Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:3710
HistoryNov 04, 2002 - 12:00 a.m.

[A3SC] MS IIS out of process privilege elevation vulnerability(A3CR@K-Vul-2002-06-002)

2002-11-0400:00:00
vulners.com
7
JSON

*** A3 Security Consulting: CR@K Vulnerability Research***

Title : MS IIS out of process privilege elevation
vulnerability(A3CR@K-Vul-2002-06-002)
Reporter : li0n ([email protected])
Affected software : IIS 4.0, 5.0, 5.1
Risk : High
Local/Remote : Local
Category : Windows - IIS - Privilege elevation
Date : June, 25, 2002

Advisory URL : http://www.li0n.pe.kr/eng/advisory/ms/iis_impersonation.txt

[1] Summary

An impersonation vulnerability of dllhost.exe allows a local user to gain
the SYSTEM privilege.

This vulnerability arises from the fact that the process of dllhost.exe
harbors an impersonation
token of SYSTEM account while processing user's request.
Because a process of dllhost.exe is executed with IWAM_machinename
privilege, an attacker can
manipulate the process's memory space and steal the SYSTEM privilege when
the process has the
impersonation token of SYSTEM account. In other words, an attacker can
execute arbitrary codes
with SYSTEM privilege through this impersonation.

[2] Affected software

Internet Information Services 4.0
Internet Information Services 5.0
Internet Information Services 5.1

[3] Patch

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-062.asp

[4] Testing environments

Microsoft Windows 2000 advanced server with
Service pack2
Security rollup1
Cumulative Patch for Internet Information Services (Q319733)

[5] Required Knowledge

Architecture of Microsoft IIS
Impersonation

[6] Technical Details

Microsoft IIS provides two protection modes, in-process mode and
out-of-process mode.
If IIS is set to in-process mode, .asp request and ISAPI dlls are executed
within
inetinfo.exe process that is running with SYSTEM privilege.
So, an attacker can obtain SYSTEM privilege easily with some effort to
control the process
to serve his purpose.

On the other hand, if IIS is set to out-of-process mode, .asp request and
ISAPI dlls are
executed within dllhost.exe process which is running with IWAM_machinename
account.
In this case, an attacker can only obtain IWAM_machinename account even if
he or she is
successful with the attack. For reference, the default setting for IIS4 is
in-process and
the default setting for IIS5 is out-of-process.

dllhost.exe process calls ole32!CoImpersonateClient function to process
user's request.
If CoImpersonateClient function returns successfully, the process becomes
to harbor an
impersonation token of SYSTEM account for a moment. Later on, dllhost.exe
process finishes up
its impersonated SYSTEM privilege by calling RevertToSelf function to
destroy SYSTEM privilege
and returns to IWAM_machinename privilege.

Because a process of dllhost.exe is executed with IWAM_machinename
privilege, an attacker can
manipulate the process's memory space and steal the SYSTEM privilege when
the process has the
impersonation token of SYSTEM account.

For an example, an attacker can make dllhost.exe process call
MyCoImpersonateClient function
instead of ole32!CoImpersonateClient function using API hooking technique.
An attacker can forge
a MyCoImpersonateClient function and he or she can execute malicious code
using SYSTEM privilege.

Another method to execute malicious code is to attach the dllhost.exe
process to a debugger and
modify dllhost.exe process's memory contents.

An attacker can create and assign an arbitrary account to the local
administrator group
exploiting this vulnerability and execute programs with administrator
privilege.

[7] Exploit Code

Not included in this advisory on purpose

[8] Informations

Vendor status
Patch Released (MS02-062)

Credit
Discovery and exploitation Research : [email protected]
Advisor : CR@K TEAM

**Copyright (c) 1999-2002 A3 Security Consulting **
Permission is hereby granted for the redistribution of this
alertelectronically.
It is not to be edited in any way without express consent of A3 Security
Consulting.
If you wish to reprint the whole or any part of this alert in any other
medium
excluding electronic medium, please e-mail [email protected] for permission.

Disclaimer
The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition.
There are NO warranties with regard to this information. In no event shall
the author
or an entity where he belongs be liable for any damages whatsoever arising
out of or
in connection with the use or spread of this information.
Any use of this information is at the user's own risk.

Feedback
Please send suggestions, updates, and comments to:

A3 Security Consulting Co., Ltd.
http://www.a3sc.co.kr/
Official : [email protected] , Private : [email protected]

JSON