Threat Level: green Handler on Duty: Deborah Hale

SANS ISC: InfoSec Handlers Diary Blog - When web application security, Microsoft and the AV vendors all fail InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

When web application security, Microsoft and the AV vendors all fail

Published: 2009-03-13
Last Updated: 2009-03-13 03:07:43 UTC
by Bojan Zdrnja (Version: 1)
6 comment(s)

I just spent some time analyzing yet another incident and I was actually shocked about how the combination of relatively weak defenses led to a system being completely compromised.

The three main actors in this movie were a web application with a security vulnerability, Microsoft’s server class operating systems with an unpatched local privilege escalation vulnerability and the last line of everyone’s defense, the AV vendors.

The story started more or less like hundreds of recently seen incidents.  A web application had a vulnerability that allowed a remote attacker to upload files to the server.  As the files were not validated, the attacker was able to upload a .NET Webshell. This webshell is known as ASPXSpy, it’s an ASPX program that allows easy control over the compromised server. The attacker can now upload files through the browser and execute them.

However, the attacker still does not have total control over the server as the IIS service runs under an unprivileged account. This is where the local privilege escalation vulnerability comes into play.  The attackers uploaded a local exploit called Churrasco2.  This is a PoC created by a well known researcher Cesar Cerrudo and published back in October 2008.  What makes it even worse is that it work on both Windows Server 2008 and Server 2003.  The exploit creates a backdoor shell after it steals the SYSTEM token.  The program’s usage description says it all:

/Churrasco/-->Usage: Churrasco2.exe ipaddress port

After this, it was game over.  The attacker had a backdoor to the server running as SYSTEM.  The next steps were very obvious and included installation of another Trojan as well as a keylogger.

Finally, the last line of defense, the anti-virus program, failed as well.  Although the AV vendors typically include detection for exploits, it’s clear that they missed this one.  I ran it past VirusTotal and the results where … well … horrible is an understatement – 0 AV programs detected this:

So, what can we learn from this example? The attacks I described are in the wild and are abused.  The first line of defense, in this case the web application’s security, must be made as secure as possible – secure coding standards, penetration tests and whatever else you can do are justified.  As we saw from this example,  other defenses failed.   And the security of your web application depends only on you.

This doesn’t mean that other two actors should just sit and do nothing.  Microsoft should really fix this vulnerability and pay more attention to local privilege escalation vulnerabilities.  While MS released an advisory with suggested workarounds (available at, I don’t think enough people know about this.

Finally, the AV vendors should be more proactive (instead of reactive) and follow exploit research developments so they can add detection for similar exploits early and protect their customers.


6 comment(s)
Diary Archives