Sounds like the author understands the bug but does not understand why it allows remote code execution (which I don't understand either; once details are released it should be clarified).
That's a good point, because in the example we can clearly see how to check whether a system is patched or not and that, using this attack, we can crash a Windows Server.
The remote execution part is completely missing (fortunately), but I was wondering if this gives admin rights on the machine (I have absolutely no experience with Windows Server machines, so I don't know how it works in terms of services, permissions and roles).
I would guess it involves spamming the server with specially crafted requests to fill memory with bytecode. After some trial and error (vast simplification) the request from the article could be used to divert the flow of execution into the bytecode spam, rather than causing a DoS. The DoS is likely because the flow of execution is being diverted to a random area of memory that doesn't contain anything executable, and so it crashes instead.
The heap spraying is the missing puzzle piece from the article.
I have trouble understanding what you want to say but I did not say what you quoted me with. Please don't put words in my mouth.
The title was giving people the wrong impression about the severity of the vulnerability. This has nothing to do with "avoid giving people ideas" which would be stupid anyways.
IIS has several components. One of them, the vulnerable part here, is running in kernel space. In kernel space you have access to everything.
As far as I know, IIS is the only one (bar embedded devices running a single address space OS and various ancient/obsolete toy servers on Linux) used in production that handles part of HTTP in kernel space (or ring 0 if you will).
Sure. I read est as saying that Administrators are more restricted in Server 2008 than they were in earlier Windows versions. I assumed they were talking about the relatively well known technique of scheduling a cmd shell to run as SYSTEM, which that blog mentions being prevented in Server 2008.
But you would still expect an Administrator account to be able to load files onto the system, so obtaining the SYSTEM shell remains pretty easy.
The distinction between SYSTEM and Administrator was a convenience, and if I understood est correctly, it still is.