CIAC INFORMATION BULLETIN
K-068: Automated Web Interface Scans IIS for Multiple Vulnerabilities
August 16, 2000 17:00 GMT
PROBLEM: Several vulnerabilities may be exploited in Microsoft's Internet
Information Server (IIS).
PLATFORM: All platforms running IIS versions 1.0, 2.0, 3.0, and 4.0
DAMAGE: An outsider can gain access to the source code of scripts,
possibly containing usernames and passwords, locations of MS
Access MDB files or other sensitive information.
SOLUTION: Apply the patches indicated below. Install Service Pack 1 for
Windows 2000.
VULNERABILITY ASSESSMENT: The risk is HIGH. The vulnerabilities and exploits
have been discussed in public forums.
[ Start iDEFENSE Analysis Report ]
Automated Web Interface Scans IIS for Multiple Vulnerabilities
A newly released automated Web interface scans Microsoft's Internet
Information Server (IIS) for multiple reported IIS vulnerabilities.
Through successful exploitation of these vulnerabilities, an attacker
can gain access to the source code of scripts, possibly containing
usernames and passwords, locations of MS Access MDB files or other
sensitive information. This Web interface could be used to scan
unsuspecting systems to identify vulnerabilities prior to an attack.
Using the automated Web interface, a Czech Republic security firm
reported being able to penetrate dozens of systems and obtain
information from email addresses to usernames and passwords. This
interface is publicly available on a Web site hosted in the Czech
Republic. Because this interface has been released publicly, and because
these vulnerabilities have been known for a long time, iDEFENSE
Intelligence Services expects an increase in exploits against systems
running IIS.
The following vulnerabilities are among those being scanned for by the
automated Web interface:
Codebrws.asp
Codebrws.asp is a viewer file that ships with Microsoft IIS, but is
not installed by default. The viewer is intended to be installed by
the administrator to allow for the viewing of sample files as a
learning exercise; however, the viewer does not restrict what files
can be accessed. A remote attacker can exploit this vulnerability to
view the contents of any file on the victim's server. However, there
are several issues to be aware of:
1. Codebrws.asp is not installed by default.
2. The vulnerability only allows for viewing of files.
3. The vulnerability does not bypass Windows NT Access Control Lists
(ACLs).
4. Only files in the same disk partition can be viewed.
5. Attackers must know the location of the requested file.
Microsoft has released a patch for this vulnerability located at
ftp://ftp.microsoft.com/bussys/iis/iis-public/fixes/usa/Viewcode-fix/.
Null.htw
Microsoft IIS running with Index Server contains a vulnerability
through Null.htw even if no .htw files exist on the server. The
vulnerability displays the source code of an ASP page or other
requested file. The ability to view ASP pages could provide sensitive
information such as usernames and passwords. An attacker providing IIS
with a malformed URL request could escape the virtual directory,
providing access to the logical drive and root directory. The
"hit-highlighting" function in the Index Server does not adequately
restrict what types of files may be requested, allowing an attacker to
request any file on the server. Microsoft has released a patch for
Windows 2000 addressing this vulnerability. The patch is located at
http://www.microsoft.com/downloads/release.asp?ReleaseID=17726.
+.HTR
The +.HTR vulnerability (iAlert, July 17, 2000) allows for the
viewing of certain file types. Requesting a filename with "+.htr"
appended will force IIS to call the ISM.DLL ISAPI extension to open the
target file. If the target file is not a .HTR file, part of the target
file's source code will be revealed. Microsoft has released a patch
addressing the .HTR vulnerability located at
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22709 for version 4.0 and
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=22708 for version 5.0.
Translate:f
A newly reported vulnerability in Microsoft's IIS is the Translate:f
vulnerability. An attacker requesting a file with a specialized header
and one of several particular characters at the end will prevent ISAPI
processing from taking place. This will allow for the display of the
source code of the requested file, including .ASP pages. Microsoft has
released a patch addressing this vulnerability located at
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=23769.
$DATA
The $DATA vulnerability, published in mid-1998, results from an error
in the way the Internet Information Server parses file names. $DATA is
an attribute of the main data stream (which holds the "primary
content") stored within a file on NT File System (NTFS). By creating a
specially constructed URL, it is possible to use IIS to access this
data stream from a browser. Doing so will display the code of the file
containing that data stream and any data that file holds. This method
can be used to display a script-mapped file that can normally be acted
upon only by a particular Application Mapping. The contents of these
files are not ordinarily available to users. However, in order to
display the file, the file must reside on the NTFS partition and must
have ACLs set to allow at least read access; the unauthorized user
must also know the file name. Microsoft Windows NT Server's IIS
versions 1.0, 2.0, 3.0 and 4.0 are affected by this vulnerability.
Microsoft has produced a hotfix for IIS versions 3.0 and 4.0. The fix
involves IIS "supporting NTFS alternate data streams by asking Windows
NT to make the file name canonical" according to Microsoft. The fixes
are available from:
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixi.exe for IIS 3.0 on Intel,
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis3-datafix/iis3fixa.exe for IIS 3.0 on Alpha,
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis4-datafix/iis4fixi.exe for IIS 4.0 on Intel and
ftp://ftp.microsoft.com/bussys/IIS/iis-public/fixes/usa/security/iis4-datafix/iis4fixa.exe for IIS 4.0 on Alpha.
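The five request shapes described above (Codebrws.asp, Null.htw, "+.htr", the $DATA stream and the Translate: f header) are distinctive enough to be picked out of ordinary IIS request logs, and the bulletin's central point is that an automated scanner tries several of them from one client in quick succession. The script below is an added detection example, not part of the CIAC or iDEFENSE text: it parses W3C extended log lines, tags each request with the signatures it matches, and flags any client that probes two or more distinct signatures. The sample log is constructed, and the cs(Translate) column is an assumed custom field, since default IIS logs do not record request headers.

```python
"""Detect the IIS source-disclosure probes described in CIAC K-068 in
W3C extended log lines (added example; the sample log is constructed)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# One pattern per request shape the bulletin describes. Patterns run against
# the percent-decoded URI stem from each log record.
SIGNATURES = {
    "Codebrws.asp": re.compile(r"/codebrws\.asp$", re.I),
    "Null.htw":     re.compile(r"\.htw$", re.I),
    "+.HTR":        re.compile(r"\+\.htr$", re.I),
    "$DATA":        re.compile(r"::\$data$", re.I),
}

def parse_w3c(lines):
    """Map each W3C extended log line to a dict using the #Fields: directive."""
    fields, records = None, []
    for raw in lines:
        line = raw.strip()
        if not line or (line.startswith("#") and not line.startswith("#Fields:")):
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields: directive")
        values = line.split()
        if len(values) == len(fields):  # skip malformed lines
            records.append(dict(zip(fields, values)))
    return records

def classify(record):
    """Return the list of bulletin signatures a single request matches."""
    stem = unquote(record.get("cs-uri-stem", ""))
    hits = [name for name, pat in SIGNATURES.items() if pat.search(stem)]
    # Translate: f is a request header, not part of the URI. Default IIS logs
    # do not record it; the cs(Translate) column is an ASSUMED custom field.
    if record.get("cs(Translate)", "-").lower() == "f":
        hits.append("Translate:f")
    return hits

def summarize(records, scan_threshold=2):
    """Group hits per client IP. A client probing several distinct
    signatures looks like the automated scanner the bulletin describes."""
    per_client = defaultdict(set)
    for rec in records:
        for sig in classify(rec):
            per_client[rec.get("c-ip", "?")].add(sig)
    return {
        ip: {"signatures": sorted(sigs), "likely_scan": len(sigs) >= scan_threshold}
        for ip, sigs in per_client.items()
    }

# Constructed sample log (not real traffic); paths and IPs are made up.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Translate)
2000-08-16 17:00:01 192.0.2.10 GET /default.asp - 200 -
2000-08-16 17:00:02 192.0.2.10 GET /samples/codebrws.asp - 200 -
2000-08-16 17:00:03 192.0.2.10 GET /null.htw - 200 -
2000-08-16 17:00:04 192.0.2.10 GET /default.asp+.htr - 200 -
2000-08-16 17:00:05 192.0.2.10 GET /default.asp::$DATA - 200 -
2000-08-16 17:00:06 192.0.2.10 GET /default.asp - 200 f
2000-08-16 17:00:07 198.51.100.7 GET /images/logo.gif - 200 -
2000-08-16 17:00:08 198.51.100.7 GET /Default.ASP%2B.htr - 404 -
""".splitlines()

def analyze(lines=SAMPLE_LOG):
    """Parse and summarize a log; returns {client_ip: {signatures, likely_scan}}."""
    return summarize(parse_w3c(lines))

if __name__ == "__main__":
    for ip, info in analyze().items():
        print(ip, info)
```

Two design points: the match runs on the percent-decoded stem, so an encoded "%2B.htr" is caught as well as a literal "+.htr", and a probe is counted regardless of the status code, because a 404 still tells you someone is running the scanner against the host. The Translate: f header is also sent by legitimate WebDAV and FrontPage authoring clients, so treat that signature alone as a weak indicator and rely on the multi-signature threshold for alerting.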
Customers are strongly urged to obtain Service Pack 1 for Windows
2000. Service Pack 1 contains fixes for these vulnerabilities in IIS
4.0 and 5.0 along with patches for several unrelated vulnerabilities.
Service Pack 1 for Windows 2000 may be obtained from
http://www.microsoft.com/windows2000/downloads/recommended/sp1/x86Lang.asp.
[ End iDEFENSE Analysis Report ]
CIAC wishes to acknowledge the contributions of iDEFENSE, Inc. for the
information contained in this bulletin.
CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7 x 24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
World Wide Web: http://www.ciac.org/
http://ciac.llnl.gov
(same machine -- either one will work)
Anonymous FTP: ftp.ciac.org
ciac.llnl.gov
(same machine -- either one will work)
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
UCRL-MI-119788