April 19, 2008

The Good old known IIS 0-day

Microsoft mentioned it publicly, FINALLY!

Check this out. Looks pretty interesting, huh? And I'm sure your mind is busy finding a way to elevate to LocalSYSTEM from the IIS user... Indeed it looks pretty juicy, especially in hosted environments.
Well, from poor (or good!) people's point of view, this article is pretty good and useful, as it tries to inform them about a known critical problem and lets them apply the given workaround.
But from bad (or hackers/expert) people's point of view, this is pretty funny and at the same time scary! Why? Because this attack vector has been semi-publicly (through a few commercial services) known since early 2006, and for sure known by various experts in the field even before that date. And guess what? Recently there have been some discussions about such a vector on a PUBLIC mailing list, maybe talking about the same flaw? ;). All this means bad guys are already using the flaw to own you.
And after all, MS is just releasing an article. The only new thing I learned from this article was that Vista and Win2008 are affected too. Thank you MS!

All I can say is to follow the MS workarounds in the hope of making you a little safer. I doubt MS will fix this attack vector soon, as fixing it may require a complete redesign of some of the affected components, as some experts mentioned. This (or the vectors mentioned in the highlighted thread) looks like one of those nasty design flaws Microsoft will face many problems trying to fix.

And if it's only an exploit that scares you enough to go for a fix as a sysadmin:

Yes, this bug has been known since at least 2 years ago, and working exploits/techniques for both IIS 5/6 and MS-SQL 2000 are already being handed/traded/sold on a limited basis out there!

UPDATED [19 April]:
Some related info about the case, for those looking for even more details.
I also mistakenly included IIS 5.0 as affected (three lines above) while writing. Here I'm correcting it to 5.1/6.0.


  1. Thanks for the heads-up. It seems that it's been already announced and presented publicly.

  2. http://securitywatch.eweek.com/flaws/microsoft_belatedly_admits_to_windows_server_2008_token_kidnapping.html