Web-Hosting Providers – Beware!
Friday April 18, 2008 at 12:39 pm CST
Posted by Karthik Raman
Late on Thursday Microsoft released an advisory about a new privilege escalation vulnerability affecting IIS and SQL Server on Windows XP, 2003, Vista, and Server 2008.
It’s likely that this is the same flaw discussed by Cesar Cerrudo in his talk, “Token Kidnapping”, at the HITB Security Conference 2008 in Dubai. Cerrudo had discovered a privilege-escalation vulnerability earlier, and said in March, “Design weaknesses can be abused on Windows XP, Vista, Internet Information Services 7 and Windows Server 2003 and 2008”.
So what is known about this flaw? A malicious local user who has authentication could execute specially crafted code to raise his privilege level to LocalSystem. IIS and SQL Server are the main attack vectors. But other vectors are possible, such as Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2003.
While the vulnerability is limited to a local privilege escalation, IIS’s susceptibility is concerning. The Web server is widely used on the Internet, and is a top pick by Web-hosting providers. We might see Web-hosting providers targeted, and — this is scary -– their clients’ Web sites breached. As Microsoft stated in its advisory, “Hosting providers may be at increased risk from this elevation of privilege vulnerability.” However, no exploitation has been observed at this time.
The next Patch Tuesday is May 13. Sysadmins, please heed to Microsoft’s suggested workarounds for IIS until then -– or more to the point, until Microsoft patches this vulnerability.
Finally, a bit of speculation (hat tip to Kevin Beets). One attack vector for this vulnerability uses the SeImpersonateClient privilege. The MSDN page for privilege constants states:
Windows XP/2000: This privilege is not supported. Note that this value is supported starting with Windows Server 2003, Windows XP SP2, and Windows 2000 SP4.
Microsoft did not say that Windows 2000 or Windows 2000 SP4 are vulnerable. But curiously, they did say Windows XP SP2 is. If Service Pack 2 for Windows XP introduced this vulnerability in that operating system, might Service Pack 4 for Windows 2000 not have done the same for Windows 2000?
April 21st, 2008 at 7:58 pm
[…] Web-Hosting Providers – Beware! - McAfee AVERT Labs […]
April 21st, 2008 at 11:12 pm
[…] Full Story I hope you enjoyed reading this article. You may now subscribe to my RSS Feed, scroll down to leave a comment, or get back to the homepage. […]