DATE:
COMMAND SOURCE:
AUTHOR:
IIS
SYSTEMS AFFECTED
Win NT Microsoft Internet Information Server 3.0
PROBLEM
Daragh Malone provided this information. It appears that any
Active Server Page can create, read, write or overwrite any file
on the system, regardless of security permissions. Here's how to
recreate the situation. Share out the wwwroot directory to a
user, or use InterDev and allow the user to log in to the web.
This, I would imagine, is all that you want the user to see. If
this user creates an .asp page, and uses the
Scripting.FileSystemObject, he has full control over any file on
the machine.
For example:
<%
Set fsMad=CreateObject("Scripting.FileSystemObject")
Set fileMad=fsMad.CreateTextFile("c:\winnt\mad.txt")
fileMad.write("Here's a bit of a strange one")
fileMad.close
%>
Neither the user's account nor the IUSR_machinename account has
been granted the right to do this. It seems that the file is being
manipulated by the SYSTEM account.
This is probably by design, but D. Malone gave it here as a
warning that sharing out wwwroot is in effect sharing out the
entire filesystem.
EXPLOIT
SOLUTION
I'm sure that MS will make up something.
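Since the advisory offers no fix, one way to review what users have already placed in a shared wwwroot is to scan the .asp sources for Scripting.FileSystemObject file calls whose literal paths fall outside the web root. The following Python audit is an added example, not part of the original advisory; the web root path, the function name audit_asp and the second sample block are assumptions made for illustration.

```python
import ntpath
import re
from pathlib import PureWindowsPath

# FileSystemObject methods that create, overwrite, copy, move or delete files.
FSO_FILE_METHODS = ("CreateTextFile", "OpenTextFile", "CopyFile", "MoveFile", "DeleteFile")
ASP_BLOCK = re.compile(r"<%(.*?)%>", re.S)
FSO_NEW = re.compile(
    r'Set\s+(\w+)\s*=\s*(?:Server\.)?CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)',
    re.I)

# Assumption: location of the web root; the advisory only says "wwwroot".
WEB_ROOT = r"c:\inetpub\wwwroot"

def audit_asp(source, web_root=WEB_ROOT):
    """Return (method, literal_path, outside_web_root) for every
    FileSystemObject file call in `source` that takes a literal path."""
    root = PureWindowsPath(ntpath.normpath(web_root))
    findings = []
    for block in ASP_BLOCK.findall(source):
        for var in FSO_NEW.findall(block):
            call = re.compile(
                r'\b%s\.(%s)\s*\(?\s*"([^"]+)"'
                % (re.escape(var), "|".join(FSO_FILE_METHODS)), re.I)
            for method, path in call.findall(block):
                # Collapse "..\" segments first so traversal is not missed.
                target = PureWindowsPath(ntpath.normpath(path))
                inside = target == root or root in target.parents
                findings.append((method, path, not inside))
    return findings

# Constructed sample: the advisory's page plus a hypothetical second block.
SAMPLE_ASP = r'''
<%
Set fsMad=CreateObject("Scripting.FileSystemObject")
Set fileMad=fsMad.CreateTextFile("c:\winnt\mad.txt")
fileMad.write("Here's a bit of a strange one")
fileMad.close
%>
<%
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set hits = fso.OpenTextFile("c:\inetpub\wwwroot\logs\hits.txt", 8, True)
fso.DeleteFile "c:\inetpub\wwwroot\..\..\winnt\mad.txt"
%>
'''

if __name__ == "__main__":
    for method, path, outside in audit_asp(SAMPLE_ASP):
        print("OUTSIDE WEB ROOT" if outside else "ok", method, path)
```

Only literal string paths are resolved; a path built from variables or request input will not appear in the findings and still needs manual review.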