Re: This is the CORRECTED POST please ignore the one before same subject MULTIPLE Remote Issues with IIS 5.1 on Windows XP

From: sozni (sozni@xato.net)
Date: 02/12/02


From: sozni <sozni@xato.net>
To: <adonis1@videotron.ca>, BUGTRAQ <bugtraq@securityfocus.com>
Date: Tue, 12 Feb 2002 08:50:45 -0700

I must clear up some issues on this advisory which is located at
http://www.safehack.com/Advisory/IIS5webdir.txt as well as a previous
advisory by the same author, NtWaK0, which is located at
http://www.safehack.com/Advisory/shtmldump.txt

Normally I wouldn't bother commenting on an advisory like this but
when it comes to the FrontPage server extensions, vulnerabilities
often get picked up by others without any verification. Perhaps this
is because so few really understand much about FPSE security.

In this commentary I am going to address the specific issues
mentioned in the original advisory. My conclusions are based on my
experience with FPSE security and actual testing on two separate
Windows XP/IIS 5.1 installations as well as two Windows 2000/IIS 5.0
installations. I can provide specific documentation on my tests if
anyone wishes to validate my research.

The first issue to address is the claim that "_vti_bin/shtml.dll Can
lead to REMOTE Exploit on IIS 5.1." In the advisory located at
http://www.safehack.com/Advisory/shtmldump.txt, the author claims
that by sending the request GET /_vti_bin/shtml.dll, binary data
was returned, which incidentally is the binary contents of the
shtml.dll file. In other words, a GET request was made for shtml.dll
and so the server sent the file shtml.dll back to the client. If
this request had been made in a normal web browser, the Save As
dialog box would have popped up, asking where to save shtml.dll.

This situation would occur if the _vti_bin directory did not have
execute permissions and did have read permissions, which is not the
case with a default installation. The author seemed to imply that
the previous malformed requests that were blocked by URLScan were the
cause of the binary contents being returned, but did not state
whether he had tried a successful GET request for shtml.dll before
submitting those URLs.

Nevertheless, even if the two malformed requests caused the binary
contents of shtml.dll to be returned, that would by no means lead to
a compromise of the system. Having the remote web site's shtml.dll
is hardly going to lead to a compromise of a web server. This is NOT
a vulnerability, but likely a misconfigured web server.

The next three issues, addressed in the more recent advisory, are
that certain files in the _vti_pvt directory will reveal information
about the server. However, by default, anonymous users do not have
read or write permissions to the _vti_pvt directory or its contents.
Even if the permissions were manually changed to allow reading of
this file, this is an old issue. Several years ago I had written a
script for RFP's whisker scanner that was later integrated into the
main scan.db. This script snippet is as follows:

# These can be used to learn more about the server
scan () _vti_pvt >> access.cnf
info - Contains HTTP server-specific access control information

scan () _vti_pvt >> service.cnf
info - Contains meta-information about the web

scan () _vti_pvt >> services.cnf
info - Contains the list of subwebs.

scan () _vti_pvt >> writeto.cnf
info - Contains information about form handler result files

scan () _vti_pvt >> svcacl.cnf
info - File used to store whether subwebs have unique permissions
settings
info - and any IP address restrictions. Can be used to discover
info - information about subwebs

Default permissions were later tightened to prevent this information
leak. This issue is NOT a vulnerability unless the admin explicitly
gives anonymous users access to this file. By default, remote users
do not have access to these files. Again, this is a misconfigured
server.

The final issue is that /iishelp/common/colegal.htm will give access
to other files. The author states that the request GET
/iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf will
return the contents of the access.cnf file. The flaw with this is
that colegal.htm is simply an HTML file with static content. There
is some client-side JavaScript for browser support but no server-side
code or server-side includes that would allow that file to access
anything else on the system. In fact, the colegal.htm file is not
even being accessed in that request. IIS will parse all of the ../'s
which will take it to the web root (and ignore the extra ../'s) then
down to the /_vti_pvt directory. If NtWaK0 had his friend look at
his web logs, he would see that there was never any request for
colegal.htm. This is NOT a vulnerability.

Even if it were vulnerable, since we know that a direct request to
access.cnf on that misconfigured test server already returns the file
contents, there is no proof that the colegal.htm request was
successful. The proper way to test this is to request a file and get
an access denied error then repeat the test with the exploit to show
that the exploit worked.

In the two advisories I tested, I found nothing that was an actual
vulnerability. All of these issues were likely because the test
server was not configured correctly. Furthermore, none of these
issues are specific to IIS 5.1. Improperly configured FrontPage
Server Extensions will exhibit this behaviour on any platform.

Advisories such as this without any testing or confirmation by the
vendor are what give security testers a bad name. The author says
that Microsoft was notified but does not mention anything about
getting any response from them. Where the author does not even have
his own copy of IIS for testing, advisories such as these are better
suited for vuln-dev. All of his tests were performed on a single XP
system he did not install and therefore had no control over the
configuration. Unverified vulnerabilities such as these make it
difficult to sift through the ever-increasing amount of security
information we are faced with every day. I do not mean to insult
this author; I certainly commend him for his effort and creativity,
but I do feel like this advisory was irresponsible. Even when I am
absolutely sure of a security issue and have received confirmation
from the vendor, I bounce my ideas off other security experts as a
sanity check before sending anything out to the public. Hopefully
NtWaK0 and others will also do so in the future.

One final note is that the author mentions that a search for
"writeto.cnf" at google.com will return many results. This statement
is true. While not a vulnerability in the FrontPage Server
Extensions, it is a good indication of how many FrontPage webs are
not properly secured. However, keep in mind that many of those sites
are running old versions of FPSE and many of those directory listings
are sites that have FPSE disabled but the files were never removed
from the site. Another more refined search for these servers is to
search for "Index of /_vti_pvt/" (be sure to include the quotes in
the search).

sozni
www.xato.net

On Sun, 10 Feb 2002 21:29:36 -0500, Adonis.No.Spam wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>NtWaK0 Advisory
>
>Affected : Windows XP with IIS 5.1
>Type     : MULTIPLE Remote Issues
>Type     : Remote/Local Security Issues
>Date     : 10-02-2002
>Author   : NtWaK0 @ www.SafeHack.com
>Credit   : NtWaK0 @ www.SafeHack.com
>
>Remote/Local Exploit
>
>www.SafeHack.com
>
>Disclaimer
>
>
>This material is presented for informational and entertainment
>purposes only, and to satisfy the curious. Any activities described
>in this file which involve vandalism, theft, or any other illegal
>activities are recounted from third-party conversations. I do not
>condone or encourage vandalism or theft. I do not accept any
>liability for anything anyone does with this information. So, don't
>shoot the messenger.
>Remember: Use a computer in ways that ensure respect for your
>fellows.
>
>T.O.C.
>
>[ Brief History . . . . . . line 40 ]
>[ The Problem . . . . . . . line 60 ]
>[ The Solution . . . . . . line 156 ]
>
>Brief History
>
>I had the chance to play for a couple of hours with IIS 5.1 on a
>friend's box, thanks to Recon. While I was trying some stuff on IIS
>5.1 I found MANY problems with the default IIS 5.1 installation and
>with files installed by default.
>
>This one is not the same as the one reported earlier. The one
>reported before had to deal with "GET /_vti_bin/shtml.dll".
>A copy of it can be found at:
>http://www.safehack.com/Advisory/shtmldump.txt
>
>Test OS: Tested on Windows XP with IIS 5.1
>
>Please continue to read for more details.
>
>The Problem
>
>
>>>> 1- Issue <<<
>
>Identify WEB DIR installation. By sending this "GET
>/_vti_pvt/access.cnf" you can identify the web installation. As we
>all know this is a helpful piece of information if someone is
>going to attack your web site.
>
>>>> Proof-Of-Concept <<<
>
>C:\Tool>nc -v -n 67.82.156.211 81
>(UNKNOWN) [67.82.156.211] 81 (?) open
>GET /_vti_pvt/access.cnf
>vti_encoding:SR|utf8-nl
>RealmName:LAMER
>InheritPermissions:false
>PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt
>
>There is another security issue with this too.
>"InheritPermissions:false" This will tell the security inheritance
>of that folder.
>
>>>> 2- Issue <<<
>
>>>> Proof-Of-Concept <<<
>
>C:\Tool>nc -v -n 67.82.156.211 81
>(UNKNOWN) [67.82.156.211] 81 (?) open
>GET /_vti_pvt/botinfs.cnf
>
>vti_encoding:SR|utf8-nl
>D\:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\40\\bots\\vinavbar\\vinavbar.inf:VW|vinavbar
>
>
>>>> 3- Issue <<<
>
>>>> Proof-Of-Concept <<<
>
>C:\Tool>nc -v -n 67.82.156.211 81
>(UNKNOWN) [67.82.156.211] 81 (?) open
>GET /_vti_pvt/bots.cnf
>vti_encoding:SR|utf8-nl
>vinavbar:VW|D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\vinavbar.inf
>vinavbar E I info N D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\fp4Avnb.dll
>
>>>> 4- Issue <<<
>Using GET /iishelp/common/colegal.htm you can access other files
>under the web structure. I did not have a chance to test it on files
>above the web structure. Like I said I do not run IIS 5.1 but a
>friend does.
>One of these days I am going to buy more memory for some of my
>old boxes and slap IIS 5.1 on one to be able to do better tests.
>
>>>> Proof-Of-Concept <<<
>C:\Tool>nc -v -n 67.82.156.211 81
>(UNKNOWN) [67.82.156.211] 81 (?) open
>GET /iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf
>vti_encoding:SR|utf8-nl
>RealmName:LAMER
>InheritPermissions:false
>PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt
>
>writeto.cnf [Extracted From]
>http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/office/reskit/fp98serk/appendixes/A_SPFILE.asp
>
>Back links for files that can be written to by users of the web,
>such as Save Results Form handler result files. Files that can be
>written to by users of the web have a looser security setting than
>regular web content.
>
>C:\Tool>nc -v -n 67.82.156.211 81
>(UNKNOWN) [67.82.156.211] 81 (?) open
>GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll
>MZ ... This program cannot be run in DOS mode.
>[binary PE contents of admin.dll, unreadable as text]
>
>C:\Tool>nc -v -n 67.82.156.211 81
>(UNKNOWN) [67.82.156.211] 81 (?) open
>GET /_vti_pvt/linkinfo.cnf
>vti_encoding:SR|utf8-nl
>javascript\:loadhelpfront();:localstart.asp
>javascript\:activate(<%=iver%>);:localstart.asp
>http\://www.safehack.com:index.htm
>/iishelp/common/colegal.htm:localstart.asp
>
>NOTE: A search on google for "writeto.cnf" returned alarming
>results:
>http://www.google.com/search?q=writeto.cnf&hl=en&btnG=Google+Search&meta=
>
>The Solution
>
>No idea. Vendor was informed.
>If you are going to use the issues found here, credit must be given
>to the author. NtWaK0 @ www.safehack.com
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 7.1
>
>iQA/AwUBPGcsA/PoW9fFNsN8EQJ3iwCfeLCNw3XWJS7c7bPG1pkqgM06ihEAoOdV
>w0aAHeJqCi7MoCs62m5AR8dm
>=u7kB
>-----END PGP SIGNATURE-----
>
>
>________________________________________________________________________
>The only secure computer is one that's unplugged, locked in a
>safe, and buried 20 feet under the ground in a secret location...
>and i'm not even too sure about that one"--Dennis Huges, FBI.
>
>________________________________________________________________________
>Live Well Do Good www.SafeHack.com | Je
>Pense, Donc Je Suis \(|)/ I know
>I ain't perfect, but i'm 99 point 9 percent :) --(")--
>RFCs are meant to be read and followed:) /`\
>NtWaK0
>________________________________________________________________________
>Connect yourself to the main computer and let me take you on a
>cybernetic ride. Are you connected to the right cybernet? If you
>are, finally you are connected to my brain.
>
>________________________________________________________________________
>-=- Use a computer in ways that ensure respect for your fellows
>-=-
>
>
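Added example, not from either advisory or from sozni's reply: a small Python model of the two points sozni makes about issue 4. First, a server maps the request path onto the web root before it opens anything, so every `../` is collapsed (and any `../` at the root is dropped), which is why the `colegal.htm:../../../../../_vti_pvt/access.cnf` request never touches colegal.htm. Second, the only test that demonstrates a bypass is a denied direct request followed by a successful one through the claimed trick. The function names, the percent-decoding step and the status codes used are assumptions for illustration, not IIS internals, and the model goes slightly beyond the text by also decoding `%2e%2e` before collapsing.

```python
# Added example: models URL-path normalization as a server performs it and
# encodes the baseline-then-candidate test described in the reply.
# Function names and status codes are illustrative assumptions, not IIS code.
from urllib.parse import unquote


def resolve_request_path(raw_path):
    """Map a URL path onto a web root before any file is opened.

    Percent-escapes are decoded, then segments are walked: '..' pops the
    previous segment, and a '..' with nothing left to pop is simply dropped,
    so the result can never climb above the web root.  Returns the normalized
    path, the segments that were popped (named in the request but never
    opened), and how many '..' were ignored at the root.
    """
    stack = []
    popped = []
    ignored_at_root = 0
    for segment in unquote(raw_path).split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                popped.append(stack.pop())
            else:
                ignored_at_root += 1
            continue
        # Note: "colegal.htm:.." is an ordinary segment name here; the ':'
        # does not make it a dot segment, it is just popped by the next '..'.
        stack.append(segment)
    return {
        "normalized": "/" + "/".join(stack),
        "popped": popped,
        "ignored_at_root": ignored_at_root,
    }


def is_fpse_config_request(raw_path):
    """Defender-side check: does the normalized target land in _vti_pvt?

    On a correctly configured FrontPage web such requests are answered
    with 401/403 whatever decoy prefix the path carries, so this is the
    set of requests worth checking against the server's own access log.
    """
    return resolve_request_path(raw_path)["normalized"].startswith("/_vti_pvt/")


def classify_bypass_test(baseline_status, candidate_status):
    """Encode the test method from the reply: request the target directly
    (baseline), then repeat it through the claimed bypass (candidate).

    Only a denied baseline followed by a successful candidate shows a
    bypass.  If the direct request already succeeds the candidate proves
    nothing: the server is simply misconfigured.
    """
    denied = {401, 403}  # 'access denied' answers
    if baseline_status not in denied:
        return "inconclusive: direct request already succeeds"
    if candidate_status == 200:
        return "bypass demonstrated"
    return "no bypass"


# Request quoted from the advisory (issue 4).
ADVISORY_REQUEST = "/iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf"

if __name__ == "__main__":
    result = resolve_request_path(ADVISORY_REQUEST)
    print("server opens:", result["normalized"])
    print("segments walked over, never opened:", result["popped"])
    print("'..' ignored at web root:", result["ignored_at_root"])
    # Constructed status codes for the two runs on a correctly configured web.
    print(classify_bypass_test(403, 403))
    # Constructed codes for the misconfigured test server in the advisory.
    print(classify_bypass_test(200, 200))
```

Run stand-alone, the model reports that the server opens /_vti_pvt/access.cnf, that colegal.htm (together with common and iishelp) is popped without ever being read, and that one surplus `..` is discarded at the root, which is the log pattern sozni says his friend would have seen.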