DATE:  
COMMAND                                            SOURCE: 
                                                   AUTHOR: 
  IIS

SYSTEMS AFFECTED

  Win NT Microsoft Internet Information Server 3.0
  

PROBLEM


    Daragh  Malone  provided  this  information.  It  appears that any
    Active Server Page can create,  read, write or overwrite any  file
    on the system, regardless of security permissions.  Here's how  to
    recreate the  situation.   Share out  the wwwroot  directory to  a
    user, or  use InterDev  and allow  the user  to login  to the web.
    This I would  imagine is all  that you want  the user to  see.  If
    this   user    creates    an   .asp    page,    and   uses     the
    Scripting.FileSystemObject, he has full  control over any file  on
    the machine.

    For example:

    <%
    Set fsMad=CreateObject("Scripting.FileSystemObject")
    Set fileMad=fsMad.CreateTextFile("c:\winnt\mad.txt")
    fileMad.write("Here's a bit of a strange one")
    fileMad.close
    %>

    Neither the  users account  or the  IUSR_machinename account  have
    been granted the write to do this. It seems that the file is  been
    manipulated by the SYSTEM account.

    This is probably by design, but D. Marone gave it here as a
    warning that sharing out wwwroot is in effect sharing out the
    entire filesystem.



EXPLOIT

  

SOLUTION


    I'm sure that MS will make up sometning.