New MS Vulnerability - Web-Hosting Providers Beware!

Late on Thursday Microsoft released an advisory about a new privilege escalation vulnerability affecting IIS and SQL Server on Windows XP, 2003, Vista, and Server 2008.

It’s likely that this is the same flaw discussed by Cesar Cerrudo in his talk, “Token Kidnapping”, at the HITB Security Conference 2008 in Dubai. Cerrudo had discovered a privilege-escalation vulnerability earlier, and said in March, “Design weaknesses can be abused on Windows XP, Vista, Internet Information Services 7 and Windows Server 2003 and 2008”.

So what is known about this flaw? A malicious local user who has authentication could execute specially crafted code to raise his privilege level to LocalSystem. IIS and SQL Server are the main attack vectors. But other vectors are possible, such as Microsoft Distributed Transaction Coordinator (MSDTC) on Windows Server 2003.

While the vulnerability is limited to a local privilege escalation, IIS’s susceptibility is concerning. The Web server is widely used on the Internet, and is a top pick by Web-hosting providers. We might see Web-hosting providers targeted, and — this is scary -– their clients’ Web sites breached. As Microsoft stated in its advisory, “Hosting providers may be at increased risk from this elevation of privilege vulnerability.” However, no exploitation has been observed at this time.L33tdawg: This is indeed the same issue that Cesar talked about at the conference. The folks at MS have asked us to hold off on publishing the exploit code (for obvious reasons) however the presentation materials from the conf will be released tomorrow (Monday).