Temporary Fix for Remote IIS NT AUTHORITY / SYSTEM Shell Spawning Exploits

11/1/99
United Loan Gunmen

Recently, a perl script from Rain Forest Puppy was released and has become a favorite amongst script kiddies. This script allows remote NT AUTHORITY/SYSTEM level access and is a major threat, even to highly secured NT networks.

We have come up with 2 ways of thwarting these types of attacks.

Since RFP's perl script relies on the use of either cmd.exe or command.com, one temporary fix is to rename the cmd.exe shell or the command.com shell to something else. Doing this will most likely fool 99% of the script kiddies.

A better temporary idea would be to set the permissions on cmd.exe and command.com for NT AUTHORITY/SYSTEM to 'No Access' instead of 'Full Control'. The most noted problem with this is the Schedule service, which, by default, runs as NT AUTHORITY/SYSTEM. To still use the service in this case, open up Services in the Control Panel. Select Schedule, then click the 'Startup...' button. By default, services are run as the System Account. Select the 'This Account:' radio button, and select a different user to run the service as. If you don't already have a user, create a new account.

NOTE: With NT, we found it is a wise idea to set user access for shells (with NT, cmd and command) to be different from that of services. This means that if netinfo.exe is run as NT AUTHORITY/SYSTEM, don't let NT AUTHORITY/SYSTEM have shell access. Should it be possible to spawn a shell, having permissions set as above will stop it from happening, even if the hole is still there.

We have only provided a temporary fix, as we have not had much time to spend dealing with RFP's perl script. Look to Microsoft or a third party to provide a real fix.

-United Loan Gunmen.
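
One way to verify the permission change described above, as an added example that is not part of the original advisory: a Python check over captured cacls output that reports any shell on which NT AUTHORITY/SYSTEM is not set to No Access. The file paths, the sample output and the function names are constructed for illustration, and the cacls layout (one "account:perm" entry per line, N meaning No Access) is an assumption.

```python
# Added example (not from the original advisory): audit captured `cacls`
# output to confirm NT AUTHORITY\SYSTEM is 'No Access' on the command shells.
# Assumed layout: "<path> <account>:<perm>" on the first line, then indented
# "<account>:<perm>" lines; N = No Access, R = Read, C = Change, F = Full.

SYSTEM = r"NT AUTHORITY\SYSTEM"

# Constructed sample: cmd.exe already locked down, command.com not yet.
SAMPLE = {
    r"C:\WINNT\system32\cmd.exe": "\n".join([
        r"C:\WINNT\system32\cmd.exe BUILTIN\Administrators:F",
        r"                          NT AUTHORITY\SYSTEM:N",
        r"                          Everyone:R",
    ]),
    r"C:\WINNT\system32\command.com": "\n".join([
        r"C:\WINNT\system32\command.com BUILTIN\Administrators:F",
        r"                              NT AUTHORITY\SYSTEM:F",
        r"                              Everyone:R",
    ]),
}

def parse_acl(path, text):
    """Return {ACCOUNT: PERM} parsed from cacls output for one file."""
    acl = {}
    for i, line in enumerate(text.splitlines()):
        # Drop the leading path by prefix, since account names contain spaces.
        if i == 0 and line.lower().startswith(path.lower()):
            line = line[len(path):]
        account, _, perm = line.strip().rpartition(":")
        if account:
            acl[account.upper()] = perm.strip().upper()
    return acl

def system_can_use_shell(path, text):
    """True unless SYSTEM is explicitly set to N (No Access).

    A missing SYSTEM entry counts as exposed: SYSTEM may still get access
    through a group entry such as Everyone.
    """
    return parse_acl(path, text).get(SYSTEM.upper()) != "N"

def audit(outputs):
    """Return, sorted, the shells that SYSTEM can still use."""
    return sorted(p for p, t in outputs.items() if system_can_use_shell(p, t))

if __name__ == "__main__":
    for path in audit(SAMPLE):
        print("SYSTEM is not set to No Access on", path)
```
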