From: Ryan Permeh (ryaneEye.com)
Date: Wed Jul 25 2001 - 11:42:32 CDT

    any process running in localsystem context (an overflow in inetinfo.exe, for
    example) will allow that process to take control of the .asp file, and they
    CAN be defaced. think of LocalSystem as root on a unix machine. there are
    no limitations to what this account can do in usermode, and if somehow, it
    is limited via a kmode component, it can typically just remove the kmode
    component, or load its own kmode component to do its bidding.
    Signed,
    Ryan Permeh
    eEye Digital Security Team
    http://www.eEye.com/Retina -Network Security Scanner
    http://www.eEye.com/Iris -Network Traffic Analyzer

    ----- Original Message -----
    From: "Pidgorny, Slav" <pidgornsanz.com>
    To: "'Ryan Permeh'" <ryaneEye.com>; "'H C'" <keydet89yahoo.com>;
    <lynch00msn.com>; <focus-mssecurityfocus.com>
    Sent: Tuesday, July 24, 2001 11:52 PM
    Subject: RE: Hacked NT/2K box

    > Yes. But consider one real-world situation: my ASP files have no access
    > assigned for LocalSystem (and execute only for the IUSR). It will be a
    > tricky process to deface the site?
    >
    >
    > Kindest,
    >
    > Svyatoslav Pidgorny
    >
    > > -----Original Message-----
    > > From: Ryan Permeh [mailto:ryaneEye.com]
    > > Sent: 25 July 2001 04:06
    > > To: Pidgorny, Slav; 'H C'; lynch00msn.com; focus-mssecurityfocus.com
    > > Subject: Re: Hacked NT/2K box
    > >
    > >
    > > system level access is enough for everything. it is the
    > > highest usermode
    > > privilege level available in nt/2k. you can load drivers
    > > (giving you ring0,
    > > even above system).
    > >
    > > SYSTEM > Administrators
    > ...
    > > Ryan Permeh
    > > eEye Digital Security Team
    > > http://www.eEye.com/Retina -Network Security Scanner
    > > http://www.eEye.com/Iris -Network Traffic Analyzer
    >
    > > ----- Original Message -----
    > > From: "Pidgorny, Slav" <pidgornsanz.com>
    > > > A good deal of additional effort is required to either
    > > escalate privileges
    > > > or disable system security checks if having only system
    > > level access.
    > ...
    >
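
The point argued in the reply above, modelled in Python as an added example (not code from the thread or from eEye): a simplified Windows access check showing why an ACL with no entry for LocalSystem does not keep a SYSTEM-context process away from the file. The single-SID tokens, the one-bit file rights and the helper names are assumptions of this model; SeTakeOwnershipPrivilege and the WRITE_DAC/WRITE_OWNER mask values are the real ones.

```python
# Simplified model of the Windows access check (constructed for illustration).
from dataclasses import dataclass, field

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4          # simplified file rights (assumption)
WRITE_DAC, WRITE_OWNER = 0x40000, 0x80000     # real Windows access-mask bits
SE_TAKE_OWNERSHIP = "SeTakeOwnershipPrivilege"

@dataclass
class Token:
    sid: str                                   # one SID per token, no groups (assumption)
    privileges: set = field(default_factory=set)

@dataclass
class SecurityDescriptor:
    owner: str
    dacl: list  # ordered (kind, sid, mask) entries, kind is "allow" or "deny"

def access_check(token, sd, desired):
    """Return True if every bit in `desired` is granted to `token`."""
    granted = 0
    if SE_TAKE_OWNERSHIP in token.privileges:
        granted |= WRITE_OWNER                 # granted by privilege, outside the DACL
    if token.sid == sd.owner:
        granted |= WRITE_DAC                   # the owner may always rewrite the DACL
    for kind, sid, mask in sd.dacl:
        if sid != token.sid:
            continue
        if kind == "deny" and (mask & desired & ~granted):
            return False
        if kind == "allow":
            granted |= mask
    return (desired & ~granted) == 0

def take_control(token, sd):
    """Attempt owner change, DACL rewrite, then write; return the steps that passed."""
    steps = []
    if access_check(token, sd, WRITE_OWNER):
        sd.owner = token.sid
        steps.append("owner")
    if access_check(token, sd, WRITE_DAC):
        sd.dacl.insert(0, ("allow", token.sid, READ | WRITE))
        steps.append("dacl")
    if access_check(token, sd, WRITE):
        steps.append("write")
    return steps

def demo():
    # Constructed ACL from the thread: execute-only for IUSR, no entry for SYSTEM.
    sd = SecurityDescriptor("Administrators", [("allow", "IUSR", EXECUTE)])
    before = access_check(Token("SYSTEM", {SE_TAKE_OWNERSHIP}), sd, WRITE)
    return before, take_control(Token("SYSTEM", {SE_TAKE_OWNERSHIP}), sd), take_control(Token("IUSR"), sd)
```

The direct write is refused, as the ACL intends, but every later step is granted by a rule that never consults the DACL, which is why the file ACL is not a boundary against code already running as SYSTEM.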