Re: Web Services

From: Ivan Hernandez (ivan.hernandez@globalsis.com.ar)
Date: 03/07/02


Date: Thu, 07 Mar 2002 17:12:19 -0300
From: Ivan Hernandez <ivan.hernandez@globalsis.com.ar>
To: jmcmaster@appliedsystems.com

That's the output of the scan? Well... I have never seen ksh and
cmd.exe!!!! You have not only several security problems, you've got
multiplatform security problems!!!!!! =o)
I think your WebScan has been drinking, so try the test again. If it
continues saying the same, dump it and try the powerful and omnisapient
Nessus Scanner (http://www.nessus.org).

Good luck!
Ivan Hernandez

jmcmaster@appliedsystems.com wrote:

>Cerberus WebScan is telling me this about my server. It says it's IIS/5.0,
>but I have that uninstalled and all of its services stopped, and have
>Apache running on it, and I don't even have these dirs on my server, and I
>don't know if this is a real security problem or not. The access log
>from Apache I will attach too, but it just shows 404 errors when it tried to
>access these files. Can anyone explain to me what's going on, or if I should
>even worry? This is a Win2k server w/ SP2 and all the security updates,
>except maybe one, with Apache 1.3.2.3 Win32 version. Thanks.
>
>Web Service
>Web Server Software is Microsoft-IIS/5.0
>Security Issues
><http://www.shadey.com/cgi-bin/>
>Directory listing is allowed of the /cgi-bin/. This allows an attacker to
>browse through scripts and executables in this directory allowing them to
>target and exploit potential weaknesses. Directory browsing should be
>disabled.
><http://www.shadey.com/scripts/>
>Directory listing is allowed of the /scripts/ directory. This allows an
>attacker to browse through scripts and executables allowing them to target
>and exploit potential weaknesses. Directory browsing should be disabled.
><http://www.shadey.com/cgi-bin/sh>
>The UNIX shell interpreter "sh" has been found in the /cgi-bin/. This should
>be removed as it could allow remote attackers to run commands on the web
>server remotely
><http://www.shadey.com/cgi-bin/csh>
>The UNIX C shell interpreter "csh" has been found in the /cgi-bin/. This
>should be removed as it could allow remote attackers to run commands on the
>web server remotely
><http://www.shadey.com/cgi-bin/ksh>
>The UNIX shell interpreter "ksh" has been found in the /cgi-bin/. This
>should be removed as it could allow remote attackers to run commands on the
>web server remotely
><http://www.shadey.com/cgi-bin/cmd.exe?/c>
>The Windows NT shell interpreter "cmd.exe" has been found in the /cgi-bin/.
>This should be removed as it allows remote attackers to run commands on the
>web server remotely.
><http://www.shadey.com/scripts/cmd.exe?/c>
>The Windows NT shell interpreter "cmd.exe" has been found in the /scripts/
>directory. This should be removed as it allows remote attackers to run
>commands on the web server remotely.
><http://www.shadey.com/cgi-bin/cmd32.exe>
>Perl's "cmd32.exe" has been found in the /cgi-bin/. This should be removed
>as it allows remote attackers to run commands on the web server remotely
><http://www.shadey.com/scripts/cmd32.exe>
>Perl's "cmd32.exe" has been found in the /scripts/ directory. This should be
>removed as it allows remote attackers to run commands on the web server
>remotely
><http://www.shadey.com/cgi-bin/perl.exe?-v>
>Perl.exe found in the /cgi-bin. This is highly dangerous as it allows an
>attacker to run system commands. This should be removed as soon as possible.
>
><http://www.shadey.com/scripts/perl.exe?-v>
>Perl.exe found in the /scripts directory. This is highly dangerous as it
>allows an attacker to run system commands. This should be removed as soon as
>possible.
><http://www.shadey.com/scripts/tools/newdsn.exe>
>Newdsn.exe can be used by an attacker to create files anywhere on your
>disk if they have the correct NTFS file permissions to do so. Newdsn.exe can
>also be used to overwrite the DSNs of existing on-line databases, making the
>information contained in the database inaccessible.
>This file, getdrvrs.exe, dsnform.exe and mkilog.exe should be deleted or
>renamed unless there is a strong reason not to do so. In that case, ensure
>that only Administrators may access them.
><http://www.shadey.com/_vti_bin/fpcount.exe?Page=default.htm|Image=3|Digits=15>
>Fpcount.exe has been found in the /_vti_bin/ directory. If, when the link
>above is followed, fifteen digits are displayed, this version of fpcount.exe
>is from the FrontPage Server Extensions 97 package and it contains a buffer
>overrun that allows remote execution of arbitrary code.
>This should be deleted until a copy of the 98 version of FrontPage can be
>obtained.
>http://www.shadey.com/iissamples/issamples/query.asp
><http://www.shadey.com//iissamples/issamples/query.asp>
>The query.asp page is the default sample search page for Index Server on
>IIS4. From here an attacker can perform searches for files of a certain type
>using "#filename=*.exe" or "#filename=*.asp". Ensure that Index Server has
>been configured not to return results for searches such as these.
>Server exhibits the ::$DATA bug.
>This can allow an attacker to download the source of scripts, such as Active
>Server Pages or Perl scripts. This problem is fixed with Service Pack 4, or a
>post-SP3 hotfix can be downloaded from the Microsoft web site.
><http://www.shadey.com/samples/search/queryhit.htm>
>The queryhit.htm page is the default sample search page for Index Server
>1.1. From here an attacker can perform searches for files of a certain type
>using "#filename=*.exe" or "#filename=*.asp". Ensure that Index Server has
>been configured not to return results for searches such as these.
><http://www.shadey.com/iissamples/exair/search/advsearch.asp>
>The sample ExAir site contains a number of scripts that can cause a
>temporary situation where the inetinfo.exe process consumes 100 percent of
>the processor time for 90 secs. This only happens if the Index Server ISAPI
>dlls have not been loaded into memory. If they are not and this page or
>query.asp or search.asp Are accessed directly the script will loop.
>The solution to this problem is to remove these files.
>http://www.shadey.com/iisadmpwd/aexp2.htr
><http://www.shadey.com/iisadmpwd/aexp3.htr>
>From here an attacker can launch password attacks against the local machine
>or proxied attacks against other machines on the network. More
>information can be found here
><http://www.infowar.co.uk/mnemonix/iispassproxy.htm>
><http://www.shadey.com/scripts/repost.asp>
>Microsoft's Site Server 2.0 is installed. This allows users to upload files
>to the /users directory. Even if it doesn't exist, any valid user can create
>the directory via the web, and the default NTFS permissions given to this
>directory give the Everybody Group the "Change" permission, which allows
>anybody to create, modify or delete files in that directory. Added to this,
>IIS gives the "Write" permission, allowing users to use the HTTP PUT
>REQUEST_METHOD to place content on the web site via the HTTP protocol.
>Because of the defaults, if anonymous access is granted to the site anybody
>can do this. Ensure that, if the directory exists, the Anonymous Internet
>Account is given only read access to this directory. Remove change
>permissions for the Everybody Group and assign permissions per user.
><http://www.shadey.com/iissamples/exair/howitworks/codebrws.asp>
>This sample script should be removed. It allows attackers to access files on
>the same volume as the IIS install outside of the web file system.
><http://www.shadey.com/msadc/samples/selector/showcode.asp>
>This sample script should be removed. It allows attackers to access files on
>the same volume as the IIS install outside of the web file system.
><http://www.shadey.com/search?>
>The search engine on Netscape Enterprise Server 3.5.x is enabled by default.
>It is possible, by using specially formed search requests to obtain the
>source scripts. The search engine and collections indexed should be checked
>carefully to see if this problem exists on this site. If the search
>functionality is not needed it should be disabled from the administration
>pages.
><http://www.shadey.com/index.html>
>By appending to the end of a file on Windows NT with Netscape Enterprise
>3.5.x it accesses the raw data and consequently allows downloading of script
>source. There is a patch available to resolve this issue.
><http://www.shadey.com/scripts/rguest.exe>
>rguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
>anywhere on the file system to be read. It is suggested that wguest.exe be
>removed.
><http://www.shadey.com/cgi-bin/rguest.exe>
>rguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
>anywhere on the file system to be read. It is suggested that rguest.exe be
>removed.
><http://www.shadey.com/scripts/wguest.exe>
>wguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
>anywhere on the file system to be read. It is suggested that wguest.exe be
>removed.
><http://www.shadey.com/cgi-bin/wguest.exe>
>wguest.exe (Webcom CGI guestbook) has a vulnerability that allows files
>anywhere on the file system to be read. It is suggested that wguest.exe be
>removed.
><http://www.shadey.com/cgi-bin/get32.exe>
>On Alibaba web servers this CGI program can be used to run commands. It
>should be removed or updated.
><http://www.shadey.com/cgi-bin/alibaba.pl>
>This script can be exploited to allow commands to be run on the server
>remotely. It should be removed or updated.
><http://www.shadey.com/cgi-bin/tst.bat>
>tst.bat can be exploited to run commands on the server remotely. It should
>be removed.
><http://www.shadey.com/cgi-win/uploader.exe>
>uploader.exe can be exploited to allow attackers to upload files remotely.
>Ensure you are not vulnerable and if you are update it or remove it.
><http://www.shadey.com/cgi-bin/FormHandler.cgi>
>FormHandler.cgi uses physical paths for web form templates. An attacker can
>locally (ie on their machine) modify the form and gain access to sensitive
>files such as /etc/passwd. This should be updated to prevent this.
><http://www.shadey.com/cgi-bin/testcgi>
>Some early versions of testcgi have a vulnerability where *NIX shell
>metacharacters can be fed in and reveal directory listings etc. testcgi
>should be removed anyway as it gives away too much information about the
>system.
>http://www.shadey.com/cgi-bin/testcgi/*?*
><http://www.shadey.com/cgi-bin/test-cgi/*?*>
>Some versions of test-cgi have a vulnerability where *NIX shell
>metacharacters can be fed in and reveal directory listings etc. test-cgi
>should be removed anyway as it gives away too much information about the
>system.
><http://www.shadey.com/cgi-bin/test.cgi>
>Ensure that test.cgi, found in the /cgi-bin, strips out shell metacharacters
>from HTTP input. test.cgi should be removed anyway as it gives away too much
>information about the system.
><http://www.shadey.com/cgi-bin/environ.pl>
>environ.pl should be removed anyway as it gives away too much information
>about the system.
><http://www.shadey.com/scripts/environ.pl>
>environ.pl should be removed anyway as it gives away too much information
>about the system.
><http://www.shadey.com/server-info>
>server-info reveals too much information about the system. Limit access to
>this location in httpd.conf
><http://www.shadey.com/server-status>
>server-status reveals too much information about the system. Limit access to
>this location in httpd.conf
><http://www.shadey.com/cgi-bin/tcsh>
>The UNIX shell interpreter "tcsh" has been found in the /cgi-bin/. This
>should be removed as it could allow remote attackers to run commands on the
>web server remotely
><http://www.shadey.com/cgi-bin/cgitest.exe>
>Cgitest.exe, by Antelope Software, found in the /cgi-bin/ directory,
>exhibits a buffer overrun vulnerability caused by an overly long User-Agent
>HTTP client header field. If exploited it can allow attackers to execute
>arbitrary code. Cgitest.exe should be removed.
><http://www.shadey.com/~root>
>Access to /~root is allowed. This potentially gives an attacker access to
>the whole file system. This should be fixed as soon as is possible.
><http://www.shadey.com/~ftp>
>Access to /~ftp is allowed. This presents a problem if Server Side Includes
>are turned on and anonymous uploads are allowed via ftp. Even still, remote
>users should be denied access to this directory.
><http://www.shadey.com/cgi-bin/phf?Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone=>
>Older versions of the phf script don't strip the newline character from user
>supplied input. Consequently it allows attackers to run arbitrary commands on
>the web server. Ensure this script is not vulnerable.
><http://www.shadey.com/cgi-bin/count.cgi>
>Some versions of count.cgi contain a buffer overrun. A CERT advisory was
>issued regarding this issue. See <http://www.cert.org>.
><http://www.shadey.com/cgi-bin/nph-test-cgi>
>Some versions of the nph-test-cgi script do not check user supplied input
>properly, allowing attackers to get directory listings. It would be safer to
>remove it anyway as it gives out too much information.
><http://www.shadey.com/cgi-bin/webdist.cgi>
>Webdist.cgi, as distributed with IRIX 5.x and 6.x, contains a vulnerability
>that allows remote attackers to execute commands. It should be removed.
><http://www.shadey.com/cgi-bin/aglimpse>
>Some early versions of the aglimpse script ( < c. late 1997) contain a
>vulnerability that allows remote attackers to run commands on the server. If
>you have not updated recently see <http://glimpse.cs.arizona.edu>.
>
>ACCESS LOG from apache
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/ HTTP/1.0" 403 291
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "HEAD / HTTP/1.0" 200 0
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /*.idc HTTP/1.0" 403 288
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/ HTTP/1.0" 404 287
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/csh HTTP/1.0" 404 290
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/sh HTTP/1.0" 404 289
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/ksh HTTP/1.0" 404 290
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cmd.exe?/c HTTP/1.0" 404 294
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/cmd.exe?/c HTTP/1.0" 404 294
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cmd32.exe HTTP/1.0" 404 296
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/cmd32.exe HTTP/1.0" 404 296
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/perl.exe?-v HTTP/1.0" 404 295
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/perl.exe?-v HTTP/1.0" 404 295
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/tools/newdsn.exe HTTP/1.0" 404 303
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /_vti_bin/fpcount.exe?Page=default.htm|Image=3|Digits=15 HTTP/1.0" 404 299
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /samples/search/queryhit.htm HTTP/1.0" 404 306
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /iissamples/issamples/query.asp HTTP/1.0" 404 309
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/*%0a.pl HTTP/1.0" 404 292
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /iissamples/exair/search/advsearch.asp HTTP/1.0" 404 316
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /iisadmpwd/aexp3.htr HTTP/1.0" 404 298
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/repost.asp HTTP/1.0" 404 297
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS / HTTP/1.0" 200 -
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS /users/ HTTP/1.0" 200 -
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS /cgi-bin/ HTTP/1.0" 200 -
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS /scripts/ HTTP/1.0" 200 -
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /msadc/samples/selector/showcode.asp HTTP/1.0" 404 314
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0" 404 319
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /?PageServices HTTP/1.0" 200 1852
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /search? HTTP/1.0" 404 285
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /index.html%20 HTTP/1.0" 200 1852
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/rguest.exe HTTP/1.0" 404 297
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/rguest.exe HTTP/1.0" 404 297
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/wguest.exe HTTP/1.0" 404 297
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/wguest.exe HTTP/1.0" 404 297
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/get32.exe HTTP/1.0" 404 296
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/alibaba.pl HTTP/1.0" 404 297
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/tst.bat HTTP/1.0" 404 294
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-win/uploader.exe HTTP/1.0" 404 299
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/FormHandler.cgi HTTP/1.0" 404 302
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/testcgi HTTP/1.0" 404 294
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/test-cgi/*?* HTTP/1.0" 404 297
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/test.cgi HTTP/1.0" 404 295
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/enivron.pl HTTP/1.0" 404 297
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/environ.pl HTTP/1.0" 404 297
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /server-info HTTP/1.0" 404 290
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /server-status HTTP/1.0" 404 292
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/tcsh HTTP/1.0" 404 291
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cgitest.exe HTTP/1.0" 404 298
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /~root HTTP/1.0" 404 284
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /~ftp HTTP/1.0" 404 283
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/phf?Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone= HTTP/1.0" 404 290
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/count.cgi HTTP/1.0" 404 296
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 404 299
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/webdist.cgi HTTP/1.0" 404 298
>12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/aglimpse.cgi HTTP/1.0" 404 299
>
>
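
The practical point of the thread is that a scanner's "found" verdicts mean nothing until they are checked against what the server actually answered, and the quoted Apache log already contains that answer. The script below is an added example, not part of either message and not Cerberus or Nessus code. It parses Apache common-log lines, groups the scanning host's requests by status, and checks each scanner-reported URL against the status the server returned for that exact request target. Assumptions: the scanner's source address is 12.251.183.246 (the only client in the quoted log), SAMPLE_LOG is a constructed excerpt of the quoted lines with the mail wrapping undone, and SCANNER_FINDINGS is a hand-picked subset of the URLs in the scanner report (for the Netscape "appended character" check the log shows the probe was /index.html%20, so that is the form used here).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "common" log format:  host ident authuser [time] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>HTTP/\d\.\d))?" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)$'
)

# Constructed excerpt of the access log quoted in the post, with the
# lines that were wrapped by the mail client rejoined.
SAMPLE_LOG = """\
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/ HTTP/1.0" 403 291
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "HEAD / HTTP/1.0" 200 0
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/cmd.exe?/c HTTP/1.0" 404 294
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /scripts/perl.exe?-v HTTP/1.0" 404 295
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "OPTIONS / HTTP/1.0" 200 -
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /?PageServices HTTP/1.0" 200 1852
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /index.html%20 HTTP/1.0" 200 1852
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /cgi-bin/phf?Qalias=&Qname=haqr&Qemail=&Qnickname=&Qoffice_phone= HTTP/1.0" 404 290
12.251.183.246 - - [07/Mar/2002:10:19:07 -0800] "GET /~root HTTP/1.0" 404 284
"""

# Hand-picked subset of the URLs the scanner reported as "found" (assumption:
# the index.html entry is given as the probe the log shows was actually sent).
SCANNER_FINDINGS = [
    "http://www.shadey.com/cgi-bin/",
    "http://www.shadey.com/cgi-bin/cmd.exe?/c",
    "http://www.shadey.com/cgi-bin/tcsh",
    "http://www.shadey.com/index.html%20",
]


def parse_clf(line):
    """Parse one common-log line; return a dict, or None if it does not match."""
    m = CLF_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    # Apache logs "-" for a zero-byte body (e.g. OPTIONS); normalise it to 0.
    entry["bytes"] = 0 if entry["bytes"] == "-" else int(entry["bytes"])
    return entry


def parse_log(text):
    """Parse every line of a log; silently skip lines that are not CLF."""
    return [e for e in (parse_clf(l) for l in text.splitlines()) if e]


def scanner_hits(entries, scanner_ip):
    """Group every request from the scanning host by the status it received."""
    by_status = defaultdict(list)
    for e in entries:
        if e["host"] == scanner_ip:
            by_status[e["status"]].append((e["method"], e["target"]))
    return dict(by_status)


def request_target(url):
    """Reduce a scanner URL to the path?query form Apache writes in the log.
    urlsplit keeps percent-encoding, so /index.html%20 compares as logged."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def confirm_findings(reported_urls, entries):
    """Split reported URLs into those the server actually served (2xx) and
    those it refused (4xx), did not have, or was never asked for in this log
    (status None)."""
    seen = {}
    for e in entries:
        if e["method"] in ("GET", "HEAD"):
            seen.setdefault(e["target"], e["status"])
    confirmed, unconfirmed = {}, {}
    for url in reported_urls:
        target = request_target(url)
        status = seen.get(target)
        if status is not None and 200 <= status < 300:
            confirmed[target] = status
        else:
            unconfirmed[target] = status
    return confirmed, unconfirmed


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for status, reqs in sorted(scanner_hits(entries, "12.251.183.246").items()):
        print(status, len(reqs), "requests")
    confirmed, unconfirmed = confirm_findings(SCANNER_FINDINGS, entries)
    print("served, verify by hand:", confirmed)
    print("refused, missing or never probed:", unconfirmed)
```

On the quoted log this sorts almost every "found" item into the refused/missing bucket, which is the evidence that the scanner reported on requests regardless of the response; only the handful of 200s (the OPTIONS probes, /?PageServices and /index.html%20) are left for a manual look, and a 200 on its own still only says the server served something, not that any of the scanner's claims about it hold.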


