<<< Date Index >>>     <<< Thread Index >>>

MS06-034 lies? IIS 6 can still be owned?



Hi all.

After early getting the details of MS06-034 I thought
it will be cool to build the exploits since there has
been long time without any IIS exploit and our
customers  (see *1) will like it, so I asked the guys
to build the exploits and that I will take care of the
part of elevating privileges since I had some theory
that there was a way to elevate privileges. 
What was funny is that some time later I realized that
if you can upload an asp page then it's pretty simple
to have a remote shell running under the same account
that the exploits would run:

-----shell.asp (got this from xfocus.org)------
<%=server.createobject("wscript.shell").exec("cmd.exe
/c " & request("command")).stdout.readall%>
-------------------------------------------
So I wonder why MS patched the vulnerability if it's
pretty simple to have a remote shell on default
configurations?

Mabye because wscript.shell can be disabled, removed,
etc. or you can't run nor upload .exe on the server,
in these cases the exploit will be handy.

Also MS stated:
-----------------------------
on Mitigating Factors ....

? On IIS 5.0 and IIS 5.1, ASP enabled applications by
default run in the 'Pooled Out of Process'
application, which means they run in DLLHOST.exe,
which is running in the context of the low privilege
IWAM_<machinename> account.
  
? By default, ASP is not enabled on IIS 6.0. If ASP is
enabled, it runs in the context of a W3WP.exe worker
process running as the low privilege 'NetworkService'
account.

on FAQ Workarounds...
-What might an attacker use the vulnerability to do?
An attacker who successfully exploited this
vulnerability could take complete control of the
affected system.

----------------------
That's pretty confusing since they are saying IIS 5 &
6 runs under a low privileged accounts and then they
say an attacker could take complete control...???

My theory on the elevation of privileges was in part
wrong but I could elevate privileges so now the
exploits can also give you a remote shell under an
administrative account which I think this is why MS
patched the vulnerability.
While MS fixed the ASP vulnerability they didn't fixed
a design flaw that allows to elevate privilges if you
can run code under IIS 5 & 6 low privileged accounts
:)

So no matter if you applied the fix, if you let users
to upload an run binaries from ASP pages on default
settings then your server can still be owned.



Cesar.
(*1 http://www.argeniss.com/products.html)

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com