ENTERCEPT SECURITY ALERT: Privilege Escalation Vulnerability in Microsoft IIS

Type securityvulns
Reporter Securityvulns
Modified 2001-08-16T00:00:00



Date: Aug 15, 2001


This information is distributed by Entercept Security Technologies to alert you to security vulnerabilities and how to prevent/protect against them.

OVERVIEW: A serious vulnerability exists in Microsoft Internet Information Server (IIS) that allows an attacker running as guest to escalate his privileges on the web server system.

Microsoft has created a patch for this vulnerability (MS01-044) that can be downloaded here: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

POTENTIAL IMPACT: An attacker exploiting this vulnerability can gain full control of the system, which would allow him to take malicious actions such as gaining access to confidential data, adding users, or crashing the system.

DETAILS: The exploit allows a GUEST user (who has the rights to execute code on the system) to elevate his privileges. Once the exploit is executed, it allows an attacker to run arbitrary code on the machine with SYSTEM privileges. Usually, by using certain well-known attacks, the user can upload the exploit to the IIS virtual directory, and then remotely execute it. Alternatively, anyone with a valid username and password can log into the system, upload the exploit file into the IIS virtual tree, and then execute it.

IIS supports three different modes of process isolation. These modes control how well the IIS process is isolated from the processes that are invoked as part of request processing. Due to a weakness in IIS, several DLL files are always executed at the least secure isolation level, regardless of the actual process isolation settings. By adding one of these DLLs, or replacing one with a malicious version, an attacker can run arbitrary code with SYSTEM privileges.

Entercept simulated the vulnerability in its EKAT (Entercept Knowledge Acquisition Team) labs and worked closely with Microsoft’s security group on this issue.

Best practices strongly recommend against ever granting an untrusted user the ability to put CGI scripts or other executable content onto a Web server. If a server administrator hasn't observed this fairly basic precaution, the server is in grave danger, even in the absence of this vulnerability.
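One way to detect the added or replaced DLL described under DETAILS is to compare the executable content of the virtual tree against a known-good baseline. The following is an added example, not part of the Entercept advisory or of any Entercept or Microsoft product; the extension list, the file names and the temporary directory standing in for the virtual tree are constructed assumptions.

```python
import hashlib
import os
import tempfile

# Extensions treated as executable content (an assumption; adjust per server).
EXECUTABLE_EXTS = {".dll", ".exe", ".asp", ".cgi"}

def snapshot(root):
    """Map each executable file's relative path to its SHA-256 digest.
    Paths are lowercased because Windows file names are case-insensitive."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTS:
                continue  # static content is out of scope for this check
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            digests[os.path.relpath(full, root).lower()] = digest
    return digests

def compare(baseline, current):
    """Report executable files added, replaced or removed since the baseline."""
    return {
        "added": sorted(p for p in current if p not in baseline),
        "replaced": sorted(p for p in current
                           if p in baseline and current[p] != baseline[p]),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed scenario: a temp directory stands in for the virtual tree."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "scripts"))
        def write(rel, data):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        write(os.path.join("scripts", "sample_ext.dll"), b"original build")
        write("index.htm", b"<html></html>")
        baseline = snapshot(root)  # taken while the tree is known good
        write(os.path.join("scripts", "sample_ext.dll"), b"different bytes")
        write(os.path.join("scripts", "Dropped.DLL"), b"new file")
        write("index.htm", b"<html>edited</html>")  # not executable: ignored
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The baseline must be stored where the web server account cannot write, otherwise whoever can replace a DLL can also replace its recorded digest.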

SOLUTIONS/RECOMMENDATIONS: Entercept Security Technologies’ customers running the Web Server agent are safe from this attack. Entercept’s shielding technology provides an additional layer of security by protecting the web server resources and preventing malicious exploitation of the web server. In this case, the shielding prevents replacing or writing any files into the virtual tree. Therefore, the attempt to replace the dll fails, preventing the attack even though the specific vulnerability was unknown.

Entercept’s unique shielding technology prevents the exploitation of this attack with no need for any specific signature. The behavior-based shielding technology was able to prevent the attack long before the exploit was made public.

Microsoft has created a patch for this vulnerability (MS01-044) that can be downloaded here: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp

Entercept recommends that companies stay current with their patches and install Web Server Edition, which provides best-of-breed protection and is effective even when patches are not yet available or have not been deployed.

REFERENCES:

    * Microsoft Security Bulletin and patch information: http://www.microsoft.com/technet/security/bulletin/MS01-044.asp
    * Entercept Knowledge Acquisition Team (EKAT)

Entercept Contacts:

Elizabeth Hernandez
Entercept Security Technologies
Phone: (408) 576-6333
Email: ehernandez@entercept.com

Tim Alban
Panagraph Technologies Group
Phone: (619) 282-6100
Email: talban@panagraph.com

About Entercept Security Technologies: Entercept Security Technologies develops server security products that prevent access to server resources before any unauthorized activity occurs. Entercept provides essential protection beyond the firewall by identifying attacks and instantly taking action to stop hacker attacks before they cause damage. The Web Server Edition, the latest Entercept product, offers unique protection for Web servers as well as applications. Entercept Security Technologies (www.entercept.com) is headquartered in San Jose, Calif., and can be reached by calling 408-576-5900, or toll-free at 1-800-599-3200. Entercept's European offices can be reached by calling 44-208-387-5500.