Bugtraq mailing list archives
ISAPI Extension vulnerability allows to execute code as SYSTEM
From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Mon, 8 Mar 1999 12:54:56 -0800
Forwarded message from Fabien Royer <fabienr () BELLATLANTIC NET>:

Date: Mon, 8 Mar 1999 11:27:48 -0500
From: Fabien Royer <fabienr () BELLATLANTIC NET>
Subject: ISAPI Extension vulnerability allows to execute code as SYSTEM
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM

There's a vulnerability in IIS (and other web servers executing as SYSTEM) that allows one to execute an ISAPI extension in the security context of the server itself instead of the security context of IUSR_WHATEVER.

How is this possible: when the server loads an ISAPI extension the first time, it calls GetExtensionVersion(). During the call to this function, an attacker can execute any code as SYSTEM.

This is a problem if you're an ISP doing hosting with web servers offering ISAPI support (IIS, Apache 1.3.4, etc.) because any user allowed to place a "CGI" on the server can take over.

Of course, this problem is not limited to ISPs.

Fabien.