Sans ISC

[bitman]

FYI...

- http://isc.sans.org/diary.html?storyid=6010
Last Updated: 2009-03-13 03:07:43 UTC - "...Microsoft should really fix this vulnerability and pay more attention to local privilege escalation vulnerabilities. While MS released an advisory with suggested workarounds (available at http://www.microsoft.com/technet/sec...ry/951306.mspx *), I don’t think enough people know about this..."
* Microsoft Security Advisory (951306)
Vulnerability in Windows Could Allow Elevation of Privilege...
Revisions:
• April 17, 2008: Advisory published
• April 23, 2008: Added clarification to impact of workaround for IIS 6.0
• August 27, 2008: Added Windows XP Professional Service Pack 3 as affected software.
• October 9, 2008: Added information regarding the public availability of exploit code.

This is simply fear mongering by someone at the Sans ISC who doesn't really understand how to read an MS Advisory. Per the MS Advisory referenced:

Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory.

What causes this threat?
Specially crafted code running in the context of the NetworkService or LocalService accounts may gain access to resources in processes that are also running as NetworkService or LocalService. Some of these processes may have the ability to elevate their privileges to LocalSystem, allowing any NetworkService or LocalService processes to elevate their privileges to LocalSystem as well.

How is IIS affected?
User-provided code running in IIS, for example ISAPI filters and extensions, and ASP.NET code running in full trust may be affected by this vulnerability. IIS is not affected in the following scenarios:

• Default Installations of IIS 5.1, IIS 6.0, and IIS 7.0

• ASP.NET configured to run with a trust level lower than Full Trust.

• Classic ASP code


How is SQL Server affected?
SQL Server is affected if a user is granted administrative privileges to load and run code. A user with administrative privileges could execute specially crafted code that could leverage the attack. However, this privilege is not granted by default.

Since neither of these situations are available with a default configuration and in fact neither are even installed on any Windows client configuration, the user would first have to perform these [highly stupid] acts to create an exploitable scenario. In all likelyhood anyone doing this would have created a multitude of much more critical exploitable issues simply by performing either of these installations on a client operating system.

As for these same issues with a Windows Server 2003 OS, an Administrator who allowed a normal user the access required, or in fact any access to such an important resource, should be fired for incompetence. Even if there were a possible reason for such access, the workaround should be perfectly acceptable as a method to protect the server in this case and any Administrator worth paying should be able to perform this.

Be careful, the ISC is great for alerting the general public of obvious exploits and the need to patch or provide temporary workarounds to potentially severe vulnerabilites, but they aren't always as individually knowledgable as they might seem.

Bitman