Subject: Re: Showcode.asp
From: Jonathan Cook (JCookFOOTHILLTRANSIT.ORG)
Date: Wed May 17 2000 - 12:08:54 CDT


I don't know exact methods for taking over a server, but I've been able to
track down databases which store customers' credit card numbers with my own
version of a "showcode" exploit (on an improperly configured IIS).

I think the idea is that if an IUSR account has read permissions in the
system directory, a malicious user could get a hexdump of the SAM file
and run it through L0phtcrack offline, thereby gaining administrative access
to the server.

The bottom line is that the IUSR account for a website must ONLY have
permissions to files on that site. Using the same account for multiple
non-related sites is insecure, as is leaving any NTFS permissions in
place for "Everyone" or for the IUSR account on non-web shares. Because of
the FileSystemObject, users are not restricted to the IIS folders; you must
use NTFS permissions to accomplish this restriction...

Also, on a related note, I've read about exploits which cause instances of
MS Office applications (if installed) to be spawned (creating an instance of
the object from within ASP), giving attackers the ability to run any VBA
code (which if I'm not way off base, includes process handling -- and
certainly includes file-copying...) So be careful what you install on a
webserver.

Jonathan

> -----Original Message-----
> From: Seth Georgion [mailto:sysadminSASSPRODUCTIONS.COM]
> Sent: Tuesday, May 16, 2000 8:33 AM
> To: FOCUS-MSSECURITYFOCUS.COM
> Subject: [FOCUS-MS] Showcode.asp
>
>
> Sorry to bring this up again but in light of the new article
> on Security Focus...
>
> If I was running showcode.asp, or any of the variants,
> besides connection strings in ASP scripts, what is it that
> anybody could really see? The article repeatedly mentions the
> tons of servers cracked and how easy it is to crack a system
> running showcode, but how easy is it really? I mean, what file
> is he referring to that anybody can get with Showcode and
> thus completely take over a server?
>
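The NTFS-permission point Jonathan makes above (nothing outside a site's own tree should grant anything to that site's IUSR account or to Everyone) can be checked with an audit script. This is an added example and not code from the original thread; it assumes the anonymous account follows the IUSR_<machinename> convention of that era, that web content lives under the directories in $WebRoots, and that every other directory under $AuditRoots is "non-web" and should therefore grant nothing to those identities.

```powershell
# Audit example (not from the original post): list every non-web directory whose
# ACL contains an Allow entry for an IUSR_* account or for Everyone.
param(
    [string[]]$AuditRoots = @('C:\', 'D:\'),              # assumed drives to walk
    [string[]]$WebRoots   = @('C:\Inetpub\wwwroot'),      # assumed site content roots
    [string]$IusrPattern  = '^(.+\\)?IUSR_',              # IUSR_<machinename>, any domain prefix
    [string]$EveryonePattern = '^Everyone$'
)

# True when $Path is one of the web roots or lies beneath one of them.
function Test-UnderWebRoot {
    param([string]$Path)
    foreach ($root in $WebRoots) {
        $r = $root.TrimEnd('\')
        if ($Path.TrimEnd('\') -eq $r -or
            $Path.StartsWith($r + '\', [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($root in $AuditRoots) {
    Get-ChildItem -Path $root -Directory -Recurse -ErrorAction SilentlyContinue |
        Where-Object { -not (Test-UnderWebRoot $_.FullName) } |
        ForEach-Object {
            $dir = $_.FullName
            $acl = Get-Acl -Path $dir -ErrorAction SilentlyContinue
            if (-not $acl) { return }                     # skip dirs we cannot read the ACL of
            foreach ($ace in $acl.Access) {
                $id = $ace.IdentityReference.Value
                if ($ace.AccessControlType -eq 'Allow' -and
                    ($id -match $IusrPattern -or $id -match $EveryonePattern)) {
                    [pscustomobject]@{
                        Path      = $dir
                        Identity  = $id
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited      # inherited grants are the usual culprit
                    }
                }
            }
        }
}

$findings | Sort-Object Path | Format-Table -AutoSize
```

Run it as an administrator so every ACL can be read; any row it prints is a directory reachable through FileSystemObject from an ASP page running as that IUSR account, which is exactly the exposure described above.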