Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: (Asp.Net Full Trust Vulnerabilities) RE: Apache VS IIS Security model question
From: "Ken Schaefer" <ken () adOpenStatic com>
Date: Fri, 17 Sep 2004 09:39:54 +1000

Hi Dinis,

I've looked over some of your materials - thanks for the links.

However I am still unsure how an ASP.NET application, running in Full Trust, 
can circumvent NTFS permissions. Given the following situation, how would 
this be accomplished?

a) Windows 2003 / IIS 6.0 running in Worker Process Isolation Mode
b) Each client of the server (say, each department of a company, or each 
customer of a hosting company) has their own website
c) Each website is placed into its own custom application pool
d) Each application pool has it's own custom identity, placed into IIS_WPG
e) Each website uses its own custom "anonymous user" account - ACLs are 
secured in the metabase for each website, ACLs are set for each website's 
folders/files

The points below:
1) presupposes that administrators setting up the server have left stuff 
lying around, and un-ACLed
2) can't be done as far as I can tell
3) can't be done as far as I can tell
4) depends on the privileges of the process account - you probably can't do 
much unless you attempt to run something that exploits Windows, or SQL 
Server or other product
5) etc etc etc doesn't count as an exploitable vector in my book.

Thanks


Cheers
Ken

----- Original Message ----- 
From: "Dinis Cruz" <dinis () ddplus net>
Subject: (Asp.Net Full Trust Vulnerabilities) RE: Apache VS IIS Security 
model question


: If the code is running with full trust it can call RevertToSelf() and 
change
: the current Asp.Net (Thread) Identity into the Process' Identity (which
: belongs to the IIS_WPG).
:
: Once this is done:
:
:  1) You can probably already bypass several NTFS restrictions and see 
other
: website's data (and other sensitive information usually left on the 
server)
:
:  2) You can read (from the Metabase) other website's Anonymous and
: Application Pool Account details (Username and Password), use that
: information to impersonate those users (which you can with Full Trust) and
: access other website's data
:
:  3) If other websites share the same application pool, you can search the
: current w3wp process for their security tokens, use those tokens to
: impersonate those users (no need to know their password) and access
: website's data
:
:  4) You can upload to the server an exploit and execute it. With full 
trust
: it is almost impossible to stop the upload and execution of a malicious
: .EXE. The only defence could be if the Anti-Virus installed on the server 
is
: able to detect the Malware (although this limitation could be easily
: bypassed by any half-decent malicious attacker with access to the 
exploit's
: source code)
:
:  5) etc, etc, etc..... There any many more attack vectors, but these 
should
: be enough to make my point
:
: Note that even if the attacker is only able to gain read access to another
: website's data, most likely he/she will be able to retrieve the Database
: Connection String and gain FULL access to that website's database.
:
: If this is news for you (i.e. how dangerous Full Trust Asp.Net can be), 
then
: I would recommend that you take a good look at the work I have done over 
the
: last year at OWASP (Open Web Application Security Project), namely Open
: Source tools: ANSA (Asp.Net Security Analyser) and SAM'SHE (Security
: Analyser for Microsoft's Shared Hosting Environment).
:
: Some links:
:
: - OWASP .NET section: http://www.owasp.org/software/dotnet.html
:
: - Post with Links to some of my online posts (Security issues with Asp.Net
: in Shared Hosting Environments, OWASP .Net tools and OWASP AppSec
: Presentation):
: 
http://sourceforge.net/mailarchive/forum.php?thread_id=5203278&forum_id=2475
: 4
: - presentation that I did last June at the OWASP AppSec NYC 2004 
conference
: entitled "Full Trust Asp.Net (in)Security / Secure Asp.Net Web Application
: Development":
:
: -
: 
http://prdownloads.sourceforge.net/owasp/AppSec2004-Dinis_Cruz-Full_Trust_As
: p.Net_Security_Issues.ppt?download (main PPT)
:
: -
: 
http://prdownloads.sourceforge.net/owasp/AppSec2004-Dinis_Cruz-Full_Trust_Vi
: deos.zip?download (the support videos: "ANBS - SamShe.avi", "ANBS - XML
: database and Metabase explorer.avi", "IIS Security Token 
Vulnerability.avi",
: "ANSA - Run tests individually.avi", "ANSA - Security Analyser.avi")
:
: Best Regards
:
: Dinis Cruz
: .Net Security Consultant
: DDPlus
: > -----Original Message-----
: > From: Ken Schaefer [mailto:ken () adopenstatic com]
: > Sent: 14 September 2004 03:10
: > To: webappsec () securityfocus com; pen-test () securityfocus com
: > Subject: RE: Apache VS IIS Securiyt model question
: >
: > I'm pretty sure that Mike is talking about NTFS permissions (and Windows
: > users and groups). Can you point us to how ASP.NET code running as fully
: > trusted gets around that?
: >
: > Cheers
: > Ken
: >
: >  -------- Original Message --------
: > > From: "Dinis Cruz" <dinis () ddplus net>
: > > Subject: RE: Apache VS IIS Securiyt model question
: > >
: > > Please note that these security settings will only be relevant (in 
IIS)
: > in a
: > > Partially Trusted Website (i.e. the Asp.Net code is NOT running with
: > Full
: > > Trust).
: > >
: > > If the code is running with Full Trust, then most likely those 
security
: > > permissions will be easily bypassed.
: > >
: > > Dinis Cruz
: > > .Net Security Consultant
: > > DDPlus
: > >
: > > > -----Original Message-----
: > > > From: mthompson [mailto:mthompson () brinkster com]
: > > > Sent: 11 September 2004 01:56
: > > > To: webappsec () securityfocus com; pen-test () securityfocus com
: > > > Subject: Apache VS IIS Securiyt model question
: > > >
: > > > Hello,
: > > >
: > > > I am doing research and I am stuck.
: > > >
: > > > Pitch: In IIS there is the ability to set permissions on a per 
website
: > > > basis. In other words the ability to limit access to files and
: > > > directories based on the users credentials that the website is 
running
: > > > under. Additionally, you would in turn add this user to a group and
: > > > apply group permissions to an object that needed to be accessed by
: > more
: > > > than one site.
: > > >
: > > > Question: Is there a similar security model for apache that would
: > allow
: > > > credentials from a user to run a virtual website and access files 
only
: > > > for a specific virtual site.
: > > >
: > > > Also, does any one have a diagram of the apache process?


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. All of our class sizes are
guaranteed to be 12 students or less to facilitate one-on-one interaction
with one of our expert instructors. Check out our Advanced Hacking course,
learn to write exploits and attack security infrastructure. Attend a course
taught by an expert instructor with years of in-the-field pen testing
experience in our state of the art hacking lab. Master the skills of an
Ethical Hacker to better assess the security of your organization.

http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault