View Full Version : Sans ISC

2009-03-13, 17:53

- http://isc.sans.org/diary.html?storyid=6010
Last Updated: 2009-03-13 03:07:43 UTC - "...Microsoft should really fix this vulnerability and pay more attention to local privilege escalation vulnerabilities. While MS released an advisory with suggested workarounds (available at http://www.microsoft.com/technet/security/advisory/951306.mspx *), I don’t think enough people know about this..."
* Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege...
• April 17, 2008: Advisory published
• April 23, 2008: Added clarification to impact of workaround for IIS 6.0
• August 27, 2008: Added Windows XP Professional Service Pack 3 as affected software.
• October 9, 2008: Added information regarding the public availability of exploit code.


This is simply fear mongering by someone at the Sans ISC who doesn't really understand how to read an MS Advisory. Per the MS Advisory referenced:

Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory.
What causes this threat?
Specially crafted code running in the context of the NetworkService or LocalService accounts may gain access to resources in processes that are also running as NetworkService or LocalService. Some of these processes may have the ability to elevate their privileges to LocalSystem, allowing any NetworkService or LocalService processes to elevate their privileges to LocalSystem as well.

How is IIS affected?
User-provided code running in IIS, for example ISAPI filters and extensions, and ASP.NET code running in full trust may be affected by this vulnerability. IIS is not affected in the following scenarios:

• Default Installations of IIS 5.1, IIS 6.0, and IIS 7.0

• ASP.NET configured to run with a trust level lower than Full Trust.

• Classic ASP code

How is SQL Server affected?
SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default. Since neither of these situations are available with a default configuration and in fact neither are even installed on any Windows client configuration, the user would first have to perform these [highly stupid] acts to create an exploitable scenario. In all likelihood anyone doing this would have created a multitude of much more critical exploitable issues simply by performing either of these installations on a client operating system.

As for these same issues with a Windows Server 2003 OS, an Administrator who allowed a normal user the access required, or in fact any access to such an important resource, should be fired for incompetence. Even if there were a possible reason for such access, the workaround should be perfectly acceptable as a method to protect the server in this case and any Administrator worth paying should be able to perform this.

Be careful, the ISC is great for alerting the general public of obvious exploits and the need to patch or provide temporary workarounds to potentially severe vulnerabilities, but they aren't always as individually knowledgeable as they might seem.
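As a defender-side check tied to the advisory's "trust level lower than Full Trust" criterion quoted above, here is an added Python example (not from this thread or from Microsoft) that audits the ASP.NET `<trust>` element in a web.config or machine.config; the two configuration strings are constructed samples.

```python
"""Audit the ASP.NET trust level relevant to Microsoft Security Advisory 951306.

Added example: the advisory says ASP.NET running below Full Trust is not
affected, so a defender can flag sites whose <system.web><trust level="..."/>
is still Full, and note whether the setting is locked at machine level
(<location allowOverride="false">) so a site web.config cannot raise it.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a site left in Full Trust (the affected scenario)
WEB_CONFIG_FULL = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <trust level="Full" originUrl="" />
  </system.web>
</configuration>"""

# Constructed sample: Medium trust, locked so per-site configs cannot override it
MACHINE_CONFIG_MEDIUM = """<?xml version="1.0"?>
<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>"""


def audit_trust(config_xml: str) -> dict:
    """Return the configured trust level, whether it is locked against
    per-site override, and whether it is the advisory's affected case (Full).
    ASP.NET defaults to Full Trust when no <trust> element is present."""
    root = ET.fromstring(config_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    level, locked = "Full", False
    trust = next(root.iter("trust"), None)
    if trust is not None:
        level = trust.get("level", "Full")
        node = parents.get(trust)
        while node is not None:  # walk up looking for a locking <location>
            if node.tag == "location" and node.get("allowOverride", "true").lower() == "false":
                locked = True
            node = parents.get(node)
    return {"level": level, "locked": locked, "affected": level.lower() == "full"}


if __name__ == "__main__":
    for name, cfg in (("site web.config", WEB_CONFIG_FULL), ("machine.config", MACHINE_CONFIG_MEDIUM)):
        print(name, audit_trust(cfg))
```

A config with no `<trust>` element at all is reported as Full, matching the ASP.NET default the advisory's "default installation" exception relies on IIS never exposing to user code.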


2009-03-13, 21:36
The MS advisory itself references:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1436
...which rates it "CVSS v2 Base Score: 9.0 (HIGH)".
IBM's ISS group ( http://xforce.iss.net/xforce/xfdb/41880 ) rates it as "High Risk".

So apparently there are others who think MS shouldn't wait 11 months after issuing an advisory to get a patch out.

Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/951306.mspx
Published: April 17, 2008 | Updated: April 14, 2009 - "...We have issued MS09-012 to address this issue..."
- http://www.microsoft.com/technet/security/Bulletin/ms09-012.mspx


2009-03-14, 22:53
OK, now that I've taken the time to read the entire article at the SANS Internet Storm Center written by Bojan Zdrnja called "When web application security, Microsoft and the AV vendors all fail" (http://isc.sans.org/diary.html?storyid=6010), I see where the true confusion lies. This isn't an issue with the article itself, it's the choice of excerpts used to represent the article.

Though the article itself is relatively balanced and calls out all of the known contributors involved quite clearly as the following excerpt shows:

The three main actors in this movie were a web application with a security vulnerability, Microsoft’s server class operating systems with an unpatched local privilege escalation vulnerability and the last line of everyone’s defense, the AV vendors.

Unfortunately rather than choosing this or another of the clear summary paragraphs for the posting here, the following partial paragraph excerpt was chosen and then placed within a general thread entitled "Microsoft Alerts".

Last Updated: 2009-03-13 03:07:43 UTC - "...Microsoft should really fix this vulnerability and pay more attention to local privilege escalation vulnerabilities. While MS released an advisory with suggested workarounds (available at http://www.microsoft.com/technet/security/advisory/951306.mspx *), I don’t think enough people know about this..."

Though this alone could create confusion, the omission of the following initial sentence fragment resulted in an even further distortion of the impact and meaning of the above quote.

This doesn’t mean that other two actors should just sit and do nothing...

So though the writer of the original Sans ISC article is still obviously confused about which vulnerabilities can actually be patched, his overall discussion does better treat the specific segment above within context. He simply doesn't understand that not every vulnerability can be [easily] patched, if at all.

The core issues in the example provided in the article were related to the web application vulnerability (ability to upload files) and then the ability to abuse the specific vulnerability cited in the Microsoft Advisory to gain System privilege, with the Antivirus issue as a followup sidelight. What isn't mentioned is that for this exploit to succeed, improper configuration of the IIS service would have been required, though the web application itself may have performed this during or after installation.

Though SANS Internet Storm Center cited the Microsoft Advisory in a posting shortly after its original release, even they indicated the mitigating circumstances and probable limited range of risk provided by the vulnerability within their first paragraph.

Microsoft has just put out an advisory for a privilege escalation vulnerability in Windows that affects IIS and potentially SQL server (951306). Basically, authenticated users can use this vulnerability to become LocalSystem. This is probably more of a problem for shared hosting environments where clients could upload malicious code to the webserver and run the exploit to gain additional rights. SQL is less of a problem because permissions have to be explicitly given to allow a SQL user to run code.

As for the need for Microsoft to provide a patch for the issue this is quite clearly covered by Cesar Cerrudo, who provided much of the original vulnerability detail and even some PoC (Proof of Concept) code, in his response to a comment in a followup article.

Token Kidnapping Windows 2003 PoC exploit (http://nomoreroot.blogspot.com/2008/10/windows-2003-poc-exploit-for-token.html)

Cesar Cerrudo said...
Hi Hamid

I haven't had news from MS about these issues, I don't know when they are going to fix them.
I don't think this is a critical flaw. Basically it's an easy way of elevating privileges when you have impersonation rights but without this exploit it's still possible to elevate privileges in certain circumstances just using regular functionality, ie: an administrator authenticates to a service or to IIS and then it's impersonated.

As I stated already in my previous comments, the vulnerability discussed by the Advisory is real, though limited in scope and easily mitigated by those Administrators who should be responsible. The problem itself, however, can't be 'patched', since as Cesar hints in both his original Token Kidnapping presentation and later in the above response, the core issue is embedded in the design of Windows itself. This means that a redesign of the core Windows kernel is required, which Cesar (in his original research PDF) and I also mentioned is slowly occurring with each new release, primarily to avoid breaking the existing applications that depend on the older design choices.

In summary, the vulnerability is real and yes, those with responsibility for Windows servers should be aware of the need to create secure configurations of their servers. However, it is unlikely we will ever see a patch for this vulnerability, since it's not a simple classic flaw in the programming, but rather a design decision at the core of Windows, which will require time and newer, more secure versions of Windows to remove.