Re[2]: The Weakness of Windows Impersonation Model May 16 2006 11:51PM
Brian L. Walche (gsw gentlesecurity com)

thanks for reference David. As advisory notes impersonation
implications are not something new. We would like to stress the fact
of how easy it is to exploit by two notable samples.
- An attacker can reliably elevate a context running on behalf of
Network Service acccount. For example, by default, IIS 6.0 runs Worker
Process as Network Service. So an attacker who able to upload an ASP
script can gain administrative privileges.
- MS SQL service context is elevated up to LocalSystem regardless
account it runs.

These are purely practical exploitations for Windows 2003 in default
configuration without additional pre-requirements. We provide demo
tools exploiting these elevations as a part of our products evaluation

Additionally, we want to stress the obscurity of nearly all "official" manuals
that declare Network Service as non-privileged account, a quote:
?The new Network Service account ? has a greatly reduced
privilege level on the server itself and, therefore, does not have
local administrator privileges.?

In fact, provided easiness of Network Service elevation and some
additional permissions, you may consider Network Service account as
an equivalent of LocalSystem.

Even if Vista would address certain issues, how long we have to wait
for Windows 2003 successor - Vista Server..

Brian L. Walche,
Know the Fact - http://www.gentlesecurity.com/knowthefacts.html
GentleSecurity S.a.r.l.

> Hi Brian,
> I wrote a paper on this subject last year, "Snagging Security Tokens to
> Elevate Privileges"
> (http://www.databasesecurity.com/dbsec-briefs.htm) after
> Tim Mullen and thrashed out a few details at Blackhat last year over a few
> White Russians. The paper discusses the problem in the context of database
> servers and examines the LogonUser() and AcceptSecurityContext() functions.
> I believe Longhorn/Vista will address many of issues that currently affect
> impersonation.
> Cheers,
> David Litchfield
> http://www.databasesecurity.com/
> http://www.ngssoftware.com/

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus