MS Windows Token Kidnapping Local Elevation of Privilege Solution


Author: Thorn

The exploit was released yesterday. I heard that someone has already escalated privileges on more than 10 webshells in succession.

Microsoft updated its security advisory today.

The vulnerability arises because code running as NetworkService or LocalService can access other processes that are also running as NetworkService or LocalService. Some of those processes are able to elevate their privileges to LocalSystem.

For IIS: default installations are not affected. ASP.NET code running with Full Trust is affected; ASP.NET code running at a trust level lower than Full Trust is not. Classic ASP code is not affected; only ASP.NET is.

For SQL Server: you are affected if code is run with administrative permissions.

For Windows Server 2003: an attacker can obtain a token through MSDTC and use it to access other processes running with the same token, which may result in elevation of privilege.

Any process holding SeImpersonatePrivilege may lead to elevation of privilege.

For the server administrator, some simple adjustments can be made to combat this threat on IIS.

Microsoft IIS 6.0 - Configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager and disable MSDTC

Perform the following steps:

1. In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool and select Properties.

2. Click the Identity tab and click Configurable. In the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate.

3. Add the chosen user account to the IIS_WPG group.

Disabling the Distributed Transaction Coordinator will help protect the affected system from attempts to exploit this vulnerability. To disable the Distributed Transaction Coordinator, perform these steps:

1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.

2. Double-click Administrative Tools. Alternatively, click Switch to Classic View and then double-click Administrative Tools.

3. Double-click Services.

4. Double-click Distributed Transaction Coordinator.

5. In the Startup type list, click Disabled.

6. Click Stop (if started), and then click OK.

You can also stop and disable the MSDTC service by using the following command at the command prompt:

sc stop MSDTC & sc config MSDTC start= disabled

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected. An example is Windows Authentication; see Microsoft Knowledge Base Article 871179. Disabling MSDTC will prevent applications from using distributed transactions. Disabling MSDTC will prevent IIS 5.1 from running in Windows XP Professional Service Pack 2 and Windows XP Professional Service Pack 3, and IIS 6.0 running in IIS 5.0 compatibility mode. Disabling MSDTC will prevent configuration as well as running of COM+ applications.
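To confirm that both workarounds above are actually in place on a server, the following audit script can be run. It is an added example, not part of the original article or of Microsoft's advisory; it assumes PowerShell 2.0 or later and the IIS 6.0 WMI provider (namespace root\MicrosoftIISv2), and the function names are hypothetical.

```powershell
# Added audit example (not from the original page). Run elevated on the IIS 6.0 host.
# Assumes PowerShell 2.0+ and the IIS 6.0 WMI provider (namespace root\MicrosoftIISv2).
# Function names are hypothetical.
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'Configurable' }

function Get-AppPoolIdentityFinding {
    # Lines printed by "net localgroup"; header and footer lines are kept but are
    # not expected to equal an account name.
    $wpg = @(net localgroup IIS_WPG 2>$null | ForEach-Object { $_.Trim() })
    Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class 'IIsApplicationPoolSetting' |
        ForEach-Object {
            $type    = [int]$_.AppPoolIdentityType
            $account = if ($type -eq 3) { [string]$_.WamUserName } else { '' }
            # Heuristic: match the full name or the part after "DOMAIN\".
            $leaf    = ($account -split '\\')[-1]
            $inWpg   = ($account -ne '') -and (($wpg -contains $account) -or ($wpg -contains $leaf))
            New-Object PSObject -Property @{
                Pool      = $_.Name          # e.g. W3SVC/AppPools/DefaultAppPool
                Identity  = $identityNames[$type]
                Account   = $account
                InIIS_WPG = $inWpg
                # Workaround steps 1-3: a created account that is a member of IIS_WPG.
                Compliant = (($type -eq 3) -and $inWpg)
            }
        }
}

function Get-MsdtcFinding {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='MSDTC'"
    if (-not $svc) { return }        # service not present on this host
    New-Object PSObject -Property @{
        StartMode = $svc.StartMode   # Auto, Manual or Disabled
        State     = $svc.State       # Running, Stopped, ...
        # The workaround wants the service both disabled and stopped.
        Compliant = (($svc.StartMode -eq 'Disabled') -and ($svc.State -eq 'Stopped'))
    }
}

Get-AppPoolIdentityFinding |
    Select-Object Pool, Identity, Account, InIIS_WPG, Compliant | Format-Table -AutoSize
Get-MsdtcFinding | Select-Object StartMode, State, Compliant | Format-Table -AutoSize
```

Any application pool row with Compliant set to False still runs under a built-in service identity or under an account missing from IIS_WPG, and should be reviewed against the steps above.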
