Windows, IIS at risk from 'token kidnapping'

Windows, IIS at risk from 'token kidnapping'

Summary: Hosting providers and IT professionals have been warned of a threat posed to Microsoft IIS Web servers through exploitation of vulnerabilities in Microsoft operating systems.

SHARE:
TOPICS: Windows, Microsoft
0

Hosting providers and IT professionals have been warned of a threat posed to Microsoft IIS Web servers through exploitation of vulnerabilities in Microsoft operating systems.

The vulnerability, known as "token kidnapping", is a technique for the elevation of privileges on Windows operating systems. The proof-of-concept for the technique was developed by Cesar Cerrudo, chief executive of security company Argeniss. It exploits weaknesses that affect Windows Server 2003 and 2008, as well as Windows XP and Vista.

The technique works by elevating privileges through exploiting accounts on IIS servers that have rights to impersonate a client after authentication, Cerrudo told ZDNet.com.au sister site ZDNet.co.uk. Impersonation is the ability of a thread to execute using different security information than the process that owns the thread. The accounts can be exploited by "kidnapping" the token, an object that describes the security context of a process or thread.

"On Windows XP and Server 2003 it's possible to elevate privileges from any Windows account that has impersonation rights," wrote Cerrudo. "Usually Windows services and Internet Information Services Web sites have this privilege. This means that in these operating systems if a user can upload an ASP [active server pages] or ASP.NET Web page and run it then the user can fully compromise the operating system."

While with Windows Vista and Windows Server 2008 it's only possible to elevate privileges from network service and local service Windows accounts, Cerrudo claimed that Windows services and Internet Information Services Web sites usually run under these accounts, leaving systems open to attack.

The vulnerabilities can be "easily exploited" said Cerrudo. To mitigate risks he said, ASP.NET should not be run in full-trust mode on IIS 6, and if ASP is enabled then users should not be allowed to execute binaries.

On IIS 7, ASP.NET should not be run in full-trust mode, while Web sites and services should not be run under network service or local service accounts. "It's preferable to use regular user accounts to run services and Web sites," Cerrudo added.

Cerrudo presented a paper detailing "token kidnapping" at the Microsoft BlueHat security event earlier in May.

Topics: Windows, Microsoft

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

0 comments
Log in or register to start the discussion