Re: Hacked NT/2K box
From: Thor@HammerofGod.com
Date: 07/26/01
From: Thor@HammerofGod.com
To: focus-ms@securityfocus.com
Message-ID: <00a601c115f9$bedae0e0$af05a8c0@anchorsign.com>
Subject: Re: Hacked NT/2K box
Date: Thu, 26 Jul 2001 10:37:52 -0700
Posted Public and Private:
Programming effort on whose part? If your question is directed to Ryan
specifically, one would have to assume that he could code it up in his sleep
while dreaming of Winona Ryder at the same time.
Besides, it only has to be coded up once. Take Ryan again as an example:
He discovered (or eEye collectively) the index server ISAPI overrun. There
is no doubt that his exploit code was used by the Evil One behind Code Red,
and that code was then used by other copycats. It would only be
'difficult' the first time.
Denying access of your .asp pages to LocalSystem does not and will not keep your
site from being defaced... We'll just change the permissions back (or
completely bypass NTFS perms with rootkits), trash the dir, change the dir,
make a new site, blah blah blah...
---------------------------------
Attonbitus Deus
Thor@HammerofGod.Com
----- Original Message -----
From: "Pidgorny, Slav" <pidgorns@anz.com>
To: "'Ryan Permeh'" <ryan@eEye.com>; "'H C'" <keydet89@yahoo.com>;
<lynch00@msn.com>; <focus-ms@securityfocus.com>
Sent: Wednesday, July 25, 2001 5:03 PM
Subject: RE: Hacked NT/2K box
> I have no doubt that can be done. The question is how much programming
> effort it will take? It's much easier to shut down the computer, do any
> kind of DoS, than taking over the files in the configuration.
>
> BTW, isn't it a good idea to run inetinfo in user context?
>
> Thank you!
>
> Svyatoslav Pidgorny
>
> > -----Original Message-----
> > From: Ryan Permeh [mailto:ryan@eEye.com]
> > Sent: 26 July 2001 02:43
> > To: Pidgorny, Slav; 'H C'; lynch00@msn.com; focus-ms@securityfocus.com
> > Subject: Re: Hacked NT/2K box
> >
> >
> > any process running in localsystem context (an overflow in
> > inetinfo.exe, for example) will allow that process to take control
> > of the .asp file, and they CAN be defaced. think of LocalSystem as
> > root on a unix machine. there are no limitations to what this account
> > can do in usermode, and if somehow, it is limited via a kmode
> > component, it can typically just remove the kmode component, or load
> > its own kmode component to do its bidding.
> > Signed,
> > Ryan Permeh
> > eEye Digital Security Team
> > http://www.eEye.com/Retina -Network Security Scanner
> > http://www.eEye.com/Iris -Network Traffic Analyzer
> >
> > ----- Original Message -----
> > From: "Pidgorny, Slav" <pidgorns@anz.com>
> >
> >
> > > Yes. But consider one real-world situation: my ASP files have no
> > > access assigned for LocalSystem (and execute only for the IUSR).
> > > It will be a tricky process to deface the site?
> > >
> > >
> > > Kindest,
> > >
> > > Svyatoslav Pidgorny