefacts.html
GentleSecurity S.a.r.l.
www.gentlesecurity.com
Hi Brian,

I wrote a paper on this subject last year, "Snagging Security Tokens to Elevate Privileges" (http://www.databasesecurity.com/dbsec-briefs.htm), after Tim Mullen and I thrashed out a few details at Blackhat last year over a few White Russians. The paper discusses the problem in the context of database servers and examines the LogonUser() and AcceptSecurityContext() functions. I believe Longhorn/Vista will address many of the issues that currently affect impersonation.

Cheers,
David Litchfield
http://www.databasesecurity.com/
http://www.ngssoftware.com/
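The practical consequence of the thread for an administrator is that "runs as Network Service" is not the same as "runs unprivileged": any service or worker process holding SeImpersonatePrivilege can become LocalSystem-equivalent once a more privileged client connects to it. The following PowerShell audit is an added example, not code from either poster or from GentleSecurity; it inventories running services and IIS application pools by logon account and reports whether the current token holds the two impersonation privileges involved. It assumes Windows with PowerShell 5.1 or later and, for the application-pool part only, the WebAdministration module of IIS 7+ (the thread itself discusses IIS 6.0, whose metabase this module does not read). The `RiskLevel` labels and the function names are this example's own.

```powershell
# Added example (not from the thread): audit which services and IIS application
# pools run under the accounts discussed above, and whether the current security
# context holds the privileges that make token-based elevation possible.
# Assumptions: Windows, PowerShell 5.1+, WebAdministration module for the IIS part.

# Accounts the thread singles out. Win32_Service.StartName varies in case and
# spacing ("NT AUTHORITY\NetworkService" vs "NT AUTHORITY\NETWORK SERVICE"),
# so keys are normalised to lower case with single spaces before lookup.
$riskByAccount = @{
    'localsystem'                  = 'LocalSystem: already full control of the host'
    'nt authority\system'          = 'LocalSystem: already full control of the host'
    'nt authority\networkservice'  = 'Network Service: holds SeImpersonatePrivilege, LocalSystem-equivalent in practice'
    'nt authority\network service' = 'Network Service: holds SeImpersonatePrivilege, LocalSystem-equivalent in practice'
}

function Get-HighRiskServices {
    # Running services whose logon account is one of the accounts above.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' -and $_.StartName } |
        ForEach-Object {
            $key = (($_.StartName -replace '\s+', ' ').Trim()).ToLowerInvariant()
            if ($riskByAccount.ContainsKey($key)) {
                [pscustomobject]@{
                    Service   = $_.Name
                    Account   = $_.StartName
                    RiskLevel = $riskByAccount[$key]
                    Binary    = $_.PathName
                }
            }
        }
}

function Get-AppPoolIdentities {
    # IIS 7+ only: identityType is NetworkService, LocalSystem, LocalService,
    # ApplicationPoolIdentity or SpecificUser. Skipped silently if IIS is absent.
    if (-not (Get-Module -ListAvailable -Name WebAdministration)) { return }
    Import-Module WebAdministration
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        [pscustomobject]@{
            AppPool  = $_.Name
            Identity = $_.processModel.identityType
            State    = $_.state
        }
    }
}

function Get-ImpersonationPrivileges {
    # whoami /priv reports the privileges of the current token. The two that
    # matter for the elevation described in the thread are SeImpersonatePrivilege
    # and SeAssignPrimaryTokenPrivilege; a disabled privilege can still be enabled
    # by its holder, so "State" alone is not a mitigation.
    whoami /priv /fo csv | ConvertFrom-Csv |
        Where-Object { $_.'Privilege Name' -in @('SeImpersonatePrivilege', 'SeAssignPrimaryTokenPrivilege') } |
        Select-Object 'Privilege Name', State
}

Write-Host "== Running services under LocalSystem / Network Service =="
Get-HighRiskServices | Sort-Object Account, Service | Format-Table -AutoSize

Write-Host "== IIS application pool identities (IIS 7+ only) =="
$pools = Get-AppPoolIdentities
if ($pools) { $pools | Format-Table -AutoSize } else { Write-Host "(WebAdministration module not available)" }

Write-Host "== Impersonation privileges held by the current token ($env:USERNAME) =="
$privs = Get-ImpersonationPrivileges
if ($privs) { $privs | Format-Table -AutoSize } else { Write-Host "(none held by this token)" }
```

Run it from an elevated prompt on the server being reviewed; the useful outcome is a list of services that should be moved off LocalSystem or Network Service onto a dedicated low-privilege account (or, on newer platforms, a virtual service account), and confirmation of whether the account a web application actually runs as carries SeImpersonatePrivilege.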
Current thread:
- The Weakness of Windows Impersonation Model Brian L. Walche (May 16)
- Re: The Weakness of Windows Impersonation Model David Litchfield (May 17)
- Re[2]: The Weakness of Windows Impersonation Model Brian L. Walche (May 17)
- Re[2]: The Weakness of Windows Impersonation Model Brian L. Walche (May 17)
- Re: Re[2]: The Weakness of Windows Impersonation Model Cesar (May 31)
- Re: The Weakness of Windows Impersonation Model David Litchfield (May 17)