I work with a company that has a financial services vendor that ships their customized IIS4 systems with everyone/full control on C:, or else it "breaks the application". Of course, these perms reach the winnt/system32 dir, but I used cacls to restrict winnt/system32/*.exe from the IUSR account with success. The only thing funky about this solution is that when cmd.exe is restricted in such a manner, the user (if using IE) receives a challenge-response, allowing at least some attempt to brute force the admin account (the vendor sets very weak default passwords).

This particular vendor supplies a lot of credit unions. They are currently testing the MS patch to determine if it will function properly on their customized version of IIS 4. The system is designed to run behind a decent firewall such as the Cisco PIX, and I feel that this fact has created a false sense of "black box" security. The defense-in-depth posture of this company is somewhat weak, but one of their managers shows a lot of promise in terms of tightening the company's security stance.

It seems that most of the exploit code and examples focus on using cmd.exe. In this particular "everyone/full control" scenario, various other executables are available, such as route, net, tftp, findstr, netstat, tracert, ipconfig, ping, etc., that can receive parameters, and some of them (tftp, ftp, telnet, ping) open up a back-channel in a stateful firewall unless outgoing packets are filtered. It appears that routes can be modified as well, but I was not successful in my particular test. Like unicode and other exploits of this nature, it seems pretty easy for an attacker to set up a tftp server and craft a command line to retrieve something like netcat or a trojan from an external site and store it in a writeable area. Internal networks could really be screwed, esp. with something like Sir Dystic's SMBRelay being used.
I won't reveal any more information at this point about the particular vendor, until they release their results or their own customized patch. I am expecting some type of result from them within 12 hours of this message. This vendor's security notification service has been pretty slow in the past, but attackers don't wait. If you are a credit union with an in-house home banking service, please contact me and we can discuss further if necessary.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
| Curt R. Wilson * Netw3 Consulting * www.netw3.com |
| Internet Security, Networking, PC tech, WWW hosting |
| Netw3 Security Reading Room : www.netw3.com/documents.html |
| Serving Southern Illinois locally and the world virtually |
| netw3at_private 618-303-NET3 |
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
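The cacls hardening the post describes, written out as an added example (this is not Curt Wilson's script or the vendor's; it was written for this archive page). It first audits which executables in winnt\system32 still carry an ACE for Everyone, then adds a Deny ACE for the IIS anonymous account on the command-line tools the post names. Assumptions not taken from the post: the anonymous account follows the IIS 4 default naming IUSR_<computername>, %SystemRoot% is the NT install directory, and the script runs from an Administrator cmd.exe on the server. Note the side effect the post reports: once cmd.exe carries a Deny for IUSR, IIS falls back to an authentication challenge, so a weak admin password becomes the next thing to fix.

```batch
@echo off
REM Added example: audit and tighten ACLs on %SystemRoot%\system32 executables
REM for the IIS anonymous account. Assumes (not from the post) the IIS 4
REM default account name IUSR_<computername>; run as Administrator.
setlocal
set IUSR=IUSR_%COMPUTERNAME%
set SYS32=%SystemRoot%\system32

echo === Step 1: executables that still grant Everyone an ACE ===
REM cacls <file> lists the ACL as <account>:<perm>; "Everyone:F" is Full Control.
for %%F in (%SYS32%\*.exe) do (
    cacls %%F | findstr /I "Everyone:" >nul && echo   Everyone ACE present on %%F
)

echo === Step 2: add a Deny ACE for %IUSR% on the tools named in the post ===
REM /E edits the existing ACL instead of replacing it; /D adds a Deny ACE.
REM Deny wins over any Allow granted to Everyone, so the vendor's
REM everyone/full control on C: no longer reaches these binaries for IUSR.
for %%T in (cmd.exe tftp.exe ftp.exe telnet.exe ping.exe route.exe net.exe netstat.exe findstr.exe tracert.exe ipconfig.exe) do (
    if exist %SYS32%\%%T cacls %SYS32%\%%T /E /D %IUSR%
)

echo === Step 3: verify the Deny ACE landed on the two most abused tools ===
cacls %SYS32%\cmd.exe
cacls %SYS32%\tftp.exe
endlocal
```

Running Step 1 before and after Step 2 gives a before/after picture for the change ticket. The Deny only covers binaries under system32; egress filtering on the PIX (blocking outbound tftp/ftp/telnet/icmp from the web server) is the compensating control the post points at for the back-channel risk, and it does not depend on the NTFS ACLs at all.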
This archive was generated by hypermail 2b30 : Thu May 17 2001 - 07:32:33 PDT