 
From: Jay Woody (jay_woody@tnb.com)
Date: Wed May 30 2001 - 17:12:00 CDT


    Some directories point to the same drive that the OS is installed on by default. For instance, you put the OS on C and run IIS from D and you think you're safe. You will find that MSADC points to whatever drive the OS is on. All we need is a directory traversal exploit that points to MSADC rather than SCRIPTS and the OS is compromised by default. I'm sure there are more.

    I am not aware of a way to change from the d to c drive in the URL, but I am aware of ways to start at C, even if IIS is on D.

    You are right. This does help DRAMATICALLY, but it doesn't stop 100%.

    JayW

    >>> "Ryan Counts" <webmaster@badsushi.com> 05/29/01 06:33PM >>>
    Here's a question. Why not just have all the web sites running on a
    separate partition from the OS partition? Every vulnerability I've seen
    in IIS relies on the directory structure pretty much being unchanged
    from the OS installation. However, I have yet to see one that allows
    the malicious user to change drives in the URL parameter. Please
    correct me if I'm wrong, but this seems like a relatively simple
    solution, not to mention it eases other maintenance procedures like
    backups, etc.

    Thanks,
    Ryan Counts
    CTO - Netgrowth Inc.

    -----Original Message-----
    From: Ben Greenbaum [mailto:bgreenbaum@securityfocus.com]
    Sent: Monday, May 28, 2001 5:38 PM
    To: focus-ms@securityfocus.com
    Subject: RE: Why remove default web? (was RE: IIS 5.0)

    > Wouldn't another strategy be to just set the default web site to some
    > high numbered port, and not allow that port through the firewall? That
    > way, there is no possible way to access the default site.

    That would definitely be another strategy. Many people would describe
    that strategy as "bad" :) Why leave an unneeded and vulnerable service
    running at all? Putting it behind a firewall helps, sure - until somebody
    finds a way through or around your firewall. Then they own that box pretty
    much right away. Switching the port will delay the compromise for as long
    as it takes the attacker to run a port scan.

    I can't think of a legit business reason for leaving it, but I suppose
    if it was truly needed for some reason (?) that strategy would be better
    than nothing.

    Ben Greenbaum
    Director of Product Development - SIA/VulDB
    SecurityFocus
    http://www.securityfocus.com
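The gap Jay describes (content on D:, but virtual directories such as MSADC still mapped onto the OS drive) can be audited rather than assumed. The script below is an added example, not part of the original thread; it assumes IIS 7 or later with the WebAdministration module, which did not exist for the IIS 5.0 systems being discussed, and flags every site, application and virtual directory whose physical path resolves to the system drive.

```powershell
# Added example: list IIS content mappings that land on the OS volume.
# Assumes the WebAdministration module (IIS 7+); run in an elevated shell.
Import-Module WebAdministration

$systemDrive = $env:SystemDrive.ToUpperInvariant()   # e.g. "C:"

function Get-PathQualifier {
    param([string]$PhysicalPath)
    # Expand %SystemDrive%, %SystemRoot% etc. so the check sees the real path.
    $expanded = [Environment]::ExpandEnvironmentVariables($PhysicalPath)
    if ($expanded -match '^([A-Za-z]:)') { return $Matches[1].ToUpperInvariant() }
    return $null   # UNC share or unexpected form: listed, but not compared
}

# Collect the site root plus every application and virtual directory under it.
$mappings = foreach ($site in Get-Website) {
    [pscustomobject]@{ Site = $site.Name; VirtualPath = '/'; PhysicalPath = $site.PhysicalPath }
    foreach ($app in Get-WebApplication -Site $site.Name) {
        [pscustomobject]@{ Site = $site.Name; VirtualPath = $app.Path; PhysicalPath = $app.PhysicalPath }
    }
    foreach ($vdir in Get-WebVirtualDirectory -Site $site.Name) {
        [pscustomobject]@{ Site = $site.Name; VirtualPath = $vdir.Path; PhysicalPath = $vdir.PhysicalPath }
    }
}

$mappings = $mappings | Sort-Object Site, VirtualPath, PhysicalPath -Unique

# Anything resolving to the OS drive defeats the "web content on D:" mitigation,
# because a traversal bug reached through that mapping starts on the OS volume.
$onSystemDrive = $mappings | Where-Object {
    (Get-PathQualifier $_.PhysicalPath) -eq $systemDrive
}

if ($onSystemDrive) {
    Write-Warning "Mappings whose physical path is on $systemDrive :"
    $onSystemDrive | Format-Table Site, VirtualPath, PhysicalPath -AutoSize
} else {
    Write-Output "No IIS mappings resolve to $systemDrive."
}
```

Mappings that are genuinely needed can be moved to the content volume or removed; the ones that are not, as Ben argues for the default site, are better deleted than left in place.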