In this case, RevertToSelf() will not work. The bug (design feature) that allowed this to work often in Windows NT is irrelevant, as ASP runs in a SYSTEM context. In Windows 2000 (and beyond) it was "fixed" so that the child process of DLLHOST.EXE running at IWAM privs cannot revert to SYSTEM, as it was spun with lowered SE privs. This is also true of most COM objects hosted at a particular security context within a child DLLHOST.EXE.

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer
http://www.eEye.com/SecureIIS - Stop Known and Unknown IIS Vulnerabilities

-----Original Message-----
From: Maximiliano Caceres [mailto:core.lists.exploit-dev@core-sdi.com]
Sent: Thursday, April 11, 2002 12:39 PM
To: vuln-devat_private
Subject: Re: Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow

Marc Maiffret wrote:
> Windows 2000 and NT4 IIS .ASP Remote Buffer Overflow
>
>
> Severity:
> High (Remote code execution)
> IWAM_MACHINE Privilege Level
>

I'm missing sthg here. In all MS02-018 code-execution vulnerabilities, IWAM_MACHINE privilege for the code is presented as a mitigating factor. Isn't it always possible to get SYSTEM from IUSR_STHG via the RevertToSelf() call? Is there a way of protecting against this?

max/

--
Maximiliano Caceres
Product Engineer
CORE SECURITY TECHNOLOGIES
Florida 141 - 2º cuerpo - 7º piso
C1005AAC Buenos Aires - Argentina
Tel/Fax: (54 11) 4878-CORE (2673)
http://www.corest.com

--- for a personal reply use: Maximiliano Caceres <maximiliano.caceresat_private>
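The point of the reply above is that RevertToSelf() only ever hands back the primary token of the process hosting the code, so what an attacker gains depends on which process that is (inetinfo.exe versus a child DLLHOST.EXE) and which account it runs as. The following check is an added example, not part of the original thread and not eEye or CORE code: it lists the IIS host processes named in the thread together with the account each runs as, which is exactly the identity a RevertToSelf() from inside that process would land on. It assumes a Windows host with PowerShell 3 or later and the CIM cmdlets (neither existed in this form in 2002); w3wp.exe is included as an assumption for IIS 6 and later, which the thread does not cover.

```powershell
# Added example, not from the original thread. Assumes PowerShell 3+ with the
# CIM cmdlets; run elevated so GetOwner() succeeds for SYSTEM-owned processes.
# inetinfo.exe and dllhost.exe are the hosts named in the thread; w3wp.exe is
# an assumption for IIS 6 and later.
$iisHosts = @('inetinfo.exe', 'dllhost.exe', 'w3wp.exe')

# Returns 'SYSTEM' if a RevertToSelf() inside the given process would land on
# LocalSystem, otherwise the (lower-privileged) account the process runs as.
function Get-RevertTarget {
    param([Parameter(Mandatory)] $Process)
    $owner = Invoke-CimMethod -InputObject $Process -MethodName GetOwner
    if ($owner.ReturnValue -ne 0) { return '<access denied - run elevated>' }
    if ($owner.Domain -eq 'NT AUTHORITY' -and $owner.User -eq 'SYSTEM') { return 'SYSTEM' }
    return "$($owner.Domain)\$($owner.User)"
}

Get-CimInstance -ClassName Win32_Process |
    Where-Object { $iisHosts -contains $_.Name } |
    ForEach-Object {
        $target = Get-RevertTarget -Process $_
        [pscustomobject]@{
            PID          = $_.ProcessId
            Host         = $_.Name
            RevertTarget = $target
            # $true means code running in this process can still RevertToSelf()
            # to SYSTEM; an IWAM_*/IUSR_* target is the "lowered SE privs" case.
            SystemRevert = ($target -eq 'SYSTEM')
        }
    } | Format-Table -AutoSize
```

Read the output against the thread: a DLLHOST.EXE row whose RevertTarget is IWAM_<machine> is the Windows 2000 pooled/isolated case where reverting buys nothing, while an inetinfo.exe row with RevertTarget SYSTEM is the in-process case where RevertToSelf() still yields SYSTEM. Anything hosted in the latter process inherits that exposure regardless of what the impersonation token says.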
This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 19:59:35 PDT