Some Past Frontpage Exploits

From: chameleon (chameleonat_private)
Date: Sun Apr 26 1998 - 15:55:18 PDT

    I've seen a few posts here recently talking about frontpage bugs and things
    of the such so I thought I would share some things Vacuum and I found
    6 or so months ago. Note: go to www.rhino9.org/com/net and get the new paper
    by Vacuum and I on NT hacking and things of the such. NT registry is Vacuum's
    b!tch.
    
    
    1. Frontpage extensions for un!x can lead to some bad bad problems. Around
    90% of the time when you're sitting on a shell of a provider that has
    frontpage server extensions you can do a find / -name service.pwd -print and
    then from that list grep out readable ones. Usually as I said 90% of the
    time... you will be able to have read access and sometimes write access to a
    person's service.pwd.
    
    2. Frontpage extensions for un!x..... Also more than 50% or so of the time I
    have seen that if you do http://www.victim.com/_vti_pvt/service.pwd you will
    be able to read the remote computer's service.pwd because of bad chmod
    permissions.
    
    3. Frontpage password cracking: As Vacuum and I first discovered and
    documented, frontpage server extensions use DES encryption. So basically you
    can take the frontpage service.pwd (chameleon:jk53kjnb43) and then add
    chameleon:jk53kjnb43:0:0:comments:/:/bin/bash and drop that into your
    password cracker and boom. You get the idea. Note: A lot of times people
    will use the same frontpage password as their other passwords for the un!x
    shell. That's a given though to any hacker/cracker/security d00d :-]
    
    4. I saw a post today I believe about someone being able to connect to a
    server with frontpage server extensions and being able to alter the page
    without any password. The reason you can do this is the NT everyone group.
    It's very common that on a server with NT 4.0 Server, IIS 3.0 and frontpage
    server extensions installed, you can alter their webpage via frontpage
    because the everyone group is on the computer and it drops you right in.
    That shouldn't be too hard to understand. Note: Right after installation of
    frontpage server extensions on an NT 4.0 IIS 3.0 box it adds the everyone
    group to have access to the server via frontpage explorer etc.
    
    5. Find File exploit used for frontpage hacking. It is possible to use the
    find file exploit (http://www.victim.com/samples/search/queryhit.htm) and
    search for FILENAME=*.pwd. About 20% of the time or so you will be able to
    find pwd files on the remote system. Note: By default the find file exploit
    will let you read any file in its search area with no access restrictions.
    
    6. Something for the neato people out there to look into are the frontpage
    buffer overflows. Enough said I hope.
    
    -chameleon
    Rhino9 Security Team (www.rhino9.org/com/net)
    InterCore Security
    
    "Pointless quote goes here."
    
    "N34t0 4NS1 G03S H3R3" tee hee ;-]
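A defender-side audit for points 1 to 3 above, added here as an example that is not part of chameleon's post: it walks a document root for service.pwd files, flags any that are readable by group or other (the condition behind the find/grep and the direct /_vti_pvt/service.pwd fetch), and flags entries whose hash is the traditional 13-character DES crypt(3) format that drops straight into a passwd-style cracker. The sample tree it builds is constructed for the demonstration; the directory names and hash values are hypothetical.

```python
import os
import stat
import tempfile

DES_ALPHABET = set("./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")

def is_des_crypt(hashed):
    """Traditional crypt(3) DES output: exactly 13 chars from ./0-9A-Za-z, no '$id$' prefix."""
    return len(hashed) == 13 and all(c in DES_ALPHABET for c in hashed)

def audit_service_pwd(root):
    """Walk `root` and return [(relative path, [findings])] for every service.pwd found."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        if "service.pwd" not in files:
            continue
        path = os.path.join(dirpath, "service.pwd")
        findings = []
        mode = os.stat(path).st_mode
        # Group/other read bits are what make the file greppable from a shell or fetchable over HTTP.
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append("readable-by-others:%04o" % (mode & 0o777))
        with open(path) as fh:
            for line in fh:
                line = line.strip()
                if not line or line.startswith("#") or ":" not in line:
                    continue
                user, hashed = line.split(":", 1)
                if is_des_crypt(hashed):
                    findings.append("des-crypt:" + user)  # 8-char limit, no scheme tag: cheap to crack
        results.append((os.path.relpath(path, root), findings))
    return results

def build_sample_docroot():
    """Constructed sample tree (hypothetical, not from the post): one exposed file, one locked down."""
    root = tempfile.mkdtemp(prefix="fp-audit-")
    exposed = os.path.join(root, "htdocs", "_vti_pvt")
    locked = os.path.join(root, "intranet", "_vti_pvt")
    os.makedirs(exposed)
    os.makedirs(locked)
    p1 = os.path.join(exposed, "service.pwd")
    with open(p1, "w") as fh:
        fh.write("# -FrontPage-\nchameleon:jk53kjnb43abc\n")  # constructed 13-char DES-style hash
    os.chmod(p1, 0o644)
    p2 = os.path.join(locked, "service.pwd")
    with open(p2, "w") as fh:
        fh.write("webmaster:$1$c0nstrct$notarealmd5cryptvalue\n")  # constructed MD5-crypt style entry
    os.chmod(p2, 0o600)
    return root
```

Run `audit_service_pwd("/path/to/docroot")` against a real tree; an empty findings list for every path is the state you want.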
    