'Interactive logons and MS03-013'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       ntbugtraq
Subject:    Interactive logons and MS03-013
From:       brett hill <brett () IISANSWERS ! COM>
Date:       2003-04-17 0:57:01
[Download RAW message or body]

Regarding the bulletin
http://www.microsoft.com/technet/security/bulletin/MS03-013.asp and in
particular the section on mitigating factors that states:
-------------
- A successful attack requires the ability to logon interactively to the
target machine, either directly at the console or through a terminal
session.
- Properly secured servers would be at little risk from this =
vulnerability.
Standard best practices recommend only allowing trusted administrators =
to log onto such systems interactively; without such privileges, an =
attacker could not exploit the vulnerability.
--------------

The statement "A successful attack requires the ability to logon
interactively to the target machine, either directly at the console or
through a terminal session." is potentially misleading. First of all, it is
not clear precisely what is meant by an "interactive" logon. If that refers
to a "local" logon (resulting in membership in the Interactive built in
group), then it would make more sense to say "requires the ability to
authenticate as a local logon" as there are other ways to authenticate to
the server with a local logon type besides those listed (through the console
and terminal services). The bulletin pretty clearly infers that those are
the only methods for achieving such a session.
 
If it is the case that a the only requirement is a "local" logon then users
who authenticate to an IIS servers with Basic authentication are also in the
category of users who could potentially use this exploit. This would also be
true of anonymous authentication when the "Allow IIS to control password"
box is cleared (IIS 5). The default configuration is for this checkbox to be
set, so normally anon users are not an issue for this problem. Of course, in
either case, the user would need the ability to write and execute programs.

-brett hill
 
 

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
Have you discovered a security vulnerability related to Windows or a
commercial product which runs on Windows?

Need assistance crafting the format or translating your advisory to English?

Need to verify it, or having problems contacting the Vendor?

Contact mailto:Advisories@NTBugtraq.com

oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic