Re: dos commands via iis 4 (TFTP)-NETBIOS

[Paul Cardon <paul () MOQUIJO COM>]

Illes Marci wrote:
> On Sat, 18 Nov 2000, Paul Cardon wrote:
>
> > You seem to have completely missed the point even though MadHat
> > explained it clearly.  Your suggestion would result in nc.exe connected
> > to a command shell as IUSER_<MACHINE> which has very little privilege.
> > eeyerulez.asp performs a buffer overflow that results in SYSTEM level
> > access to the server.  The question you must ask is do you want to be a
> > luser on the system or do you want to 0wn it?
> >
> > -paul
> Hi,
>
>  IIS runs as SYSTEM user by default. I belive you gain SYSTEM level
> access, when starting an ncx.exe for example. With system privilege you
> really own the computer. You can do anything with that box, but nothing
> with the network. Of course you can switch to some domain user, which is
> more powerfull in the network.

Not all components of IIS run as SYSTEM.  Some pieces do.  For example,
if you overflow an ISAPI DLLs then your code is executed with system
privilege (somebody correct me if this is not always true).  ncx.exe
does not magically elevate you to SYSTEM level access.  It is executed
with the privilege of the user that starts it.  The Unicode exploit that
we have been discussing involves a component of IIS that runs as
IUSER_<MACHINE>.  This account is created as part of the IIS
installation and is much less privileged than SYSTEM.

-paul