Re: sudo for windows

From: dcdave (dcdave@att.net)
Date: 07/27/01


Message-ID: <00c101c11665$2e4e5cc0$58782ec8@dcdave>
From: "dcdave" <dcdave@att.net>
To: "H C" <keydet89@yahoo.com>, "Michael Leone" <turgon@mike-leone.com>, "Gustavo Basualdo" <guasaman@hotmail.com>, "Focus on Microsoft Mailing List" <FOCUS-MS@SECURITYFOCUS.COM>
Subject: Re: sudo for windows
Date: Fri, 27 Jul 2001 01:27:09 -0500

Harlan,
I am not sure why there is a problem understanding this. I have just
recently done two similar tests, one where I gained access to an IIS
webserver, and another where the access was to a mailserver at
webserver/mailserver level, got rights to configure, and was able to add
myself as an admin (of IIS), lock out other admins, configure where
directories are (i.e. web root directory changed to c: or
c:\winnt\system32\repair), copy off files with password hashes for
decryption, etc.
Sorry I can't be more specific at this time - not because of 'script
kiddies', but because of confidentiality - these clients read this list,
too, and will not want to be identified or see their problems aired in
detail.
The point is having configuration rights to IIS, etc - not just directory
traversal rights. With directory traversal I can not necessarily change
permissions or copy files, much less reconfigure the whole product, thereby
taking off the boundaries originally imposed. If I can give myself copy and
execute privileges in system32, or repair, what more could I ask?
Cheers,
dcdave

----- Original Message -----
From: "H C" <keydet89@yahoo.com>
To: "dcdave" <dcdave@att.net>; "Michael Leone" <turgon@mike-leone.com>;
"Gustavo Basualdo" <guasaman@hotmail.com>; "Focus on Microsoft Mailing List"
<FOCUS-MS@SECURITYFOCUS.COM>
Sent: Thursday, July 26, 2001 3:21 PM
Subject: Re: sudo for windows

> Dave,
>
> I'd be interested to hear more about this. After all,
> vulnerabilities such as directory traversal don't
> give the attacker access to the COM objects that
> contain the configuration of IIS, ie, the metabase.
>
> How would you go about doing this? What kind of 'fun'
> would you have? Or are you going to fall back on, "if
> I told you, I would be posting where the kiddies can
> see and then they'd be able to do it." Well, you know
> who I am, and I know who you are, and we've sat in the
> same room together before...so what's the story?
>
> Carv
>
> --- dcdave <dcdave@att.net> wrote:
> > If I can configure IIS, even as a guest, I can have sufficient fun on the
> > host box.
> > dcdave
> > ----- Original Message -----
> > From: "H C" <keydet89@yahoo.com>
> > To: "dcdave" <dcdave@att.net>; "Michael Leone"
> > <turgon@mike-leone.com>;
> > "Gustavo Basualdo" <guasaman@hotmail.com>;
> > <focus-ms@securityfocus.com>
> > Sent: Tuesday, June 19, 2001 4:48 PM
> > Subject: Re: sudo for windows
> >
> >
> > >
> > > > The problem I see here is on MS products, once you are running and
> > > > configuring IIS, you pretty much have the keys to the kingdom (thank you,
> > > > Bill!)
> > >
> > > This seems very odd to me, Dave. Why would you alter
> > > the default installation of IIS, and run it under an
> > > Admin-level account? By default, IIS runs as a guest.
> > > This is why the extended Unicode exploit can be
> > > defeated by something as simple as not allowing anyone
> > > other than the Administrator to have executable
> > > rights to the /scripts/ directory.
> > >
> > > Also, it's not really Bill's fault, is it? I mean,
> > > there is a plethora of information available on how to
> > > secure NT and 2K, as well as IIS 4.0 and 5.0. If
> > > someone wants to run IIS, but doesn't want to invest
> > > any effort into securing it, any compromise of the box
> > > can't really be blamed on Bill.
> > >
> > > Carv
> > >
> >
> >
>
>


