Privilege Escalation Vulnerability In Microsoft IIS

by platon on August 18th, 2001

A serious vulnerability exists in Microsoft Internet Information Server (IIS) that allows an attacker running as guest to escalate his privileges on the web server system.

Microsoft has created a patch for this vulnerability (MS01-44) that can be downloaded here:

An attacker exploiting this vulnerability can gain full control of the system, which would allow him to take malicious actions such as gaining access to confidential data, adding users, or crashing the system.

The exploit allows a GUEST user (who has the rights to execute code on the system) to elevate his privileges. Once the exploit is executed, it allows an attacker to run arbitrary code on the machine with SYSTEM privileges. Usually, by using certain well-known attacks, the user can upload the exploit to the IIS virtual directory, and then remotely execute it. Alternatively, anyone with a valid username and password can log into the system, upload the exploit file into the IIS virtual tree, and then execute it.

IIS supports three different modes of process isolation. These modes control how well the IIS process is isolated from the processes that are invoked as part of request processing. Due to a weakness in IIS, several DLL files are always executed at the least secure isolation level, regardless of the actual process isolation settings. By adding or replacing one of these DLLs with a malicious version, an attacker can run arbitrary code with SYSTEM privileges.

Entercept simulated the vulnerability in its EKAT (Entercept Knowledge Acquisition Team) labs and worked closely with Microsoft’s security group on this issue.

Best practices strongly recommend against ever granting an untrusted user the ability to put CGI scripts or other executable content onto a Web server. If a server administrator hasn't observed this fairly basic precaution, the server is in grave danger, even in the absence of this vulnerability.
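One way to check a server against the precaution above, as an added example that is not part of the original article or of any vendor's tooling: a PowerShell audit that lists every directory under an IIS content root where a low-privileged account holds write-type rights. The `C:\inetpub\wwwroot` path and the list of account names are assumptions to adjust for the server under review.

```powershell
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot'   # assumed path; use the site's real content root
)

# Assumed list of low-privileged principals (substring match on the ACE identity).
$lowPriv = 'Everyone', 'Guest', 'IUSR', 'IWAM', 'Authenticated Users', 'BUILTIN\Users'

# Bits that allow adding, replacing or re-permissioning files. Read bits are
# deliberately left out so that a read-only ACE does not match.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) can appear unmapped in inherit-only ACEs.
$genericBits = 0x50000000

function Test-WritableByLowPriv {
    param($Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    $rights = [int]$Ace.FileSystemRights
    if (($rights -band ($writeBits -bor $genericBits)) -eq 0) { return $false }
    $id = $Ace.IdentityReference.Value
    foreach ($p in $lowPriv) { if ($id -like "*$p*") { return $true } }
    return $false
}

# Check the content root itself and every directory below it.
$targets = @(Get-Item -LiteralPath $WebRoot) +
           @(Get-ChildItem -LiteralPath $WebRoot -Recurse -Directory -ErrorAction SilentlyContinue)

$findings = foreach ($dir in $targets) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        if (Test-WritableByLowPriv $ace) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings | Sort-Object Path, Identity | Format-Table -AutoSize
```

Any row in the output is a directory where an untrusted account could add or replace files, including DLLs; rows with `Inherited` set to true need to be fixed on a parent directory rather than on the listed path.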

Entercept Security Technologies’ customers running the Web Server agent are safe from this attack. Entercept’s shielding technology provides an additional layer of security by protecting the web server resources and preventing malicious exploitation of the web server. In this case, the shielding prevents replacing or writing any files into the virtual tree. Therefore, the attempt to replace the dll fails, preventing the attack even though the specific vulnerability was unknown.

Entercept’s unique shielding technology prevents the exploitation of this attack with no need for any specific signature. The behavior-based shielding technology was able to prevent the attack long before the exploit was made public.
