John Wiltshire wrote:
>
> The web server runs as system. The processes which service the web requests
> (you do have them running in separate processes if you are that worried,
> don't you?) run as the user which connected via the web. Still, I guess it
> rates up there with an operating system which allows superusers to
> arbitrarily assign their user id without a password. ;-)
>
Yeah, but consider this...
There are ways of coercing not-so-well-written ASP scripts
that make queries in ODBC datasources to execute commands
on the data source. I know this exploit by heart since
I found it out myself, and no, I don't particularly want
to publish code snippets here to convince people that
I know what I'm talking about.
If the underlying database is MS Access, your commands
that you fool the server into running, RUN AS THE
LOCAL_SYSTEM USER!
This of course can do anything to the machine, including
re-enabling disabled services or deleting the entire
c:\winnt directory structure.. Or download and install
NetBus (a BackOrifice-like tool that works on NT machines).
Yes, I know there are easy ways of filtering the query string
to block this particular exploit, but face the facts, 75% of
the ASP programmers out there don't do it.
Ack :-(
The sad part here is that there's really no way of filtering
out things like this at the firewall. If evil coder X
creates FormatServerHarddrive.ASP and leaves it on a public web
site.. Well... The above problem is the functional equivalent
of it, and it all looks perfectly legal to the firewall.
(Which of course implies that I shouldn't have posted this
to the firewalls list in the first place. More spam to
the people! :-)
Regards,
Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46-(0)660-105 50 Fax: +46-(0)660-122 50
WWW: http://www.enternet.se E-mail: [EMAIL PROTECTED]
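The ASP/ODBC pattern Mike describes, as an added example that is not part of the original post: the unsafe string-concatenated query next to a hardened lookup that validates the request value and binds it as a typed ADODB parameter. The DSN name "inventory", the table and the column names are assumptions for illustration.

```vbscript
' Added example, not from the original post. DSN "inventory", table "items"
' and its columns are assumed names used only for illustration.
Option Explicit
Const adCmdText = 1, adParamInput = 1, adInteger = 3

' --- Vulnerable: the SQL text is assembled from untrusted input ---
Sub LookupUnsafe()
    Dim conn, rs, sql
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "DSN=inventory"
    ' Whatever the client sends in ?id= becomes part of the statement,
    ' so the client, not the script, decides what the database engine runs.
    sql = "SELECT name, qty FROM items WHERE id = " & Request.QueryString("id")
    Set rs = conn.Execute(sql)
    ' ... render rs ...
End Sub

' --- Hardened: validate, then bind the value as a typed parameter ---
Function IsPositiveInteger(s)
    ' Only 1-9 ASCII digits are accepted before the value reaches the driver.
    Dim re
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    IsPositiveInteger = re.Test(s)
End Function

Sub LookupSafe()
    Dim conn, cmd, rs, id
    id = Request.QueryString("id")
    If Not IsPositiveInteger(id) Then
        Response.Status = "400 Bad Request"
        Response.End
    End If
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "DSN=inventory"
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The statement text is fixed; the value travels separately as an integer
    ' and is never parsed as SQL by the driver.
    cmd.CommandText = "SELECT name, qty FROM items WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(id))
    Set rs = cmd.Execute
    Do Until rs.EOF
        Response.Write Server.HTMLEncode(rs("name").Value) & ": " & rs("qty").Value & "<br>"
        rs.MoveNext
    Loop
    rs.Close: conn.Close
End Sub
```

Parameter binding removes the injection path; it does not change which account the database engine runs as, so the privilege point Mike raises about Access queries still has to be addressed through the service account and database permissions.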