Monday, March 5, 2012

Windows Web Security: Why you DON'T run IIS AppPools with user accounts that have elevated rights to a domain.

Title:  Windows Web Security:  Why you DON'T run IIS AppPools with user accounts that have elevated rights to a domain.

Description:  The password configured for a Windows IIS AppPool identity can be recovered in clear text by any local Administrator of the IIS server.

Vulnerability:  If your IIS machine is compromised and an AppPool on that machine runs as a domain account with elevated user rights, the attacker only needs to run a PowerShell command to read the username and password of an account holding domain-level privileges.  The same applies in an administratively segregated environment, where the Administrator of an IIS server is not supposed to hold domain-level rights.

Requirements:  IIS 7 / Windows Server 2008 R2 at a minimum, and possibly earlier versions.  I haven't tested this on earlier versions, but it should still be reproducible through the root\MicrosoftIISv2 WMI namespace.

Proof of Concept:


You can see the AppPool Name as well as the configured domain username and password.  This was run using a local Administrator account on an IIS server.
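The defensive counterpart to the finding above is an audit that tells you which AppPools on a server carry a stored credential at all, and which of those credentials are domain accounts that should be replaced with ApplicationPoolIdentity or a deliberately low-privilege account. The script below is an added example written for this page; it is not the original post's proof of concept and it never reads or displays the stored password. It assumes the WebAdministration PowerShell module (shipped with IIS 7.5 on Windows Server 2008 R2; on IIS 7.0 the equivalent is the WebAdministration snap-in) and that it is run as a local Administrator of the IIS host. The optional ActiveDirectory block at the end assumes the RSAT AD module is installed.

```powershell
# Added audit example (not from the original post): list IIS application pools
# whose identity is a specific user account and flag the ones that look like
# domain accounts, without ever reading or printing the stored password.
# Assumes the WebAdministration module (IIS 7.5 / Windows Server 2008 R2) and
# that the script runs as a local Administrator of the IIS server.
Import-Module WebAdministration -ErrorAction Stop

# Account prefixes that denote local or built-in principals, not domain accounts.
$localPrefixes = @($env:COMPUTERNAME, 'BUILTIN', '.', 'NT AUTHORITY', 'IIS APPPOOL')

$report = foreach ($pool in Get-ChildItem IIS:\AppPools) {
    $identityType = [string]$pool.processModel.identityType
    $userName     = [string]$pool.processModel.userName

    # Only SpecificUser pools have a password stored in applicationHost.config;
    # the built-in identities (ApplicationPoolIdentity, NetworkService, ...) do not.
    if ($identityType -ne 'SpecificUser') {
        [pscustomobject]@{
            AppPool      = $pool.Name
            IdentityType = $identityType
            Account      = ''
            Risk         = 'OK: built-in identity, no stored password'
        }
        continue
    }

    # DOMAIN\user or user@domain.tld is a domain credential; MACHINE\user is local.
    $isDomain = $false
    if ($userName -match '^([^\\]+)\\') {
        $isDomain = $localPrefixes -notcontains $Matches[1]
    } elseif ($userName -match '@') {
        $isDomain = $true
    }

    if ($isDomain) {
        $risk = 'REVIEW: domain account with password stored on this server'
    } else {
        $risk = 'Local account with stored password'
    }

    [pscustomobject]@{
        AppPool      = $pool.Name
        IdentityType = $identityType
        Account      = $userName
        Risk         = $risk
    }
}

$report | Sort-Object Risk -Descending | Format-Table -AutoSize

# Optional: for each flagged domain account, list its AD group memberships so
# you can confirm it holds no privileged groups (Domain Admins, Account Operators,
# and so on). Requires the ActiveDirectory RSAT module; uncomment to use.
# Import-Module ActiveDirectory
# $report | Where-Object { $_.Risk -like 'REVIEW*' } | ForEach-Object {
#     $sam = (($_.Account -split '\\')[-1]) -replace '@.*$', ''
#     "$($_.AppPool) -> $sam"
#     Get-ADPrincipalGroupMembership -Identity $sam | Select-Object -ExpandProperty Name
# }
```

Run it on each IIS server as part of a build review or periodic audit; any pool reported as REVIEW is a credential that a local Administrator of that server can recover, so its account must be treated as no more trusted than the server's own local admins. The fix the post argues for is to run such pools as ApplicationPoolIdentity where possible, or as a dedicated domain account with no rights beyond what the application itself needs.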