PROBLEM:       Several vulnerabilities may be exploited in Microsoft's
               Internet Information Server (IIS).
PLATFORM:      All platforms running IIS versions 1.0, 2.0, 3.0, 4.0 and
               5.0 (Windows 2000).
DAMAGE:        An outsider can gain access to the source code of scripts,
               possibly containing usernames and passwords, locations of
               MS Access MDB files or other sensitive information.
SOLUTION:      Apply the patches indicated below. Install Service Pack 1
               for Windows 2000.

VULNERABILITY  The risk is HIGH. The vulnerabilities and exploits have been
ASSESSMENT:    discussed in public forums.
[ Start iDEFENSE Analysis Report ]

Automated Web Interface Scans IIS for Multiple Vulnerabilities

A newly released automated Web interface scans Microsoft's Internet Information Server (IIS) for multiple reported IIS vulnerabilities. Through successful exploitation of these vulnerabilities, an attacker can gain access to the source code of scripts, possibly containing usernames and passwords, locations of MS Access MDB files or other sensitive information. This Web interface could be used to scan unsuspecting systems to identify vulnerabilities prior to an attack.

Using the automated Web interface, a Czech Republic security firm reported being able to penetrate dozens of systems and obtain information ranging from email addresses to usernames and passwords. The interface is publicly available on a Web site hosted in the Czech Republic. Because the interface has been released publicly, and because these vulnerabilities have been known for a long time, iDEFENSE Intelligence Services expects an increase in exploits against systems running IIS.

The following vulnerabilities are among those scanned for by the automated Web interface:

Codebrws.asp

Codebrws.asp is a viewer file that ships with Microsoft IIS but is not installed by default. The viewer is intended to be installed by the administrator to allow viewing of sample files as a learning exercise; however, it does not restrict which files can be accessed. A remote attacker can exploit this to view the contents of any file on the victim's server. Several limitations apply:

1. Codebrws.asp is not installed by default.
2. The vulnerability only allows viewing of files, not modifying them.
3. The vulnerability does not bypass Windows NT Access Control Lists (ACLs); a file that the account the request runs under (normally the anonymous Web user) cannot read is still not readable.
4. Only files on the same disk partition as the viewer can be viewed.
5. Attackers must know the location of the requested file.
Microsoft has released a patch for this vulnerability, located at ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/.

Null.htw

Microsoft IIS running with Index Server contains a vulnerability in the handling of Null.htw, which is exploitable even if no .htw files exist on the server. The vulnerability displays the source code of an ASP page or any other requested file; the ability to view ASP pages could reveal sensitive information such as usernames and passwords. An attacker providing IIS with a malformed URL request could escape the virtual directory, gaining access to the logical drive and root directory. The "hit-highlighting" function in Index Server does not adequately restrict which types of files may be requested, allowing an attacker to request any file on the server. Microsoft has released a patch for Windows 2000 addressing this vulnerability, located at http://www.microsoft.com/downloads/release.asp?ReleaseID=17726.

+.HTR

The +.HTR vulnerability (iAlert, July 17, 2000) allows viewing of certain file types. Requesting a file name with "+.htr" appended forces IIS to pass the request to the ISM.DLL ISAPI extension, which opens the target file. If the target file is not a .HTR file, part of its source code is returned. Microsoft has released patches addressing the .HTR vulnerability, located at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709 for IIS 4.0 and http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708 for IIS 5.0.

Translate:f

A newly reported vulnerability in Microsoft's IIS is the Translate:f vulnerability. A request for a file that carries the specialized "Translate: f" header and ends in one of several particular characters (a trailing backslash, for example) prevents ISAPI processing from taking place, so IIS returns the source code of the requested file, including .ASP pages, instead of executing it. Microsoft has released a patch addressing this vulnerability, located at http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769.
$DATA

The $DATA vulnerability, published in mid-1998, results from an error in the way IIS parses file names. $DATA is the name of the main data stream (which holds the "primary content") of a file stored on the NT File System (NTFS). By constructing a URL that names that stream explicitly (the file name followed by ::$DATA), it is possible to use IIS to read the stream from a browser. Doing so displays the code of the file containing that data stream and any data the file holds. This method can be used to display a script-mapped file that would normally be acted upon only by its Application Mapping; the contents of such files are not ordinarily available to users. However, for the file to be displayed it must reside on an NTFS partition and have ACLs set to allow at least read access, and the unauthorized user must know the file name. Microsoft Windows NT Server's IIS versions 1.0, 2.0, 3.0 and 4.0 are affected by this vulnerability.

Microsoft has produced a hotfix for IIS versions 3.0 and 4.0. The fix involves IIS "supporting NTFS alternate data streams by asking Windows NT to make the file name canonical", according to Microsoft. The fixes are available from:

ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixi.exe for IIS 3.0 on Intel,
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixa.exe for IIS 3.0 on Alpha,
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis4-datafix/iis4fixi.exe for IIS 4.0 on Intel, and
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis4-datafix/iis4fixa.exe for IIS 4.0 on Alpha.

Customers are strongly urged to obtain Service Pack 1 for Windows 2000. Service Pack 1 contains fixes for these vulnerabilities in IIS 4.0 and 5.0, along with patches for several unrelated vulnerabilities. Service Pack 1 for Windows 2000 may be obtained from http://www.microsoft.com/windows2000/downloads/recommended/sp1/x86Lang.asp.
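The five request patterns described above are easy to recognise in traffic, which is how a site can tell whether the scanner (or anyone else) has been probing it. The following is an added detection example, written for this advisory rather than taken from iDEFENSE, CIAC or Microsoft. It parses raw HTTP request heads and reports which of the five source-disclosure signatures each one matches. The sample requests are constructed; the Codebrws.asp path (/iissamples/sdk/asp/docs/codebrws.asp) and its Source parameter are the locations the IIS samples normally ship with, assumed here and not stated in the report.

```python
"""Flag HTTP requests that match the five IIS source-disclosure patterns
described in the report.  Sample requests below are constructed for this
example; the codebrws.asp sample path is assumed, not taken from the
advisory."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import unquote, urlsplit


@dataclass
class Request:
    method: str
    target: str
    headers: Dict[str, str] = field(default_factory=dict)


def parse_request(raw: str) -> Request:
    """Parse the head of a raw HTTP/1.x request (request line plus headers).
    Header names are lowercased because HTTP header names are case-insensitive."""
    lines = raw.strip("\r\n").split("\n")
    method, target, _version = lines[0].strip().split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        line = line.strip()
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Request(method, target, headers)


def source_disclosure_signatures(req: Request) -> List[str]:
    """Return the names of the report's vulnerabilities that a request matches.
    The path is percent-decoded once and lowercased, since IIS file names are
    case-insensitive and scanners routinely encode the tell-tale bytes."""
    parts = urlsplit(req.target)
    path = unquote(parts.path)
    query = unquote(parts.query).lower()
    lowered = path.lower()
    hits: List[str] = []
    # $DATA: the NTFS main-stream name appended to the file name
    if "::$data" in lowered:
        hits.append("$DATA")
    # +.HTR: '+.htr' appended so ISM.DLL opens a file that is not an .htr
    if re.search(r"\+\.htr$", lowered):
        hits.append("+.HTR")
    # Null.htw: a (non-existent) .htw handed to Index Server hit-highlighting,
    # with CiWebHitsFile naming the file whose source is wanted
    if lowered.endswith(".htw") and "ciwebhitsfile=" in query:
        hits.append("Null.htw")
    # Codebrws.asp: the sample code viewer, which reads arbitrary files
    if lowered.endswith("/codebrws.asp"):
        hits.append("Codebrws.asp")
    # Translate: f plus a trailing backslash on the resource name, which
    # keeps the request away from the script mapping (the published form of
    # the "particular characters" the report mentions)
    if req.headers.get("translate", "").lower() == "f" and path.endswith("\\"):
        hits.append("Translate:f")
    return hits


def scan(raw_requests: List[str]) -> List[Tuple[str, List[str]]]:
    """Scan raw requests and pair each request target with its matches."""
    return [(r.target, source_disclosure_signatures(r))
            for r in map(parse_request, raw_requests)]


# Constructed sample traffic: one probe per vulnerability plus a benign request.
SAMPLE_REQUESTS = [
    "GET /default.asp::$DATA HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "GET /login.asp+.htr HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "GET /null.htw?CiWebHitsFile=/default.asp&CiRestriction=none"
    "&CiHiliteType=Full HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
    "GET /iissamples/sdk/asp/docs/codebrws.asp?Source=/default.asp HTTP/1.0\r\n"
    "Host: www.example.com\r\n\r\n",
    "GET /default.asp\\ HTTP/1.0\r\nTranslate: f\r\nHost: www.example.com\r\n\r\n",
    "GET /default.asp HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for target, hits in scan(SAMPLE_REQUESTS):
        print(f"{target!r}: {', '.join(hits) if hits else 'no match'}")
```

Two practical notes. First, IIS logs record the request path but not request headers, so the Translate:f check needs the raw request (a proxy, packet capture or IDS feed); the other four can be run over W3C log entries by feeding the URI stem and query through parse_request as a synthetic request line. Second, "Translate: f" on its own is sent by legitimate WebDAV clients fetching a page's source for editing, which is why the check also requires the trailing backslash; a match on any of these signatures shows that a probe was made, not that it succeeded, so the response size or status code should be checked alongside it.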
[ End iDEFENSE Analysis Report ]
Voice:          +1 925-422-8193 (7 x 24)
FAX:            +1 925-423-8002
STU-III:        +1 925-423-2604
E-mail:         ciac@llnl.gov
World Wide Web: http://www.ciac.org/
                http://ciac.llnl.gov
                (same machine -- either one will work)
Anonymous FTP:  ftp.ciac.org
                ciac.llnl.gov
                (same machine -- either one will work)