Windows, IIS at risk from 'token kidnapping'

Summary:Hosting providers and IT professionals have been warned of a threat posed to Microsoft IIS Web servers through exploitation of vulnerabilities in Microsoft operating systems.

Hosting providers and IT professionals have been warned of a threat posed to Microsoft IIS Web servers through exploitation of vulnerabilities in Microsoft operating systems.

The vulnerability, known as "token kidnapping", is a technique for the elevation of privileges on Windows operating systems. The proof-of-concept for the technique was developed by Cesar Cerrudo, chief executive of security company Argeniss. It exploits weaknesses that affect Windows Server 2003 and 2008, as well as Windows XP and Vista.

The technique works by elevating privileges through exploiting accounts on IIS servers that have rights to impersonate a client after authentication, Cerrudo told ZDNet.com.au sister site ZDNet.co.uk. Impersonation is the ability of a thread to execute using different security information than the process that owns the thread. The accounts can be exploited by "kidnapping" the token, an object that describes the security context of a process or thread.

"On Windows XP and Server 2003 it's possible to elevate privileges from any Windows account that has impersonation rights," wrote Cerrudo. "Usually Windows services and Internet Information Services Web sites have this privilege. This means that in these operating systems if a user can upload an ASP [active server pages] or ASP.NET Web page and run it then the user can fully compromise the operating system."

While with Windows Vista and Windows Server 2008 it's only possible to elevate privileges from network service and local service Windows accounts, Cerrudo claimed that Windows services and Internet Information Services Web sites usually run under these accounts, leaving systems open to attack.

The vulnerabilities can be "easily exploited" said Cerrudo. To mitigate risks he said, ASP.NET should not be run in full-trust mode on IIS 6, and if ASP is enabled then users should not be allowed to execute binaries.

On IIS 7, ASP.NET should not be run in full-trust mode, while Web sites and services should not be run under network service or local service accounts. "It's preferable to use regular user accounts to run services and Web sites," Cerrudo added.

Cerrudo presented a paper detailing "token kidnapping" at the Microsoft BlueHat security event earlier in May.

Topics: Windows, Microsoft

About

Tom is a technology reporter for ZDNet.com, writing about all manner of security and open-source issues.Tom had various jobs after leaving university, including working for a company that hired out computers as props for films and television, and a role turning the entire back catalogue of a publisher into e-books.Tom eventually found tha... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.