This is the token kidnapping vulnerability that was shown at Hack-in-the-Box last year.
If you don't allow people to upload content to your servers, you're OK. If you do have to allow random people to upload content to your web servers (e.g. you're a hosting company) then you can mitigate this by:

a) not running your web app pools as Network Service
b) not permitting ASP.NET full trust

The IIS vuln comes in because the worker process is running as Network Service. Code running in that worker process can then get at other processes running as Network Service, and there are a few of these processes that contain SIDs for higher privileged accounts (LocalSystem) in their security token.

This will be fixed in Windows Server 2008 SP2 / Vista SP2 and also in Windows Server 2008 R2 (at least for Windows services; if you have third-party services that do this, then you're still going to have a problem).

Windows Server 2008 R2 IIS will automatically run all worker processes as separate identities (this is probably the biggest potential breaking change).

I'll blog this with some diagrams to make it easier to understand.

Cheers
Ken

________________________________
From: Ziots, Edward [[email protected]]
Sent: Tuesday, 7 April 2009 1:27 AM
To: NT System Admin Issues
Subject: RE: Windows vulnerability

If you don't put IIS on your workstations by default, and keep local access to your IIS servers tight, then the risk is low in my eyes. Now if you don't have those controls in place and mischievous folks on your network with access, then risk is higher...

Z

Edward Ziots
Network Engineer
Lifespan Organization
MCSE, MCSA, MCP+I, ME, CCA, Security+, Network+
[email protected]<mailto:[email protected]>
Phone: 401-639-3505

________________________________
From: James Rankin [mailto:[email protected]]
Sent: Monday, April 06, 2009 5:00 AM
To: NT System Admin Issues
Subject: Windows vulnerability

Is anybody worrying about/taking any action over this vulnerability?

http://www.microsoft.com/technet/security/advisory/951306.mspx

While MS says it is not aware of it being exploited, this fairly recent ISC entry seems to hint otherwise:

http://isc.sans.org/diary.html?storyid=6010
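Ken's two mitigations, (a) moving worker processes off Network Service and (b) taking ASP.NET below full trust, as an added PowerShell check-and-fix; this is example code written for this page, not from any poster or from Microsoft. It assumes IIS 7.x on Windows Server 2008 with the WebAdministration module, an elevated session, and a dedicated low-privilege local account already created; $PoolName and $SvcAccount are placeholders.

```powershell
# Added example, not from the thread. Assumes IIS 7.x with the WebAdministration
# module, run as an administrator. $PoolName / $SvcAccount are placeholders.
Import-Module WebAdministration

$PoolName   = 'DefaultAppPool'   # placeholder: the pool to move off Network Service
$SvcAccount = 'IIS_Default'      # placeholder: dedicated low-privilege local account

# Check: list every pool still running as Network Service. These share an identity
# with the other Network Service processes Ken describes, which is the exposure.
$exposed = Get-ChildItem IIS:\AppPools |
    Where-Object { $_.processModel.identityType -eq 'NetworkService' }
$exposed | ForEach-Object { "Pool '$($_.Name)' still runs as NetworkService" }

# Mitigation (a): run the pool under its own account. identityType 3 = SpecificUser.
# The account still needs read access to the site's content directory afterwards.
$cred = Get-Credential $SvcAccount
Set-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel -Value @{
    identityType = 3
    userName     = $cred.UserName
    password     = $cred.GetNetworkCredential().Password
}

# Mitigation (b): drop ASP.NET below full trust for all sites on this server.
# MACHINE/WEBROOT is the .NET root web.config; a site can still override this in
# its own web.config unless the <trust> element is wrapped in a <location
# allowOverride="false"> there, so lock it for hosted customers.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT' -Filter 'system.web/trust' `
    -Name 'level' -Value 'Medium'

# Verify both settings took effect.
(Get-ItemProperty "IIS:\AppPools\$PoolName" -Name processModel).identityType
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT' -Filter 'system.web/trust' -Name 'level'
```

Run the check block on its own first across all servers; it is read-only and shows how many pools would be affected before any identity change is made.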
