COMMAND
Reverting the "IUSR_MACHINENAME" Account
SYSTEMS AFFECTED
Win NT 3.5, 3.51, 4.0
PROBLEM
This vulnerability was originally presented on:
www.ntshop.com/security
and credit for this text is theirs.
ISAPI scripts run under the IUSR_MACHINENAME account under IIS,
and thus inherit the security permissions of this account.
However, if the ISAPI program contains a simple call to
RevertToSelf(), you have a big hole. Once that program line is
executed, the ISAPI program reverts its authority to the
all-powerful SYSTEM account, at which point the program can do
just about anything, including successfully executing system()
calls.
SOLUTION
Don't run ISAPI scripts you don't trust -- be careful with
shareware and freeware. Insist on examining the source code
wherever possible, and compile it yourself before use. And if you
can't, think long and hard before you decide to run the program
blindly. Test the ISAPI programs as best you can on a
standalone, isolated system before implementing them on your
production machines.
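
One way to support the source review recommended above, as an added
example that is not part of the original advisory: a Python helper that
lists calls to RevertToSelf() and system() in C source while ignoring
comments and string literals. The name audit_source and the sample ISAPI
extension are constructed for illustration.

```python
import re

# Calls worth a reviewer's attention in ISAPI source, per the advisory:
# RevertToSelf() drops the IUSR_MACHINENAME impersonation; system() runs commands.
FLAGGED = ("RevertToSelf", "system")

# Matches C comments and string/char literals so they can be blanked out.
_NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'',
    re.DOTALL,
)
_CALL = re.compile(r'\b(%s)\s*\(' % "|".join(FLAGGED))


def _blank(match):
    # Keep newlines so reported line numbers still match the original file.
    return re.sub(r'[^\n]', ' ', match.group(0))


def audit_source(text):
    """Return (line_number, function_name) for each flagged call, in file order."""
    code = _NOISE.sub(_blank, text)
    hits = []
    for m in _CALL.finditer(code):
        line = code.count("\n", 0, m.start()) + 1
        hits.append((line, m.group(1)))
    return hits


# Constructed sample input: a hypothetical ISAPI extension, not real code.
SAMPLE = r'''
#include <windows.h>
#include <httpext.h>
/* RevertToSelf() is mentioned here only in a comment */
DWORD WINAPI HttpExtensionProc(EXTENSION_CONTROL_BLOCK *ecb)
{
    const char *msg = "system(\"dir\") inside a string";
    RevertToSelf ();          // now running as SYSTEM
    system(ecb->lpszQueryString);
    return HSE_STATUS_SUCCESS;
}
'''

if __name__ == "__main__":
    for line, name in audit_source(SAMPLE):
        print("line %d: call to %s()" % (line, name))
```

An empty result does not prove the calls are absent: calls reached through
macros or function pointers will not match, so treat the output as a guide
to where to start reading.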