
Temporary Fix for Remote IIS NT AUTHORITY / SYSTEM Shell Spawning Exploits
11/1/99

United Loan Gunmen

Recently, a Perl script from Rain Forest Puppy was released that has become a favorite amongst script kiddies. The script gives remote NT AUTHORITY/SYSTEM level access, and is a major threat even to highly secured NT networks.

We have come up with two ways of thwarting these types of attacks. Since RFP's Perl script relies on the use of either cmd.exe or command.com, we suggest, as a temporary fix, renaming the cmd.exe shell or the command.com shell to something else. Doing this will most likely fool 99% of the script kiddies.

A better temporary idea would be to set the permissions of cmd.exe and command.com for NT AUTHORITY/SYSTEM to 'No Access' instead of 'Full Control'. The most notable problem with this is the Schedule service, which by default runs as NT AUTHORITY/SYSTEM. In order to still use the service, open Services in the Control Panel, select Schedule, then click the 'Startup...' button. By default, services run as the System Account. Select the 'This Account:' radio button and choose a different user to run the service as. If you don't already have a suitable user, create a new account.

NOTE: With NT, we found it is wise to give service accounts different access to the shells (cmd and command under NT) than ordinary users get. This means that if netinfo.exe runs as NT AUTHORITY/SYSTEM, don't let NT AUTHORITY/SYSTEM have shell access.
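The following is an added audit script, not part of the original article or of United Loan Gunmen's fix. It checks the two settings the article recommends on a Windows host: whether NT AUTHORITY\SYSTEM carries an explicit Deny on cmd.exe and command.com, and which account the Schedule service logs on as. It assumes the shells live under $env:SystemRoot\System32 (C:\WINNT\system32 on NT 4) and that the Task Scheduler service still carries the short name "Schedule"; the function names are our own.

```powershell
# Added audit script (not from the original OSAll article).
# Assumptions: shells are under $env:SystemRoot\System32; command.com is
# absent on 64-bit Windows and is reported as not present; the 1999
# Schedule service is today's Task Scheduler, short name 'Schedule'.

function Test-ShellDeniedToSystem {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; SystemDenied = $null }
    }
    $acl = Get-Acl -LiteralPath $Path
    # An explicit Deny ACE for SYSTEM covering ExecuteFile is the modern
    # equivalent of the article's 'No Access' setting for that account.
    $deny = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ExecuteFile)
    }
    [pscustomobject]@{ Path = $Path; Present = $true; SystemDenied = [bool]$deny }
}

function Get-ScheduleServiceAccount {
    # StartName is the logon account; 'LocalSystem' means NT AUTHORITY\SYSTEM,
    # i.e. the default the article tells you to change.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Schedule'"
    if ($null -eq $svc) { return 'service not found' }
    return $svc.StartName
}

function Deny-SystemExecuteOnShell {
    # Applies the article's second mitigation: an explicit Deny for SYSTEM on
    # the shell binary. Only runs when called deliberately; the top-level
    # code below only audits.
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'NT AUTHORITY\SYSTEM', 'ReadAndExecute', 'Deny')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Audit only: report shell ACLs and the Schedule service logon account.
$shells = @("$env:SystemRoot\System32\cmd.exe", "$env:SystemRoot\System32\command.com")
$shells | ForEach-Object { Test-ShellDeniedToSystem -Path $_ } | Format-Table -AutoSize
"Schedule service runs as: $(Get-ScheduleServiceAccount)"
```

Two caveats when applying the Deny: on current Windows the files under System32 are owned by TrustedInstaller, so Set-Acl fails until ownership is taken first; and the article's Schedule service problem generalizes, since anything that runs as SYSTEM and launches cmd.exe will break, so the audit output should be reviewed before Deny-SystemExecuteOnShell is ever called.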

Even if the hole itself remains, permissions set as above will stop a shell from being spawned through it.

We have only provided a temporary fix, as we have not had much time to spend dealing with RFP's perl script. Look to Microsoft or a third party to provide a real fix.

-United Loan Gunmen.


All content copyright 1998 - 99 unless book covers or otherwise noted. Book covers copyright 1998 - 99 Amazon.com. All OSAll-owned content may be reprinted with the following header added: "Copyright 1998 - 99 Owl Services. Visit aviary-mag.com for computer security news and information." Article authors retain a non-exclusive right to republish their work.