Date: 18 April 2008
References: AU-2008.0020
===========================================================================
AA-2008.0093 AUSCERT Advisory
[Win]
IIS Privilege Escalation Vulnerability
18 April 2008
---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product:              IIS 7
                      IIS 6
Publisher:            Microsoft
Operating System:     Windows Server 2008
                      Windows Server 2003
                      Windows Vista
                      Windows XP
Impact:               Administrator Compromise
                      Increased Privileges
Access:               Existing Account
CVE Names:            CVE-2008-1436
Member content until: Friday, May 16 2008
Original Bulletin:
  http://www.microsoft.com/technet/security/advisory/951306.mspx
OVERVIEW:
Microsoft have advised of a privilege escalation vulnerability in
IIS 6 and IIS 7 which may allow an authenticated user to take complete
control of an affected system. [1]
According to Microsoft, SQL Server versions are also affected if a
user has been granted administrator privileges to load and run code;
however, no further details have been provided at this point in time.
IMPACT:
In hosted environments, users may be able to gain complete control
over the hosting server.
MITIGATION:
Several workarounds have been identified by Microsoft:
IIS 6.0 - Configure a Worker Process Identity (WPI) for an application
pool in IIS to use a created account in IIS Manager and disable MSDTC
Perform the following steps:
1. In IIS Manager, expand the local computer, expand
Application Pools, right-click the application pool
and select Properties.
2. Click the Identity tab and click Configurable. In the
User name and Password boxes, type the user name and
password of the account under which you want the worker
process to operate.
3. Add the chosen user account to the IIS_WPG group.
Disabling the Distributed Transaction Coordinator will
help protect the affected system from attempts to exploit
this vulnerability. To disable the Distributed Transaction
Coordinator, perform these steps:
1. Click Start, and then click Control Panel.
Alternatively, point to Settings, and then click
Control Panel.
2. Double-click Administrative Tools. Alternatively, click
Switch to Classic View and then double-click
Administrative Tools.
3. Double-click Services.
4. Double-click Distributed Transaction Coordinator.
5. In the Startup type list, click Disabled.
6. Click Stop (if started), and then click OK.
You can also stop and disable the MSDTC service by using
the following command at the command prompt:
sc stop MSDTC & sc config MSDTC start= disabled
Impact of Workaround: Managing the additional user accounts
created in this workaround results in increased administrative
overhead. Depending on the nature of applications running in
this application pool, application functionality may be affected.
Disabling MSDTC will prevent applications from using distributed
transactions. Disabling MSDTC will prevent IIS 5.1 from running
in Windows XP Professional Service Pack 2 and IIS 6.0 from running
in IIS 5.0 compatibility mode. Disabling MSDTC will prevent
configuration as well as running of COM+ applications.
IIS 7.0 - Specify a WPI for an application pool in IIS Manager
1. In IIS Manager, expand the server node, click
Application Pools, right-click the application pool,
and then click Advanced Settings.
2. Find the Identity entry, and click the button to open the
Application Pool Identity dialog box.
3. Select the Custom account option and click Set to open
the Set Credentials dialog box. Type in the selected
Account name and Password in the user name and password
text boxes. Retype the Password in the Confirm password
text box, then click OK.
Note: Application pool identities are dynamically added to the
IIS_WPG group in IIS 7 and don't need to be manually added.
Impact of Workaround: Managing the additional user accounts
created in this workaround results in increased
administrative overhead. Depending on the nature of
applications running in this application pool, application
functionality may be affected.
IIS 7.0 - Specify a WPI for an application pool using the Command
Line utility APPCMD.exe
1. From a command prompt, change to the
%systemroot%\system32\inetsrv directory.
2. Execute the APPCMD.exe command using the following
syntax, where the first string is the name of the application
pool, the Username string is the user name of the account
assigned to the application pool, and the Password string is
the password for the account:
appcmd set config /section:applicationPools /[name='string'].processModel.identityType:SpecificUser /[name='string'].processModel.userName:string /[name='string'].processModel.password:string
Note: Application pool identities are dynamically added to the
IIS_WPG group in IIS 7.0 and don't need to be manually
added.
Impact of Workaround: Managing the additional user accounts
created in this workaround results in increased administrative
overhead. Depending on the nature of applications running in this
application pool, application functionality may be affected.
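A PowerShell audit-and-apply script for the IIS 7.0 workarounds above, as an added example that is not part of the AusCERT advisory or Microsoft's text. It assumes appcmd.exe lives in %systemroot%\system32\inetsrv (as the advisory states) and that "appcmd list apppool /config /xml" emits each pool's processModel element; the Set-AppPoolCustomIdentity function is a hypothetical wrapper around the same appcmd syntax the advisory gives.

```powershell
# Added example: audit application pool identities and the MSDTC service state
# for the IIS 7.0 workarounds, then apply the SpecificUser identity on request.
$inetsrv = Join-Path $env:SystemRoot 'system32\inetsrv'
$appcmd  = Join-Path $inetsrv 'appcmd.exe'

function Get-AppPoolIdentity {
    # One object per pool. Assumes the /config /xml output wraps each pool's
    # <add name=...><processModel .../></add> inside an <APPPOOL> element.
    $raw = & $appcmd list apppool /config /xml
    [xml]$cfg = ($raw -join "`n")
    foreach ($pool in $cfg.appcmd.APPPOOL) {
        $pm = $pool.add.processModel
        # IIS 7.0 pools with no explicit identityType run as NetworkService.
        $identity = if ($pm -and $pm.identityType) { $pm.identityType } else { 'NetworkService (default)' }
        [pscustomobject]@{
            Name         = $pool.'APPPOOL.NAME'
            IdentityType = $identity
            UserName     = if ($pm) { $pm.userName } else { $null }
        }
    }
}

function Set-AppPoolCustomIdentity {
    # Hypothetical wrapper: the advisory's appcmd invocation with the pool name
    # and credentials substituted in. Each switch is passed as one argument.
    param([string]$Name, [string]$UserName, [string]$Password)
    & $appcmd set config /section:applicationPools `
        "/[name='$Name'].processModel.identityType:SpecificUser" `
        "/[name='$Name'].processModel.userName:$UserName" `
        "/[name='$Name'].processModel.password:$Password"
}

# Report pools still running under a built-in identity (the pre-workaround state).
Get-AppPoolIdentity | Where-Object { $_.IdentityType -ne 'SpecificUser' } |
    ForEach-Object { Write-Warning "Pool '$($_.Name)' uses built-in identity $($_.IdentityType)" }

# MSDTC check: the second workaround expects the service stopped and disabled.
$dtc = Get-Service -Name MSDTC -ErrorAction SilentlyContinue
if ($dtc) {
    $startMode = (Get-WmiObject Win32_Service -Filter "Name='MSDTC'").StartMode
    if ($dtc.Status -ne 'Stopped' -or $startMode -ne 'Disabled') {
        Write-Warning "MSDTC is $($dtc.Status) with start mode '$startMode'; workaround not applied"
    }
}
```

The password reaches appcmd on the command line exactly as in the advisory's syntax, so invoke Set-AppPoolCustomIdentity from an interactive session rather than hard-coding credentials in a saved script.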
REFERENCES:
[1] http://www.microsoft.com/technet/security/advisory/951306.mspx
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================