Bugtraq mailing list archives
Windows and IIS
From: Maceo <maceo () DOGMILE COM>
Date: Mon, 29 Jan 2001 11:01:24 -0700
In response to the numerous emails I have received in regards to the proof of concept code I published for BugtraqID: 1535 (Windows 2000 Services Named Pipe Vulnerability), I have published two variants of the original code:

The PipeUpSAM variation dumps the local SAM database to stdout in the standard PwdDump.exe format. The generated file may then be used with any NT MD4 password cracker, such as L0phtCrack.

The PipeUpAdmin variation adds the current user account to the local Administrators group.

The binaries are available at: http://www.dogmile.com/files/

Also, in response to the numerous emails I have received in regards to the CmdAsp.asp code that I posted to bugtraq, I have better documented this escalation of privileges vulnerability. The details follow, and can also be found at: http://www.dogmile.com/files/#CmdAsp

-Maceo

-----

CmdAsp

Author: Maceo <maceo @ dogmile.com>
Release: 2000-12-01
Type: Local/remote exploit (*See Requirements*)
Requirements: Ability to create an ASP file in a web directory
ToolType: Interactive cmd tool
OS: Windows NT/2000 (IIS 4.0 and IIS 5.0)
Source: <++ CmdAsp.asp ++>

DISCUSSION:

During normal webserver operations IIS, by default, impersonates the account IUSR_COMPUTER. This account has minimal access rights. However, because of the way IIS impersonates accounts, spawned processes inherit the original security context. This can result in escalation of user privileges. Depending on the setup of an IIS server, this escalation will result in access to the account IWAM_COMPUTER or SYSTEM.

With IIS 4.0 the account depends upon whether or not the web administrator has selected the "run in separate memory space" option. This option is unselected by default and allows SYSTEM account escalation.

In IIS 5.0 the setting is called Application Protection. Application Protection "Low" will result in SYSTEM access, and Medium or High will result in IWAM_COMPUTER access. The default setup for IIS 5.0, "Medium", will result in IWAM_COMPUTER access.

Further, an IIS 4.0 webserver that was upgraded to IIS 5.0 with the default settings will allow SYSTEM account escalation.

It should be noted that since the IWAM_COMPUTER account can change the settings of the webserver, escalation to SYSTEM account access is still possible.

DESCRIPTION:

An interactive command prompt from an ASP file. This script uses the Microsoft scripting object WSCRIPT.SHELL to spawn a cmd.exe process which will run with escalated privileges.

BUGFIX:

Microsoft has not released an official fix at this time. To block this particular exploit, unregister the windows scripting object:

C:\> regsvr32.exe /u C:\winnt\system32\wshom.ocx
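The following audit script is an added example and is not Maceo's CmdAsp.asp nor any code from the original post. It checks the two things the advisory turns on: whether the WScript.Shell object (wshom.ocx) is still registered, and which Application Protection level each web site root is configured with, read from the IIS metabase through the ADSI provider. The AppIsolated encoding used here (0 = in-process, 1 = isolated, 2 = pooled) is the standard metabase meaning and is assumed rather than stated in the post; the mapping of in-process to SYSTEM and the other two to IWAM_COMPUTER follows the post's discussion.

```vbscript
' CheckCmdAsp.vbs -- added audit example, not Maceo's CmdAsp.asp and not part
' of the original post. Run on the IIS 4.0 / 5.0 host as an administrator:
'     cscript //nologo CheckCmdAsp.vbs
Option Explicit
On Error Resume Next

Dim shell, w3svc, site, root, level, label, exitCode
exitCode = 0

' Check 1: is the Windows Script Host shell object (wshom.ocx) still registered?
' CmdAsp spawns cmd.exe through WScript.Shell, so if CreateObject succeeds the
' workaround "regsvr32.exe /u wshom.ocx" has not been applied on this host.
Err.Clear
Set shell = CreateObject("WScript.Shell")
If Err.Number = 0 Then
    WScript.Echo "[!] WScript.Shell can be created: wshom.ocx is still registered"
    exitCode = 1
Else
    WScript.Echo "[ok] WScript.Shell cannot be created (" & Err.Description & ")"
End If
Set shell = Nothing

' Check 2: Application Protection of every web site root, read from the
' metabase via ADSI. Assumed AppIsolated encoding (IIS metabase property):
'   0 = in-process  (IIS 5 "Low"; IIS 4 without "run in separate memory space")
'   1 = isolated    (IIS 5 "High")
'   2 = pooled      (IIS 5 default "Medium")
' In-process means a spawned cmd.exe inherits the inetinfo.exe token (SYSTEM);
' the other two give the IWAM_COMPUTER token, which, as the post notes, can
' still change the web server settings, so they are not a complete fix.
Err.Clear
Set w3svc = GetObject("IIS://localhost/W3SVC")
If Err.Number <> 0 Then
    WScript.Echo "[?] cannot open the IIS metabase: " & Err.Description
    WScript.Quit 2
End If

For Each site In w3svc
    If site.Class = "IIsWebServer" Then
        Err.Clear
        Set root = GetObject("IIS://localhost/W3SVC/" & site.Name & "/Root")
        If Err.Number = 0 Then
            level = root.AppIsolated
            Select Case level
                Case 0
                    label = "[!] in-process -> spawned cmd.exe runs as SYSTEM"
                    exitCode = 1
                Case 1
                    label = "[*] isolated   -> spawned cmd.exe runs as IWAM_COMPUTER"
                Case 2
                    label = "[*] pooled     -> spawned cmd.exe runs as IWAM_COMPUTER"
                Case Else
                    label = "[?] unknown AppIsolated value " & level
            End Select
            WScript.Echo label & "  (site " & site.Name & ": " & site.ServerComment & ")"
        Else
            WScript.Echo "[?] site " & site.Name & ": cannot read Root: " & Err.Description
        End If
    End If
Next

WScript.Quit exitCode
```

The script exits 1 when either check finds the exposed condition (WScript.Shell creatable, or any site root in-process), so it can be run from a scheduled job and alerted on. Unregistering wshom.ocx only blocks this particular tool; any other COM object that can start a process gives the same token-inheritance result, which is why the Application Protection check is included as well.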
Current thread:
- Windows and IIS Maceo (Jan 30)
