Vulnerability Development mailing list archives

RE: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow


From: "Ryan Permeh" <ryan () eeye com>
Date: Thu, 11 Apr 2002 17:31:54 -0700


In this case, RevertToSelf() will not work.  The bug (design feature) that
allowed this to work often in Windows NT is irrelevant as ASP runs in a
SYSTEM context.  In Windows 2000 (and beyond) it was "fixed" so that the
child process of DLLHOST.EXE running at IWAM privs cannot revert to SYSTEM,
as it was spun with lowered SE Privs.  This is also true of most COM objects
hosted at a particular security context within a child DLLHOST.EXE.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities
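The point Ryan makes above is that RevertToSelf() only discards a thread's impersonation token and falls back to the hosting process's primary token, so what an attacker gains depends entirely on which account owns the host process: inetinfo.exe running in-process as SYSTEM, or an out-of-process DLLHOST.EXE started under the IWAM account. The following script is an added example (not part of this thread, and not eEye or CORE code) that a practitioner can run on an IIS box to see which account each host process actually has. It assumes an elevated PowerShell session with CIM cmdlets available, that inetinfo.exe and dllhost.exe are the host processes of interest (w3wp.exe is included only for later IIS versions and is an assumption about the box), and that the local IIS accounts follow the default IWAM_/IUSR_ naming; the function name Get-IisHostTokenReport is made up for this example.

```powershell
# Added example, not from the original thread.
# Lists IIS / COM+ surrogate processes and the account each one runs under.
# RevertToSelf() can only drop a thread back to the process's primary token,
# so a host whose primary token is SYSTEM is the case where reverting pays off,
# while a DLLHOST.EXE whose primary token is IWAM_* stays IWAM after reverting.
# Assumptions: run elevated; process names below are the hosts of interest
# (w3wp.exe only exists on later IIS versions); IWAM_/IUSR_ default naming.

function Get-IisHostTokenReport {
    param(
        [string[]]$HostNames = @('inetinfo.exe', 'dllhost.exe', 'w3wp.exe')
    )

    # Build a WQL filter such as: Name='inetinfo.exe' OR Name='dllhost.exe'
    $filter = ($HostNames | ForEach-Object { "Name='$_'" }) -join ' OR '

    Get-CimInstance -ClassName Win32_Process -Filter $filter | ForEach-Object {
        # GetOwner returns the account the process token belongs to
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $account = if ($owner.ReturnValue -eq 0) {
            "$($owner.Domain)\$($owner.User)"
        } else {
            '<unknown>'
        }

        # dllhost.exe names the COM+ application it hosts via /Processid:{CLSID}
        $appId = if ($_.CommandLine -match '/Processid:(\{[0-9A-Fa-f-]+\})') {
            $Matches[1]
        } else {
            ''
        }

        # Classify what RevertToSelf() inside this process could fall back to
        $note = switch -Regex ($account) {
            '\\SYSTEM$' { 'SYSTEM primary token: RevertToSelf() lands in SYSTEM' }
            '\\IWAM_'   { 'IWAM primary token: RevertToSelf() cannot exceed IWAM' }
            '\\IUSR_'   { 'IUSR primary token: RevertToSelf() cannot exceed IUSR' }
            default     { 'non-default account: review manually' }
        }

        [pscustomobject]@{
            Pid      = $_.ProcessId
            Name     = $_.Name
            Account  = $account
            ComAppId = $appId
            Note     = $note
        }
    }
}

# Usage: print one row per host process with its owning account
Get-IisHostTokenReport | Format-Table -AutoSize
```

Any dllhost.exe row that reports a SYSTEM account is a COM+ application that was not given a lowered identity, which is the configuration in which an in-process revert would still reach SYSTEM; rows owned by IWAM_* are the lowered-privilege surrogates the reply above describes.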

-----Original Message-----
From: Maximiliano Caceres [mailto:core.lists.exploit-dev () core-sdi com]
Sent: Thursday, April 11, 2002 12:39 PM
To: vuln-dev () securityfocus com
Subject: Re: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow


Marc Maiffret wrote:
Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow


Severity:
High (Remote code execution)
IWAM_MACHINE Privilege Level


I'm missing sthg here. In all MS02-018 code-execution vulnerabilities,
IWAM_MACHINE privilege for the code is presented as a mitigation factor.

Isn't it always possible to get SYSTEM from IUSR_STHG via the
RevertToSelf() call? Is there a way of protecting against this?

max/
--
Maximiliano Caceres
Product Engineer
CORE SECURITY TECHNOLOGIES

Florida 141 - 2º cuerpo - 7º piso
C1005AAC Buenos Aires - Argentina
Tel/Fax: (54 11) 4878-CORE (2673)
http://www.corest.com


--- for a personal reply use: Maximiliano Caceres
<maximiliano.caceres () corest com>

