In no event shall the author or an entity where he belongs be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. There are NO warranties with regard to this information. Use of this information constitutes acceptance for use in an AS IS condition. The information within this paper may change without notice. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail for permission. It is not to be edited in any way without express consent of A3 Security Consulting. ** Copyright (c) 1999-2002 A3 Security Consulting ** Permission is hereby granted for the redistribution of this alertelectronically.
Inetinfo exploit code#
An attacker can forge a M圜oImpersonateClient function and he or she can execute malicious code using SYSTEM privilege.Īnother method to execute malicious code is to attach the dllhost.exe process to a debugger and modify dllhost.exe process's memory contents.Īn attacker can create and assign an arbitrary account to the local administrator group exploiting this vulnerability and execute programs with administrator privilege.ĭiscovery and exploitation Research : : TEAM Later on, dllhost.exe process finishes up its impersonated SYSTEM privilege by calling RevertToSelf function to destroy SYSTEM privilege and returns to IWAM_machinename privilege.īecause a process of dllhost.exe is executed with IWAM_machinename privilege, an attacker can manipulate the process's memory space and steal the SYSTEM privilege when the process has the impersonation token of SYSTEM account.įor an example, an attacker can make dllhost.exe process call M圜oImpersonateClient function instead of ole32!CoImpersonateClient function using API hooking technique. If CoImpersonateClient function returns successfully, the process becomes to harbor an impersonation token of SYSTEM account for a moment. For reference, the default setting for IIS4 is in-process and the default setting for IIS5 is out-of-process.ĭllhost.exe process calls ole32!CoImpersonateClient function to process user's request. In this case, an attacker can only obtain IWAM_machinename account even if he or she is successful with the attack. asp request and ISAPI dlls are executed within dllhost.exe process which is running with IWAM_machinename account.
On the other hand, if IIS is set to out-of-process mode. So, an attacker can obtain SYSTEM privilege easily with some effort to control the process to serve his purpose. asp request and ISAPI dlls are executed within inetinfo.exe process that is running with SYSTEM privilege. Microsoft IIS provides two protection modes, in-process mode and out-of-process mode.
Inetinfo exploit Patch#
Microsoft Windows 2000 advanced server withĬumulative Patch for Internet Information Services (Q319733) In other words, an attacker can execute arbitrary codes with SYSTEM privilege through this impersonation. Because a process of dllhost.exe is executed with IWAM_machinename privilege, an attacker can manipulate the process's memory space and steal the SYSTEM privilege when the process has the impersonation token of SYSTEM account. This vulnerability arises from the fact that the process of dllhost.exe harbors an impersonation token of SYSTEM account while processing user's request.
Inetinfo exploit software#
Title : MS IIS out of process privilege : li0n software : IIS 4.0, 5.0, 5.1Ĭategory : Windows - IIS - Privilege elevationĪn impersonation vulnerability of dllhost.exe allows a local user to gain the SYSTEM privilege.
*** A3 Security Consulting: Vulnerability Research ***
0 kommentar(er)
