Re: .printer vulnerability needs execute perms?

[Bronek Kozicki <brok () RUBIKON PL>]

> 1.  Is there any current way of exploiting this vulnerability when
> there is no scripting or execution allowed?

I do not think so. Fault is placed in particular ISAPI extension
msw3prt.dll, which by default is run by means of script mapping. If mapping
for this DLL is not configured, it will not be loaded, and your system is
not affected. But (as it turns out) Windows may enable this mapping
automagically if you have Print Spooler service enabled. Problably safest
way is to not only disable all unused services (Print Spooler in this case),
but also delete unused ISAPI dll-s.

> 2.  Does a default IIS5 install allow scripting or execution?  The
> reason I ask this is because I see this vulnerability as a default
> install problem mainly, and good admins removed that ISAPI scriptmap
> long ago.

IIS5 by default has scripting (i.e. ISAPI mapped extensions) enabled,
execution disabled. Unfortunatelly it also comes with plenty of ISAPI
extensions mapped by default, among them you will find such "celebrities" as
.htr, .htw or .idc . Of course, main strength of IIS (which is ASP) is also
ISAPI and thus to use Active Server Pages you need scripts enabled. However,
its good practice to remove all mapping that you are not going to use.
Especially, if you have no reason to use ASP then (IMHO) you may turn to
some other - eventually much simpler thus safer - HTTP server. If you need
ASP, you should put it's execution separate from inetinfo.exe - as it runs
under LocalSystem account which is definitely not safe. Its achieved by
"high isolation level" (or "high application protection") site setting which
in turn creates COM+ application running under IWAM_(machine) account - you
may change this account to some other as well as manage its priviledges.
This applications process is owner of all ASP scripts threads running for
specific site (however it still unclear to me if it applies to global.asa
too).

> I am analyzing whether an IIS5 server without hotfixes/patches that
> was installed with best practices in mind is still secure, it seems

I do not think that IIS5 without hotfixes/patches is secure. Please, read
carefully
http://www.microsoft.com/technet/security/current.asp?productID=17&servicePa
ckId=1 .

> separate disk partitions and removal of unneeded ISAPI extensions, a
> lot of security is added.  Please email me if you have any input or
> thoughts on this.

That's true, but primary by this means you decrease potential breach effect,
not the breach possibility itself. Its good step, but you still need to
carefully apply hotfixes for this parts of system that remain used (and
vulnerable).


Regards


B.