Potential Security Vulnerability for NetworkService / potential new IIS exploit

Important heads-up with regard to a potential privilege escalation issue when running under NetworkService, which we all know is the IIS default. Note, however, that it requires native code or full-trust .NET.

Hosting providers with shared hosting configurations should pay careful attention to this and ensure that they are running a customised version of medium trust at the very least - https://msdn2.microsoft.com/en-us/library/ms998341.aspx. Also be wary of any custom ISAPI extensions, i.e. do a code review.

High level summary:

Processes running under Network Service identity can elevate to Local System on XP, Win2k3, Vista and Win2k8. Additionally, on Win2k3 any process running with an identity that has SeImpersonatePrivilege can elevate to Local System, and this privilege is required by IIS worker process identity. The Elevation of Privilege requires running native user code or full-trust managed code.

Our guidance is of course to move your app's WPI (worker process identity) away from NetworkService to a Windows account. Additionally, on Win2k3, our guidance includes disabling the Distributed Transaction Coordinator service (to close the hole where any identity with SeImpersonatePrivilege can elevate).
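One way to check a server against this guidance, as an added example that is not part of the original post or of Microsoft's advisory: a read-only PowerShell audit that lists each application pool's identity and reports the state of the DTC service. It assumes the IIS 6 WMI provider (`root\MicrosoftIISv2`) is available (on IIS 7 that means the IIS 6 WMI Compatibility feature is installed); the function names are hypothetical.

```powershell
# Added example: read-only audit, changes nothing on the server.
# Assumption: the IIS 6 WMI provider (root\MicrosoftIISv2) is installed.

# AppPoolIdentityType values as stored in the IIS metabase.
$identityNames = @{ 0 = 'LocalSystem'; 1 = 'LocalService'; 2 = 'NetworkService'; 3 = 'SpecificUser' }

function Get-AppPoolIdentityReport {
    # One row per application pool; NeedsChange marks pools still on NetworkService.
    $pools = Get-WmiObject -Namespace 'root\MicrosoftIISv2' -Class IIsApplicationPoolSetting
    foreach ($pool in $pools) {
        $type = [int]$pool.AppPoolIdentityType
        $name = $identityNames[$type]
        if (-not $name) { $name = "Unknown ($type)" }
        $account = ''
        if ($type -eq 3) { $account = $pool.WAMUserName }   # configured Windows account
        New-Object PSObject -Property @{
            AppPool     = $pool.Name -replace '^W3SVC/AppPools/', ''
            Identity    = $name
            Account     = $account
            NeedsChange = ($type -eq 2)
        }
    }
}

function Get-DtcServiceState {
    # The Win2k3 guidance is to disable DTC; report whether it is stopped and disabled.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='MSDTC'"
    if (-not $svc) { return }
    New-Object PSObject -Property @{
        Service   = $svc.Name
        State     = $svc.State        # Running / Stopped
        StartMode = $svc.StartMode    # Auto / Manual / Disabled
        Mitigated = ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled')
    }
}

Get-AppPoolIdentityReport | Sort-Object AppPool |
    Format-Table AppPool, Identity, Account, NeedsChange -AutoSize

# Windows Server 2003 reports OS version 5.2; the DTC guidance applies there.
$os = Get-WmiObject -Class Win32_OperatingSystem
if ($os.Version -like '5.2*') {
    Get-DtcServiceState | Format-Table Service, State, StartMode, Mitigated -AutoSize
}
```

Before disabling DTC, confirm that nothing on the server depends on distributed transactions.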

More information here: https://www.microsoft.com/technet/security/advisory/951306.mspx

Let me know if you have any further questions or require advice.

- jorke

UPDATE (6:23pm 18/4/08):

Check out Ken Schaefer's Blog for the origin of this potential issue.

 
