MS Windows Token Kidnapping local provide the right solutions-vulnerability warning-the black bar safety net

2008-10-12T00:00:00
ID MYHACK58:62200820643
Type myhack58
Reporter 佚名
Modified 2008-10-12T00:00:00

Description

Today MS updated security Bulletin

This vulnerability is due inNetworkService or LocalService the following code running, you can access the same in the NetworkService or LocalService processes that run under that certain processes allow elevation of privileges for theLocalSystem it.

For IIS, the default installation is not affected, the affected is your ASP. NET code is Full Trust to run if permissions than Full Trust, it will not be affected. The old Asp code is not affected, only ASP. NET was affected.

For SQL Server, if the user to:administrative permissionsrun the code, you will be affected

For Windows Server 2 0 0 3an attacker canMSDTCget the token to access the others the same token of the process, which may result in providing the right.

Any have theSeImpersonatePrivilegeprocesses are likely to cause mentioned right.

For the server administrator to do some simple adjustments in IIS on the fight against this threat.

| ! |

IIS 6.0 - Configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager and disable MSDTC

---|---

Perform the following steps:

1.

|

In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool and select Properties.

---|---

2.

|

Click the Identity tab and click Configurable. In the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate.

3.

|

Add the chosen user account to the IIS_WPG group.

Disabling the Distributed Transaction Coordinator will help protect the affected system from attempts to exploit this vulnerability. To disable the Distributed Transaction Coordinator, perform these steps:

1.

|

Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.

---|---

2.

|

Double-click Administrative Tools. Alternatively, click Switch to Classic View and then double-click Administrative Tools.

3.

|

Double-click Services.

4.

|

Double-click Distributed Transaction Coordinator.

5.

|

In the Startup type list, click Disabled.

6.

|

Click Stop (if started), and then click OK.

You can also stop and disable the MSDTC service by using the following command at the command prompt:

sc stop MSDTC & sc config MSDTC start= disabled

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of the applications running in this application pool, application functionality may be affected. An example is Windows Authentication; see Microsoft Knowledge Base Article 8 7 1 1 7 9. Disabling MSDTC will prevent applications from using distributed transactions. Disabling MSDTC will prevent IIS 5.1 from running in Windows XP Professional Service Pack 2 and Windows XP Professional Service Pack 3, and IIS 6.0 running in IIS 5.0 compatibility mode. Disabling MSDTC will prevent configuration as well as running of COM+ applications.