MS Windows Token Kidnapping本地提权的解决方案




这个漏洞是由于在NetworkService 或者 LocalService 下运行的代码,可以访问同样是在 NetworkService 或者 LocalService 下运行的进程,某些进程允许提升权限为LocalSystem

对于IIS,默认安装是不受影响的,受影响的是你的ASP.NET代码是以 Full Trust 运行,如果权限低于 Full Trust,也不会受影响。老的Asp 代码不受影响,只有 ASP.NET才受影响。

对于 SQL Server,如果用户以administrative 权限运行代码,则会受影响

对于Windows Server 2003,攻击者可以通过MSDTC获取token访问其他同样token的进程,从而可能造成提权。



IIS 6.0 – Configure a Worker Process Identity (WPI) for an application pool in IIS to use a created account in IIS Manager and disable MSDTC

Perform the following steps:

1.In IIS Manager, expand the local computer, expand Application Pools, right-click the application pool and select Properties.

2.Click the Identity tab and click Configurable. In the User name and Password boxes, type the user name and password of the account under which you want the worker process to operate.

3.Add the chosen user account to the IIS_WPG group.

Disabling the Distributed Transaction Coordinator will help protect the affected system from attempts to exploit this vulnerability. To disable the Distributed Transaction Coordinator, perform these steps:

1.Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.

2.Double-click Administrative Tools. Alternatively, click Switch to Classic View and then double-click Administrative Tools.

3.Double-click Services.

4.Double-click Distributed Transaction Coordinator.

5.In the Startup type list, click Disabled.

6.Click Stop (if started), and then click OK.

You can also stop and disable the MSDTC service by using the following command at the command prompt:

sc stop MSDTC & sc config MSDTC start= disabled

Impact of Workaround: Managing the additional user accounts created in this workaround results in increased administrative overhead. Depending on the nature of applications running in this application pool, application functionality may be affected. An example is Windows Authentication; see Microsoft Knowledge Base Article 871179. Disabling MSDTC will prevent applications from using distributed transactions. Disabling MSDTC will prevent IIS 5.1 from running in Windows XP Professional Service Pack 2 and Windows XP Professional Service Pack 3, and IIS 6.0 running in IIS 5.0 compatibility mode. Disabling MSDTC will prevent configuration as well as running of COM+ applications.