Re: Hacked NT/2K box

From: Ryan Permeh (ryan@eEye.com)
Date: 07/25/01


Message-ID: <036f01c11529$3bd93e60$1e01a8c0@eCompany.gov>
From: "Ryan Permeh" <ryan@eEye.com>
To: "Nichola Veitch" <veitchn@hotmail.com>, <pidgorns@anz.com>, <keydet89@yahoo.com>, <lynch00@msn.com>, <focus-ms@securityfocus.com>
Subject: Re: Hacked NT/2K box
Date: Wed, 25 Jul 2001 09:45:37 -0700

Depending on your situation, the localsystem account could be a higher
privilege level, not a lower one. localsystem does not grant domain
privileges, but in a situation like this, it sounds like domain admin rights
may be needed, meaning that there is interaction with the domain. A domain
interacting with a compromised system is potentially at a high risk, as the
compromised system may be able to inject, change, replay, etc, etc, etc.
And any cached credentials on the machine owned by the hacker with
localsystem give the hacker all rights to any of those cached credentials
to use as he pleases.
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer

----- Original Message -----
From: "Nichola Veitch" <veitchn@hotmail.com>
To: <ryan@eEye.com>; <pidgorns@anz.com>; <keydet89@yahoo.com>;
<lynch00@msn.com>; <focus-ms@securityfocus.com>
Sent: Wednesday, July 25, 2001 1:15 AM
Subject: Re: Hacked NT/2K box

> A customer of mine is running IIS (not sure yet if 4 or 5). The IIS
> service account is using the domain admin account. Can anyone tell me the
> implications of changing this account to one with less privileges (should
> it be using the system account???)
>
> Apologies but this is all the info I have at the moment......
>
> Many Thanks.
>
>
> >From: "Ryan Permeh" <ryan@eEye.com>
> >To: "Pidgorny, Slav" <pidgorns@anz.com>, "'H C'" <keydet89@yahoo.com>,
> ><lynch00@msn.com>, <focus-ms@securityfocus.com>
> >Subject: Re: Hacked NT/2K box
> >Date: Tue, 24 Jul 2001 11:06:16 -0700
> >
> >System level access is enough for everything. It is the highest usermode
> >privilege level available in nt/2k. You can load drivers (giving you
> >ring0, even above system).
> >
> >SYSTEM > Administrators
> >
> >Many (most) services in w2k run in the system context, and much of iis
> >runs here as well. The main other part of IIS runs as IWAM, in an out of
> >process COM+ DLL host, by the name of DLLHOST.exe. Under nt 4, ALL of
> >inetinfo runs in the system context, meaning any overflow found executes
> >as system.
> >Furthermore, if for some reason in nt4 you end up in code that is context
> >switched to a different user, a RevertToSelf call reverts you back to
> >ownership privileges (ie: SYSTEM for inetinfo). This acts differently in
> >w2k; for instance, an overflow in a DLLHOST'ed component will not enable
> >you to execute RevertToSelf to gain further privileges. w2k offers a much
> >more secure architecture, by separating much of the functionality away
> >from the core inetinfo.exe process. One quick example: our IISHack 1.5 (the
> >.asp overflow) resulted in SYSTEM level access in nt, but a similar one we
> >found in 2k resulted in only IWAM level access.
> >
> >Keep in mind, IWAM access > no access, so even IWAM vulnerabilities could
> >allow you to do things like deface webpages, etc.
> >
> >Also, one more note, since this is an often confused thing: the unicode
> >and doubledecode vulnerabilities operate in IUSR context, but in nt4 IUSR
> >may be elevated to SYSTEM using RevertToSelf. This is why it is always a
> >good idea to severely limit what IWAM and IUSR can do on your nt boxes by
> >using file DACLs.
> >
> >File DACLs have no effect for SYSTEM level accounts, since a SYSTEM
> >account has privileges that can take control of any NT usermode object,
> >effectively changing DACLs and SACLs at will.
> >
> >Signed,
> >Ryan Permeh
> >eEye Digital Security Team
> >http://www.eEye.com/Retina -Network Security Scanner
> >http://www.eEye.com/Iris -Network Traffic Analyzer
> >
> >----- Original Message -----
> >From: "Pidgorny, Slav" <pidgorns@anz.com>
> >To: "'H C'" <keydet89@yahoo.com>; <lynch00@msn.com>;
> ><focus-ms@securityfocus.com>
> >Sent: Monday, July 23, 2001 7:38 PM
> >Subject: RE: Hacked NT/2K box
> >
> >
> > > A good deal of additional effort is required to either escalate
> > > privileges or disable system security checks if having only system
> > > level access. Directory-based security isn't at significant risk if
> > > properly implemented.
> > >
> > > Yes, system level access is enough for things like bloody Code Red.
> > >
> > > Kindest,
> > >
> > > Svyatoslav Pidgorny
> > >
> > > > -----Original Message-----
> > > > From: H C [mailto:keydet89@yahoo.com]
> > > > Sent: 24 July 2001 12:08
> > > > To: Pidgorny, Slav; 'lynch00@msn.com'; focus-ms@securityfocus.com
> > > > Subject: RE: Hacked NT/2K box
> > > >
> > > >
> > > >
> > > > > Buffer overrun attack will unlikely cause admin
> > > > > level access, rather -
> > > > > system or user level access (depends on the service
> > > > > account of the affected
> > > > > service).
> > > >
> > > > Well, if one can get System level access, why bother
> > > > with Admin?
> > > >
> > > >
> > > >
> > > >
> > >
> >
>
>
>
>
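The original poster's problem is an IIS service configured to log on as a domain admin account. The script below is an added example, not code from anyone in this thread: it lists every service's logon account on a host and flags those whose account is a (nested) member of Domain Admins, so the exposure Ryan describes can be found before an attacker does. It assumes a domain-joined host with the ActiveDirectory module (RSAT) installed and rights to read group membership and query services; the parameter names are the example's own.

```powershell
# Added example (not from the thread): audit service logon accounts and flag
# services running as a member of "Domain Admins".
# Assumptions: domain-joined host, ActiveDirectory module available,
# rights to read group membership and to query services on the target.
param(
    [string]$ComputerName    = $env:COMPUTERNAME,
    [string]$PrivilegedGroup = 'Domain Admins'
)

# SAM account names of all user members of the privileged group, including
# members reached through nested groups.
$privileged = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

# Identities local to the box that carry no domain rights of their own.
# (LocalSystem is still all-powerful locally, as the thread notes; this
# check is only about domain-level exposure.)
$builtin = @('localsystem', 'nt authority\system',
             'nt authority\localservice', 'nt authority\networkservice')

Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
    ForEach-Object {
        $logon = ([string]$_.StartName).ToLowerInvariant()
        # Reduce "DOMAIN\user" or "user@domain" to the bare SAM name.
        if     ($logon -match '^[^\\]+\\(?<user>.+)$') { $sam = $Matches.user }
        elseif ($logon -match '^(?<user>[^@]+)@')       { $sam = $Matches.user }
        else                                            { $sam = $logon }

        $risk = if ($logon -eq '' -or $builtin -contains $logon) { 'builtin' }
                elseif ($privileged -contains $sam)               { 'DOMAIN ADMIN' }
                else                                              { 'custom account' }

        [pscustomobject]@{
            Service = $_.Name
            State   = $_.State
            LogonAs = $_.StartName
            Risk    = $risk
        }
    } |
    Where-Object { $_.Risk -ne 'builtin' } |
    Sort-Object Risk, Service |
    Format-Table -AutoSize
```

The comparison is by SAM account name only, so a local account that happens to share a name with a domain admin will also be flagged; treat each hit as a lead to verify against the service's actual logon domain.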


