lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060726003924.22967.qmail@web54409.mail.yahoo.com>
Date: Tue, 25 Jul 2006 17:39:23 -0700 (PDT)
From: Cesar <cesarc56@...oo.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Cc: 
Subject: MS06-034 lies? IIS 6 can still be owned?

Hi all.

After early getting the details of MS06-034 I thought
it will be cool to build the exploits since there has
been long time without any IIS exploit and our
customers  (see *1) will like it, so I asked the guys
to build the exploits and that I will take care of the
part of elevating privileges since I had some theory
that there was a way to elevate privileges. 
What was funny is that some time later I realized that
if you can upload an asp page then it's pretty simple
to have a remote shell running under the same account
that the exploits would run:

-----shell.asp (got this from xfocus.org)------
<%=server.createobject("wscript.shell").exec("cmd.exe
/c " & request("command")).stdout.readall%>
-------------------------------------------
So I wonder why MS patched the vulnerability if it's
pretty simple to have a remote shell on default
configurations?

Mabye because wscript.shell can be disabled, removed,
etc. or you can't run nor upload .exe on the server,
in these cases the exploit will be handy.

Also MS stated:
-----------------------------
on Mitigating Factors ....

• On IIS 5.0 and IIS 5.1, ASP enabled applications by
default run in the 'Pooled Out of Process'
application, which means they run in DLLHOST.exe,
which is running in the context of the low privilege
IWAM_<machinename> account.
  
• By default, ASP is not enabled on IIS 6.0. If ASP is
enabled, it runs in the context of a W3WP.exe worker
process running as the low privilege 'NetworkService'
account.

on FAQ Workarounds...
-What might an attacker use the vulnerability to do?
An attacker who successfully exploited this
vulnerability could take complete control of the
affected system.

----------------------
That's pretty confusing since they are saying IIS 5 &
6 runs under a low privileged accounts and then they
say an attacker could take complete control...???

My theory on the elevation of privileges was in part
wrong but I could elevate privileges so now the
exploits can also give you a remote shell under an
administrative account which I think this is why MS
patched the vulnerability.
While MS fixed the ASP vulnerability they didn't fixed
a design flaw that allows to elevate privilges if you
can run code under IIS 5 & 6 low privileged accounts
:)

So no matter if you applied the fix, if you let users
to upload an run binaries from ASP pages on default
settings then your server can still be owned.



Cesar.
(*1 http://www.argeniss.com/products.html)

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ