Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: li0n (li0n_at_a3sc.co.kr)
Date: Mon Nov 04 2002 - 04:16:56 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    *** A3 Security Consulting: CRK Vulnerability Research ***

    Title : MS IIS out of process privilege elevation
    Reporter : li0n (li0na3sc.co.kr)
    Affected software : IIS 4.0, 5.0, 5.1
    Risk : High
    Local/Remote : Local
    Category : Windows - IIS - Privilege elevation
    Date : June, 25, 2002

    Advisory URL : http://www.li0n.pe.kr/eng/advisory/ms/iis_impersonation.txt

    [1] Summary

    An impersonation vulnerability of dllhost.exe allows a local user to gain
    the SYSTEM privilege.

    This vulnerability arises from the fact that the process of dllhost.exe
    harbors an impersonation
    token of SYSTEM account while processing user's request.
    Because a process of dllhost.exe is executed with IWAM_machinename
    privilege, an attacker can
    manipulate the process's memory space and steal the SYSTEM privilege when
    the process has the
    impersonation token of SYSTEM account. In other words, an attacker can
    execute arbitrary codes
    with SYSTEM privilege through this impersonation.

    [2] Affected software

    Internet Information Services 4.0
    Internet Information Services 5.0
    Internet Information Services 5.1

    [3] Patch


    [4] Testing environments

    Microsoft Windows 2000 advanced server with
      Service pack2
      Security rollup1
      Cumulative Patch for Internet Information Services (Q319733)

    [5] Required Knowledge

    Architecture of Microsoft IIS

    [6] Technical Details

    Microsoft IIS provides two protection modes, in-process mode and
    out-of-process mode.
    If IIS is set to in-process mode, .asp request and ISAPI dlls are executed
    inetinfo.exe process that is running with SYSTEM privilege.
    So, an attacker can obtain SYSTEM privilege easily with some effort to
    control the process
    to serve his purpose.

    On the other hand, if IIS is set to out-of-process mode, .asp request and
    ISAPI dlls are
    executed within dllhost.exe process which is running with IWAM_machinename
    In this case, an attacker can only obtain IWAM_machinename account even if
    he or she is
    successful with the attack. For reference, the default setting for IIS4 is
    in-process and
    the default setting for IIS5 is out-of-process.

    dllhost.exe process calls ole32!CoImpersonateClient function to process
    user's request.
    If CoImpersonateClient function returns successfully, the process becomes
    to harbor an
    impersonation token of SYSTEM account for a moment. Later on, dllhost.exe
    process finishes up
    its impersonated SYSTEM privilege by calling RevertToSelf function to
    destroy SYSTEM privilege
    and returns to IWAM_machinename privilege.

    Because a process of dllhost.exe is executed with IWAM_machinename
    privilege, an attacker can
    manipulate the process's memory space and steal the SYSTEM privilege when
    the process has the
    impersonation token of SYSTEM account.

    For an example, an attacker can make dllhost.exe process call
    MyCoImpersonateClient function
    instead of ole32!CoImpersonateClient function using API hooking technique.
    An attacker can forge
    a MyCoImpersonateClient function and he or she can execute malicious code
    using SYSTEM privilege.

    Another method to execute malicious code is to attach the dllhost.exe
    process to a debugger and
    modify dllhost.exe process's memory contents.

    An attacker can create and assign an arbitrary account to the local
    administrator group
    exploiting this vulnerability and execute programs with administrator

    [7] Exploit Code

    Not included in this advisory on purpose

    [8] Informations

    ** Vendor status **
    Patch Released (MS02-062)

    ** Credit **
    Discovery and exploitation Research : li0na3sc.co.kr
    Advisor : CRK TEAM

    ** Copyright (c) 1999-2002 A3 Security Consulting **
    Permission is hereby granted for the redistribution of this
    It is not to be edited in any way without express consent of A3 Security
    If you wish to reprint the whole or any part of this alert in any other
    excluding electronic medium, please e-mail li0na3sc.co.kr for permission.

    ** Disclaimer **
    The information within this paper may change without notice.
    Use of this information constitutes acceptance for use in an AS IS
    There are NO warranties with regard to this information. In no event shall
    the author
    or an entity where he belongs be liable for any damages whatsoever arising
    out of or
    in connection with the use or spread of this information.
    Any use of this information is at the user's own risk.

    ** Feedback **
    Please send suggestions, updates, and comments to:

    A3 Security Consulting Co., Ltd.
    Official : li0na3sc.co.kr , Private : li0nli0n.pe.kr