From mnemonix@globalnet.co.uk Sun Jul 12 17:42:29 1998
Date: Mon, 13 Jul 1998 01:31:11 +0100
From: Mnemonix <mnemonix@globalnet.co.uk>
To: info@rootshell.com
Subject: New Perl.exe, IIS exploit 

Russ Cooper of ntbugtraq seems unwilling to publish this information -
perhaps it shows how to exploit this too much:

****************************************************************************

All versions of Internet Information Server seem to have a feature that can
cause security problems when it has been configured to run Perl scripts to
produce dynamic web pages, although really it is a combination of IIS and
the Perl command interpreter (Perl.exe) acting together that can cause this
hole. Basically the security implications of this problem is that data can
be read from execute only virtual directories sometimes leading to the
discovery of UserIDs and passwords.

Script extentions (in this case .cgi or .pl) are mapped against the
interpreter in the registry under the following key:

HKLM\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\ScriptMap

When the web service receives a request from a browser it checks the
extention of the file requested and deals with it accordingly. In this case
if a .pl or .cgi file is requested IIS checks the registry to see what
interpreter should deal with that kind of file and then passes the requested
information to the interpreter, perl.exe. This is the "fault" of IIS : that
it does not check to see whether the file actually exists or not; it just
blindly passes the information to the interpreter. IIS leaves this
responsibilty to the interpreter.

The second part of this problem is caused by the interpreter : perl.exe.
Perl.exe will open and try to execute any file that actually exists as long
as it has the extention .pl (if that is the registered extention.)
Consequently if a space (%20) and .pl is appended to the end of a URL
Internet Information Server will pass the request to perl.exe which will
then open the file and try to execute it:

http://www.site.com/scripts/file.ext%20.pl

To demonstrate how this could be a problem : Some CGI scripts often require
a .txt file that contains a userID and password such as wwwboard.cgi.
Create a text file with two lines. On the first line type "Webadmin" and on
the secondline type "Password". Like so:

Webadmin
Password

And name the file pass.txt the request the following URL:

http://www.site.com/scripts/pass.txt%20.pl

You should receive a response similar to :

Can't call method "webadmin" in empty package "password" at
C:\InetPub\scripts\pass.txt line 1

You can also glean information from other "sensitive" files such as .asp or
.idc

http://www.site.com/scripts/default.asp%20.pl or

http://www.site.com/scripts/database.idc

You could even run old perl scripts that are still in the /scripts
directory but have had their extention changed:

http://www.site.com/scripts/script.pl.old%20.pl
 

This problem is exacerbated by the fact that perl.exe will accept willcards
such as * and ? so you don't even need to know that name of a file. You can
request :

http://www.site.com/scripts/*.txt%20.pl

and perl.exe will open the first text file in the scripts directory that it
comes across. 
 
This was tested with Perl version 5.001 build 110. It is not yet known if
other versions are affected. Testing would be appreciated.

Affected machines:
NT Server 4.0 Service pack 1    IIS 2.0
NT Server 4.0 Service pack 3    IIS 3.0
NT Server 4.0 Service pack 3    IIS 4.0
NT Wkst   4.0 Service pack 3    PWS 3.0

It is not yet know if other Web servers such as Netscape are affected.
Again testing will prove if this is so and would be appreciated.
 
The solution to this problem is to use the ISAPI interpreter instead :
PerlIS.dll. This leads to better performance anyway as the script is run in
the same memory space as IIS and only one instance of it ever needs to be
loaded into memory unlike perl.exe where for each script requested a new
instance of perl.exe is loaded into its own memory space.

Mnemonix
http://www.users.globalnet.co.uk/~mnemonix

****************************************************************************

Thought you might be interested. Cheers.
Mnemonix
http://www.users.globalnet.co.uk/~mnemonix