Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Subject: Re: Another buffer overflow on IIS
From: Marc Maiffret (marcEEYE.COM)
Date: Fri Dec 22 2000 - 05:06:29 CST
| -----Original Message-----
| From: Windows NTBugtraq Mailing List
| [mailto:NTBUGTRAQLISTSERV.NTBUGTRAQ.COM]On Behalf Of Microsoft Security
| Response Center
| Sent: Thursday, December 21, 2000 9:01 PM
| To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
| Subject: Re: Another buffer overflow on IIS
| In order for this ASP code to execute, it must reside on the local
| webserver in question. If the malicious user had the ability to
| upload code to the webserver, "unpleasant things can happen".
| Allowing untrusted users to upload code to a webserver is discussed
| in Rule #4 from the Ten Immutable Laws of Security:
So taking that stance... what are web hosting companies suppose to do about
a person who pays 20 bucks to get an account, uploads a file and takes down
the X number of other people hosted on that same server? Or maybe someone
does not go and buy and account... instead one domain on a server with X
number of domains is incorrectly setup to allow file uploads via a poorly
written ASP script that allows people to upload to that insecure domain...
now, because we have no local security, all of those domains are screwed. I
know that in a Unix environment (if things are setup correctly) someone
getting access to one domain does not have to mean the end of the world for
the rest of the domains in a multi-homed environment.
An IIS server should not so easily fall over if someone gets the ability to
execute as IUSR_MACHINE.... Look at Apache... just because someone breaks in
via Apache (running as "nobody") that does not have to lead to the entire
system being compromised or taken off line.
Chief Hacking Officer
eCompany / eEye
"There was a new API released today.... RevertToSystem()"