COMMAND

RevertToSelf

SYSTEMS AFFECTED

Win NT 3.5, 3.51, 4.0

PROBLEM

This vulnerability was originally presented at www.ntshop.com/security, and credit for this text goes to them. ISAPI scripts run under the IUSR_MACHINENAME account under IIS and thus inherit the security permissions of that account. However, if the ISAPI program contains a simple call to RevertToSelf(), you have a big hole. Once that line is executed, the ISAPI program reverts its authority to the all-powerful SYSTEM account, at which point the program can do just about anything, including successfully executing system() calls.

SOLUTION

Don't run ISAPI scripts you don't trust -- be careful with shareware and freeware. Insist on examining the source code wherever possible, and compile it yourself before use. If you can't, think long and hard before you decide to run the program blindly. Test ISAPI programs as best you can on a standalone, isolated system before deploying them on your production machines.
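One way to support the source review recommended under SOLUTION, as an added example that is not part of the original advisory: a Python check that flags RevertToSelf() and process-launch calls in ISAPI C source while ignoring comments and string literals. The CreateProcess and WinExec entries in the watch list and the constructed sample source are assumptions of this example.

```python
import re

# Calls to flag. RevertToSelf and system() come from the advisory; the other
# process-launch APIs are an assumption about what a reviewer would also check.
REVERT = "RevertToSelf"
EXEC_CALLS = ("system", "CreateProcessA", "CreateProcessW", "CreateProcess", "WinExec")

# Matches C comments and string/char literals so they can be blanked out.
_NOISE = re.compile(
    r'/\*.*?\*/|//[^\n]*|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'',
    re.DOTALL)

# Constructed sample source (not from the advisory) for a quick self-check.
SAMPLE = r'''
/* constructed sample: RevertToSelf() in a comment is ignored */
DWORD WINAPI HttpExtensionProc(EXTENSION_CONTROL_BLOCK *ecb)
{
    const char *msg = "system(\"x\") inside a string is ignored";
    RevertToSelf();
    system("cleanup.bat");
    return HSE_STATUS_SUCCESS;
}
'''

def _blank(match):
    # Keep newlines so reported line numbers still match the original file.
    return re.sub(r"[^\n]", " ", match.group(0))

def audit_isapi_source(source):
    """Return (findings, verdict) for one C/C++ source text.

    findings: (line_number, function_name) for every flagged call.
    verdict:  'revert-then-exec' if a process-launch call appears after a
              RevertToSelf call, 'revert' if only RevertToSelf is called,
              'no-revert' otherwise.
    """
    code = _NOISE.sub(_blank, source)
    names = "|".join(sorted((REVERT,) + EXEC_CALLS, key=len, reverse=True))
    call = re.compile(r"\b(%s)\s*\(" % names)
    hits = [(m.start(), m.group(1)) for m in call.finditer(code)]
    findings = [(code.count("\n", 0, pos) + 1, fn) for pos, fn in hits]
    reverts = [pos for pos, fn in hits if fn == REVERT]
    if not reverts:
        return findings, "no-revert"
    if any(fn != REVERT and pos > reverts[0] for pos, fn in hits):
        return findings, "revert-then-exec"
    return findings, "revert"

if __name__ == "__main__":
    print(audit_isapi_source(SAMPLE))
```

This is a textual check on source ordering, not on execution paths, so it narrows down where to read rather than replacing the review itself.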