Thanks for the reference David. As the advisory notes, impersonation implications are not something new. We would like to stress the fact of how easy it is to exploit by two notable samples.

- An attacker can reliably elevate a context running on behalf of the Network Service account. For example, by default, IIS 6.0 runs the Worker Process as Network Service. So an attacker who is able to upload an ASP script can gain administrative privileges.
- MS SQL service context is elevated up to LocalSystem regardless of the account it runs under.

These are purely practical exploitations for Windows 2003 in default configuration without additional pre-requirements. We provide demo tools exploiting these elevations as a part of our products evaluation procedure.

Additionally, we want to stress the obscurity of nearly all "official" manuals that declare Network Service as a non-privileged account, a quote: "The new Network Service account … has a greatly reduced privilege level on the server itself and, therefore, does not have local administrator privileges." In fact, given the easiness of Network Service elevation and some additional permissions, you may consider the Network Service account as an equivalent of LocalSystem.

Even if Vista would address certain issues, how long do we have to wait for the Windows 2003 successor - Vista Server..

Brian L. Walche, Know the Fact - http://www.gentlesecurity.com/knowthefacts.html
GentleSecurity S.a.r.l.
www.gentlesecurity.com

> Hi Brian,
> I wrote a paper on this subject last year, "Snagging Security Tokens to
> Elevate Privileges"
> (http://www.databasesecurity.com/dbsec-briefs.htm) after
> Tim Mullen and I thrashed out a few details at Blackhat last year over a few
> White Russians. The paper discusses the problem in the context of database
> servers and examines the LogonUser() and AcceptSecurityContext() functions.
> I believe Longhorn/Vista will address many of the issues that currently affect
> impersonation.
>
> Cheers,
> David Litchfield
> http://www.databasesecurity.com/
> http://www.ngssoftware.com/
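A defender-side inventory for the two cases Brian lists (the IIS worker process running as Network Service, and services running as LocalSystem), so an administrator can see what on a host should be treated as LocalSystem-equivalent. This is an added PowerShell example, not code from the thread, from GentleSecurity or from the cited paper; it assumes PowerShell 2.0 with WMI access on the local host, and the account-name strings are the built-in spellings Windows reports.

```powershell
# Added example: list services and processes whose security context is
# Network Service or LocalSystem. The post's point is that a Network Service
# context can be elevated, so it belongs in the same tier as LocalSystem
# when reviewing what an uploaded script or a compromised service could reach.

$localSystemNames   = @('LocalSystem')
$networkServiceNames = @('NT AUTHORITY\NetworkService', 'NT AUTHORITY\Network Service')

function Get-ContextTier([string]$account) {
    # Assumption: account strings come from Win32_Service.StartName or
    # Win32_Process.GetOwner(); comparison is case-insensitive.
    if ($localSystemNames -icontains $account)   { return 'LocalSystem' }
    if ($networkServiceNames -icontains $account) { return 'NetworkService (treat as LocalSystem)' }
    return $null
}

# 1. Services: which ones start under a high-value account.
$flaggedServices = Get-WmiObject -Class Win32_Service | ForEach-Object {
    $tier = Get-ContextTier $_.StartName
    if ($tier) {
        New-Object PSObject -Property @{
            Service = $_.Name
            Account = $_.StartName
            State   = $_.State
            Tier    = $tier
            Binary  = $_.PathName
        }
    }
}

# 2. Running processes: GetOwner() returns the token owner, which is how the
#    IIS 6.0 worker process (w3wp.exe) shows up as NETWORK SERVICE by default.
$flaggedProcesses = Get-WmiObject -Class Win32_Process | ForEach-Object {
    $owner = $_.GetOwner()
    if ($owner.ReturnValue -eq 0) {
        $acct = '{0}\{1}' -f $owner.Domain, $owner.User
        $tier = Get-ContextTier $acct
        if ($tier) {
            New-Object PSObject -Property @{
                Pid = $_.ProcessId; Process = $_.Name; Owner = $acct; Tier = $tier
            }
        }
    }
}

"== Services in a LocalSystem-equivalent context =="
$flaggedServices | Sort-Object Tier, Service | Format-Table Service, Account, State, Tier -AutoSize
"== Running processes in a LocalSystem-equivalent context =="
$flaggedProcesses | Sort-Object Tier, Process | Format-Table Pid, Process, Owner, Tier -AutoSize
```

Any web-facing service in the first list, and any w3wp.exe or sqlservr.exe in the second, is the kind of context the post says should be reviewed as if it were already LocalSystem.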