ENTERCEPT SECURITY ALERT: Privilege Escalation Vulnerability in Microsoft IIS

Published: 2001-08-16 00:00:00 (Aug 16, 2001 - 12:00 a.m.)
Source: vulners.com
Archive ID: SECURITYVULNS:DOC:1939
ENTERCEPT SECURITY BULLETIN

Date: Aug 15, 2001

Re: PRIVILEGE ESCALATION VULNERABILITY IN MICROSOFT IIS



This information is distributed by Entercept Security Technologies to alert
you of security vulnerabilities and how to prevent/protect against them.



OVERVIEW:
A serious vulnerability exists in Microsoft Internet Information Server
(IIS) that allows an attacker running with only guest-level rights to
escalate his privileges on the web server system.

Microsoft has released a patch for this vulnerability (Microsoft Security
Bulletin MS01-044), which can be downloaded here:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

POTENTIAL IMPACT:
An attacker exploiting this vulnerability can gain full control of the
system, which would allow him to take malicious actions such as gaining
access to confidential data, adding users, or crashing the system.

DETAILS:
The vulnerability allows a guest-level user who already has the ability to
execute code on the system to elevate his privileges. Once the exploit is
executed, the attacker can run arbitrary code on the machine with SYSTEM
privileges. Typically the attacker uses one of several well-known attacks
to upload the exploit into an IIS virtual directory and then triggers it
remotely through the web server. Alternatively, anyone with a valid
username and password can log into the system, upload the exploit file
into the IIS virtual tree, and then execute it.

IIS supports three process isolation modes (low, medium and high). These
modes control how well the IIS process itself is isolated from the
applications that are invoked as part of request processing. Due to a
weakness in IIS, several DLL files are always loaded at the least secure
isolation level, that is, inside the IIS process, regardless of the
isolation level actually configured for the application. Because the IIS
process runs as SYSTEM, adding or replacing one of these DLLs with a
malicious version lets an attacker run arbitrary code with SYSTEM
privileges.

Entercept simulated the vulnerability in its EKAT (Entercept Knowledge
Acquisition Team) labs and worked closely with Microsoft’s security group on
this issue.

Best practices strongly recommend against ever granting an untrusted user
the ability to put CGI scripts, DLLs or other executable content onto a
web server, whether through web-server write access or through file-system
permissions on the virtual tree. If a server administrator has not observed
this fairly basic precaution, the server is in grave danger even in the
absence of this vulnerability.
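The precondition the advisory describes is a virtual directory that is both executable and writable by an untrusted user. The following audit script is an added example, not code from Entercept or Microsoft: it checks a set of virtual-directory records for that condition and reports the configured isolation level without treating it as a mitigation, since the DLLs in question load in-process regardless of that setting. The records mirror the IIS metabase properties AccessFlags and AppIsolated (on a real IIS 5.0 host they would be read with adsutil.vbs); the sample entries, account names and NTFS ACL data are constructed for the example.

```python
# Added example (not from the advisory): audit IIS virtual directories for
# the precondition of this attack, namely untrusted users being able to
# place executable content (a DLL, CGI or script) into the virtual tree.
# Records mirror the IIS metabase AccessFlags/AppIsolated properties; the
# sample data below is constructed.

# IIS metabase AccessFlags bits (from the IIS metabase reference).
ACCESS_READ = 0x1
ACCESS_WRITE = 0x2      # allows PUT / WebDAV writes through the web server
ACCESS_EXECUTE = 0x4    # CGI executables and ISAPI DLLs may run here
ACCESS_SCRIPT = 0x200   # script-mapped content (ASP, etc.) may run here

# AppIsolated values: the IIS process isolation mode of the application.
ISOLATION = {0: "low (in-process)", 2: "medium (pooled)", 1: "high (isolated)"}

# Principals treated as untrusted: guest and anonymous web users.
# Account names are assumed for this example.
UNTRUSTED = {"Everyone", "Guests", "Users", "IUSR_WEBSRV"}


def is_executable(access_flags):
    """True if IIS will execute content placed in the directory."""
    return bool(access_flags & (ACCESS_EXECUTE | ACCESS_SCRIPT))


def untrusted_can_write(vdir):
    """Return the routes by which an untrusted user could write into vdir."""
    routes = []
    if vdir["AccessFlags"] & ACCESS_WRITE:
        routes.append("AccessWrite (HTTP PUT/WebDAV)")
    writers = sorted(set(vdir["ntfs_write"]) & UNTRUSTED)
    if writers:
        routes.append("NTFS write ACL for " + ", ".join(writers))
    return routes


def audit(vdirs):
    """Flag every directory that is executable and writable by untrusted users.

    The isolation level is reported but deliberately not used to suppress a
    finding: the DLLs the advisory refers to load in-process regardless of
    the AppIsolated setting, so medium or high isolation does not mitigate
    this class of attack.
    """
    findings = []
    for v in vdirs:
        if not is_executable(v["AccessFlags"]):
            continue
        routes = untrusted_can_write(v)
        if routes:
            findings.append({
                "path": v["path"],
                "isolation": ISOLATION.get(v["AppIsolated"], "unknown"),
                "routes": routes,
            })
    return findings


# Constructed sample, modelled on an IIS 5.0 metabase dump plus NTFS ACLs.
SAMPLE_VDIRS = [
    {"path": "/Scripts", "AccessFlags": ACCESS_EXECUTE | ACCESS_SCRIPT,
     "AppIsolated": 0, "ntfs_write": ["Administrators", "SYSTEM"]},
    {"path": "/Upload", "AccessFlags": ACCESS_READ | ACCESS_WRITE | ACCESS_SCRIPT,
     "AppIsolated": 1, "ntfs_write": ["Administrators"]},
    {"path": "/cgi-bin", "AccessFlags": ACCESS_READ | ACCESS_EXECUTE,
     "AppIsolated": 2, "ntfs_write": ["Administrators", "Everyone"]},
    {"path": "/images", "AccessFlags": ACCESS_READ | ACCESS_WRITE,
     "AppIsolated": 0, "ntfs_write": ["Everyone"]},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_VDIRS):
        print(f"{f['path']}: executable and untrusted-writable via "
              f"{'; '.join(f['routes'])} [isolation: {f['isolation']}]")
```

On the constructed sample, /Scripts passes (executable but only administrators can write), /images is not executable and so falls outside this check, while /Upload is flagged despite running at high isolation and /cgi-bin is flagged because of an NTFS grant to Everyone.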

SOLUTIONS/RECOMMENDATIONS:
Entercept Security Technologies' customers running the Web Server agent are
protected from this attack. Entercept's shielding technology provides an
additional layer of security by protecting web server resources and
preventing malicious exploitation of the web server. In this case, the
shielding prevents replacing or writing any files in the virtual tree.
The attempt to replace the DLL therefore fails, blocking the attack even
though the specific vulnerability was unknown at the time.

Entercept’s unique shielding technology prevents the exploitation of this
attack with no need for any specific signature. The behavior-based shielding
technology was able to prevent the attack long before the exploit was made
public.

Microsoft has released a patch for this vulnerability (Microsoft Security
Bulletin MS01-044), which can be downloaded here:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

Entercept recommends that companies stay current with their patches, and
install the Web Server Edition, which provides best-of-breed protection
that is effective even when patches are not yet available or have not been
deployed.

REFERENCES:
* Microsoft Security Bulletin and patch information:
http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

* Entercept Knowledge Acquisition Team (EKAT)

Entercept Contacts:
Elizabeth Hernandez
Entercept Security Technologies
Phone: (408) 576-6333
Email: [email protected]

Tim Alban
Panagraph Technologies Group
Phone: (619) 282-6100
Email: [email protected]

About Entercept Security Technologies
Entercept Security Technologies develops server security products that
prevent access to server resources before any unauthorized activity occurs.
Entercept provides essential protection beyond the firewall by identifying
attacks and instantly taking action to stop hacker attacks before they cause
damage. The Web Server Edition, the latest Entercept product, offers unique
protection for Web servers as well as applications. Entercept Security
Technologies (www.entercept.com) is headquartered in San Jose, Calif., and
can be reached by calling 408-576-5900, or toll-free at 1-800-599-3200.
Entercept's European offices can be reached by calling 44-208-387-5500.