RE: Microsoft IIS - Possible authentication flaw?

From: ZeroBreak (ZeroBreak@softhome.net)
Date: 05/29/02


From: "ZeroBreak" <ZeroBreak@softhome.net>
To: vuln-dev@securityfocus.com
Date: Tue, 28 May 2002 22:24:09 -0400

I found this quite interesting. However, due to time constraints I didn't
have long to sit here and play tonight :(. My tests were done using IIS
5.0 with Service Pack 2 and up to date with all hotfixes that pertain
to it. In my tests I found that sending the % followed by any number
and then any character will result in the strange event logs. I.e.: '%11'
works just the same as '%1p' or '%9b' etc... But with that it will yield
2 event logs. (This does leave normal traces behind in the IIS logs, so
it's not untraceable.)

I haven't been able to get any similar results using anything other than
'%' + num + any_char combinations. But like I said all '%' + num +
any_char combinations worked.

        [Event Log 1 of 2 with %11]
        Date: 5/28/2002
        Time: 21:36
        Type: Failure
        User: NT AUTHORITY\SYSTEM
        Computer: SERVER
        Source: Security
        Category: Logon/Logoff
        Event ID: 529
        Description:
                Reason: Unknown user name or password
                User Name: %11
                Domain: %2
                Logon Type: %3
                Logon Process: %4
                Authentication Package: %5
                Workstation Name: %6

        [Event Log 2 of 2 with %11]
        Date: 5/28/2002
        Time: 21:36
        Type: Failure
        User: NT AUTHORITY\SYSTEM
        Computer: SERVER
        Source: Security
        Category: Account Logon
        Event ID: 681
        Description:
                The logon to account: %11
                by: %1
                from workstation: %3
                failed. The error code was: %4

But what I found even more interesting is when we fill our username box
in the authentication dialog. By sending
'%1aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' as our username we get much
different results as seen below.

In the second event log under the User Name: there was, in the event
log, a %1 followed by 25,600 a's. But for the sake of everyone else I
shortened it :).
        
        [Event Log 1 of 2 when filling the username box in the authentication dialog]
        Date: 5/28/2002
        Time: 21:45
        Type: Success
        User: SERVER\Administrator
        Computer: SERVER
        Source: Security
        Category: Privilege Use
        Event ID: 578
        Description:
                Privileged object operation:
                        Object Server: EventLog
                        Object Handle: 0
                        Process ID: 248
                        Primary User Name: SERVER$
                        Primary Domain: WORKGROUP
                        Primary Logon ID: (0x0,0x3E7)
                        Client User Name: Administrator
                        Client Domain: SERVER
                        Client Login ID: (0x0,0xBDB5)
                        Privileges:
SeSecurityPrivilege

        [Event Log 2 of 2 when filling the username box in the authentication dialog]
        Date: 5/28/2002
        Time: 21:45
        Type: Failure
        User: NT AUTHORITY\SYSTEM
        Computer: SERVER
        Source: Security
        Category: Logon/Logoff
        Event ID: 537
        Description:
                Logon Failure:
                        Reason: An unexpected error occurred during logon
                        User Name: %1(a * 25,600)
                        Domain: %2
                        Logon Type: %3
                        Logon Process: %4
                        Authentication Package: %5
                        Workstation Name: %6
                        

Like I said earlier, I haven't really had time to play with this at all.
If anyone else finds anything interesting, post to the list because I would
definitely like to know :). Hopefully tomorrow will allow more time for
play, hehe.

        ZeroBreak
        (ZeroBreak@softhome.net) or (ZeroBreak@mailandnews.com)

-----Original Message-----
From: root@synopse.homeip.net [mailto:root@synopse.homeip.net]
Sent: Monday, May 27, 2002 4:37 PM
To: vuln-dev@securityfocus.com
Subject: Microsoft IIS - Possible authentication flaw?

Greetings,

I was playing around with Microsoft IIS 5.1 when I noticed
something very weird. If you go to a directory which has
basic authentication enabled, and enter the string: %1p as
the login, it will put this into the event logs under the
system subsection:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 14/05/2002
Time: 2:21:35 PM
User: N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT account
'%1ppppppppppppppppppppppppppppppppppppppppppppppppppppppppppp
pppppppppppppppppppppppppppppppppppppppp' due to the
following error: %2 The data is the error code.
For additional information specific to this message please
visit the Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....

(Note: The p after %1 can be any character it seems. I just
used %1p as my example.)

---

If you enter the string: %2 as the login, it will also put
this into the event logs under the system subsection:

Event Type: Warning
Event Source: W3SVC
Event Category: None
Event ID: 100
Date: 14/05/2002
Time: 2:24:20 PM
User: N/A
Computer: WINDOWS
Description:
The server was unable to logon the Windows NT
account 'Logon failure: unknown user name or bad
password. ' due to the following error: Logon
failure: unknown user name or bad password. The data is
the error code.
For additional information specific to this message please
visit the Microsoft Online Support site located at:
http://www.microsoft.com/contentredirect.asp.
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Data:
0000: 2e 05 00 00 ....

--

If you repeat %2, or %1p it will produce longer entries in
the event logs, depending on how many times you wish to
repeat it. I've been playing with this for a while now, and
it only appears that %2 and %1 (followed by a character)
will cause these weird entries in the event logs. I tested
this on Windows XP Pro with all updates and patches,
running IIS 5.1.

Georgi Guninski confirmed that this format string "flaw"
is present in Windows 2000 with IIS 5.0, as well as the
Microsoft FTP service.

I've given up on playing around with this "flaw", so I'm
posting it to vuln-dev to let other people have a chance
and see what else can be found.

Cheers,

0x00
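As an added defender-side example (not code from either poster), here is a small Python checker that parses the "Key: value" descriptions of Security events like the 529/681/537 entries quoted in the thread and flags a user name that still carries a FormatMessage-style insert (%1, %11, ...), an abnormally long user name, or other fields left unexpanded; it also decodes the W3SVC event's Data bytes as a Win32 error code. The field names come from the quoted entries, the sample descriptions are constructed, and the length threshold MAX_USERNAME is an assumption.

```python
import re

# An unresolved FormatMessage-style insertion string such as %1, %2 or %11.
INSERT_RE = re.compile(r"%\d+")
# Assumed alert threshold; the thread quotes a 25,600-character user name.
MAX_USERNAME = 256

def parse_fields(description):
    """Split the 'Key: value' lines of an event description into a dict."""
    fields = {}
    for line in description.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def analyse(event_id, description):
    """Return reasons to alert on this description (empty list = looks normal)."""
    fields = parse_fields(description)
    user = fields.get("User Name") or fields.get("The logon to account") or ""
    reasons = []
    if INSERT_RE.search(user):
        reasons.append("user name contains an insert placeholder")
    if len(user) > MAX_USERNAME:
        reasons.append(f"user name length {len(user)} exceeds {MAX_USERNAME}")
    # Fields whose value is nothing but a bare %N were never expanded.
    unexpanded = sorted(k for k, v in fields.items()
                        if INSERT_RE.fullmatch(v) and v != user)
    if unexpanded:
        reasons.append("unexpanded inserts in: " + ", ".join(unexpanded))
    return reasons

def decode_error_data(hex_bytes):
    """Interpret the event's Data field (little-endian DWORD) as a Win32 error code."""
    return int.from_bytes(bytes.fromhex(hex_bytes.replace(" ", "")), "little")

# Constructed samples modelled on the entries quoted in the thread (not real logs).
SAMPLES = [
    (529, "Reason: Unknown user name or password\nUser Name: %11\nDomain: %2\n"
          "Logon Type: %3\nLogon Process: %4"),
    (537, "Reason: An unexpected error occurred during logon\nUser Name: %1"
          + "a" * 25600 + "\nDomain: %2"),
    (529, "Reason: Unknown user name or password\nUser Name: jsmith\n"
          "Domain: SERVER\nLogon Type: 3\nLogon Process: IIS"),
]

if __name__ == "__main__":
    for event_id, description in SAMPLES:
        print(event_id, analyse(event_id, description))
    print(decode_error_data("2e 05 00 00"))  # 1326 == ERROR_LOGON_FAILURE
```

The Data value 2e 05 00 00 in both W3SVC entries is 0x52E = 1326, the Win32 ERROR_LOGON_FAILURE code, which matches the "unknown user name or bad password" text in the second entry.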


