Re: Frontpage no password privileges escalation?

From: thomas springer (tuevsec@gmx.net)
Date: Thu Oct 05 2006 - 05:17:15 EDT


sparky,

usually you'll upload some kind of asp-admin-tool (like tool25.dat in
php, i found a few of them hanging around on some servers).
then you're going to upload tools/exploits to get an administrator- or
system-shell via a local exploit - most webservers are missing one or
another patch for local exploits. there is a ton of local non-ie
exploits running well with unpatched windows-machines.
then grab a sam and use JtR to get the local admin's password. you might
go with this account (password won't change, usually) or create a new
user and do a "user localgroup admins add"
i'd recommend to delete all tools after having an account, then you
might leave a little asp-shell that will wait for commands, running then
under runas. If you're smart, you'll implement this with a few lines as
"addon" to one or more existing asp-scripts, so they will not notice
you when they're looking in their logs.

but, to be honest: why would somebody invest hours in doing stuff like this?
whatever hack i have seen in the last years: some replace your
index.html (for fame), others (most) will install some kind of
bot-software (for money).

tom

09sparky@gmail.com wrote:
> Does anyone know if there is a way to gain root/admin access to a system if you are able to connect to Microsoft FrontPage with No password set on the web server? It is running "Microsoft IIS web server 5.0". The system has been clearly compromised, but I want to see if there were any additional attack vectors that the hackers have performed, to compromise the rest of the system. The obvious recommendation to the client is to re-image the whole machine (after forensic investigation - if necessary), but any suggestions for escalating privileges?
>
> Thanks,
> 09Sparky
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>
>
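
Added example, not part of the original thread: for the forensic question in the quoted post, comparing the suspect web root against a known-good copy (backup or deployment source) reports both uploaded files and existing scripts that had lines appended, which log review alone can miss. The directory names, file names other than tool25.dat, and all file contents below are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map lower-cased relative path -> SHA-256 for every file under root.

    Paths are lower-cased because IIS on NTFS is case-insensitive; content
    hashes are used because timestamps on a compromised host can be reset.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix().lower(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def compare(baseline, current):
    """Classify differences between the known-good tree and the suspect tree."""
    shared = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),      # files not in the baseline
        "removed": sorted(baseline.keys() - current.keys()),    # files missing from the host
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
    }


def demo():
    """Build two constructed trees and return the comparison result."""
    with tempfile.TemporaryDirectory() as tmp:
        good, live = Path(tmp, "good"), Path(tmp, "live")
        for tree in (good, live):
            tree.mkdir()
            (tree / "index.html").write_text("<html>constructed page</html>\n")
            (tree / "default.asp").write_text("<% Response.Write \"hello\" %>\n")
        # Constructed stand-ins: extra lines appended to an existing script,
        # and a file that is absent from the known-good copy.
        with open(live / "default.asp", "a") as f:
            f.write("<% ' constructed placeholder for appended lines %>\n")
        (live / "tool25.dat").write_text("constructed placeholder\n")
        return compare(snapshot(good), snapshot(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run the snapshot against a read-only mount or forensic image of the suspect disk rather than the live host, so the comparison does not alter evidence.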




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:06 EDT