Vulnerability Development mailing list archives
Re: dos commands via iis 4 (TFTP)-NETBIOS
From: Paul Cardon <paul () MOQUIJO COM>
Date: Tue, 21 Nov 2000 08:02:07 -0500
Illes Marci wrote:
On Sat, 18 Nov 2000, Paul Cardon wrote:You seem to have completely missed the point even though MadHat explained it clearly. Your suggestion would result in nc.exe connected to a command shell as IUSER_<MACHINE> which has very little privilege. eeyerulez.asp performs a buffer overflow that results in SYSTEM level access to the server. The question you must ask is do you want to be a luser on the system or do you want to 0wn it? -paulHi, IIS runs as SYSTEM user by default. I belive you gain SYSTEM level access, when starting an ncx.exe for example. With system privilege you really own the computer. You can do anything with that box, but nothing with the network. Of course you can switch to some domain user, which is more powerfull in the network.
Not all components of IIS run as SYSTEM. Some pieces do. For example, if you overflow an ISAPI DLLs then your code is executed with system privilege (somebody correct me if this is not always true). ncx.exe does not magically elevate you to SYSTEM level access. It is executed with the privilege of the user that starts it. The Unicode exploit that we have been discussing involves a component of IIS that runs as IUSER_<MACHINE>. This account is created as part of the IIS installation and is much less privileged than SYSTEM. -paul
Current thread:
- Re: dos commands via iis 4 (TFTP), (continued)
- Re: dos commands via iis 4 (TFTP) MadHat (Nov 16)
- Re: dos commands via iis 4 (TFTP) Lincoln Yeoh (Nov 16)
- Re: dos commands via iis 4 (TFTP) Matt Zimmerman (Nov 16)
- Re: dos commands via iis 4 (TFTP) Bluefish (P.Magnusson) (Nov 16)
- Re: dos commands via iis 4 (TFTP) MadHat (Nov 16)
- Re: dos commands via iis 4 (TFTP)-NETBIOS booboo (Nov 16)
- Re: dos commands via iis 4 (TFTP)-NETBIOS MadHat (Nov 16)
- Re: dos commands via iis 4 (TFTP)-NETBIOS booboo (Nov 18)
- Re: dos commands via iis 4 (TFTP)-NETBIOS Paul Cardon (Nov 19)
- Re: dos commands via iis 4 (TFTP)-NETBIOS Illes Marci (Nov 21)
- Re: dos commands via iis 4 (TFTP)-NETBIOS Paul Cardon (Nov 22)
- Re: dos commands via iis 4 (TFTP) Lincoln Yeoh (Nov 16)
- Re: dos commands via iis 4 (TFTP) Robert A. Seace (Nov 11)