Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1999_1

Bugtraq archives for 1st quarter (Jan-Mar) 1999: ISAPI Extension vulnerability allows to execute code as SYSTEM

ISAPI Extension vulnerability allows to execute code as SYSTEM

Aleph One (aleph1UNDERGROUND.ORG)
Mon, 8 Mar 1999 12:54:56 -0800

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Paul Leach: "Re: More Internet Explorer zone confusion"
Previous message: Jim Paris: "Re: More Internet Explorer zone confusion"

--ZGiS0Q5IWpPtfppv
Content-Type: text/plain; charset=us-ascii



--ZGiS0Q5IWpPtfppv
Content-Type: message/rfc822
Content-Description: Forwarded message from Fabien Royer <fabienrBELLATLANTIC.NET>

Received: (qmail 4091 invoked from network); 8 Mar 1999 20:35:44 -0000
Received: from dfw.nationwide.net (198.175.15.10)
  by underground.org with SMTP; 8 Mar 1999 20:35:44 -0000
Received: from VMS.DC.LSOFT.COM (vms.dc.lsoft.com [209.119.1.27])
	by dfw.nationwide.net (8.9.0/8.9.0) with ESMTP id NAA18735
	for <aleph1NATIONWIDE.NET>; Mon, 8 Mar 1999 13:20:58 -0600 (CST)
Received: from peach (209.119.0.4) by VMS.DC.LSOFT.COM (LSMTP for OpenVMS v1.1a) with SMTP id <2.04CA0AD3VMS.DC.LSOFT.COM>; Mon, 8 Mar 1999 14:18:37 -0500
Received: from LISTSERV.NTBUGTRAQ.COM by LISTSERV.NTBUGTRAQ.COM
          (LISTSERV-TCP/IP release 1.8c) with spool id 64303 for
          NTBUGTRAQLISTSERV.NTBUGTRAQ.COM; Mon, 8 Mar 1999 14:22:38 -0500
Approved-By: Russ.CooperRC.ON.CA
Received: from 199.45.39.157 by PEACH.EASE.LSOFT.COM (SMTPL release 1.0d) with
          TCP; Mon, 8 Mar 1999 11:29:40 -0500
Received: from teddy (client-151-197-118-94.bellatlantic.net [151.197.118.94])
          by smtp-out2.bellatlantic.net (8.9.1/8.9.1) with SMTP id LAA18717 for
          <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>; Mon, 8 Mar 1999 11:30:05 -0500
          (EST)
MIME-Version: 1.0
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
Importance: Normal
X-Mimeole: Produced By Microsoft MimeOLE V4.72.3155.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding:  7bit
Message-ID:  <001201be6980$9aaa1240$0b0a0a0ateddy.rippletech.com>
Date:         Mon, 8 Mar 1999 11:27:48 -0500
Reply-To: Fabien Royer <fabienrBELLATLANTIC.NET>
Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>
From: Fabien Royer <fabienrBELLATLANTIC.NET>
Subject:      ISAPI Extension vulnerability allows to execute code as SYSTEM
To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM

There's a vulnerability in IIS (and other WEB servers executing as SYSTEM)
that allows to execute an ISAPI extension in the security context of the
server itself instead of the security context of IUSR_WHATEVER. How is this
possible: when the server loads an ISAPI extension the first time, it calls
GetExtensionVersion(). During the call to this function, an attacker can
execute any code as SYSTEM. This is a problem if you're an ISP doing hosting
with web servers offering ISAPI support (IIS, Apache 1.3.4, etc. ) because
any user allowed to place a "CGI" on the server can take over. Of course,
this problem is not limited to ISPs.
Fabien.


--ZGiS0Q5IWpPtfppv--

Next message: Paul Leach: "Re: More Internet Explorer zone confusion"
Previous message: Jim Paris: "Re: More Internet Explorer zone confusion"