10/15/2008

Token attacks possible against IIS with full rights

Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.

You would also have to be very stupid to give anyone such full rights on any server that isn't entirely theirs, unless you are absolutely sure that they are absolutely sure that they know absolutely everything about absolutely everything they could be doing on that machine (is that paranoid enough?)

The paper that explains this attack against tokens

IIS 6.0 - Configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager and disable MSDTC

Perform the following steps:

1. In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool and select Properties.

2. Click the Identity tab and click Configurable. In the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate.

3. Add the chosen user account to the IIS_WPG group.

Disabling the Distributed Transaction Coordinator will help protect the affected system from attempts to exploit this vulnerability. To disable the Distributed Transaction Coordinator, perform these steps:

1. Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.

2. Double-click Administrative Tools. Alternatively, click Switch to Classic View and then double-click Administrative Tools.

3. Double-click Services.

4. Double-click Distributed Transaction Coordinator.

5. In the Startup type list, click Disabled.

6. Click Stop (if started), and then click OK.

You can also stop and disable the MSDTC service by using the following command at the command prompt:

sc stop MSDTC & sc config MSDTC start= disabled

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected. An example is Windows Authentication; see Microsoft Knowledge Base Article 871179. Disabling MSDTC will prevent applications from using distributed transactions. Disabling MSDTC will prevent IIS 5.1 from running in Windows XP Professional Service Pack 2 and Windows XP Professional Service Pack 3, and IIS 6.0 running in IIS 5.0 compatibility mode. Disabling MSDTC will prevent configuration as well as running of COM+ applications.
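The whole IIS 6.0 workaround (dedicated worker process identity plus MSDTC disabled) as one script, so it can be repeated per customer pool instead of clicked through in IIS Manager. This is an added example and not part of the Microsoft advisory or of the original post; the pool name, the account name and the choice of a local account are assumptions, and it relies on adsutil.vbs and iisapp.vbs, which ship with IIS 6.0. Run it from an elevated PowerShell prompt on the IIS 6.0 host.

```powershell
# Added example, not part of the advisory or the original post: the IIS 6.0
# workaround as one elevated PowerShell session (PowerShell 1.0 or later).
# Pool and account names are assumed placeholders.
$PoolName    = 'CustomerPool'        # application pool to isolate (assumed)
$AccountName = 'svc_customerpool'    # dedicated local account for that pool (assumed)
$AdsUtil     = Join-Path $env:SystemDrive 'inetpub\AdminScripts\adsutil.vbs'
$IisApp      = Join-Path $env:SystemRoot 'system32\iisapp.vbs'

# Ask for the password instead of hard-coding it; net.exe and adsutil.vbs need
# it in clear text, so the clear-text copy is released right after use.
$secure   = Read-Host -AsSecureString "Password for $AccountName"
$bstr     = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$password = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Step 3 of the advisory, done first: create the account and put it in IIS_WPG,
# the group that carries the rights a worker process needs. /y answers the
# "longer than 14 characters" prompt so the script does not block on it.
net user $AccountName $password /add /passwordchg:no /y
net localgroup IIS_WPG $AccountName /add

# Steps 1 and 2 without IIS Manager: AppPoolIdentityType 3 is "Configurable"
# (a specific user) in the IIS 6.0 metabase; WAMUserName and WAMUserPass hold
# the credentials. The pool must be recycled for the new identity to apply.
cscript //nologo $AdsUtil SET "W3SVC/AppPools/$PoolName/AppPoolIdentityType" 3
cscript //nologo $AdsUtil SET "W3SVC/AppPools/$PoolName/WAMUserName" "$env:COMPUTERNAME\$AccountName"
cscript //nologo $AdsUtil SET "W3SVC/AppPools/$PoolName/WAMUserPass" $password
cscript //nologo $IisApp /a $PoolName /r
Remove-Variable password

# MSDTC: the advisory's sc command, followed by a query to confirm the service
# is STOPPED (sc config alone only changes the start type).
sc.exe stop MSDTC
sc.exe config MSDTC start= disabled
sc.exe query MSDTC

# Confirm the pool now runs as the dedicated account and not as NetworkService.
cscript //nologo $AdsUtil GET "W3SVC/AppPools/$PoolName/AppPoolIdentityType"
cscript //nologo $AdsUtil GET "W3SVC/AppPools/$PoolName/WAMUserName"
```

The account is what matters: once the worker process runs under its own identity it no longer shares NetworkService with the other services on the host, and MSDTC is the service the advisory's workaround singles out. The password is kept (encrypted) in the metabase, so it does not need to be written down anywhere else; if two customers share one pool they still share one identity, so give each customer its own pool and its own account.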

IIS 7.0 - Specify a WPI for an application pool in IIS Manager

1. In IIS Manager, expand the server node, click Application Pools, right-click the application pool, and then click Advanced Settings…

2. Find the Identity entry, and click the button to open the Application Pool Identity dialog box.

3. Select the Custom account option and click Set to open the Set Credentials dialog box. Type in the selected Account name and Password in the user name and password text boxes. Retype the Password in the Confirm password text box, then click OK.

Note: Application pool identities are dynamically added to the IIS_IUSRS group (the IIS 7.0 successor of IIS_WPG) and do not need to be manually added.

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected.

IIS 7.0 - Specify a WPI for an application pool using the Command Line utility APPCMD.exe

1. From a command prompt, change to the %systemroot%\system32\inetsrv directory.

2. Execute the APPCMD.exe command using the following syntax, where the string in name='string' is the name of the application pool, the userName string is the user name of the account assigned to the application pool, and the password string is the password for that account:

appcmd set config /section:applicationPools /[name='string'].processModel.identityType:SpecificUser /[name='string'].processModel.userName:string /[name='string'].processModel.password:string

Note: Application pool identities are dynamically added to the IIS_IUSRS group (the IIS 7.0 successor of IIS_WPG) and do not need to be manually added.

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected.
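The APPCMD.exe procedure above, extended to the situation the advisory warns about: a shared host where every customer pool gets its own account, created with a random password that nobody needs to know, set on the pool and then verified. This is an added example and not part of the Microsoft advisory or of the original post; the pool and account names are assumed placeholders, and the account is created through ADSI rather than net.exe so that no interactive prompt can stop the loop. Run it from an elevated PowerShell prompt on the IIS 7.0 host.

```powershell
# Added example, not part of the advisory or the original post: one dedicated
# account per IIS 7.0 application pool, set with appcmd.exe and then verified.
# Pool and account names are assumed placeholders for a shared host.
$AppCmd = Join-Path $env:SystemRoot 'system32\inetsrv\appcmd.exe'
$Pools  = @{ 'CustomerA' = 'svc_customera'; 'CustomerB' = 'svc_customerb' }
$Rng    = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

foreach ($pool in $Pools.Keys) {
    $account = $Pools[$pool]

    # 18 random bytes -> 24 base64 characters: long, unguessable, and free of
    # quotes or spaces, so it passes through appcmd's command line intact.
    $bytes = New-Object byte[] 18
    $Rng.GetBytes($bytes)
    $plain = [Convert]::ToBase64String($bytes)

    # Create (or reset) the local account through the WinNT ADSI provider.
    # No IIS_WPG step is needed: IIS 7.0 adds the pool identity to IIS_IUSRS.
    $path = "WinNT://$env:COMPUTERNAME"
    if ([ADSI]::Exists("$path/$account,user")) {
        $user = [ADSI]"$path/$account,user"
    } else {
        $user = ([ADSI]$path).Create('User', $account)
    }
    $user.SetPassword($plain)
    $user.Put('Description', "IIS worker process identity for pool $pool")
    $user.SetInfo()

    # UF_PASSWD_CANT_CHANGE (0x40) | UF_DONT_EXPIRE_PASSWD (0x10000): an expiring
    # password would silently stop the pool, and its code must not rotate it.
    $user  = [ADSI]"$path/$account,user"
    $flags = [int]$user.UserFlags.Value
    $user.Put('UserFlags', ($flags -bor 0x10040))
    $user.SetInfo()

    # The same three settings as the advisory's appcmd syntax, given against the
    # apppool object so the pool name appears only once.
    & $AppCmd set apppool "$pool" /processModel.identityType:SpecificUser `
        "/processModel.userName:$env:COMPUTERNAME\$account" `
        "/processModel.password:$plain"
    & $AppCmd recycle apppool "$pool"
    Remove-Variable plain

    # Verify: identityType must now read SpecificUser, never NetworkService.
    $type = & $AppCmd list apppool "$pool" /text:processModel.identityType
    if ($type -ne 'SpecificUser') {
        Write-Error "$pool still runs as $type"
    }
}
```

Because the password is random and discarded, nobody can log on as the pool identity; IIS keeps its own encrypted copy in applicationHost.config. Two customers in the same pool, or in two pools that both run as NetworkService, still share an identity, which is exactly what this workaround is meant to remove.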

Source: Microsoft

attack code, milw0rm explanation
