In response to the numerous emails I have received in regards to the
proof of concept code I published for BugtraqID: 1535 (Windows 2000
Services Named Pipe Vulnerability) I have published two variants
of the original code:
The PipeUpSAM variation dumps the local SAM database to stdout in the
standard PwdDump.exe format. The generated file may then be used with
any NT MD4 password cracker, such as L0phtCrack.
The PipeUpAdmin variation adds the current user account to the local
Administrators group.
The binaries are available at:
http://www.dogmile.com/files/
Also, in response the numerous emails I have received in regards to
the CmdAsp.asp code that I posted to bugtraq, I have better documented
this escalation of privileges vulnerability. The details follow, and
can also be found at:
http://www.dogmile.com/files/#CmdAsp
-Maceo
-----
CmdAsp
Author: Maceo <maceo @ dogmile.com>
Release: 2000-12-01
Type: Local/remote exploit (*See Requirements*)
Requirements: Ability to create an ASP file in a web directory
ToolType: Interactive cmd tool
OS: Windows NT/2000 (IIS 4.0 and IIS 5.0)
Source: <++ CmdAsp.asp ++>
DISCUSSION:
During normal webserver operations IIS, by default, impersonates the
account IUSR_COMPUTER. This account has minimal access rights. However,
because of the way IIS impersonates accounts, spawned processes inherit
the original security context. This can result in escalation of user
privileges.
Depending on the setup of an IIS server this escalation will result in
access to the account IWAM_COMPUTER or SYSTEM. With IIS 4.0 the account
depends upon whether or not the web administrator has selected the "run
in separate memory space" option. This option is unselected by default
and allows SYSTEM account escalation. In IIS 5.0 the setting is called
Application Protection. Application Protection "Low" will result in
SYSTEM access and Medium or High with result in IWAM_COMPUTER access.
The default setup for IIS 5.0, "Medium", will result in IWAM_COMPUTER
access. Further, an IIS 4.0 webserver that was upgraded to IIS 5.0
with the default settings will allow SYSTEM account escalation.
It should be noted that since the IWAM_COMPUTER account can change the
settings of the webserver, escalation to SYSTEM account access is still
possible.
DESCRIPTION:
An interactive command prompt from an ASP file. This script uses the
Microsoft scripting object WSCRIPT.SHELL to spawn a cmd.exe process
which will run with escalated privileges.
BUGFIX:
Microsoft has not released an official fix at this time. To block
this particular exploit, unregister the windows scripting object:
C:\> regsvr32.exe /u C:\winnt\system32\wshom.ocx