Re: sudo for windows
From: H C (keydet89@yahoo.com)
Date: 07/26/01
- Previous message: Michael Sheppard: "Re: IIS4 & Code Red?"
- In reply to: dcdave: "Re: sudo for windows"
- Next in thread: dcdave: "Re: sudo for windows"
- Reply: dcdave: "Re: sudo for windows"
Message-ID: <20010726202140.5850.qmail@web14606.mail.yahoo.com>
Date: Thu, 26 Jul 2001 13:21:40 -0700 (PDT)
From: H C <keydet89@yahoo.com>
Subject: Re: sudo for windows
To: dcdave <dcdave@att.net>, Michael Leone <turgon@mike-leone.com>, Gustavo Basualdo <guasaman@hotmail.com>, Focus on Microsoft Mailing List <FOCUS-MS@SECURITYFOCUS.COM>

Dave,
I'd be interested to hear more about this. After all,
vulnerabilities such as directory traversal don't
give the attacker access to the COM objects that
contain the configuration of IIS, i.e., the metabase.
How would you go about doing this? What kind of 'fun'
would you have? Or are you going to fall back on, "if
I told you, I would be posting where the kiddies can
see and then they'd be able to do it." Well, you know
who I am, and I know who you are, and we've sat in the
same room together before...so what's the story?
Carv
--- dcdave <dcdave@att.net> wrote:
> If I can configure IIS, even as a guest, I can have
> sufficient fun on the host box.
> dcdave
> ----- Original Message -----
> From: "H C" <keydet89@yahoo.com>
> To: "dcdave" <dcdave@att.net>; "Michael Leone"
> <turgon@mike-leone.com>;
> "Gustavo Basualdo" <guasaman@hotmail.com>;
> <focus-ms@securityfocus.com>
> Sent: Tuesday, June 19, 2001 4:48 PM
> Subject: Re: sudo for windows
>
>
> >
> > > The problem I see here is on MS products, once you
> > > are running and configuring IIS, you pretty much have
> > > the keys to the kingdom (thank you, Bill!)
> >
> > This seems very odd to me, Dave. Why would you alter
> > the default installation of IIS, and run it under an
> > Admin-level account? By default, IIS runs as a guest.
> > This is why the extended Unicode exploit can be
> > defeated by something as simple as not allowing anyone
> > other than the Administrator to have executable
> > rights to the /scripts/ directory.
> >
> > Also, it's not really Bill's fault, is it? I mean,
> > there is a plethora of information available on how to
> > secure NT and 2K, as well as IIS 4.0 and 5.0. If
> > someone wants to run IIS, but doesn't want to invest
> > any effort into securing it, any compromise of the box
> > can't really be blamed on Bill.
> >
> > Carv